- A suspected Iran-nexus threat actor, tracked as Dust Specter, impersonated Iraq’s Ministry of Foreign Affairs to target government officials with new malware.
- The campaign deployed four distinct malware families—SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM—using Iraqi government infrastructure to host payloads.
- Evidence within the malware’s source code suggests generative AI tools may have assisted in its development.
- The attacks employed advanced evasion, including geofencing, delayed execution, and file-based polling for command retrieval.
A suspected Iran-nexus actor code-named Dust Specter targeted Iraqi government officials in January 2026, deploying never-before-seen malware in a sophisticated impersonation campaign. Zscaler ThreatLabz observed this activity, which used two distinct infection chains to ultimately deliver a suite of malicious tools.
The first chain began with a password-protected RAR archive containing the SPLITDROP dropper. Consequently, this module delivered the TWINTASK worker and TWINTALK command orchestrator to compromised systems.
TWINTASK, a malicious DLL, sideloaded via a legitimate binary to poll a local file every 15 seconds for new commands. Security researcher Sudeep Singh said the actors used randomly generated URI paths with checksums to verify infected systems.
Meanwhile, TWINTALK’s role was to communicate with the command-and-control server for new instructions. Its C2 server also utilized geofencing techniques and User-Agent verification to avoid detection.
The second attack chain represented an evolution, consolidating functionality into a single binary called GHOSTFORM. However, this variant uniquely embedded a hard-coded Google Forms URL that launched a fake Arabic-language survey upon execution.
Analysis of the malware source code revealed placeholder values, emojis, and Unicode text. This suggests generative artificial intelligence tools may have been used to assist with the malware’s development.
Furthermore, the C2 domain was previously used in a July 2025 campaign hosting a fake Cisco Webex invitation. This earlier attack used a ClickFix-style script to fetch and schedule a malicious payload on the host.
Attribution to an Iran-nexus group is based on their history of developing custom .NET backdoors and using compromised Iraqi infrastructure. Zscaler stated this campaign was attributed with medium-to-high confidence to Dust Specter.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
