Dust Specter
Overview
Dust Specter is a newly identified Iran-nexus threat actor first reported by Zscaler ThreatLabz in March 2026. The group came to attention through a targeted campaign in January 2026 against government officials affiliated with Iraq's Ministry of Foreign Affairs. What makes Dust Specter significant beyond its immediate targeting is the combination of techniques it employs: compromised legitimate government infrastructure as delivery staging, geofenced and checksum-verified C2 communication, ClickFix-style social engineering, and evidence of generative AI tools being used in malware development.
Zscaler attributes the campaign to an Iran-nexus actor with medium-to-high confidence, based on overlapping tooling, victimology, and TTPs with established Iranian APT groups. Iraq's Ministry of Foreign Affairs has historically been a priority target for Iranian cyber operations, and the compromise of Iraqi government infrastructure (specifically the ca.iq domain) to host malicious payloads mirrors tactics previously documented in APT34 campaigns dating back to at least 2024.
The group deployed two distinct attack chains. The first uses a split-architecture approach with a dropper (SPLITDROP) that installs two cooperating modules: a worker (TWINTASK) and a C2 orchestrator (TWINTALK). The second chain consolidates all functionality into a single binary called GHOSTFORM that operates entirely in memory via PowerShell. Both chains use DLL sideloading through legitimate applications — VLC Media Player and WingetUI — to execute malicious code without requiring elevated privileges.
Evidence of AI-assisted development was found in the TWINTALK and GHOSTFORM codebases, including placeholder values like the seed 0xABCDEF, unusual Unicode text, and embedded strings consistent with patterns seen in AI-generated code. This aligns with broader reporting that Iranian APT groups are increasingly integrating generative AI into their tooling and tradecraft.
Dust Specter's use of AI-assisted malware development represents a practical example of adversaries leveraging generative AI to accelerate tooling production. The presence of AI fingerprints in production malware deployed against real government targets signals that this is no longer theoretical — it is operational tradecraft.
Target Profile
Dust Specter's targeting is narrowly focused on Iraqi government infrastructure, consistent with Iran's regional intelligence priorities.
- Iraqi Ministry of Foreign Affairs: The primary target. Social engineering lures impersonated official Ministry communications, and the password-protected RAR archive used as the delivery vehicle was named mofa-Network-code.rar to suggest an official network access package.
- Iraqi government officials: The campaign's lures and targeting suggest specific individuals within or affiliated with Iraq's diplomatic apparatus. GHOSTFORM variants displayed fake Arabic-language surveys masquerading as official Ministry questionnaires.
- Compromised Iraqi infrastructure: The legitimate Iraqi government website ca.iq was compromised and used to host the malicious GHOSTFORM archive, blurring the line between delivery infrastructure and target.
Tactics, Techniques & Procedures
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 | Spearphishing Attachment | Password-protected RAR archive disguised as Ministry of Foreign Affairs network code. The password itself (92,110-135_118-128) serves as an additional social engineering element suggesting legitimacy. |
| T1204.004 | User Execution: Malicious Copy and Paste | ClickFix-style lure disguised as a Cisco Webex for Government meeting invite, instructing victims to copy and paste PowerShell commands that download and schedule malware execution every two hours. |
| T1574.002 | DLL Side-Loading | SPLITDROP launches legitimate VLC.exe, which sideloads malicious libvlc.dll (TWINTASK). Then WingetUI.exe sideloads hostfxr.dll (TWINTALK). Neither requires elevated privileges. |
| T1059.001 | PowerShell | TWINTASK polls a local file every 15 seconds for Base64-encoded PowerShell commands. GHOSTFORM executes PowerShell entirely in memory, eliminating disk artifacts. |
| T1071.001 | Web Protocols (HTTPS C2) | TWINTALK and GHOSTFORM use HTTPS for C2 with randomized URI paths, appended checksum values for request authentication, geofencing, and hardcoded browser User-Agent strings to evade analysis. |
| T1547.001 | Registry Run Keys | Persistence via Windows Registry Run keys pointing to VLC.exe and WingetUI.exe paths, ensuring both malicious sideloading chains survive reboots. |
| T1584.004 | Compromise Infrastructure: Server | Compromised the legitimate Iraqi government domain ca.iq to host GHOSTFORM payloads, leveraging institutional trust to bypass URL reputation filters. |
| T1587.001 | Develop Capabilities: Malware | Four custom .NET malware families developed for this campaign. Code analysis reveals AI-generated patterns including placeholder constants, unusual Unicode, and structural patterns consistent with LLM-assisted development. |
Known Campaigns
Targeted operation against Iraqi government officials using two parallel attack chains. Attack Chain 1 delivered SPLITDROP via password-protected RAR, which installed TWINTASK and TWINTALK through DLL sideloading of VLC and WingetUI. Attack Chain 2 deployed GHOSTFORM as a consolidated RAT hosted on the compromised ca.iq government domain. Both chains used geofenced C2 communication with checksum-verified URI paths.
Earlier operation using the domain meetingapp[.]site to host a web page disguised as a Cisco Webex for Government meeting invite. Used ClickFix social engineering to trick victims into executing PowerShell that downloaded a malicious binary and registered a scheduled task for persistent execution every two hours. Infrastructure overlap with the 2026 campaign confirmed the link between both operations.
Tools & Malware
All four malware families are custom .NET binaries with no code obfuscation — a hallmark of Iranian APT tooling.
- SPLITDROP: .NET dropper disguised as a WinRAR application. Prompts for a password, then decrypts an embedded resource using AES-256-CBC with PBKDF2 key derivation (HMAC-SHA1, 10,000 iterations, 256-bit key). Displays a fake error message ("The download did not complete successfully") as a distraction while extracting TWINTASK and TWINTALK to C:\ProgramData\PolGuid\.
- TWINTASK: Worker module sideloaded via VLC.exe as libvlc.dll. Polls a local text file (in.txt) every 15 seconds for Base64-encoded PowerShell commands, executes them with a 600-second timeout, and writes output to out.txt. Establishes persistence through Registry Run keys.
- TWINTALK: C2 orchestrator sideloaded via WingetUI.exe as hostfxr.dll. Beacons to remote servers at randomized intervals (108-180 seconds) to avoid pattern-based detection. Generates dynamic URI paths with appended checksums. Uses geofencing and User-Agent verification to ensure requests originate from genuine infections in target regions.
- GHOSTFORM: Consolidated .NET RAT that merges SPLITDROP, TWINTASK, and TWINTALK functionality into a single binary. Uses in-memory PowerShell execution to eliminate disk artifacts. Employs creative evasion: spawns a near-invisible Windows form (10x15 pixels, near-zero opacity, hidden from taskbar) with a timer to delay execution. Derives bot ID from assembly creation time. Variants embed hardcoded Google Forms URLs displaying fake Arabic-language Ministry surveys as social engineering lures.
Mitigation & Defense
Organizations in Dust Specter's target profile should focus on the social engineering entry points and the DLL sideloading persistence mechanism.
- Block password-protected archives from untrusted sources: SPLITDROP is delivered in a password-protected RAR that bypasses content inspection. Configure email gateways and endpoint protection to flag or quarantine encrypted archives from external senders.
- Monitor DLL sideloading: Detect VLC.exe and WingetUI.exe loading unexpected DLLs from non-standard locations. Application allowlisting should prevent legitimate binaries in ProgramData directories from executing sideloaded DLLs.
- ClickFix awareness training: Train staff to recognize ClickFix-style lures that instruct users to copy and paste commands into PowerShell or command prompts. Block execution of PowerShell from user-initiated paste operations where technically feasible.
- Registry Run key monitoring: Alert on new Registry Run key entries pointing to binaries in C:\ProgramData\ or other non-standard locations. Both attack chains rely on this persistence mechanism.
- Geofencing as a detection signal: Dust Specter's C2 servers respond only to requests from specific geographic regions. If your security team operates outside the target region, C2 analysis may fail silently. Use in-region analysis infrastructure or VPN exit nodes in target geographies for dynamic analysis.
- Audit government domain integrity: Organizations operating government web infrastructure should monitor for unauthorized file uploads and content changes. Dust Specter hosted GHOSTFORM on the compromised ca.iq domain.
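As an added example (not code from the page, from Zscaler, or from any of the sources listed below), the following Python script applies two of the checks above, DLL sideloading by VLC.exe/WingetUI.exe from a non-standard location and Registry Run keys pointing into writable directories, to constructed Sysmon-style events. The field names loosely mirror Sysmon Event ID 7 (Image Loaded) and Event ID 13 (Registry value set). The C:\ProgramData\PolGuid\ staging directory and the VLC.exe/libvlc.dll and WingetUI.exe/hostfxr.dll pairs come from the Tools & Malware section; the trusted install roots, the list of non-standard autorun locations, and every sample event record are assumptions or constructed data, not real telemetry.

```python
"""Added example: flag Dust Specter-style DLL sideloading and Run key persistence
over Sysmon-style events. Standard library only; all events are constructed."""
import ntpath

# Host binaries the campaign abused, paired with the DLL each one sideloads
# (VLC.exe -> libvlc.dll, WingetUI.exe -> hostfxr.dll, per the Tools section).
SIDELOAD_PAIRS = {
    "vlc.exe": {"libvlc.dll"},
    "wingetui.exe": {"hostfxr.dll"},
}

# Assumption: legitimate copies of these hosts live under Program Files; loading
# the paired DLL from anywhere else is treated as a non-standard location.
TRUSTED_INSTALL_ROOTS = (r"c:\program files", r"c:\program files (x86)")

# Assumption: a Run key should not normally point into these writable roots.
# Absolute roots are prefix-matched; fragments starting with "\" are matched
# anywhere in the path (covers any user's AppData\Local\Temp).
SUSPICIOUS_AUTORUN_ROOTS = (r"c:\programdata", r"c:\users\public", r"\appdata\local\temp")


def _norm(path: str) -> str:
    """Strip surrounding quotes, normalise and lower-case a Windows path."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def _under(path: str, roots) -> bool:
    """True if path lies under any root (prefix match, or substring for \\-fragments)."""
    p = _norm(path)
    for root in roots:
        r = _norm(root) + "\\"
        if r.startswith("\\"):
            if r in p:
                return True
        elif p.startswith(r):
            return True
    return False


def is_sideload_event(ev: dict) -> bool:
    """Image-load event where an abused host loads its sideload DLL outside a trusted root."""
    if ev.get("event_id") != 7:
        return False
    host = ntpath.basename(ev["image"]).lower()
    dll = ntpath.basename(ev["image_loaded"]).lower()
    if dll not in SIDELOAD_PAIRS.get(host, ()):
        return False
    return not _under(ev["image_loaded"], TRUSTED_INSTALL_ROOTS)


def is_suspicious_run_key(ev: dict) -> bool:
    """Registry value set under ...\\CurrentVersion\\Run* whose target is in a writable root."""
    if ev.get("event_id") != 13:
        return False
    if "\\currentversion\\run" not in _norm(ev["target_object"]):
        return False
    return _under(ev["details"], SUSPICIOUS_AUTORUN_ROOTS)


def scan(events):
    """Return one finding dict per event that matches either rule."""
    findings = []
    for ev in events:
        if is_sideload_event(ev):
            findings.append({"rule": "dll_sideload_nonstandard_path",
                             "host": ev["image"], "dll": ev["image_loaded"]})
        if is_suspicious_run_key(ev):
            findings.append({"rule": "run_key_nonstandard_target",
                             "key": ev["target_object"], "target": ev["details"]})
    return findings


# Constructed sample events (not real telemetry). Only the PolGuid directory name
# comes from the page; the SID, user name and benign entries are made up.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"event_id": 7, "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "image_loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},          # benign
    {"event_id": 7, "image": r"C:\ProgramData\PolGuid\vlc.exe",
     "image_loaded": r"C:\ProgramData\PolGuid\libvlc.dll"},                  # TWINTASK pattern
    {"event_id": 7, "image": r"C:\ProgramData\PolGuid\WingetUI.exe",
     "image_loaded": r"C:\ProgramData\PolGuid\hostfxr.dll"},                 # TWINTALK pattern
    {"event_id": 13, "target_object": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\VLC",
     "details": r"C:\ProgramData\PolGuid\vlc.exe"},                           # persistence
    {"event_id": 13, "target_object": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},        # benign
    {"event_id": 7, "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "image_loaded": r"C:\Windows\System32\ntdll.dll"},                      # benign
    {"event_id": 13, "target_object": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "details": r'"C:\Users\alice\AppData\Local\Temp\upd.exe" --quiet'},   # suspicious
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the script prints four findings: the two PolGuid sideloads, the Run key pointing at C:\ProgramData\PolGuid\vlc.exe, and the RunOnce entry pointing into a user's Temp directory; the Program Files loads and the OneDrive autorun pass. In a real deployment the trusted-root and suspicious-root tables would be tuned to the estate's actual install locations, and the events would come from the EDR or SIEM rather than an inline list.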
Dust Specter's attribution remains at medium-to-high confidence. Zscaler notes that the group's tooling, targeting of Iraq's Foreign Ministry, use of compromised Iraqi government infrastructure, lightweight custom .NET backdoors with no obfuscation, and ClickFix-style lures are all consistent with documented Iranian APT behavior — particularly APT34 (OilRig). However, Dust Specter has not been formally merged into any existing APT cluster. As additional indicators become available, attribution may be refined. The AI-assisted development fingerprints in the codebase warrant particular attention as a potential future attribution marker across Iranian APT tooling.
Sources & Further Reading
- NoHacky — Dust Specter: Iran-Nexus APT Targets Iraq with AI-Assisted Malware (2026)
- Zscaler ThreatLabz — Dust Specter APT Targets Government Officials in Iraq (2026)
- The Hacker News — Dust Specter Targets Iraqi Officials with SPLITDROP and GHOSTFORM (2026)
- Cybersecurity News — Iran-Nexus APT Dust Specter Hits Iraqi Officials (2026)