A campaign linked to the Iran-nexus Dust Specter APT is targeting Iraqi government officials with new malware families delivered via phishing emails, according to Zscaler ThreatLabz. Threat actors impersonated Iraq’s Ministry of Foreign Affairs in January 2026 to lure victims. The report describes two infection chains: one uses a password-protected archive named mofa-Network-code[.]rar containing SPLITDROP, TWINTASK and TWINTALK, and the other consolidates the same capabilities in a single binary called GHOSTFORM.
TWINTALK serves as a C2 orchestrator while TWINTASK runs PowerShell commands. The malware uses registry persistence, DLL sideloading with VLC and WingetUI, and randomized delays to evade detection. GHOSTFORM operates in memory to reduce filesystem traces and even opens a fake Google Form posing as a survey from Iraq’s Ministry of Foreign Affairs to deceive victims.
ThreatLabz notes possible use of generative AI elements in developing TWINTALK and GHOSTFORM, and highlights the broader trend of AI-assisted malware alongside ClickFix-style techniques. The report also states that Dust Specter activity was observed in January 2026, and that attribution to an Iran-nexus actor is assessed with medium-to-high confidence.