
Iran-Linked Dust Specter APT Uses AI-Enhanced Malware Against Iraqi Officials


Iran-linked APT Group "Dust Specter" Targets Iraqi Government with Advanced Malware

A recent campaign attributed to an Iran-linked advanced persistent threat (APT) group tracked as "Dust Specter" is targeting Iraqi government officials with custom .NET malware that shows signs of AI-assisted development. The intrusions use two parallel attack chains that combine DLL sideloading, in-memory PowerShell execution and ClickFix-style lures.

Zscaler ThreatLabz observed the campaign in January 2026. The actor impersonates officials from Iraq's Ministry of Foreign Affairs and hosts its payloads on compromised government infrastructure, which lends the lures credibility and makes the activity harder for the targeted officials to tell apart from legitimate ministry communication.

ThreatLabz identified four previously undocumented .NET components, SPLITDROP, TWINTASK, TWINTALK and GHOSTFORM, that make up the two attack chains. Reused infrastructure also ties this campaign to a ClickFix operation from July 2025 that used a Webex-themed lure hosted on the domain meetingapp[.]site.

ThreatLabz tracks the group internally as "Dust Specter" and assesses with medium-to-high confidence that it operates in support of Iranian interests. The assessment rests on overlapping tooling, victimology and tactics, techniques and procedures (TTPs) that resemble earlier Iranian APT activity against Iraq, in particular activity attributed to APT34.

Understanding the Components of the Malware

The first chain starts with a password-protected RAR archive named "mofa-Network-code.rar" that poses as correspondence from the Ministry of Foreign Affairs. Inside is a 32-bit .NET binary disguised as a WinRAR executable: the SPLITDROP dropper. It prompts the user for a password, then decrypts an embedded AES-256-encrypted resource to the file C:\ProgramData\PolGuid.zip and extracts it.

The extracted PolGuid directory contains a legitimate VLC.exe, which is used to sideload the TWINTASK worker module as a DLL. TWINTASK polls the file in.txt in C:\ProgramData\PolGuid every 15 seconds, base64-decodes the commands it finds there, runs them through PowerShell and writes the results to out.txt in the same directory.

The first commands establish persistence by creating Run-key entries for VLC.exe and for a bundled copy of WingetUI.exe. WingetUI.exe in turn sideloads hostfxr.dll, the TWINTALK orchestrator. TWINTALK contacts its command-and-control (C2) server using randomly generated hexadecimal URI paths and a simple JWT for authorization, which lets the server tell genuine bot traffic from sandbox or analyst probing.
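The chain above leaves a small, specific set of host artefacts: a media player running from ProgramData, PowerShell spawned by that media player, repeated writes to in.txt and out.txt, and Run-key values pointing into the staging directory. The Python below is an added example written for this page, not ThreatLabz code and not code from the malware; it runs a few rules over constructed Sysmon-style events (the field names, paths and sample events are assumptions) and decodes the base64 lines an in.txt-style tasking file would hold, reporting rather than silently skipping lines that fail to decode.

```python
"""Triage of constructed Sysmon-style telemetry for the SPLITDROP/TWINTASK chain.

Added example: not code from ThreatLabz or from the malware. Event fields, the
sample events and the decode_tasking() line format are assumptions.
"""
import base64
import binascii
import ntpath

STAGING_DIR = r"C:\ProgramData\PolGuid"
# Legitimate signed binaries the chain abuses as DLL-sideloading hosts.
SIDELOAD_HOSTS = {"vlc.exe", "wingetui.exe"}
TASK_FILES = {"in.txt", "out.txt"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Constructed events modelled loosely on Sysmon EventIDs 1 (process create),
# 11 (file create) and 13 (registry value set). Not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\ProgramData\PolGuid\VLC.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\mofa-Network-code.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\ProgramData\PolGuid\VLC.exe"},
    {"id": 11, "image": r"C:\ProgramData\PolGuid\VLC.exe",
     "target": r"C:\ProgramData\PolGuid\out.txt"},
    {"id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\ProgramData\PolGuid\WingetUI.exe"},
    # Benign noise: a real VLC install launched from Program Files by Explorer.
    {"id": 1, "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def _name(path):
    return ntpath.basename(path).lower()


def _under_staging(path):
    return path.lower().startswith(STAGING_DIR.lower() + "\\")


def triage(events):
    """Return (rule, event) hits for the behaviours the chain exhibits."""
    hits = []
    for ev in events:
        img = ev.get("image", "")
        if ev["id"] == 1:
            parent = ev.get("parent_image", "")
            # A sideload host living in ProgramData instead of its install dir.
            if _name(img) in SIDELOAD_HOSTS and _under_staging(img):
                hits.append(("sideload_host_in_programdata", ev))
            # PowerShell spawned by the sideload host is how TWINTASK runs tasks.
            if _name(img) in SCRIPT_HOSTS and _name(parent) in SIDELOAD_HOSTS:
                hits.append(("powershell_child_of_sideload_host", ev))
        elif ev["id"] == 11:
            tgt = ev.get("target", "")
            if _under_staging(tgt) and _name(tgt) in TASK_FILES:
                hits.append(("tasking_file_io", ev))
        elif ev["id"] == 13:
            tgt = ev.get("target", "")
            if "\\currentversion\\run\\" in tgt.lower() and _under_staging(ev.get("details", "")):
                hits.append(("run_key_to_programdata_binary", ev))
    return hits


def decode_tasking(in_txt):
    """Decode the base64 lines an in.txt-style tasking file would carry.

    One command per line is an assumption; malformed lines are reported, not dropped.
    """
    decoded = []
    for n, line in enumerate(in_txt.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            decoded.append(base64.b64decode(line, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            decoded.append(f"<undecodable line {n}>")
    return decoded


if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev.get("image"))
    sample_in = base64.b64encode(b"whoami /all").decode() + "\n!!notbase64\n"
    print(decode_tasking(sample_in))
```

The rules are deliberately narrow to the reported chain (specific binaries, specific directory, specific file names); a production detection would generalise the first two rules to any signed host binary executing from a user-writable directory and spawning a script interpreter.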

The GHOSTFORM Malware

The second chain drops the split design in favour of GHOSTFORM, a single .NET remote access tool (RAT) that combines the functions of SPLITDROP, TWINTASK and TWINTALK, with a stronger emphasis on stealth and social engineering. Some variants carry a hardcoded Google Forms URL that opens a fake Arabic-language survey presented as an official Ministry of Foreign Affairs questionnaire for government personnel.

Besides jittered beaconing delays, GHOSTFORM creates a Windows form with very low opacity, so the window is nearly invisible on screen and in the taskbar. Displaying this form serves as a deliberate delay before the malware returns to its main loop.
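The C2 traits described for TWINTALK (random hexadecimal URI paths, a JWT for authorization) and GHOSTFORM (jittered beacon intervals) can be hunted together in proxy logs. The Python below is an added example for this page, not code from ThreatLabz or from the malware; the log format, the host names, the thresholds and the assumption that the JWT travels as a Bearer credential are all constructed for illustration.

```python
"""Beacon hunting over constructed proxy logs: hex-only, never-repeating URI
paths plus low-jitter request intervals.

Added example, not ThreatLabz code and not derived from the malware. The log
format, thresholds, host names and timings are assumptions; ".invalid" is a
reserved TLD, so no real domain is referenced.
"""
import re
import statistics
from collections import defaultdict

# Constructed log lines: "<epoch> <client> <method> <url> <authorization-scheme>".
# 10.0.0.5 sleeps about 60 s with small jitter and hits a fresh hex path each
# time; 10.0.0.7 is ordinary browsing to an internal API.
SAMPLE_LOG = """\
1700000000 10.0.0.5 POST https://c2.example.invalid/3f9a1c77e2b04d5a Bearer
1700000061 10.0.0.5 POST https://c2.example.invalid/b81e0f3acd2291f0 Bearer
1700000118 10.0.0.5 POST https://c2.example.invalid/0a4d7e9c5b33f12e Bearer
1700000182 10.0.0.5 POST https://c2.example.invalid/e77c2b1d9f04a6c8 Bearer
1700000239 10.0.0.5 POST https://c2.example.invalid/5d0b8e2fa13c47e9 Bearer
1700000005 10.0.0.7 GET https://docs.example.invalid/api/v2/users -
1700000600 10.0.0.7 GET https://docs.example.invalid/api/v2/users/42 -
1700003000 10.0.0.7 GET https://docs.example.invalid/search?q=vpn -
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+)$")
HEX_PATH_RE = re.compile(r"^/[0-9a-fA-F]{8,}$")


def parse(log):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, auth = m.groups()
        host, _, path = url.split("://", 1)[1].partition("/")
        rows.append({"ts": int(ts), "client": client, "host": host,
                     "path": "/" + path, "auth": auth})
    return rows


def score_pairs(rows, min_requests=4, max_jitter=0.3):
    """Return one finding per (client, host) that looks like a jittered beacon.

    Jitter ratio = population stdev / median of inter-request gaps. A sleep with
    +/-N% jitter keeps this low; human browsing does not. Hex-only paths that
    never repeat are the second signal. A bearer credential on every request is
    recorded as context, not used as a condition, because it is also normal for
    API clients.
    """
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["client"], r["host"])].append(r)
    findings = []
    for (client, host), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(reqs, reqs[1:])]
        median = statistics.median(gaps)
        jitter = statistics.pstdev(gaps) / median if median else float("inf")
        paths = [r["path"] for r in reqs]
        hex_paths = all(HEX_PATH_RE.match(p) for p in paths)
        unique_paths = len(set(paths)) == len(paths)
        bearer = all(r["auth"].lower() == "bearer" for r in reqs)
        if jitter <= max_jitter and hex_paths and unique_paths:
            findings.append({"client": client, "host": host, "median_gap": median,
                             "jitter": round(jitter, 3), "bearer_on_all": bearer})
    return findings


if __name__ == "__main__":
    for finding in score_pairs(parse(SAMPLE_LOG)):
        print(finding)
```

On the constructed input only the 10.0.0.5 pair is reported (median gap 59 s, jitter ratio about 0.05). The thresholds are starting points: widen max_jitter for implants with aggressive jitter, and pair this with the JWT observation by checking whether the token's issuer or claims are ones your organisation actually uses.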

GHOSTFORM also enforces single-instance execution with a named mutex in the Global\ namespace and derives its bot ID from the assembly's creation time rather than generating a random value, so the identifier stays stable across runs of the same build.

ThreatLabz observed that both TWINTALK and GHOSTFORM contain emojis, unusual Unicode characters and placeholder-like constants in their code, traits that match patterns associated with generative AI tooling in earlier Iranian-linked campaigns. This suggests the actor is experimenting with AI-assisted malware development, consistent with broader reporting that Iranian APTs are integrating AI into their tooling and operations.

The shared infrastructure, including meetingapp[.]site, earlier hosted a ClickFix lure that pushed victims to run a PowerShell command which downloaded a malicious payload named WinWebex.exe.

Conclusion

Dust Specter's operations illustrate a worrying trend: targeted, multi-stage intrusions against government entities that pair custom tooling with impersonation of the victim's own institutions. They underline the need for stronger protective measures in government networks, and defenders should expect the use of AI in malware development to grow, bringing new challenges for analysts and new opportunities for attackers.

