In January 2026, a suspected Iran-nexus threat actor tracked as Dust Specter launched a sophisticated cyberattack campaign targeting government officials in Iraq by impersonating Iraq’s Ministry of Foreign Affairs. The Dust Specter APT group deployed two distinct attack chains using previously undocumented custom .NET-based malware families including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM, distributed via password-protected RAR archives and ClickFix-style social engineering lures designed to exploit victim trust in legitimate government communications.
The Dust Specter campaign demonstrates advanced operational security through exploitation of compromised Iraqi government infrastructure to host malicious payloads, providing an additional layer of legitimacy to the attack chain. Security researchers identified evidence of generative AI use in the Dust Specter malware development process, suggesting the Iran-linked threat group is incorporating AI-assisted coding techniques to accelerate malware creation and potentially evade detection through code obfuscation and variation techniques characteristic of AI-generated content.
The Dust Specter attack chains targeted Windows platforms within Iraqi government sectors, with the SPLITDROP dropper masquerading as legitimate WinRAR applications and deploying modular payloads through DLL sideloading techniques. The campaign’s command-and-control infrastructure utilized HTTPS communications with Chrome browser User-Agent impersonation, while the GHOSTFORM remote access trojan combined multiple malware functionalities into a single cohesive tool designed for persistent access and surveillance of Iraqi government officials aligned with Iranian intelligence collection priorities.
Dust Specter APT, a suspected Iran-linked threat group, launched a targeted campaign against Iraqi government officials using two related attack chains specifically designed to gain initial access and establish remote control over targeted individuals. In the first Dust Specter attack chain, the threat group distributed a password-protected RAR archive named “mofa-Network-code.rar”, meticulously crafted to appear as internal material from Iraq’s Ministry of Foreign Affairs. This Dust Specter social engineering approach targeted individuals connected to the ministry and exploited trust in government communications.
The malicious archive distributed by Dust Specter contained a 32-bit .NET file disguised as a WinRAR application, which functioned as the SPLITDROP dropper malware. When opened by victims, the Dust Specter SPLITDROP dropper displayed a password prompt and subsequently showed a message claiming the download had failed, effectively masking the malware’s actual execution and payload deployment activities occurring in the background.
Once active on compromised systems, the Dust Specter SPLITDROP dropper extracted additional malware files and launched a legitimate copy of VLC media player to further disguise malicious activity. This technique allowed the Dust Specter attackers to sideload a malicious DLL designated as TWINTASK, which then loaded the TWINTALK component responsible for command-and-control communications and managing the infected system through encrypted HTTPS channels.
The Dust Specter group also employed ClickFix-style social engineering tactics in their campaign. In July 2025, Dust Specter operators hosted a fake Cisco Webex for Government meeting page that instructed targets to execute a PowerShell command. This Dust Specter PowerShell command downloaded a malicious file and established a scheduled task to execute it repeatedly on the compromised system, providing persistent access for the Iran-linked threat actors.
The second Dust Specter attack chain relied on GHOSTFORM, a sophisticated single .NET remote access trojan that combined the functions of both TWINTASK and TWINTALK into a unified malware tool. The Dust Specter GHOSTFORM malware executed PowerShell commands directly in memory to reduce visible file artifacts on the compromised system, complicating forensic analysis and detection by endpoint security tools.
The GHOSTFORM malware deployed by Dust Specter ran inside an invisible Windows form application and employed timed delays before contacting its command-and-control server, helping the malware evade common sandbox analysis and behavioral detection methods. Dust Specter maintained persistence through Windows Run registry entries, ensuring GHOSTFORM would execute automatically upon system startup.
Both TWINTALK and GHOSTFORM malware components deployed by Dust Specter communicated with command-and-control servers over HTTPS connections while using User-Agent strings that imitated the Chrome browser to blend malicious traffic with legitimate web communications. The Dust Specter attackers also leveraged compromised Iraqi government infrastructure to host malicious payloads, including abuse of the legitimate domain ca[.]iq which delivered the ZIP archive containing the GHOSTFORM malware, providing additional legitimacy to the attack chain and evading domain reputation-based security controls.
Create endpoint detection rules that flag unexpected DLL loads from C:\ProgramData\ directories, particularly when the load is initiated by a legitimate binary such as VLC.exe or WingetUI.exe, which is not expected to load DLLs from non-standard paths. This detection strategy identifies Dust Specter TWINTASK DLL sideloading attempts and similar techniques employed by Iran-linked threat actors.
Implement monitoring for new registry entries created under HKCU:\Software\Microsoft\Windows\CurrentVersion\Run by processes running from C:\ProgramData\ directories, a non-standard persistence path that is characteristic of Dust Specter campaign techniques. Alert on registry modifications that establish autostart mechanisms for executables located in uncommon directories associated with malware persistence.
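To make the two host-level detections above concrete, here is an added example (not from the original post or any vendor product) that runs them over constructed Sysmon-style ImageLoad (Event ID 7) and RegistryEvent (Event ID 13) records; the binary list, the seven-day-free logic, the field names and the sample paths are assumptions.

```python
"""Host-level detections for the two behaviours described above, run over
constructed Sysmon-style events (ImageLoad = Event ID 7, RegistryEvent
value set = Event ID 13). Field names follow Sysmon's schema."""
import re

# Assumption: the hosts named in the text as sideloading victims.
SIDELOAD_HOSTS = {"vlc.exe", "wingetui.exe"}
PROGRAMDATA = re.compile(r"^c:\\programdata\\", re.IGNORECASE)
# Sysmon logs HKCU under the user's SID (HKU\S-1-5-21-...), so match the subkey only.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return alert strings for one event dict; an empty list means benign."""
    alerts = []
    if ev["EventID"] == 7:
        # A known sideloading host pulling a DLL out of C:\ProgramData\
        if basename(ev["Image"]) in SIDELOAD_HOSTS and PROGRAMDATA.match(ev["ImageLoaded"]):
            alerts.append(f"sideload: {basename(ev['Image'])} loaded {ev['ImageLoaded']}")
    elif ev["EventID"] == 13:
        # A process living in C:\ProgramData\ writing a Run-key autostart value
        if RUN_KEY.search(ev["TargetObject"]) and PROGRAMDATA.match(ev["Image"]):
            alerts.append(f"run-key persistence: {ev['Image']} wrote {ev['TargetObject']}")
    return alerts


def scan(events):
    """Run check_event over a list of events and collect every alert in order."""
    return [a for ev in events for a in check_event(ev)]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},                       # benign
    {"EventID": 7, "Image": r"C:\ProgramData\Updates\vlc.exe",
     "ImageLoaded": r"C:\ProgramData\Updates\libvlc.dll"},                       # alert
    {"EventID": 13, "Image": r"C:\ProgramData\Updates\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"},  # alert
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Vendor"},  # benign
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```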
Enforce security policies that quarantine or flag password-protected RAR and ZIP archives received via email or downloaded from external sources, as this delivery mechanism is central to Dust Specter’s Attack Chain 1. Implement email gateway controls that scan and alert on password-protected archives, particularly those masquerading as official government communications or internal ministry documents.
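As an added example (not from the original post) of the archive check described above, the following reads a ZIP archive's central directory and reports whether any entry has the encryption bit set; it assumes a non-ZIP64 archive and builds its own constructed sample. RAR archives need a format-specific parser and are not covered here.

```python
"""Detect password-protected ZIP archives by reading the general-purpose
flag (bit 0 = encrypted) of every central-directory entry."""
import io
import struct
import zipfile


def zip_entries(data):
    """Parse the central directory and return [(name, encrypted)] per entry.
    Assumption: classic (non-ZIP64) layout, single-disk archive."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_off
    for _ in range(total):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("central directory corrupt")
        flags, = struct.unpack_from("<H", data, pos + 8)
        fn_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + fn_len].decode("cp437", "replace")
        entries.append((name, bool(flags & 0x0001)))
        pos += 46 + fn_len + extra_len + comment_len
    return entries


def is_password_protected(data):
    """True if any entry carries the encryption flag; a gateway would quarantine it."""
    return any(enc for _, enc in zip_entries(data))


def build_sample(encrypted):
    """Constructed in-memory archive. The 'encrypted' variant only sets flag bit 0
    in the local and central headers; no real encryption is applied."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("sample.txt", b"plain text")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 0x01
    return bytes(data)


if __name__ == "__main__":
    for flag in (False, True):
        print(zip_entries(build_sample(flag)), is_password_protected(build_sample(flag)))
```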
Configure network inspection tools to detect JWT tokens in HTTP Authorization headers that contain non-standard fields, particularly numeric iat values inconsistent with Unix timestamps, as employed by TWINTALK and GHOSTFORM malware for bot identification in Dust Specter campaigns. Deploy SSL/TLS inspection capabilities to analyze encrypted HTTPS traffic for anomalous authentication patterns characteristic of Dust Specter command-and-control communications.
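An added example (not part of the original post) of the Authorization-header inspection described above: it decodes a Bearer JWT without verifying it and flags an iat that cannot be a current Unix timestamp, or claims outside the registered set. The seven-day plausibility window, the claim names and the sample tokens are assumptions.

```python
"""Inspect Bearer JWTs seen in HTTP Authorization headers (for example after
TLS inspection) and flag the traits described above."""
import base64
import json
import time

REGISTERED_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}
PLAUSIBLE_WINDOW = 7 * 86400  # assumption: a genuine iat is within a week of now


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_unverified(token):
    """Return (header, claims) of a compact JWT. The signature is deliberately
    not checked: this is traffic inspection, not token acceptance."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def inspect_authorization(header_value, now=None):
    """Return a list of findings for one Authorization header value."""
    now = int(time.time()) if now is None else now
    if not header_value.startswith("Bearer "):
        return []
    try:
        _, claims = decode_unverified(header_value[len("Bearer "):])
    except (ValueError, UnicodeDecodeError, AttributeError):
        return ["authorization: malformed JWT"]
    findings = []
    iat = claims.get("iat")
    if iat is not None and (not isinstance(iat, int) or abs(iat - now) > PLAUSIBLE_WINDOW):
        findings.append(f"iat not a plausible Unix timestamp: {iat!r}")
    extra = sorted(set(claims) - REGISTERED_CLAIMS)
    if extra:
        findings.append("non-standard claims: " + ", ".join(extra))
    return findings


def make_token(claims):
    """Constructed sample token with a dummy signature, used only to feed the inspector."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"
```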
Implement egress filtering policies that flag or block outbound HTTPS requests where the User-Agent is an exact static match to known malicious strings used by Dust Specter campaign malware. Apply geofencing controls to restrict unexpected outbound connections to infrastructure in unusual geolocations associated with Iran-nexus threat actor command-and-control infrastructure, providing additional detection opportunities for Dust Specter operations.
Resource Development:
Initial Access:
Execution:
Persistence:
Defense Evasion:
Discovery:
Command and Control:
Exfiltration:
MD5:
SHA256 (selected):
Filenames:
Malicious Domains:
Compromised Infrastructure: