Zscaler ThreatLabz researchers linked the Iran-nexus group Dust Specter to a campaign targeting Iraqi government officials. Threat actors impersonated the country’s Ministry of Foreign Affairs in phishing messages that delivered previously unseen malware, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM, through multiple infection chains.
“In January 2026, Zscaler ThreatLabz observed activity by a suspected Iran-nexus threat actor targeting government officials in Iraq,” reads the report published by Zscaler. “Due to significant overlap in tools, techniques, and procedures (TTPs), as well as victimology, between this campaign and activity associated with Iran-nexus APT groups, ThreatLabz assesses with medium-to-high confidence that an Iran-nexus threat actor conducted this operation. ThreatLabz tracks this group internally as Dust Specter.”
The researchers analyzed two attack chains used in the Dust Specter campaign targeting Iraqi officials.
Attack Chain 1 begins with a password-protected archive containing a dropper named SPLITDROP, disguised as a WinRAR application. Once executed, it decrypts and deploys two modules: TWINTASK, a worker component that executes PowerShell commands from a local file, and TWINTALK, a command-and-control (C2) orchestrator.
“Attack Chain 1 is delivered in a password-protected RAR archive named mofa-Network-code.rar. The password for this archive is: 92,110-135_118-128. A 32-bit .NET binary, disguised as a WinRAR application, is present inside this archive and starts the attack chain on the endpoint,” continues the report. “This binary functions as a dropper and ThreatLabz named it SPLITDROP because it drops two modules that we named TWINTASK and TWINTALK.”
The malware establishes persistence through registry keys and relies on DLL sideloading, placing its DLLs beside legitimate, signed applications such as VLC and WingetUI so that the trusted executable loads the malicious code. TWINTALK communicates with the C2 server using randomized beacon delays, custom URI paths, and JWT tokens to blend in with ordinary web traffic. The supported commands let the operators execute scripts, upload files from the host, or download additional payloads.
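The sideloading point above can be turned into a triage rule over image-load telemetry: a DLL with an OS-supplied name resolving from the application's own directory, or an unsigned DLL loaded from a user-writable path into a signed host, is the shape a VLC or WingetUI sideload would take. The following is an added example, not code from the Zscaler report; the records are constructed to resemble Sysmon Event ID 7 (ImageLoad) fields, and the directory and DLL-name lists are assumptions chosen for illustration.

```python
"""Heuristic DLL side-loading triage over image-load records.

Added example, not from the Zscaler report. Records mimic Sysmon Event ID 7
(ImageLoad) fields and are constructed; the DLL-name and directory lists are
assumptions for illustration, not a complete allow/deny list.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed: directories from which OS-supplied DLLs are expected to resolve.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Assumed: user-writable roots an attacker can drop a host EXE plus DLL into.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
# Assumed: OS DLL names that applications resolve via the DLL search order,
# which makes a same-named file beside the EXE a classic side-load target.
SEARCH_ORDER_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                     "userenv.dll", "cryptsp.dll"}


@dataclass(frozen=True)
class ImageLoad:
    image: str         # process that performed the load (Sysmon "Image")
    image_loaded: str  # full path of the DLL (Sysmon "ImageLoaded")
    signed: bool       # Sysmon "Signed" field
    signature: str     # Sysmon "Signature" (publisher) field


def assess(rec: ImageLoad) -> list[str]:
    """Return the reasons a single image-load record looks like side-loading."""
    dll = PureWindowsPath(rec.image_loaded)
    name = dll.name.lower()
    dll_dir = str(dll.parent).lower()
    exe_dir = str(PureWindowsPath(rec.image).parent).lower()
    reasons: list[str] = []
    # Rule 1: a search-order DLL that did not come from the system directory.
    if name in SEARCH_ORDER_DLLS and dll_dir not in SYSTEM_DIRS:
        where = ("beside the host executable" if dll_dir == exe_dir
                 else "outside the system directory")
        reasons.append(f"{name} resolved {where}")
    # Rule 2: an unsigned DLL loaded from a location the user can write to.
    if not rec.signed and rec.image_loaded.lower().startswith(USER_WRITABLE):
        reasons.append("unsigned DLL loaded from a user-writable path")
    return reasons


def find_sideload_candidates(records: list[ImageLoad]) -> list[tuple[ImageLoad, list[str]]]:
    """Keep only the records that trip at least one rule, with their reasons."""
    hits = []
    for rec in records:
        reasons = assess(rec)
        if reasons:
            hits.append((rec, reasons))
    return hits


# Constructed sample telemetry: two benign loads by an installed VLC, then two
# loads shaped like a dropped host EXE pulling in a same-named DLL beside it.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r"C:\Program Files\VideoLAN\VLC\libvlc.dll", True, "VideoLAN"),
    ImageLoad(r"C:\Users\u\AppData\Roaming\vlc\vlc.exe",
              r"C:\Users\u\AppData\Roaming\vlc\version.dll", False, ""),
    ImageLoad(r"C:\Users\u\Downloads\WingetUI\WingetUI.exe",
              r"C:\Users\u\Downloads\WingetUI\dbghelp.dll", False, ""),
]

if __name__ == "__main__":
    for rec, reasons in find_sideload_candidates(SAMPLE_LOADS):
        print(rec.image, "->", rec.image_loaded)
        for r in reasons:
            print("   ", r)
```

On a real fleet, rule 1 needs an exception list for applications that legitimately ship their own copy of one of these DLLs; rule 2 is the stronger signal when the host executable is signed by a known publisher and the DLL is not.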
Attack Chain 2 uses a single binary, named GHOSTFORM, that consolidates the same functionality and executes commands directly in memory, leaving fewer traces on the filesystem. As a decoy it opens a fake Google Form posing as a survey from Iraq’s Ministry of Foreign Affairs. The malware also employs stealth techniques such as invisible Windows forms for delayed execution and a mutex check to avoid running multiple instances.
ThreatLabz found indicators that generative AI may have been used to develop the TWINTALK and GHOSTFORM malware. During code analysis, researchers identified unusual elements such as emojis and Unicode text embedded in functions. They also observed placeholder values, like the hard-coded seed 0xABCDEF, of the kind often left behind by AI-generated code, suggesting automated tools may have assisted in malware development.
The campaign also used a ClickFix lure disguised as a Cisco Webex meeting page to trick victims into running malicious PowerShell commands that download and schedule malware execution.
“ThreatLabz found that the TWINTALK C2 domain, meetingapp[.]site, was also used by Dust Specter in July 2025 to host a web page disguised as a Cisco Webex meeting invitation,” states the report. “The web page included a link to download the legitimate Cisco Webex software and prompted the victim to choose the “Webex for Government” option. The web page also lures the victim into following the instructions shown in the figure below to retrieve the meeting ID.”
ThreatLabz attributes the activity, with medium-to-high confidence, to Dust Specter, an Iran-linked threat actor, citing targeting patterns, malware design, and tactics consistent with previous Iranian cyber-espionage operations.
“This campaign, attributed with medium-to-high confidence to Dust Specter, likely targeted government officials using convincing social engineering lures impersonating Iraq’s Ministry of Foreign Affairs. ThreatLabz identified previously undocumented lightweight custom .NET-based droppers and backdoors used in this operation,” concludes the report. “The activity also reflects broader trends, including ClickFix-style techniques and the growing use of generative AI for malware development.”
(SecurityAffairs – hacking, Iran)