Full Report
A suspected Iran-nexus threat actor has been attributed to a campaign targeting government officials in Iraq by impersonating the country's Ministry of Foreign Affairs to deliver a set of never-before-seen malware. Zscaler ThreatLabz, which observed the activity in January 2026, is tracking the cluster under the name Dust Specter. The attacks, which manifest in the form of two different
Analysis Summary
# Threat Actor: Dust Specter
## Attribution & Identity
* **Actor Identification:** Dust Specter (tracked by Zscaler ThreatLabz).
* **Aliases:** None explicitly listed, though classified as a "cluster" of activity.
* **Known Associations:** Suspected Iran-nexus threat actor.
## Activity Summary
* **January 2026 Campaign:** Targeting Iraqi government officials by impersonating the Ministry of Foreign Affairs (MFA). This campaign involved the delivery of custom malware via password-protected RAR archives.
* **July 2025 Campaign:** Used a fake Cisco Webex meeting invitation page (ClickFix-style) to trick users into executing PowerShell scripts to establish persistence.
## Tactics, Techniques & Procedures
* **T1566.001 (Phishing: Spearphishing Attachment):** Delivering password-protected RAR archives.
* **T1574.002 (Hijack Execution Flow: DLL Side-Loading):**
    * Using `vlc.exe` to sideload `libvlc.dll` (TWINTASK).
    * Using `WingetUI.exe` to sideload `hostfxr.dll` (TWINTALK).
* **T1059.001 (Command and Scripting Interpreter: PowerShell):** Using PowerShell for command execution and in-memory script execution (GHOSTFORM).
* **T1053.005 (Scheduled Task/Job: Scheduled Task):** Establishing persistence via tasks to run binaries every two hours.
* **Evasion & Stealth:**
    * Use of geofencing and User-Agent verification on C2 servers.
    * Randomly generated URI paths with appended checksums for C2 validation.
    * In-memory execution to minimize disk artifacts.
* **Social Engineering:** Impersonating official government surveys using Google Forms in Arabic.
* **AI-Assisted Development:** Inclusion of placeholder values, emojis, and Unicode text suggesting the use of Generative AI in the development of TWINTALK and GHOSTFORM.
## Targeting
* **Sectors:** Government / Public Sector.
* **Geography:** Iraq.
* **Victims:** Government officials; specifically impersonating the Iraqi Ministry of Foreign Affairs (MFA).
## Tools & Infrastructure
* **Malware Families:**
    * **SPLITDROP:** A .NET-based dropper.
    * **TWINTASK:** A worker module for executing commands and managing local files.
    * **TWINTALK:** A C2 orchestrator for beaconing and task coordination.
    * **GHOSTFORM:** A consolidated, evolved version of TWINTASK/TWINTALK with fileless capabilities.
* **Infrastructure:**
    * **C2 Domains:** `meetingapp[.]site`
    * **Legitimate Services:** Google Forms (used for lure content and surveys).
    * **File Paths:** `C:\ProgramData\PolGuid\in.txt`, `C:\ProgramData\PolGuid\out.txt`
## Implications
Dust Specter demonstrates a high level of regional focus and technical sophistication, particularly in its ability to compromise Iraqi government infrastructure to stage payloads. The transition from a multi-stage file-based architecture to the fileless GHOSTFORM indicates an actor that is actively evolving to bypass traditional EDR and disk-based detection mechanisms. The suspected use of Generative AI for malware development suggests a trend of threat actors leveraging emerging technology to increase development speed and bypass linguistic barriers in social engineering.
## Mitigations
* **DLL Side-Loading Protection:** Implement strict application control policies to prevent known legitimate binaries (like VLC or WingetUI) from being run from non-standard directories or where associated DLLs are untrusted.
* **System Hardening:** Monitor for the creation of unusual directories in `C:\ProgramData\` and the use of PowerShell to read/write to `.txt` files in these locations.
* **Network Defense:** Block access to unauthorized C2 domains like `meetingapp[.]site` and monitor for anomalous outbound traffic to cloud services such as Google Forms, which the actor used to host lures masquerading as official government surveys.
* **Email Security:** Use advanced sandboxing for password-protected archives and monitor for lures utilizing "ClickFix" social engineering patterns.
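The DLL side-loading and system hardening mitigations above translate directly into host telemetry checks. The following is an added example (not Zscaler's code or part of the report) that runs two such checks over constructed Sysmon-style events: it flags the report's host-binary/DLL pairs (`vlc.exe`/`libvlc.dll`, `WingetUI.exe`/`hostfxr.dll`) when the DLL is loaded from outside the assumed trusted install directories, and flags PowerShell writing `.txt` files under `C:\ProgramData\PolGuid\`. The trusted-directory list, event field names and sample events are assumptions made for illustration.

```python
# Side-loading pairs named in the report: legitimate host binary -> hijacked DLL
SIDELOAD_PAIRS = {"vlc.exe": "libvlc.dll", "wingetui.exe": "hostfxr.dll"}
# Assumption: a legitimate install of these binaries lives under Program Files
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")
# Staging directory named in the report
STAGING_DIR = "c:\\programdata\\polguid\\"


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def check_image_load(event):
    """Sysmon Event ID 7 (ImageLoad): flag a known host binary loading its
    paired DLL from outside the trusted install directories."""
    host, dll = basename(event["Image"]), basename(event["ImageLoaded"])
    loaded = event["ImageLoaded"].lower()
    if SIDELOAD_PAIRS.get(host) == dll and not loaded.startswith(TRUSTED_PREFIXES):
        return f"possible DLL side-loading: {host} loaded {loaded}"
    return None


def check_file_event(event):
    """Sysmon Event ID 11 (FileCreate): flag PowerShell writing .txt files
    in the PolGuid staging directory used for task input/output."""
    target = event["TargetFilename"].lower()
    if (target.startswith(STAGING_DIR) and target.endswith(".txt")
            and basename(event["Image"]) == "powershell.exe"):
        return f"staging-file activity: powershell.exe wrote {target}"
    return None


def scan(events):
    """Return the list of alert strings produced for a sequence of events."""
    checks = {7: check_image_load, 11: check_file_event}
    alerts = []
    for ev in events:
        check = checks.get(ev["EventID"])
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not taken from the report)
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\vlc.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\libvlc.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    {"EventID": 7, "Image": r"C:\ProgramData\Tools\WingetUI.exe",
     "ImageLoaded": r"C:\ProgramData\Tools\hostfxr.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\PolGuid\out.txt"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Running the block prints three alerts: the two side-loads from non-standard directories and the PowerShell write to `out.txt`; the legitimate VLC load and the unrelated Explorer write are not flagged.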