A sophisticated cyberattack campaign, attributed with medium-to-high confidence to an Iran-nexus threat actor, has targeted Iraqi government officials. The group, identified as Dust Specter, leveraged novel malware and AI-assisted techniques in January 2026, impersonating Iraq’s Ministry of Foreign Affairs to compromise high-value targets. This campaign highlights a concerning evolution in cyber warfare, as Iran-nexus APT Dust Specter demonstrates advanced tactics and the integration of artificial intelligence into malware development.
The Dust Specter operation deployed four previously undocumented malware tools: SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. These tools showcased advanced capabilities, including DLL sideloading, persistent access mechanisms, and AI-enhanced code generation. The consistent overlap in tools, techniques, and victimology with known Iranian advanced persistent threats (APTs) underpins the attribution to an Iran-nexus actor. This campaign’s focus on Iraqi officials underscores the ongoing geopolitical tensions manifested in the cyber domain.
Dust Specter Employs AI-Assisted Malware Against Iraqi Officials
The initial attack vector involved a password-protected RAR archive, cunningly named “mofa-Network-code.rar,” designed to appear as an official Ministry document. Upon opening, the archive deployed SPLITDROP, a .NET binary disguised as a WinRAR application. SPLITDROP utilized AES-256 encryption to decrypt an embedded payload, silently dropping malicious files onto the victim’s system while displaying a fabricated error message: “The download did not complete successfully.” This initial phase set the stage for deeper system compromise.
A second attack chain incorporated GHOSTFORM, which presented a deceptive Arabic Google Form survey that masqueraded as a government questionnaire. While users were engaged with the fake survey, the underlying malware operated undetected. Researchers at Zscaler ThreatLabz identified distinct fingerprints within the source code of TWINTALK and GHOSTFORM that strongly suggest the use of generative artificial intelligence during the malware development process. These AI fingerprints include specific emoji and Unicode character patterns, along with a hardcoded seed value of 0xABCDEF in TWINTALK’s checksum generation function, a placeholder frequently observed in AI-generated code.
This integration of AI into the development cycle marks a significant advancement for threat actors. It indicates that AI is now being used not only for strategic planning and reconnaissance but also for the generation of functional malicious code. This evolution poses a new challenge for cybersecurity defenses, potentially accelerating the pace of malware creation and increasing its sophistication.
Inside the Infection: DLL Sideloading and Persistent Access
The infection chain was meticulously designed to evade detection by blending in with legitimate system activities. In the first attack chain, after SPLITDROP extracted its payload, it launched a legitimate VLC Media Player executable. This legitimate binary then automatically sideloaded a malicious DLL named “libvlc.dll,” which had been placed in the same directory. This DLL sideloading technique exploits the trust Windows places in authorized applications and can be executed without requiring elevated user privileges.
The malicious DLL, identified as TWINTASK, acted as a worker module. It continuously polled a local text file every 15 seconds, reading and executing Base64-encoded PowerShell commands received from the command and control (C2) orchestrator. TWINTASK subsequently initiated the execution of WingetUI.exe, which in turn sideloaded another malicious DLL, “hostfxr.dll.” This component was identified as TWINTALK, serving as the primary C2 orchestrator.
TWINTALK’s C2 communication involved beaconing to remote servers at randomized intervals, ranging from 108 to 180 seconds, to circumvent network detection rules based on fixed patterns. To ensure that responses were directed only to genuinely compromised machines and not automated scanners, TWINTALK generated dynamic URI paths appended with checksum values. The C2 server further verified each client by checking for a hardcoded browser User-Agent string, and it employed geofencing to restrict responses to traffic originating from specific geographic regions.
Persistence was achieved through the manipulation of Windows Registry Run keys, ensuring that both VLC.exe and WingetUI.exe would automatically relaunch after every system restart. This mechanism ensured the continued presence of the malware across reboots. GHOSTFORM employed a more subtle method for delaying its execution. It launched an invisible Windows form with near-zero opacity, hidden from the taskbar, and avoided calling Windows APIs that could trigger behavioral analysis tools.
The campaign also demonstrated a prior connection to a ClickFix-style attack from July 2025. In that instance, a webpage impersonating a Cisco Webex Government meeting invitation directed victims to execute a PowerShell command. This command downloaded a malicious binary and established a scheduled task to run every two hours. The consistent targeting of Iraq’s Ministry of Foreign Affairs aligns with historical patterns observed from Iran-linked groups such as APT34, further solidifying the attribution.
To counter such sophisticated threats, security teams are advised to implement stringent application allowlisting policies to prevent unauthorized DLL sideloading through trusted binaries. Email and web gateways should be configured to block password-protected archives from unverified senders. Furthermore, enabling PowerShell script block logging and vigilant monitoring of Windows Registry Run keys for unusual entries are crucial defensive measures against this class of intrusion. Network security teams should flag outbound HTTPS traffic exhibiting randomized URI patterns and non-standard JWT authorization headers, as these behavioral indicators are consistent with the C2 communication profile observed in this Dust Specter campaign.
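As an added example that is not part of the report or of Zscaler’s tooling, the following Python detector applies the last recommendation to a handful of constructed proxy-log lines: it groups requests per source/destination pair and flags pairs whose inter-request gaps all fall in the 108 to 180 second window, vary from one request to the next, and carry a new URI path on nearly every request. The log format, host names, paths and thresholds are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log lines (not taken from the report). Format per line:
# timestamp src_host dst_host uri_path user_agent
# hostA: gaps of 125/155/125/170 s, fresh path each time (the profile described above)
# hostB: fixed 300 s poll of one path (ordinary update check, should not be flagged)
SAMPLE_LOG = """\
2026-01-14T09:00:00Z hostA c2.example.invalid /a8f3c21e9 Mozilla/5.0
2026-01-14T09:02:05Z hostA c2.example.invalid /b71d0e4f2 Mozilla/5.0
2026-01-14T09:04:40Z hostA c2.example.invalid /c09e7aa15 Mozilla/5.0
2026-01-14T09:06:45Z hostA c2.example.invalid /d4e2f8b33 Mozilla/5.0
2026-01-14T09:09:35Z hostA c2.example.invalid /e55a1c7d8 Mozilla/5.0
2026-01-14T09:00:00Z hostB updates.example.invalid /status.json Mozilla/5.0
2026-01-14T09:05:00Z hostB updates.example.invalid /status.json Mozilla/5.0
2026-01-14T09:10:00Z hostB updates.example.invalid /status.json Mozilla/5.0
2026-01-14T09:15:00Z hostB updates.example.invalid /status.json Mozilla/5.0
2026-01-14T09:20:00Z hostB updates.example.invalid /status.json Mozilla/5.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def parse(log_text):
    """Group requests by (src, dst) into time-sorted lists of (timestamp, uri_path)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole pass
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        sessions[(m.group(2), m.group(3))].append((ts, m.group(4)))
    return {k: sorted(v) for k, v in sessions.items()}


def find_jittered_beacons(log_text, lo=108, hi=180, min_requests=4, min_unique_ratio=0.8):
    """Flag (src, dst) pairs whose inter-request gaps all sit in [lo, hi] seconds,
    are not constant (jitter present), and whose URI paths are almost all unique."""
    flagged = []
    for key, reqs in parse(log_text).items():
        if len(reqs) < min_requests:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        in_window = all(lo <= g <= hi for g in gaps)
        jittered = statistics.pstdev(gaps) > 0  # a fixed timer gives zero spread
        unique_ratio = len({path for _, path in reqs}) / len(reqs)
        if in_window and jittered and unique_ratio >= min_unique_ratio:
            flagged.append(key)
    return flagged
```

In production the thresholds would be tuned against a baseline of the environment’s own periodic traffic, and the same grouping can be extended with the User-Agent field to separate a browser’s normal activity from a single process that always presents one fixed string.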