Suspected Iran-linked Dust Specter group impersonates Iraq's Ministry of Foreign Affairs to deliver sophisticated malware including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM, using ClickFix-style social engineering and AI-assisted development techniques.
A sophisticated cyber espionage campaign attributed to the Dust Specter threat actor group has been targeting government officials in Iraq through a series of malware attacks that combine social engineering, advanced evasion techniques, and potentially AI-assisted development.

The campaign, observed by Zscaler ThreatLabz in January 2026, employs two distinct infection chains that ultimately deploy a suite of custom malware tools designed to compromise Iraqi government infrastructure and exfiltrate sensitive data.
Campaign Overview
The attackers have been impersonating Iraq's Ministry of Foreign Affairs to deliver malicious payloads, leveraging compromised Iraqi government infrastructure to host their malware. The campaign demonstrates several concerning trends in modern cyber espionage, including the use of geofencing techniques, checksum verification for C2 communications, and sophisticated evasion methods.
According to Zscaler security researcher Sudeep Singh, "Dust Specter used randomly generated URI paths for command-and-control (C2) communication with checksum values appended to the URI paths to ensure that these requests originated from an actual infected system. The C2 server also utilized geofencing techniques and User-Agent verification."
First Infection Chain: SPLITDROP and Associated Modules
The initial attack vector involves a password-protected RAR archive that contains a .NET dropper named SPLITDROP. This dropper serves as the entry point for deploying two additional modules:
TWINTASK - A worker module implemented as a malicious DLL ("libvlc.dll") that is sideloaded by the legitimate "vlc.exe" binary. It polls the file "C:\ProgramData\PolGuid\in.txt" every 15 seconds for new commands; when it finds one, it executes the command with PowerShell and captures the script's output and errors in "C:\ProgramData\PolGuid\out.txt". Both files are plain-text artifacts a defender can hunt for, and because the worker hands commands to PowerShell, PowerShell activity originating from a vlc.exe host process is a second detection opportunity.
TWINTASK also establishes persistence on compromised systems through Windows Registry modifications, ensuring the malware remains active across reboots.
TWINTALK - A C2 orchestrator implemented as another malicious DLL ("hostfxr.dll") that's sideloaded by a legitimate binary ("WingetUI.exe") present in the extracted archive. This module's primary function is to communicate with the command-and-control server, coordinate tasks with TWINTASK, and exfiltrate results back to the attackers.
TWINTALK supports several capabilities including writing command bodies from C2 responses to the in.txt file, as well as downloading and uploading files to and from the compromised system. The module operates in a beaconing loop with random delays before polling the C2 server for new commands.
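Three hunt checks derived from the chain above, written here as an added Python example (it is not Zscaler's code or the malware's). It runs over constructed Sysmon-style events supplied inline, not real telemetry; the Sysmon event IDs (1 process create, 7 image load, 11 file create) are real, while the benign install directories in TRUSTED_DIRS, the user and download paths in the samples, and the assumption that TWINTASK launches a powershell.exe child (the write-up says only that commands are executed "using PowerShell") are illustrative assumptions.

```python
"""Hunt rules for the SPLITDROP / TWINTASK / TWINTALK chain.

Added example, not Zscaler's or the malware's code. Applies three checks grounded
in the write-up: writes to the command-relay files under C:\\ProgramData\\PolGuid,
PowerShell spawned by the sideload host binaries (vlc.exe, WingetUI.exe), and the
sideloaded DLL names loaded from outside their normal install directories.
"""
from __future__ import annotations

import ntpath

# Indicators taken from the write-up.
RELAY_DIR = r"c:\programdata\polguid"
RELAY_FILES = {"in.txt", "out.txt"}
SIDELOAD_PAIRS = {"vlc.exe": "libvlc.dll", "wingetui.exe": "hostfxr.dll"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed benign install locations for the two host binaries (tune per estate).
TRUSTED_DIRS = (r"c:\program files\videolan\vlc", r"c:\program files\wingetui")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def check_event(ev: dict) -> list[str]:
    """Return hunt findings for one Sysmon-style event dict."""
    hits: list[str] = []
    eid = ev["EventID"]
    if eid == 11:  # Sysmon FileCreate: any process touching the relay files
        target = ev["TargetFilename"]
        if _dir(target) == RELAY_DIR and _base(target) in RELAY_FILES:
            hits.append(f"relay file {target} written by {_base(ev['Image'])}")
    elif eid == 1:  # Sysmon ProcessCreate: worker runs commands via PowerShell
        parent = _base(ev["ParentImage"])
        if _base(ev["Image"]) in POWERSHELL and parent in SIDELOAD_PAIRS:
            hits.append(f"{_base(ev['Image'])} spawned by sideload host {parent}")
    elif eid == 7:  # Sysmon ImageLoad: paired DLL loaded from a non-install path
        host = _base(ev["Image"])
        dll = ev["ImageLoaded"]
        if SIDELOAD_PAIRS.get(host) == _base(dll) and not _dir(dll).startswith(TRUSTED_DIRS):
            hits.append(f"{host} loaded {_base(dll)} from {_dir(dll)}")
    return hits


def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """Run check_event over a batch; returns (event index, finding) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


# Constructed sample events; the user name and Downloads\invite paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\ali\Downloads\invite\WingetUI.exe",
     "TargetFilename": r"C:\ProgramData\PolGuid\in.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\ali\Downloads\invite\vlc.exe"},
    {"EventID": 7, "Image": r"C:\Users\ali\Downloads\invite\vlc.exe",
     "ImageLoaded": r"C:\Users\ali\Downloads\invite\libvlc.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},  # legitimate VLC
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},  # user-launched shell
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\ProgramData\PolGuid\notes.txt"},  # same dir, other file
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The first three sample events each trigger one finding and the last three none. To use it on real data, map your SIEM's Sysmon field names onto the keys above and widen TRUSTED_DIRS to wherever VLC and WingetUI are legitimately installed in your environment; the relay-file check needs no tuning, since nothing legitimate should write to that path.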
Second Infection Chain: GHOSTFORM Evolution
The second attack chain is a more sophisticated evolution of the first, consolidating all functionality of TWINTASK and TWINTALK into a single binary dubbed GHOSTFORM. This consolidation offers the operator several advantages:
In-memory execution: GHOSTFORM runs commands retrieved from the C2 server through in-memory PowerShell script execution, so the in.txt and out.txt relay files of the first chain are no longer written to disk and forensic visibility is reduced. It is reduced rather than removed: where the engine in use is Windows PowerShell 5 or later with script block logging enabled, the executed script content is still recorded in the PowerShell operational log (event ID 4104).
Hard-coded Google Forms URL: Some GHOSTFORM binaries embed a hard-coded Google Forms URL that automatically launches in the system's default web browser upon execution. The form, written in Arabic, masquerades as an official survey from Iraq's Ministry of Foreign Affairs, adding a layer of social engineering to the attack.
Technical Sophistication and AI Assistance
Zscaler's analysis of the TWINTALK and GHOSTFORM source code revealed placeholder values, emojis, and Unicode text, suggesting that generative artificial intelligence tools may have been used to assist with the malware's development. This fits a growing trend across both criminal and state-aligned malware development, where AI tools are leveraged to accelerate the creation of tooling.
Historical Context and Attribution
The campaign shows connections to previous Iranian cyber operations. The C2 domain associated with TWINTALK, "meetingapp[.]site," was previously used by Dust Specter actors in a July 2025 campaign to host a fake Cisco Webex meeting invitation page. This page instructed users to copy, paste, and run a PowerShell script to join the meeting - a tactic that mirrors ClickFix-style social engineering attacks.
The PowerShell script used in the earlier campaign created directories on compromised hosts, attempted to fetch unspecified payloads from the same domain, and created scheduled tasks to run malicious binaries every two hours.
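A scheduled-task audit for the two-hour persistence pattern described in the earlier campaign, added here as a Python example (it is not Zscaler's analysis code and not the campaign's script). It parses the XML that Task Scheduler stores under C:\Windows\System32\Tasks and that `schtasks /query /tn <name> /xml` exports, and flags tasks that repeat at two hours or less and whose Exec action points into a user-writable directory; the task bodies below are constructed, and the binary paths and dates in them are placeholders.

```python
"""Audit exported Task Scheduler XML for the two-hour persistence pattern.

Added example, not from Zscaler or the original campaign script. Task names and
binary paths in the embedded samples are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories an unprivileged user (or a dropper running as one) can write to.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
MAX_INTERVAL_S = 2 * 3600  # the write-up's two-hour cadence, inclusive


def iso_duration_seconds(value: str) -> int:
    """Convert the ISO 8601 duration Task Scheduler uses (e.g. PT2H) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def audit_task(xml_text: str) -> dict:
    """Summarise one task definition and decide whether it matches the pattern."""
    # schtasks exports are UTF-16 with an XML declaration; once decoded to str,
    # the BOM and declaration must go or ElementTree rejects the encoding claim.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text.lstrip("\ufeff"))
    root = ET.fromstring(xml_text)
    intervals = [iso_duration_seconds(e.text)
                 for e in root.findall(".//t:Repetition/t:Interval", NS)]
    commands = [(e.text or "").strip().strip('"')
                for e in root.findall(".//t:Exec/t:Command", NS)]
    shortest = min(intervals) if intervals else None
    writable = [c for c in commands if c.lower().startswith(USER_WRITABLE)]
    return {
        "shortest_interval_s": shortest,
        "commands": commands,
        "writable_commands": writable,
        "suspicious": shortest is not None and shortest <= MAX_INTERVAL_S and bool(writable),
    }


# Constructed sample: repeats every two hours, runs a binary from ProgramData.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT2H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-07-14T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\ProgramData\Placeholder\agent.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: same cadence, but the binary sits under Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2025-07-14T09:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions>
    <Exec><Command>"C:\Program Files\Vendor\updater.exe"</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: user-writable path, but a plain daily trigger with no repetition.
DAILY_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-07-14T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions>
    <Exec><Command>C:\Users\ali\AppData\Local\Tool\sync.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, body in [("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK), ("daily", DAILY_TASK)]:
        print(name, audit_task(body))
```

Only the first sample is flagged; the second fails the path test and the third has no repetition interval at all. Feeding it real exports means decoding the UTF-16 output of `schtasks` (or reading the task files under System32\Tasks, which are also UTF-16) before calling audit_task, and the interval threshold is a starting point rather than a rule: the same check with a looser threshold catches any short-cadence task launched from a user-writable path.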
Zscaler attributes the campaign to Dust Specter with "medium-to-high confidence," citing several factors:
- Iranian hacking groups have a history of developing custom lightweight .NET backdoors
- The use of compromised Iraqi government infrastructure has been observed in past campaigns linked to threat actors like OilRig (APT34)
- The campaign's targeting of Iraqi government officials aligns with known Iranian geopolitical interests
Broader Implications
This campaign reflects several broader trends in the cybersecurity landscape:
- ClickFix-style techniques: The use of social engineering to trick users into executing malicious PowerShell scripts
- AI-assisted development: The potential use of generative AI tools in malware creation
- Geopolitical targeting: Continued focus on government officials in strategically important regions
- Evasion sophistication: Advanced techniques to avoid detection and maintain persistence
The combination of social engineering, legitimate software sideloading, in-memory execution, and AI-assisted development makes this campaign particularly challenging to detect and mitigate. Organizations in Iraq and other Middle Eastern countries should be particularly vigilant, especially government agencies and officials who may be targeted by similar impersonation attempts.
For defenders, this campaign underscores the importance of:
- Monitoring for unusual PowerShell activity and in-memory execution
- Implementing application allowlisting to prevent unauthorized software execution
- Training users to recognize social engineering attempts, particularly those impersonating government agencies
- Maintaining updated threat intelligence on emerging malware families and attack techniques
The Dust Specter campaign represents a significant evolution in targeted cyber espionage, combining traditional attack methods with emerging technologies and sophisticated evasion techniques to achieve its objectives.
