Cybersecurity researchers have disclosed a campaign attributed to a suspected Iran-linked threat actor targeting Iraqi government officials. The attackers impersonated Iraq’s Ministry of Foreign Affairs to deliver previously unknown malware families, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM.
Observed by Zscaler ThreatLabz in January 2026, the campaign employs two distinct infection chains that ultimately deploy these malicious tools.
A notable tactic of the attackers, whom Zscaler tracks as Dust Specter, is the use of randomly generated URI paths for command-and-control (C2) communications with a checksum value appended, which lets the server reject requests that did not come from the implant. The C2 servers also enforce geofencing and User-Agent validation, refusing connections from outside the targeted region or from unexpected clients.
The first attack chain starts with a password-protected RAR archive containing a .NET dropper named SPLITDROP. The dropper deploys two components: TWINTASK, a worker module, and TWINTALK, a C2 orchestrator.
TWINTASK is a malicious DLL (libvlc.dll) sideloaded by the legitimate vlc.exe binary. It polls a file (C:\ProgramData\PolGuid\in.txt) every 15 seconds for commands, executing them through PowerShell and logging output to out.txt. It also ensures persistence by modifying the Windows Registry.
When first executed, TWINTASK triggers another legitimate binary (WingetUI.exe) to sideload the TWINTALK DLL (hostfxr.dll). TWINTALK communicates with the C2 server, coordinates tasks with TWINTASK, and supports reading commands from in.txt as well as file upload/download operations.
The second attack chain consolidates TWINTASK and TWINTALK into a single binary, GHOSTFORM. It runs PowerShell commands entirely in memory, avoiding disk artifacts. Some GHOSTFORM binaries embed a hard-coded Google Forms URL that opens automatically in the victim’s browser, presenting an Arabic-language survey disguised as an official Ministry of Foreign Affairs form.
Analysis revealed placeholder values, emojis, and Unicode text within the TWINTALK and GHOSTFORM source code, suggesting possible use of generative AI tools during malware development.
Historically, Dust Specter has used domains like meetingapp[.]site to host fake Cisco Webex invitations, instructing victims to copy and execute PowerShell scripts, a tactic resembling ClickFix-style social engineering attacks. The scripts create directories, fetch malicious payloads, and schedule execution tasks to maintain persistence.
The attribution to Iran is inferred from Dust Specter’s use of custom, lightweight .NET backdoors, a tradecraft pattern associated with Iranian threat actors. Targeting Iraqi government infrastructure also mirrors past campaigns by groups such as OilRig (APT34).
Zscaler concluded that the campaign likely targeted officials with convincing social engineering lures while demonstrating broader trends in AI-assisted malware development and ClickFix-style attacks.