
A suspected Iran-linked cyber threat group known as Dust Specter has launched a targeted cyber-espionage campaign against Iraqi government officials, deploying newly discovered malware strains including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM.
Security researchers from Zscaler ThreatLabz detected the activity in January 2026, revealing a sophisticated attack chain that impersonates Iraq’s Ministry of Foreign Affairs to deliver malicious payloads.
Dust Specter Cyber Campaign Overview
The attackers use social engineering tactics and compromised Iraqi government infrastructure to distribute malware while avoiding detection.
According to security researcher Sudeep Singh, the malware communicates with command-and-control (C2) servers using randomly generated URI paths combined with checksum validation. The checksum lets the C2 server verify that a request comes from a genuine infected system and disregard requests that do not.
The attackers also deployed additional evasion techniques, including:
- Geofencing restrictions to limit access to specific regions
- User-Agent verification to detect analysis environments
- Execution delays to bypass automated detection systems
These techniques make the campaign particularly difficult for security teams to detect in its early stages.
First Infection Chain: SPLITDROP, TWINTASK, and TWINTALK
The initial attack vector begins with a password-protected RAR archive sent to targets.
Inside the archive is a .NET-based dropper called SPLITDROP, which installs two additional components:
- TWINTASK – a worker module responsible for executing commands
- TWINTALK – a command-and-control orchestration module
TWINTASK Worker Module
TWINTASK is a malicious DLL named libvlc.dll that is side-loaded by a legitimate VLC executable (vlc.exe), allowing the attackers to run their code under the guise of trusted software.
Key behavior includes:
- Polling the file C:\ProgramData\PolGuid\in.txt every 15 seconds for commands
- Executing commands using PowerShell
- Capturing command output in C:\ProgramData\PolGuid\out.txt
- Creating Windows Registry persistence mechanisms
This design allows attackers to remotely execute commands and maintain long-term access to compromised systems.
TWINTALK C2 Orchestrator
After deployment, TWINTASK launches another legitimate executable called WingetUI.exe, which loads the TWINTALK DLL (hostfxr.dll).
TWINTALK’s main functions include:
- Connecting to the attacker’s C2 server
- Coordinating tasks with TWINTASK
- Uploading stolen data
- Downloading additional payloads
TWINTALK also enters a beaconing loop, periodically contacting the C2 server after random delays to retrieve new instructions.
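The file-based command channel and the two side-load pairs described in the TWINTASK and TWINTALK sections translate directly into host-level detections. The script below is an added example, not code from the Zscaler report: it runs three checks over constructed Sysmon-style events (file creation, image load, process creation). The "expected" install directories for vlc.exe and WingetUI.exe are assumptions to adapt to your environment.

```python
from dataclasses import dataclass
import ntpath  # Windows path semantics on any host

# Artifacts named in the report (lower-cased for comparison)
POLGUID_DIR = r"c:\programdata\polguid"
SIDELOAD_PAIRS = {"vlc.exe": "libvlc.dll", "wingetui.exe": "hostfxr.dll"}
# Assumed normal install locations; not from the report, adjust to your estate
EXPECTED_DIRS = {"vlc.exe": r"c:\program files\videolan\vlc",
                 "wingetui.exe": r"c:\program files\wingetui"}

@dataclass
class Event:
    kind: str         # "file" (file created), "imageload" (DLL loaded), "process" (child started)
    image: str        # acting process image path
    target: str       # created file, loaded DLL, or child image path
    parent: str = ""  # parent image name, used for "process" events

def triage(events):
    """Return (rule, detail) pairs for events matching the TWINTASK/TWINTALK tradecraft."""
    findings = []
    for e in events:
        img_dir, img_name = ntpath.split(e.image.lower())
        tgt_dir, tgt_name = ntpath.split(e.target.lower())
        if e.kind == "file" and tgt_dir == POLGUID_DIR:
            # TWINTASK's command/output channel lives in C:\ProgramData\PolGuid\
            findings.append(("polguid_channel", e.target))
        elif (e.kind == "imageload" and SIDELOAD_PAIRS.get(img_name) == tgt_name
              and img_dir != EXPECTED_DIRS[img_name]):
            # a copy of the legitimate host EXE running outside its install
            # directory and loading its side-load DLL from that same location
            findings.append(("dll_sideload", f"{e.image} -> {e.target}"))
        elif (e.kind == "process" and tgt_name == "powershell.exe"
              and e.parent.lower() == "vlc.exe"):
            # TWINTASK runs its commands through PowerShell from inside vlc.exe
            findings.append(("powershell_from_vlc", e.target))
    return findings

# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    Event("file", r"C:\Users\u\AppData\Roaming\Media\vlc.exe", r"C:\ProgramData\PolGuid\in.txt"),
    Event("file", r"C:\Users\u\AppData\Roaming\Media\vlc.exe", r"C:\ProgramData\PolGuid\out.txt"),
    Event("imageload", r"C:\Users\u\AppData\Roaming\Media\vlc.exe", r"C:\Users\u\AppData\Roaming\Media\libvlc.dll"),
    Event("imageload", r"C:\Program Files\VideoLAN\VLC\vlc.exe", r"C:\Program Files\VideoLAN\VLC\libvlc.dll"),
    Event("process", r"C:\Users\u\AppData\Roaming\Media\vlc.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "vlc.exe"),
    Event("imageload", r"C:\Users\u\AppData\Roaming\Media\WingetUI.exe", r"C:\Users\u\AppData\Roaming\Media\hostfxr.dll"),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(rule, detail)
```

The fourth sample event (VLC loading libvlc.dll from its normal install directory) is deliberately benign and produces no finding; the other five each trigger exactly one rule.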
Second Infection Chain: GHOSTFORM Malware
The attackers later introduced a more advanced variant called GHOSTFORM, which consolidates TWINTASK and TWINTALK capabilities into a single binary.
Unlike the earlier attack chain, GHOSTFORM executes PowerShell scripts entirely in memory, reducing forensic evidence on the system and increasing stealth.
Another distinctive feature of GHOSTFORM is a hard-coded Google Forms link that is automatically opened in the victim’s browser during execution.
The form appears as an official survey from Iraq’s Ministry of Foreign Affairs, written in Arabic to increase credibility and deceive victims.
Signs of AI-Assisted Malware Development
During analysis of the TWINTALK and GHOSTFORM source code, researchers discovered unusual artifacts such as:
- Placeholder values
- Emojis within the code
- Unicode text fragments
These indicators suggest that generative AI tools may have assisted the attackers in developing portions of the malware code.
Links to Previous Dust Specter Campaigns
Security analysts also discovered that the command-and-control domain meetingapp[.]site had been used in an earlier campaign in July 2025.
In that operation, attackers hosted a fake Cisco Webex meeting page that instructed victims to copy and execute a malicious PowerShell script to join a meeting.
This tactic resembles ClickFix-style social engineering attacks, where victims unknowingly execute malicious commands themselves.
Once executed, the script:
- Creates a hidden directory on the victim’s system
- Downloads a payload from the attacker’s domain
- Saves the payload as an executable file
- Creates a scheduled task running every two hours
This ensures persistent access for attackers.
Possible Iranian Threat Actor Connection
Cybersecurity experts believe Dust Specter may have links to Iranian threat actors, citing similarities in attack techniques.
Iranian groups have historically developed lightweight .NET-based backdoors for espionage campaigns.
Additionally, the use of compromised Iraqi government infrastructure mirrors tactics previously associated with OilRig, a well-known Iranian cyber-espionage group.