Iran-Linked “Dust Specter” Campaign Targets Iraqi Officials with New Malware Arsenal
A suspected Iran-linked cyber campaign impersonates Iraq’s Ministry of Foreign Affairs to deploy advanced malware and stealthy command-and-control infrastructure.

New Cyber Espionage Campaign Targets Iraqi Government
Security researchers have uncovered a sophisticated cyber espionage campaign targeting government officials in Iraq. The operation, attributed to a suspected Iran-linked threat actor tracked as Dust Specter, uses social engineering and newly discovered malware families to compromise victims.
Researchers observed the campaign in early 2026. The attackers impersonated Iraq’s Ministry of Foreign Affairs to deliver malicious payloads designed to infiltrate government systems and establish long-term access.
The operation ultimately deploys several previously undocumented malware tools, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM, each playing a specific role in the attack chain.
This campaign highlights a growing trend where threat actors combine social engineering, infrastructure compromise, and stealthy malware techniques to target government networks.
Infection Chain Begins with Disguised Archive Files
The first attack sequence begins with a password-protected RAR archive sent to potential victims. Inside the archive, attackers include a .NET-based dropper named SPLITDROP.
Once executed, SPLITDROP deploys two additional components:
- TWINTASK – a worker module responsible for executing commands
- TWINTALK – a command-and-control (C2) orchestrator that communicates with attacker infrastructure
TWINTASK operates as a malicious DLL disguised as libvlc.dll. It is sideloaded through a legitimate application binary, which allows the malware to run while appearing legitimate.
After execution, TWINTASK periodically checks a local file every 15 seconds for commands. It then executes those commands using PowerShell. The malware also captures command outputs and errors, storing them locally for later retrieval.
Additionally, the malware establishes persistence by modifying Windows Registry entries, ensuring the attackers maintain access even after system reboots.
Coordinated Command-and-Control Operations
Meanwhile, the TWINTALK component manages communication with the attacker’s command-and-control infrastructure.
The malware retrieves instructions from remote servers and coordinates actions with the TWINTASK module. It can also upload stolen data, download additional payloads, and send execution results back to the attackers.
To avoid detection, the attackers implemented several evasion techniques, including:
- Randomized URI paths for C2 communication
- Checksum values appended to requests to verify legitimate infections
- Geofencing restrictions to limit access from certain locations
- User-Agent verification to filter unwanted connections
Additionally, TWINTALK introduces random execution delays, which helps the malware avoid triggering security alerts based on predictable behavior patterns.
GHOSTFORM: A More Advanced Second Attack Chain
Researchers also discovered a second infection chain involving a more advanced malware variant called GHOSTFORM.
Unlike the earlier method that relied on multiple components, GHOSTFORM consolidates the functionality of TWINTASK and TWINTALK into a single binary. This evolution allows the malware to operate more efficiently while reducing detectable artifacts.
One key improvement involves in-memory PowerShell execution, which eliminates the need to store malicious commands on disk. As a result, security tools that rely on file-based detection may struggle to identify the activity.
Some GHOSTFORM samples also contain a hardcoded Google Forms link. When executed, the malware automatically opens the form in the victim’s browser.
The form, written in Arabic, masquerades as a legitimate survey from Iraq’s Ministry of Foreign Affairs. This tactic adds another layer of social engineering designed to reinforce the legitimacy of the attack.
AI-Assisted Malware Development Emerging
Researchers analyzing the malware code also identified unusual elements such as placeholder variables, emojis, and Unicode text embedded within the source code.
These artifacts suggest that generative AI tools may have assisted in the malware’s development process.
While AI-assisted coding does not automatically produce advanced malware, it can accelerate development, reduce manual effort, and help attackers experiment with new techniques more rapidly.
As AI capabilities expand, cybersecurity teams increasingly expect threat actors to incorporate AI into malware development and campaign planning.
Reused Infrastructure and Social Engineering Tactics
Investigators also connected the command-and-control domain meetingapp[.]site to earlier malicious activity. The same infrastructure hosted a fake Cisco Webex meeting invitation page in 2025.
That campaign used ClickFix-style social engineering, instructing victims to copy and run PowerShell commands in order to join a meeting.
Once executed, the script created directories, downloaded malicious payloads, and scheduled recurring tasks that launched malware every two hours.
Such techniques allow attackers to bypass traditional phishing defenses by persuading victims to execute malicious commands themselves.
A Reminder of Rising Cyber Threats in Government Sectors
The campaign appears to align with tactics previously used by Iranian-linked cyber groups. In particular, the use of lightweight .NET backdoors and compromised regional infrastructure mirrors methods associated with past espionage campaigns.
Targeting government officials also reflects a broader trend in cyber operations focused on intelligence gathering and geopolitical influence.
For cybersecurity leaders and government agencies, the Dust Specter campaign highlights the importance of:
- Monitoring supply chain and government infrastructure exposures
- Detecting DLL sideloading techniques
- Inspecting PowerShell activity across endpoints
- Strengthening defenses against social engineering attacks
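The TWINTASK behaviours described earlier (libvlc.dll sideloading by a non-VLC host, a 15-second PowerShell poll loop, Run-key persistence) map directly onto the detection items in this list, and can be correlated so that no single weak signal fires alone. The Python below is an added example written for this article, not code from the researchers; the Sysmon-style event records are constructed, and the host path, process IDs, VLC install directories and cadence thresholds are assumptions.

```python
from collections import defaultdict
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
HOST = r"C:\Users\u\AppData\Roaming\Meet\updater.exe"  # constructed sideload host, not a real IoC
VLC_DIRS = (r"c:\program files\videolan\vlc", r"c:\program files (x86)\videolan\vlc")
# Constructed Sysmon-style records (7 = ImageLoad, 1 = ProcessCreate, 13 = RegistryEvent); t is seconds.
EVENTS = [
    {"id": 7, "t": 0, "pid": 4242, "image": HOST, "loaded": r"C:\Users\u\AppData\Roaming\Meet\libvlc.dll"},
    {"id": 1, "t": 15, "ppid": 4242, "image": PS},
    {"id": 1, "t": 30, "ppid": 4242, "image": PS},
    {"id": 1, "t": 46, "ppid": 4242, "image": PS},
    {"id": 1, "t": 60, "ppid": 4242, "image": PS},
    {"id": 13, "t": 61, "pid": 4242, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # Benign control: the real VLC player loading its own libvlc.dll, plus one ad-hoc PowerShell launch.
    {"id": 7, "t": 5, "pid": 100, "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    {"id": 1, "t": 300, "ppid": 100, "image": PS},
]

def sideload_suspects(events):
    """libvlc.dll loaded by a host other than vlc.exe, or from outside the VLC install directory."""
    hits = set()
    for e in events:
        if e["id"] != 7 or not e["loaded"].lower().endswith("\\libvlc.dll"):
            continue
        host_ok = e["image"].lower().endswith("\\vlc.exe")
        dir_ok = e["loaded"].lower().rsplit("\\", 1)[0] in VLC_DIRS
        if not (host_ok and dir_ok):
            hits.add(e["pid"])
    return hits

def periodic_powershell_parents(events, period=15, tolerance=2, min_runs=3):
    """Parents launching powershell.exe on a near-fixed cadence, like TWINTASK's 15-second poll loop."""
    spawns = defaultdict(list)
    for e in events:
        if e["id"] == 1 and e["image"].lower().endswith("\\powershell.exe"):
            spawns[e["ppid"]].append(e["t"])
    hits = set()
    for ppid, ts in spawns.items():
        gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        if len(gaps) >= min_runs - 1 and all(abs(g - period) <= tolerance for g in gaps):
            hits.add(ppid)
    return hits

def run_key_writers(events):  # processes writing under a CurrentVersion\Run key (reboot persistence)
    return {e["pid"] for e in events if e["id"] == 13 and "\\currentversion\\run\\" in e["key"].lower()}

def correlate(events):
    """High confidence: a sideload suspect that also shows the poll loop or the Run-key write."""
    return sideload_suspects(events) & (periodic_powershell_parents(events) | run_key_writers(events))
```

GHOSTFORM's in-memory PowerShell execution removes the on-disk command file but not the process-creation cadence or the registry write, so the last two rules still apply to the consolidated variant.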
As cyber espionage operations continue evolving, organizations must remain vigilant against sophisticated campaigns that blend malware innovation with psychological manipulation.