thehackernews.com 3/5/2026, 12:29:16 PM · via preferred

Iran-nexus Dust Specter hits Iraqi govt with two infection chains

CyberSIXT Evidence Panel
Primary source: zscaler.com
Threat actor: Dust Specter

A campaign attributed to a suspected Iran-nexus threat actor, named Dust Specter by Zscaler ThreatLabz, targeted Iraqi government officials by impersonating Iraq’s Ministry of Foreign Affairs and deploying a set of new malware across two infection chains. The activity, observed in January 2026, culminates in malware families called SPLITDROP, TWINTASK, TWINTALK and GHOSTFORM, with the latter two representing an evolution that consolidates functionality into a single binary and uses in-memory PowerShell for code execution.

The first chain uses a password-protected RAR containing a .NET dropper (SPLITDROP) that deploys TWINTASK as a worker module and TWINTALK as a C2 orchestrator; the second chain replaces these with GHOSTFORM, which avoids writing to disk by running commands in memory.

According to Zscaler ThreatLabz, the campaigns exhibit randomised URI paths with checksum values for C2 requests, geofencing, User-Agent verification and a file-based polling mechanism; some binaries also include a hard-coded Google Forms URL masquerading as an official Ministry of Foreign Affairs survey.

The report notes that the attackers compromised Iraqi government infrastructure to stage payloads and that the Dust Specter operators relied on techniques akin to ClickFix-style social engineering and on AI-assisted development.


Article by CyberSIXT