
Iranian Cyber Threat Actor Attacks Iraqi Government Officials

Cyber Threat Actor Targets Iraqi Government Officials with Impersonation Tactics

A cyber threat actor linked to Iran has been targeting government officials in Iraq by impersonating the country's Ministry of Foreign Affairs. The malware used in the campaign shows signs of having been developed with generative AI tools, part of a broader trend in state-aligned cyber operations.

Several Iraqi government systems were also compromised and repurposed to host the campaign's malicious payloads. Zscaler ThreatLabz, a cybersecurity firm, detected the activity in January 2026 and tracks the actor as "Dust Specter"; it attributes the campaign to Iranian operatives with medium to high confidence.

The researchers identified several previously undocumented malware families in the campaign: SplitDrop, TwinTask, TwinTalk, and GhostForm. Examining the code more closely, they found numerous fingerprints suggesting that Dust Specter used generative AI during the malware's development, a sign of how readily such tools are now available to threat actors.

Understanding Dust Specter’s Attack Campaign

The campaign used two distinct attack chains, each taking a different approach to reaching its targets.

The first attack chain begins with a password-protected RAR archive named mofa-Network-code.rar. Inside is a 32-bit .NET binary disguised as the WinRAR application, which serves as the entry point. This binary, SplitDrop, acts as a dropper and launches two dynamic-link libraries (DLLs), TwinTask and TwinTalk, that carry out the rest of the chain.

TwinTask is the worker module: it polls a designated file for new commands and executes each one with PowerShell. TwinTalk is the command-and-control (C2) orchestrator: it polls the C2 server for new directives, coordinates with the worker module, and exfiltrates the results of executed commands.

The two components work in tandem through this file-based polling mechanism. Separating the module that talks to the network from the module that executes commands lets the pair run attacker-supplied code while presenting fewer obvious indicators to defenders.
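The split architecture described above has a behavioural tell that does not depend on any file hash: a single long-running parent process hands commands to PowerShell over and over at a roughly constant interval. The following detection heuristic is an added example written for this article; it is not code from ThreatLabz or from the Dust Specter malware, and the process names, paths, PIDs and timestamps in the sample records are constructed for illustration, not indicators from the report. Record fields follow Sysmon Event ID 1 (process creation) naming.

```python
"""Cadence heuristic for a parent process that repeatedly hands commands to PowerShell.

Written for the behaviour described in the article (a dropper posing as WinRAR whose
worker module polls a file and runs each new command through PowerShell). The input
records are constructed here and follow Sysmon Event ID 1 field names; the sample
paths, PIDs and timestamps are made up for illustration and are not IOCs.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Launchers that start PowerShell interactively or routinely; tune per environment.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "code.exe", "services.exe", "svchost.exe"}

# Matches -W Hidden, -Win Hidden, -WindowStyle Hidden (PowerShell accepts any prefix of the switch name).
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden", re.IGNORECASE)

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # Analyst opening an interactive shell: one spawn from explorer, benign.
    {"UtcTime": "2026-01-14 09:00:02", "ParentProcessId": 1234,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    # Hypothetical dropper (path and PID assumed) driving PowerShell every ~30 s.
    *[
        {"UtcTime": t, "ParentProcessId": 4412,
         "ParentImage": r"C:\Users\user\Downloads\mofa-Network-code\WinRAR.exe",
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": 'powershell.exe -NoP -NonI -W Hidden -Command "..."'}
        for t in ("2026-01-14 09:05:00", "2026-01-14 09:05:30", "2026-01-14 09:06:01",
                  "2026-01-14 09:06:30", "2026-01-14 09:07:00")
    ],
    # Third-party updater (assumed) that uses PowerShell a few times, irregularly: not a poller.
    *[
        {"UtcTime": t, "ParentProcessId": 2200,
         "ParentImage": r"C:\Program Files\ExampleVendor\updater.exe",
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": "powershell.exe -File C:\\ProgramData\\ExampleVendor\\post.ps1"}
        for t in ("2026-01-14 09:10:00", "2026-01-14 09:17:45", "2026-01-14 09:40:10")
    ],
]


def basename(path):
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_powershell_pollers(events, min_spawns=3, max_jitter_s=5.0):
    """Return {(parent_image, parent_pid): summary} for parents that launch PowerShell
    at least min_spawns times with near-constant spacing (population std dev of the
    inter-spawn gaps <= max_jitter_s). Regular spacing is the tell for a polling loop;
    human-driven or event-driven use of PowerShell is bursty."""
    by_parent = defaultdict(list)
    for ev in events:
        if basename(ev["Image"]) not in POWERSHELL_IMAGES:
            continue
        if basename(ev["ParentImage"]) in EXPECTED_PARENTS:
            continue
        by_parent[(ev["ParentImage"], ev["ParentProcessId"])].append(ev)

    findings = {}
    for key, evs in by_parent.items():
        if len(evs) < min_spawns:
            continue
        times = sorted(parse_time(e["UtcTime"]) for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps)
        if jitter > max_jitter_s:
            continue
        findings[key] = {
            "count": len(evs),
            "mean_gap_s": mean(gaps),
            "jitter_s": jitter,
            "hidden_window": sum(bool(HIDDEN_WINDOW.search(e["CommandLine"])) for e in evs),
        }
    return findings


if __name__ == "__main__":
    for (parent, pid), info in find_powershell_pollers(SAMPLE_EVENTS).items():
        print(f"{parent} (pid {pid}): {info['count']} PowerShell spawns, "
              f"every {info['mean_gap_s']:.0f}s +/-{info['jitter_s']:.1f}s, "
              f"{info['hidden_window']} with hidden window")
```

On the constructed sample the only parent flagged is the fake WinRAR binary; the updater also spawns PowerShell three times but at irregular gaps, so it falls outside the jitter bound. In production the thresholds, the parent allow-list and the spawn count all need tuning against a baseline, and the heuristic only covers implants that launch powershell.exe as a child process; an implant that hosts the PowerShell runtime in its own process would need script block logging (Event ID 4104) instead.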

In a report published on March 2, ThreatLabz researchers described Dust Specter's earlier tactics. The TwinTalk C2 domain had already been used in a July 2025 operation in which a web page disguised as a Cisco Webex meeting invitation lured victims into downloading legitimate Cisco Webex software and selecting the "Webex for Government" option, a social engineering scheme aimed at obtaining sensitive information.

The second attack chain takes a more streamlined approach, consolidating all of the first chain's functionality into a single binary. Fewer components mean faster execution and a smaller footprint on the victim's machine. Using a Google Forms page as the social engineering lure, the threat actor executed commands from the C2 server through in-memory PowerShell scripts, leaving fewer artifacts on disk for defenders to find.

This second chain drops the split architecture of the first entirely. In its place is a .NET-based remote access trojan (RAT), named GhostForm by the researchers, that encapsulates all of the earlier functionality in one implant.

When ThreatLabz examined the TwinTalk and GhostForm codebases, they noted emojis and Unicode text in the code, a style that is unusual for hand-written malware and points to the use of generative AI tools during development. The observation fits a broader trend of threat actors incorporating generative AI into their tooling.

Conclusion

The Dust Specter campaign shows how quickly threat actors are adopting generative AI for malware development, and how readily compromised government infrastructure can be turned against a nation's own officials. As AI-assisted tooling becomes routine in cyber operations, governments and cybersecurity agencies need to treat impersonation of trusted ministries, password-protected archives, and binaries masquerading as common utilities as warning signs, and to monitor for the PowerShell-driven command execution these implants rely on.
