Iran-Linked Dust Specter Targets Iraqi Government with .NET Backdoors and Fileless PowerShell

CyberSecureFox 🦊

A suspected Iran-aligned threat group known as Dust Specter is conducting a targeted cyber espionage campaign against Iraqi government officials and ministry staff, according to new research by Zscaler ThreatLabz. The actors impersonate Iraq’s Ministry of Foreign Affairs (MFA) and deploy previously undocumented .NET backdoors codenamed SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM.

Targeted cyber espionage against Iraqi government networks

The campaign, observed in January 2026, relies on highly tailored phishing emails and documents that mimic genuine MFA notifications in Arabic. To increase credibility and bypass network defenses, Dust Specter also abuses compromised Iraqi government infrastructure to host malicious payloads, making traffic appear to originate from trusted domains.

The group’s command-and-control (C2) servers implement geofencing and strict User-Agent validation, accepting connections only from systems in specific regions and with expected browser or client signatures. C2 requests are sent to randomly generated URIs with embedded checksums, complicating static URL blocking and traditional indicator-based defenses.

.NET infection chain with SPLITDROP, TWINTASK and TWINTALK

Password-protected archives and DLL side-loading techniques

The first documented infection chain begins with a password-protected RAR archive, a common tactic to evade email security scanners. Inside, victims find a seemingly benign .NET executable, SPLITDROP, which acts as a dropper to deploy the TWINTASK and TWINTALK components.

TWINTASK is delivered as a malicious libvlc.dll and loaded via DLL side-loading by a legitimate vlc.exe binary included in the archive. Side-loading abuses the Windows DLL search order, which checks the application's own directory before system locations: a malicious libvlc.dll placed next to vlc.exe is resolved instead of the genuine library, so the attacker's code runs inside a trusted, digitally signed process and draws less suspicion from security tools and end users.

Once active, TWINTASK polls the file C:\ProgramData\PolGuid\in.txt every 15 seconds for commands, executes them through PowerShell, and writes output and errors to out.txt. Supported instructions include persistence mechanisms, such as modifying Windows Registry keys to ensure the malware survives reboots.

File-based C2 orchestration with TWINTALK

On first execution, TWINTASK launches another legitimate application from the archive, WingetUI.exe, which then side-loads TWINTALK masquerading as hostfxr.dll. TWINTALK functions as the primary C2 orchestrator, communicating with the remote server, receiving tasking, and passing it to TWINTASK via the shared text files.
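The host-level behaviour described in this chain (a signed host loading an unsigned DLL from the folder it was dropped into, vlc.exe launching WingetUI.exe and PowerShell, and writes into C:\ProgramData\PolGuid) is what an endpoint hunt should key on. The following is an added example, not code from Zscaler ThreatLabz or from this article: it runs three checks over Sysmon-style events. The events are constructed; the lure folder, user name and command lines are invented, while the host executables, DLL names and the PolGuid directory are those the report describes.

```python
"""Hunt for the SPLITDROP -> TWINTASK -> TWINTALK host tradecraft in
Sysmon-style telemetry: a host EXE loading an unsigned DLL from its own,
user-writable directory (side-loading), that host spawning PowerShell or the
second lure host, and file writes into the C:\\ProgramData\\PolGuid exchange dir."""
import ntpath
from collections import Counter

# Constructed sample events, not telemetry from the report. The lure folder,
# user name and command lines are invented; vlc.exe/libvlc.dll,
# WingetUI.exe/hostfxr.dll and the PolGuid directory are those the report names.
# EventID 7 = ImageLoad, 1 = ProcessCreate, 11 = FileCreate (Sysmon numbering).
LURE_DIR = r"C:\Users\ali\Downloads\MFA_Notice"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": LURE_DIR + r"\vlc.exe",
     "ImageLoaded": LURE_DIR + r"\libvlc.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "Signed": "true"},
    {"EventID": 1, "Image": LURE_DIR + r"\WingetUI.exe",
     "ParentImage": LURE_DIR + r"\vlc.exe", "CommandLine": "WingetUI.exe"},
    {"EventID": 7, "Image": LURE_DIR + r"\WingetUI.exe",
     "ImageLoaded": LURE_DIR + r"\hostfxr.dll", "Signed": "false"},
    {"EventID": 1, "Image": PS, "ParentImage": LURE_DIR + r"\vlc.exe",
     "CommandLine": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "whoami"'},
    {"EventID": 11, "Image": LURE_DIR + r"\WingetUI.exe",
     "TargetFilename": r"C:\ProgramData\PolGuid\in.txt"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]

TRUSTED_DIR_PREFIXES = ("c:\\program files", "c:\\windows")
LURE_HOSTS = {"vlc.exe", "wingetui.exe"}      # signed hosts abused for side-loading
LURE_DLLS = {"libvlc.dll", "hostfxr.dll"}     # names the implants masquerade as
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
EXCHANGE_DIR = "c:\\programdata\\polguid\\"   # TWINTASK/TWINTALK command files


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def check_side_load(ev):
    """EID 7: DLL loaded from the host EXE's own directory, outside a trusted
    install location, and not carrying a valid signature."""
    if _dir(ev["Image"]) != _dir(ev["ImageLoaded"]):
        return None
    if _dir(ev["ImageLoaded"]).startswith(TRUSTED_DIR_PREFIXES):
        return None
    if ev.get("Signed", "false").lower() == "true":
        return None
    host, dll = _base(ev["Image"]), _base(ev["ImageLoaded"])
    known_pair = host in LURE_HOSTS and dll in LURE_DLLS
    return {"rule": "dll_side_load", "severity": "high" if known_pair else "medium",
            "host": host, "dll": dll, "dir": _dir(ev["ImageLoaded"])}


def check_process_chain(ev):
    """EID 1: a lure host launching a shell or the other lure host."""
    parent, child = _base(ev["ParentImage"]), _base(ev["Image"])
    if parent in LURE_HOSTS and (child in SHELLS or child in LURE_HOSTS):
        return {"rule": "lure_host_spawn", "severity": "high", "parent": parent,
                "child": child, "cmd": ev.get("CommandLine", "")}
    return None


def check_exchange_file(ev):
    """EID 11: any file created inside the command-exchange directory."""
    if ev["TargetFilename"].lower().startswith(EXCHANGE_DIR):
        return {"rule": "exchange_file_write", "severity": "high",
                "process": _base(ev["Image"]), "file": ev["TargetFilename"]}
    return None


CHECKS = {7: check_side_load, 1: check_process_chain, 11: check_exchange_file}


def hunt(events):
    """Run the check matching each event's ID and collect the hits."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        hit = check(ev) if check else None
        if hit:
            alerts.append(hit)
    return alerts


def summarize(alerts):
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(summarize(found))
```

The side-load check deliberately ignores the DLL name as its primary signal: the vlc.exe copy in Program Files loading its own signed libvlc.dll produces no alert, while the same pair in a Downloads folder does. Matching the exact names from the report only raises severity, so the rule keeps working when the actor swaps in a different signed host.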

TWINTALK periodically exfiltrates results back to the C2 and supports file upload and download, letting the operators stage additional tooling on the host and steal data. To hinder network-based detection, it uses a beaconing schedule with pseudo-random delays, so the check-in interval is not constant and simple fixed-period correlation in SIEM and NDR tools is less effective.
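Two of the C2 traits described on this page, the randomized checksummed URIs and the jittered beacon schedule, can still be hunted together on the proxy: a client that keeps contacting one host at roughly regular intervals while never reusing a URI path looks nothing like a browser. The following is an added example, not code from the report or from this article, that scores each (client, host) pair by the coefficient of variation of its inter-request gaps (so moderate jitter still matches) and by the fraction of distinct paths. The log is constructed; meetingapp.site is the domain the report names, while the client address, the intranet host and all paths are invented.

```python
"""Jitter-tolerant beacon hunt over web-proxy logs. Flags a (client, host)
pair when its requests recur at a near-constant interval (low coefficient of
variation, so +/-30% sleep jitter still matches) AND almost every request uses
a different URI path (the randomized, checksummed URIs described above)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_REQUESTS = 6        # too few requests gives no usable interval statistics
MAX_CV = 0.35           # std-dev / mean of inter-request gaps; tolerates jitter
MIN_UNIQUE_PATHS = 0.8  # fraction of distinct paths per (client, host) pair

# Constructed proxy log (format: time client host path "user-agent"); not
# traffic from the report. meetingapp.site is the C2 domain the report names;
# the client address, intranet host, update host and paths are invented.
UA = '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/121.0"'
PROXY_LOG = "\n".join(f"{t} {c} {h} {p} {UA}" for t, c, h, p in [
    ("2026-01-14T09:00:00+00:00", "10.20.30.41", "meetingapp.site", "/d3a1/9f0c2b"),
    ("2026-01-14T09:00:00+00:00", "10.20.30.41", "intranet.example.gov", "/index.html"),
    ("2026-01-14T09:00:03+00:00", "10.20.30.41", "intranet.example.gov", "/style.css"),
    ("2026-01-14T09:00:05+00:00", "10.20.30.41", "intranet.example.gov", "/logo.png"),
    ("2026-01-14T09:00:47+00:00", "10.20.30.41", "intranet.example.gov", "/index.html"),
    ("2026-01-14T09:00:49+00:00", "10.20.30.41", "intranet.example.gov", "/news"),
    ("2026-01-14T09:00:50+00:00", "10.20.30.41", "intranet.example.gov", "/index.html"),
    ("2026-01-14T09:01:02+00:00", "10.20.30.41", "meetingapp.site", "/k8e2/41c7ae"),
    ("2026-01-14T09:01:58+00:00", "10.20.30.41", "meetingapp.site", "/m2b9/7e5d10"),
    ("2026-01-14T09:02:00+00:00", "10.20.30.41", "update.example.net", "/check"),
    ("2026-01-14T09:03:01+00:00", "10.20.30.41", "meetingapp.site", "/t6c4/0a93f2"),
    ("2026-01-14T09:04:05+00:00", "10.20.30.41", "meetingapp.site", "/w1f7/c82b64"),
    ("2026-01-14T09:04:59+00:00", "10.20.30.41", "meetingapp.site", "/z4a0/5d1e9c"),
    ("2026-01-14T09:05:00+00:00", "10.20.30.41", "update.example.net", "/check"),
    ("2026-01-14T09:06:02+00:00", "10.20.30.41", "meetingapp.site", "/q9e3/b6407a"),
    ("2026-01-14T09:06:52+00:00", "10.20.30.41", "intranet.example.gov", "/news"),
    ("2026-01-14T09:06:55+00:00", "10.20.30.41", "intranet.example.gov", "/style.css"),
    ("2026-01-14T09:06:59+00:00", "10.20.30.41", "meetingapp.site", "/h5d8/e1f3c9"),
])


def parse_line(line):
    """Split one log line; the quoted user-agent may contain spaces."""
    ts, client, host, path, ua = line.split(" ", 4)
    return datetime.fromisoformat(ts), client, host, path, ua.strip('"')


def profile(times, paths):
    """Interval regularity and path diversity for one (client, host) pair."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return {
        "requests": len(times),
        "mean_gap_s": round(avg, 1),
        "cv": round(pstdev(gaps) / avg, 3) if avg > 0 else float("inf"),
        "unique_path_ratio": round(len(set(paths)) / len(paths), 2),
    }


def hunt_beacons(log_text):
    """Return a profile per (client, host) pair with a 'beacon' verdict."""
    buckets = defaultdict(lambda: ([], []))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, _ua = parse_line(line)
        buckets[(client, host)][0].append(ts)
        buckets[(client, host)][1].append(path)
    results = {}
    for key, (times, paths) in buckets.items():
        if len(times) < MIN_REQUESTS:
            continue
        p = profile(times, paths)
        p["beacon"] = p["cv"] <= MAX_CV and p["unique_path_ratio"] >= MIN_UNIQUE_PATHS
        results[key] = p
    return results


if __name__ == "__main__":
    for (client, host), p in hunt_beacons(PROXY_LOG).items():
        print(client, host, p)
```

Browsing to the intranet host is bursty (gaps of a few seconds followed by minutes of silence) and reuses paths, so its coefficient of variation is far above the threshold and its path ratio far below; the implant's check-ins vary by only a few seconds around one minute and never repeat a path. The thresholds are starting points, and the User-Agent is still worth asserting on separately, since the report notes the C2 rejects unexpected client signatures.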

GHOSTFORM: consolidation and fileless PowerShell execution

A newer infection chain replaces TWINTASK and TWINTALK with a single, more advanced backdoor dubbed GHOSTFORM. Instead of writing commands and responses to disk, GHOSTFORM relies heavily on fileless PowerShell execution in memory, substantially reducing on-disk artifacts and evading many signature-driven antivirus engines.

Abuse of Google Forms for phishing and data collection

Several GHOSTFORM samples contain a hard-coded link to a Google Forms page automatically opened in the victim’s browser after compromise. The form, in Arabic, pretends to be an official MFA survey or registration form. This dual-use social engineering tactic reinforces the legitimacy of the lure while also harvesting additional information about the victim and their organization.

Social engineering and ClickFix-style tactics

Infrastructure analysis shows that the C2 domain meetingapp[.]site, currently used by TWINTALK, was also leveraged in a July 2025 Dust Specter operation. At that time, the site hosted a spoofed Cisco Webex meeting invitation that instructed users to copy and run a PowerShell script to “join” a conference.

This pattern is reminiscent of so-called ClickFix social engineering, where attackers guide users step by step to execute malicious commands themselves, bypassing some technical controls. In that campaign, the script created a directory, downloaded a malicious payload from the same domain, saved it as an executable, and registered a Windows Scheduled Task to run every two hours, ensuring long-term persistence.
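A scheduled task that repeats every couple of hours and runs a freshly dropped executable from a user profile is exactly the artifact the ClickFix chain above leaves behind, and it can be audited from the task XML that Windows keeps under C:\Windows\System32\Tasks. The following is an added example, not code from the report or from this article: it parses task definitions, converts the ISO 8601 repetition interval, and flags a task only when a short interval coincides with an action from a user-writable path or a script host that downloads content. The three task definitions are constructed; the task names, paths and schedules are invented to mirror the behaviour the article describes, not recovered from the campaign.

```python
"""Audit Windows scheduled-task XML for ClickFix-style persistence: a
short repetition interval combined with an action that runs from a
user-writable directory or that invokes a script host to fetch content."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_HINTS = ("http://", "https://", "downloadstring", "downloadfile",
                  "invoke-webrequest", "iwr ", "curl ", "bitsadmin")
MAX_INTERVAL_S = 4 * 3600   # anything repeating this often deserves a look
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed task definitions (names, paths and schedules invented). Real files
# under C:\Windows\System32\Tasks are UTF-16 XML with a declaration; pass them to
# ET.fromstring() as bytes so the parser honours that declaration.
TASKS = {
    # Mirrors the ClickFix persistence above: every two hours, EXE under the profile.
    "WebexMeeting": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <StartBoundary>2025-07-14T10:00:00</StartBoundary>
    <Repetition><Interval>PT2H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\ali\AppData\Local\WebexMeeting\meeting.exe</Command>
  </Exec></Actions>
</Task>""",
    # Benign: once a day from Program Files.
    "NightlyBackup": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2025-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Backup\backup.exe</Command><Arguments>--nightly</Arguments>
  </Exec></Actions>
</Task>""",
    # Frequent but from a protected install directory: frequency alone is not the signal.
    "VendorUpdater": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <StartBoundary>2025-01-01T08:00:00</StartBoundary>
    <Repetition><Interval>PT2H</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files\Vendor\update.exe"</Command><Arguments>/silent</Arguments>
  </Exec></Actions>
</Task>""",
}


def iso_duration_seconds(text):
    """Convert a Task Scheduler duration such as PT2H or P1DT30M to seconds."""
    m = _DUR.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def audit_task(name, xml_text):
    root = ET.fromstring(xml_text)
    findings, recurring, bad_action = [], False, False
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text)
        if secs <= MAX_INTERVAL_S:
            recurring = True
            findings.append(f"repeats every {secs // 60} min")
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        if cmd.lower().startswith(USER_WRITABLE):
            bad_action = True
            findings.append(f"runs from user-writable path: {cmd}")
        if cmd.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS and any(h in args.lower() for h in DOWNLOAD_HINTS):
            bad_action = True
            findings.append(f"script host downloads content: {cmd} {args}")
    return {"task": name, "suspicious": recurring and bad_action, "findings": findings}


def audit_all(tasks=TASKS):
    return {name: audit_task(name, xml) for name, xml in tasks.items()}


if __name__ == "__main__":
    for result in audit_all().values():
        print(result)
```

Requiring both signals keeps the noise down: the vendor updater repeats just as often as the malicious task but lives under Program Files, so it gets a note rather than a verdict. On a live host the same function can be fed the task files read as bytes from C:\Windows\System32\Tasks, and a task whose Command is a script host with a URL in its Arguments trips the second action check even when nothing has been written to disk.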

Attribution to Iranian actors and the role of generative AI

ThreatLabz assesses with medium-to-high confidence that the campaign is linked to Iranian state-aligned activity. Groups such as OilRig (APT34) have historically deployed custom lightweight .NET backdoors and abused compromised Iraqi government systems for espionage, closely mirroring Dust Specter's current tactics, techniques and procedures (TTPs).

Source code analysis of TWINTALK and GHOSTFORM revealed unused stubs, emojis and atypical Unicode strings, suggesting the possible use of generative AI tools during development. Across the industry, multiple vendors have reported threat actors leveraging large language models to accelerate coding, generate variations of existing malware, and reduce reliance on easily identifiable code patterns.

The Dust Specter campaign illustrates the rapid evolution of state-aligned espionage: from classic DLL side-loading and file-based command exchange to fileless PowerShell operations, C2 evasion and persuasive social engineering. Government agencies and operators of critical infrastructure should prioritize PowerShell and script monitoring (including script block logging), deploy modern EDR/XDR solutions, restrict which libraries trusted applications may load from user-writable directories through application control policies, and run continuous security awareness training so employees can spot phishing even when it abuses familiar platforms such as Webex or Google Forms. Proactive detection, hardening and user education remain the most reliable defenses against actors of this kind.
