Dust Specter APT Targets Iraqi Government Officials with New AI-Assisted Malware

  • Mar 6
  • 2 min read

Key Findings
  • Suspected Iran-nexus threat actor, tracked as "Dust Specter", targeted Iraqi government officials in a campaign observed in January 2026.

  • The threat actor used phishing emails impersonating Iraq's Ministry of Foreign Affairs to deliver previously undocumented malware families, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM.

  • The attacks involved two different infection chains, one using a password-protected RAR archive and another consolidating the same functionality into a single GHOSTFORM binary.

  • Malware employed various evasion techniques, including DLL sideloading, delayed execution, and in-memory script execution to avoid detection.

  • Evidence suggests the threat actor may have leveraged generative AI tools to assist in the development of the TWINTALK and GHOSTFORM malware.

  • Indicators of Compromise (IOCs) linked the campaign to the Dust Specter group's previous activities in July 2025, involving the use of a fake Cisco Webex meeting invitation page.

Background

The Dust Specter threat group, which has been linked to Iran-nexus activities, has been observed targeting Iraqi government officials with a new campaign involving previously undocumented malware families. Zscaler ThreatLabz researchers analyzed two distinct attack chains used in this operation, which deliver a range of custom .NET-based droppers and backdoors.

Attack Chain 1: SPLITDROP, TWINTASK, and TWINTALK

  • The first attack chain begins with a password-protected RAR archive containing a .NET dropper named SPLITDROP, disguised as a WinRAR application.

  • SPLITDROP deploys two modules: TWINTASK, a worker component that executes PowerShell commands, and TWINTALK, a command-and-control (C2) orchestrator.

  • TWINTASK uses DLL sideloading to execute malicious code through legitimate software like VLC and WingetUI, establishing persistence and periodically polling a file for new commands.

  • TWINTALK beacons to the C2 server, retrieves commands, and coordinates tasks with TWINTASK, supporting file upload/download capabilities.
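The DLL sideloading step above is the most detectable part of this chain from an endpoint telemetry standpoint: a known, legitimate host binary (the report names VLC and WingetUI) loads a DLL that sits next to it in a user-writable directory instead of its normal install location. The following Python heuristic is an added example written for this page, not code from the report or from Zscaler ThreatLabz. It runs over constructed, Sysmon-style image-load records (field names follow Sysmon Event ID 7: Image, ImageLoaded, Signed, signature status); the DLL names, file paths and user names in the sample events are constructed placeholders and are not IOCs from the campaign.

```python
"""Heuristic detection of DLL sideloading through legitimate host binaries.

Added example for this page, not code from the report. Input records are
constructed and loosely follow Sysmon Event ID 7 (ImageLoad) field names.
All sample paths and DLL names below are placeholders, not campaign IOCs.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Legitimate applications the report names as sideloading hosts.
SIDELOAD_HOSTS = {"vlc.exe", "wingetui.exe"}

# Install roots where these applications normally live. A copy of the host
# binary running from a profile, temp or downloads directory is suspicious.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\Windows"),
)


@dataclass
class ImageLoad:
    image: str            # full path of the process that loaded the DLL
    image_loaded: str     # full path of the DLL that was loaded
    signed: bool          # DLL carries an Authenticode signature
    signature_valid: bool # that signature verified


def _under_trusted_root(path: PureWindowsPath) -> bool:
    """True when path is inside one of the trusted install roots."""
    return any(root == path or root in path.parents for root in TRUSTED_ROOTS)


def classify(ev: ImageLoad) -> list[str]:
    """Return the sideloading indicators present in one image-load event."""
    proc = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    reasons: list[str] = []
    if proc.name.lower() not in SIDELOAD_HOSTS:
        return reasons
    # Sideloading relies on the DLL being co-located with the host binary so
    # that the loader's search order finds it before the legitimate copy.
    if proc.parent == dll.parent:
        if not _under_trusted_root(proc):
            reasons.append("host binary runs outside its normal install root")
        if not (ev.signed and ev.signature_valid):
            reasons.append("co-located DLL is unsigned or has an invalid signature")
    return reasons


def find_sideloading(events: list[ImageLoad]) -> list[tuple[str, list[str]]]:
    """Return (dll path, reasons) for every event that trips the heuristic."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev.image_loaded, reasons))
    return hits


# Constructed sample telemetry (placeholders, not real IOCs).
SAMPLE_EVENTS = [
    # Normal: VLC from its install directory loading its own signed library.
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r"C:\Program Files\VideoLAN\VLC\libvlc.dll", True, True),
    # Suspicious: VLC copied to a temp folder loading an unsigned co-located DLL.
    ImageLoad(r"C:\Users\user1\AppData\Local\Temp\update\vlc.exe",
              r"C:\Users\user1\AppData\Local\Temp\update\placeholder_a.dll", False, False),
    # Suspicious: WingetUI running from Downloads; DLL is signed but location is wrong.
    ImageLoad(r"C:\Users\user1\Downloads\wingetui.exe",
              r"C:\Users\user1\Downloads\placeholder_b.dll", True, True),
    # Not a sideloading host: ignored by the heuristic.
    ImageLoad(r"C:\Windows\explorer.exe",
              r"C:\Users\user1\Downloads\placeholder_c.dll", False, False),
]


if __name__ == "__main__":
    for dll, reasons in find_sideloading(SAMPLE_EVENTS):
        print(dll)
        for r in reasons:
            print("  -", r)
```

Both conditions are deliberately weak on their own (VLC ships some unsigned DLLs, and a portable install can legitimately run from a profile directory), so the combination of an unexpected host location with an unsigned co-located DLL is the signal worth alerting on; the single-reason hit is a candidate for lower-severity triage.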

Attack Chain 2: GHOSTFORM

  • The second attack chain consolidates the functionality of TWINTASK and TWINTALK into a single GHOSTFORM binary.

  • GHOSTFORM executes commands retrieved from the C2 server directly in memory, eliminating the need for writing artifacts to disk.

  • Some GHOSTFORM samples include a hard-coded Google Forms URL that's automatically launched, posing as an official survey from Iraq's Ministry of Foreign Affairs.

Generative AI and Evasion Techniques

  • ThreatLabz researchers identified unusual elements, such as emojis and Unicode text, in the TWINTALK and GHOSTFORM source code, suggesting the possible use of generative AI tools in their development.

  • The campaign also employed techniques like randomized URI paths, JWT tokens, and geofencing for C2 communication to evade detection.

  • The group previously used a fake Cisco Webex meeting invitation page in a July 2025 campaign, demonstrating the use of ClickFix-style social engineering tactics.

Attribution to Dust Specter and Iran-Nexus

  • ThreatLabz attributes this campaign to the Dust Specter group with medium-to-high confidence, based on the targeting patterns, malware design, and tactics consistent with previous Iranian cyber-espionage operations.

  • The use of compromised Iraqi government infrastructure and the development of custom lightweight .NET backdoors are also indicative of Iran-linked threat actors.

Sources

  • https://securityaffairs.com/189033/apt/iran-nexus-apt-dust-specter-targets-iraq-officials-with-new-malware.html

  • https://thehackernews.com/2026/03/dust-specter-targets-iraqi-officials.html

  • https://x.com/smica83/status/2028563647446864055

  • https://cybersecuritynews.com/iran-nexus-apt-dust-specter-hits-iraqi-officials/

  • https://x.com/autumn_good_35/status/2029559451854979348

  • https://www.cypro.se/2026/03/05/dust-specter-targets-iraqi-officials-with-new-splitdrop-and-ghostform-malware/