www.infosecurity-magazine.com 3/3/2026, 11:03:44 AM · via preferred

Iranian Actors Impersonate Iraqi Foreign Ministry With AI Malware

An Iran-nexus cyber threat actor has been targeting Iraqi government officials by impersonating Iraq’s Ministry of Foreign Affairs, with the campaign leveraging AI tools.

Government-related infrastructure in Iraq was compromised and used to host malicious payloads distributed as part of the operation, which was detected in January 2026 by Zscaler ThreatLabz. ThreatLabz tracks the threat actor as Dust Specter and attributes it to Iran “with medium to high confidence.” It identified new malware families in this campaign, including SplitDrop, TwinTask, TwinTalk and GhostForm, and observed fingerprints in the code suggesting the use of generative AI for malware development.

The campaign unfolds through two attack chains. The first delivers a password-protected archive, mofa-Network-code[.]rar, containing a 32-bit .NET binary disguised as a WinRAR application; this binary, named SplitDrop, acts as a dropper for TwinTask and TwinTalk. The second chain consolidates functionality into a single binary, deploying a .NET-based RAT dubbed GhostForm via Google Forms and in-memory PowerShell, with ThreatLabz noting an unusual coding style that implies AI assistance.

Article by CyberSIXT