Dust Specter Targets Iraqi Officials with New SPLITDROP and GHOSTFORM Malware  Ravie Lakshmanan  Mar 05, 2026 Malware / Threat Intelligence A suspected Iran-nexus threat actor has been attributed to a campaign targeting government officials in Iraq by impersonating the country's Ministry of Foreign Affairs to deliver a set of never-before-seen malware. Zscaler ThreatLabz, which observed the activity in January 2026, is tracking the cluster under the name Dust Specter . The attacks, which manifest in the form of two different infection chains, culminate in the deployment of malware dubbed SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. "Dust Specter used randomly generated URI paths for command-and-control (C2) communication with checksum values appended to the URI paths to ensure that these requests originated from an actual infected system," security researcher Sudeep Singh said . "The C2 server also utilized geofencing techniques and User-Agent verification." A notable aspect of the campaign is the compromise of the Iraqi government-related infrastructure to stage malicious payloads, not to mention the use of evasion techniques to delay execution and fly under the radar. The first attack sequence begins with a password-protected RAR archive, within which there exists a .NET dropper named SPLITDROP, which acts as a conduit for TWINTASK, a worker module, and TWINTALK, a C2 orchestrator. TWINTASK, for its part, is a malicious DLL ("libvlc.dll") that's sideloaded by the legitimate "vlc.exe" binary to periodically poll a file ("C:\ProgramData\PolGuid\in.txt") every 15 seconds for new commands and run them using PowerShell. This also includes commands to establish persistence on the host via Windows Registry changes. The script output and errors are captured in a separate text file ("C:\ProgramData\PolGuid\out.txt"). TWINTASK, upon first launch, is designed to execute another legitimate binary present in the extracted archive ("WingetUI.exe"), causing it to sideload the TWINTALK DLL ("hostfxr.dll"). Its primary goal is to reach out to the C2 server for new commands, coordinate tasks with TWINTASK, and exfiltrate the results back to the server. It supports the ability to write the command body from the C2 response to "in.txt," as well as download and upload files. "The C2 orchestrator works in parallel with the previously described worker module to implement a file-based polling mechanism used for code execution," Singh said. "Upon execution, TWINTALK enters a beaconing loop and delays execution by a random interval before polling the C2 server for new commands." The second attack chain represents an evolution of the first, consolidating all the functionality of TWINTASK and TWINTALK into a single binary dubbed GHOSTFORM. It makes use of in-memory PowerShell script execution to run commands retrieved from the C2 server, thereby eliminating the need for writing artifacts to disk. That's not the only differentiating factor between the two attack chains. Some GHOSTFORM binaries have been found to embed a hard-coded Google Forms URL that's automatically launched on the system's default web browser once the malware begins execution. The form features content written in Arabic and masquerades as an official survey from Iraq's Ministry of Foreign Affairs. Zscaler's analysis of the TWINTALK and GHOSTFORM source code has also uncovered the presence of placeholder values, emojis, and Unicode text, suggesting that generative artificial intelligence (AI) tools may have been used to assist with the malware's development. What's more, the C2 domain associated with TWINTALK, "meetingapp[.]site," is said to have been used by the Dust Specter actors in a July 2025 campaign to host a fake Cisco Webex meeting invitation page that instructs users to copy, paste, and run a PowerShell script to join the meeting. The instructions mirror a tactic widely seen in ClickFix -style social engineering attacks. The PowerShell script, for its part, creates a directory on the host, and attempts to fetch an unspecified payload from the same domain and save it as an executable within the newly created directory. It also creates a scheduled task to run the malicious binary every two hours. Dust Specter's connections to Iran are based on the fact that Iranian hacking groups have a history of developing custom lightweight .NET backdoors to achieve their goals. The use of compromised Iraqi government infrastructure has been observed in past campaigns linked to threat actors like OilRig (aka APT34). "This campaign, attributed with medium-to-high confidence to Dust Specter, likely targeted government officials using convincing social engineering lures impersonating Iraq's Ministry of Foreign Affairs," Zscaler said. "The activity also reflects broader trends, including ClickFix-style techniques and the growing use of generative AI for malware development." Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  Command and Control , cybersecurity , Iran , Iraq , Malware , powershell , social engineering , Threat Intelligence , Zscaler Trending News Researchers Show Copilot and Grok Can Be Abused as Malware C2 Proxies ⚡ Weekly Recap: Double-Tap Skimmers, PromptSpy AI, 30Tbps DDoS, Docker Malware and More ThreatsDay Bulletin: Kali Linux + Claude, Chrome Crash Traps, WinRAR Flaws, LockBit and 15+ Stories Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration Anthropic Says Chinese AI Firms Used 16 Million Claude Queries to Copy Model Anthropic Launches Claude Code Security for AI-Powered Vulnerability Scanning AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024 Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody Identity Prioritization isn't a Backlog Problem - It's a Risk Math Problem How Exposed Endpoints Increase Risk Across LLM Infrastructure Popular Resources 100+ Domains Multiply Attack Risk 6× - Download the CTEM Divide Research Boost SOC Efficiency with AI-Guided Triage — Download Investigator Overview Silent Residency Is the New Threat Model — Download the Red Report Exposed Cloud Training Apps Are Letting Hackers In — Download the Research