Iran‑Nexus APT ‘Dust Specter’ Hits Iraqi Officials with AI‑Assisted Malware and Novel RATs

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

In January 2026, a targeted cyberattack emerged against government officials in Iraq. The threat group, tracked as Dust Specter, impersonated Iraq’s Ministry of Foreign Affairs to trick high-value targets into downloading malicious files.

The campaign introduced four previously undocumented malware tools — SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM — each reflecting the precision of a seasoned, state-linked actor.

Researchers attribute this campaign with medium-to-high confidence to an Iran-nexus threat actor, based on consistent overlaps in tools, techniques, and victim selection with known Iranian APT groups.

Dust Specter’s first attack chain was delivered through a password-protected RAR archive named mofa-Network-code.rar, disguised as an official Ministry document.

When opened, a .NET binary masquerading as a WinRAR application — SPLITDROP — decrypted an AES-256-encrypted embedded payload and dropped malicious files onto the victim’s machine.

SPLITDROP displayed a false error message, “The download did not complete successfully,” while operating silently.

The second chain used GHOSTFORM, which opened a fake Arabic Google Form survey posing as a government questionnaire while malware ran undetected.

Google Form Lure (Source – Zscaler)

Zscaler ThreatLabz researchers identified fingerprints in the codebase pointing to the use of generative AI during malware development. Emojis and unicode characters embedded inside both TWINTALK and GHOSTFORM source code match a pattern tied to AI-generated programming.

A hardcoded seed value of 0xABCDEF — a placeholder found in AI-written code — was also uncovered inside TWINTALK’s checksum generation function.

This marks a shift in how threat actors approach development, with AI now used not just for planning but for writing functional malicious code.

The same group was also connected to a ClickFix-style attack from July 2025, where a webpage mimicking a Cisco Webex Government meeting invitation directed victims to run a PowerShell command.

ClickFix Lure (Source – Zscaler)

That command downloaded a malicious binary and registered a scheduled task to execute every two hours. Iraq’s Ministry of Foreign Affairs has historically been a priority target for Iran-linked groups like APT34, and this campaign follows that established pattern closely.

Inside the Infection: DLL Sideloading and Persistent Access

The infection mechanism in Attack Chain 1 was designed to blend into legitimate system activity without raising alarms. After SPLITDROP extracted its payload into a local directory, it launched a genuine VLC Media Player binary, which automatically sideloaded a malicious DLL named libvlc.dll placed in the same folder.

DLL sideloading abuses the trust placed in a recognized, legitimately signed application: the host process loads a DLL of the expected name from its own directory, so the malicious code runs under that application’s identity, and no elevated privileges are required.

The malicious DLL, named TWINTASK, functioned as a worker module that polled a local text file every 15 seconds, reading and executing Base64-encoded PowerShell commands received from the C2 orchestrator.

Contents of the working directory after SPLITDROP extraction (Source – Zscaler)
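The sideloading pattern described above (a trusted host executable launched from a dropped directory, loading a same-named DLL that sits beside it) is visible in image-load telemetry. The following script is an added example, not code from the article or from Zscaler's report: it takes Sysmon Event ID 7 (ImageLoad)-style records and flags the host/DLL pairs named in the campaign (vlc.exe with libvlc.dll, WingetUI.exe with hostfxr.dll) when the DLL is loaded from a directory outside the default install roots or is unsigned. The install roots, sample paths and signature states are constructed assumptions, not indicators from the report.

```python
"""Flag DLL-sideloading candidates in image-load telemetry.

Added example, not code from the article or from Zscaler's report. Sysmon
Event ID 7-style records are checked for DLLs that carry the name of a
library the host application legitimately ships but are loaded from an
untrusted directory or are unsigned. All paths below are constructed.
"""
import ntpath
from dataclasses import dataclass


@dataclass
class ImageLoad:
    process: str           # Sysmon "Image": the loading process
    dll: str               # Sysmon "ImageLoaded": the DLL that was mapped
    signed: bool           # Sysmon "Signed"
    signature_valid: bool  # Sysmon "SignatureStatus" == "Valid"


# Host application -> DLL names it normally loads from its own directory
# (the two pairs observed in the campaign).
SIDELOAD_PAIRS = {
    "vlc.exe": {"libvlc.dll"},
    "wingetui.exe": {"hostfxr.dll"},
}

# Assumption: default install roots from which a legitimately installed
# application is expected to load its own libraries.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)


def is_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def assess(event: ImageLoad) -> list:
    """Return the reasons an image load looks like sideloading ([] if none)."""
    proc_name = ntpath.basename(event.process).lower()
    dll_name = ntpath.basename(event.dll).lower()
    if dll_name not in SIDELOAD_PAIRS.get(proc_name, set()):
        return []  # not one of the host/DLL pairs we care about
    reasons = []
    proc_dir = ntpath.dirname(event.process).lower()
    dll_dir = ntpath.dirname(event.dll).lower()
    if dll_dir == proc_dir and not is_trusted_root(dll_dir):
        reasons.append("host and DLL co-located outside a trusted install root")
    if not (event.signed and event.signature_valid):
        reasons.append("DLL unsigned or signature invalid")
    return reasons


def triage(events) -> dict:
    """Map each suspicious DLL path to its list of reasons."""
    return {e.dll: r for e in events if (r := assess(e))}


# Constructed sample telemetry (not real IoCs): one legitimate VLC load, two
# loads mirroring the campaign's pattern of a trusted host executing from a
# user-writable directory beside an unsigned DLL, and an unrelated load.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r"C:\Program Files\VideoLAN\VLC\libvlc.dll", True, True),
    ImageLoad(r"C:\Users\victim\AppData\Roaming\mofa\vlc.exe",
              r"C:\Users\victim\AppData\Roaming\mofa\libvlc.dll", False, False),
    ImageLoad(r"C:\Users\victim\AppData\Roaming\mofa\WingetUI.exe",
              r"C:\Users\victim\AppData\Roaming\mofa\hostfxr.dll", False, False),
    ImageLoad(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\shell32.dll", True, True),
]

if __name__ == "__main__":
    for dll, reasons in triage(SAMPLE_EVENTS).items():
        print(dll, "->", "; ".join(reasons))
```

The two conditions are deliberately independent: a co-located DLL in a trusted root with a valid signature is the normal case, while either an untrusted directory or a failed signature on one of the watched names is enough to surface the event for review.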

TWINTASK then launched WingetUI.exe, which sideloaded a second malicious DLL named hostfxr.dll — the component called TWINTALK.

This acted as the C2 orchestrator, beaconing to remote servers at randomized intervals between 108 and 180 seconds to avoid pattern-based network detection rules.

To verify that requests came from genuinely infected machines rather than automated scanners, TWINTALK generated dynamic URI paths with appended checksum values.

The C2 server added verification through a hardcoded browser User-Agent string and applied geofencing to restrict responses to traffic from specific geographic regions only.
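Randomizing the beacon interval defeats rules that look for a fixed period, but a sleep-with-jitter loop still leaves a statistical footprint: many connections whose gaps all fall inside a narrow band. The script below is an added example, not code from the article or from Zscaler's report. It generalizes the 108 to 180 second observation into a detector for bounded-jitter beaconing over per-flow connection timestamps: for each (source, destination) pair it requires a minimum number of connections, a max/min gap ratio no greater than 2, and a low coefficient of variation. The log format, the internal hosts and the destination 203.0.113.10 (a documentation-range address) are constructed for the example.

```python
"""Surface bounded-jitter beaconing in outbound connection logs.

Added example, not code from the article or from Zscaler's report. For each
(src, dst) flow it computes inter-connection gaps and flags flows whose gaps
are numerous, stay within a narrow band and have a low coefficient of
variation: the footprint of a sleep-with-jitter loop rather than browsing.
Hosts, addresses and timestamps are constructed sample data.
"""
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_log(seed: int = 7) -> list:
    """Constructed connection log: one 'ISO-timestamp src dst:port' per line."""
    rng = random.Random(seed)
    t0 = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
    lines = []
    # Implant-like host: 24 connections with gaps drawn uniformly from 108-180 s.
    t = t0
    for _ in range(24):
        t += timedelta(seconds=rng.uniform(108, 180))
        lines.append(f"{t.isoformat()} 10.0.0.21 203.0.113.10:443")
    # Browsing-like host: bursty, irregular gaps to the same destination.
    t = t0
    for gap in (3, 1, 120, 7, 2, 600, 45, 2, 1, 900, 4):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.22 203.0.113.10:443")
    # Host with a single connection: too little data to judge.
    lines.append(f"{t0.isoformat()} 10.0.0.23 198.51.100.5:443")
    rng.shuffle(lines)  # real logs are rarely delivered in order
    return lines


def parse(lines) -> dict:
    """Group connection timestamps by (src, dst) flow key."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_candidates(flows, min_conns=8, max_spread=2.0, max_cv=0.3) -> dict:
    """Return flows whose inter-connection gaps look like bounded jitter."""
    findings = {}
    for key, times in flows.items():
        if len(times) < min_conns:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        lo, hi = min(gaps), max(gaps)
        if lo <= 0:
            continue  # duplicate timestamps: not a timer-driven pattern
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean
        if hi / lo <= max_spread and cv <= max_cv:
            findings[key] = {
                "connections": len(times),
                "min_gap_s": round(lo),
                "max_gap_s": round(hi),
                "mean_gap_s": round(mean),
                "cv": round(cv, 3),
            }
    return findings


if __name__ == "__main__":
    for (src, dst), stats in beacon_candidates(parse(build_sample_log())).items():
        print(f"{src} -> {dst}: {stats}")
```

The spread ratio is what separates jitter from ordinary traffic: any distribution confined to [108, 180] has a ratio of at most 1.67 and a coefficient of variation below 0.26, so the implant-like flow is always flagged, while a browsing host that mixes one-second and fifteen-minute gaps to the same server fails the ratio test however many connections it makes. Tune `min_conns` to the retention window of the log source, and pair the output with the User-Agent and URI-path indicators from the report before treating a hit as confirmed.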

Persistence was established through Windows Registry Run keys, ensuring both VLC.exe and WingetUI.exe relaunched automatically after every system restart, keeping the infection alive across reboots.

GHOSTFORM took a more creative approach — it launched an invisible Windows form with near-zero opacity, hidden from the taskbar — to delay its own execution without calling any Windows API that could trigger behavioral analysis tools.

Security teams should enforce strict application allowlisting to prevent unauthorized DLL sideloading through trusted binaries. Email and web gateways should be configured to block password-protected archives from unverified senders.

Enabling PowerShell script block logging and monitoring Windows Registry Run keys for unexpected new entries are critical defensive steps against this type of intrusion.
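Monitoring Run keys is most useful as a diff against a known-good baseline, because legitimate software (OneDrive, for instance) also autostarts from under AppData. The script below is an added example, not code from the article or from Zscaler's report: it compares a baseline and a current export of the HKCU\Software\Microsoft\Windows\CurrentVersion\Run values, represented as name-to-command dictionaries, and ranks new or changed entries higher when the launched image sits in a user-writable directory or is one of the sideloading hosts named in the campaign (vlc.exe, WingetUI.exe) running outside its normal install root. The value names, paths and install roots are hypothetical; the report does not give them.

```python
"""Diff Windows Run-key snapshots and rank new autostart entries.

Added example, not code from the article or from Zscaler's report. Two
snapshots of Run values (name -> command line, as a collector would export
them) are compared; new or changed entries are reported with reasons that
grow when the image is in a user-writable directory or is a known
sideloading host outside its install root. All names and paths are
hypothetical.
"""
import ntpath

# Host executables reported as sideloading carriers in this campaign.
SIDELOAD_HOSTS = {"vlc.exe", "wingetui.exe"}

# Assumption: default install roots for legitimately installed software.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Path fragments that indicate a directory the user can write to.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\",
)


def image_path(command: str) -> str:
    """Extract the executable path from a Run value's command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def diff_run_keys(baseline: dict, current: dict) -> list:
    """Return (value_name, image_path, reasons) for every new or changed entry."""
    findings = []
    for name, cmd in current.items():
        if baseline.get(name) == cmd:
            continue  # unchanged since the baseline was taken
        path = image_path(cmd).lower()
        reasons = ["new Run value" if name not in baseline else "Run value changed"]
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            reasons.append("image in user-writable directory")
        if ntpath.basename(path) in SIDELOAD_HOSTS and not path.startswith(TRUSTED_ROOTS):
            reasons.append("known sideloading host outside its install root")
        findings.append((name, path, reasons))
    return findings


# Constructed snapshots (hypothetical value names and paths). The OneDrive
# entry shows why a baseline matters: it autostarts from AppData legitimately
# and is not reported because it is unchanged.
BASELINE = {
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
}
CURRENT = dict(BASELINE)
CURRENT.update({
    "VLC": r'"C:\Users\victim\AppData\Roaming\mofa\vlc.exe"',
    "WingetUI": r'"C:\Users\victim\AppData\Roaming\mofa\WingetUI.exe"',
})

if __name__ == "__main__":
    for name, path, reasons in diff_run_keys(BASELINE, CURRENT):
        print(f"{name}: {path}\n  " + "\n  ".join(reasons))
```

Both constructed entries collect all three reasons, which is the combination the campaign would produce: a fresh autostart value, pointing into the user's profile, for a binary that normally lives under Program Files. Run the same diff against HKLM's Run key and the RunOnce variants if your collector exports them; the logic is unchanged.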

Network teams should flag outbound HTTPS traffic with randomized URI patterns and non-standard JWT authorization headers, as these behavioral indicators align with the C2 communication profile observed in this campaign.
