Dust Specter APT Targets Government Officials in Iraq

In January 2026 Zscaler ThreatLabz observed an Iran‑nexus actor tracked as Dust Specter targeting Iraqi government officials using social engineering lures and previously undocumented .NET tooling including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign leveraged compromised Iraqi infrastructure, randomized C2 URI paths with checksums, JWT-based headers, ClickFix-style delivery, DLL sideloading, and signs of generative AI in the codebase. #DustSpecter #GHOSTFORM

Key points

  • ThreatLabz observed an Iran‑nexus actor (tracked as Dust Specter) impersonating Iraq’s Ministry of Foreign Affairs to target government officials in January 2026.
  • Two distinct attack chains were identified: Attack Chain 1 (SPLITDROP dropper deploying TWINTASK and TWINTALK) and Attack Chain 2 (GHOSTFORM, a consolidated .NET RAT).
  • SPLITDROP extracts encrypted resources from a password‑protected RAR, sideloads legitimate binaries (VLC, WingetUI) to launch malicious DLLs, and uses file‑based polling (in.txt/out.txt) for command execution.
  • TWINTALK implements randomized 10‑hex URI paths with a 6‑char checksum, JWTs (weak HS256 secret) in Authorization headers, User‑Agent verification, and randomized JSON keys to evade detections.
  • GHOSTFORM consolidates functionality into one binary, uses in‑memory PowerShell execution, invisible Windows forms and timer‑based delayed execution, and bot IDs derived from assembly timestamps.
  • Indicators include multiple malicious domains (e.g., meetingapp[.]site), ZIP/RAR lures with a known password, numerous file hashes and filenames, and evidence the actor reused infrastructure in previous ClickFix lures.

MITRE Techniques

  • [T1583.001] Resource Development, Acquire Infrastructure: Domains – Actor registered and used multiple domains for C2 and hosting ClickFix pages (‘Dust Specter acquired multiple domains for C2 operations and hosting ClickFix web pages.’)
  • [T1587.001] Resource Development, Develop Capabilities: Malware – Custom .NET droppers/backdoors and a RAT were developed and deployed (‘Dust Specter developed custom droppers and backdoors including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM.’)
  • [T1204.004] Execution, User Execution: Malicious Copy and Paste – ClickFix social engineering lures instruct victims to copy/paste PowerShell commands to download and execute binaries (‘This PowerShell command will: … send a GET request to hxxps://meetingapp[.]site/webexdownload …’).
  • [T1112] Persistence, Modify Registry – Malware establishes persistence by creating Run keys pointing to malicious binaries (‘Creates the Windows registry name VLC under the key HKCU:\Software\Microsoft\Windows\CurrentVersion\Run for persistence’).
  • [T1205] Defense Evasion, Traffic Signaling – C2 servers require specific User‑Agent and checksum values in URI paths to respond, evading analysis (‘C2 servers respond only to requests containing a specific hardcoded User-Agent string. The URI path should contain the correct checksum.’)
  • [T1082] Discovery, System Information Discovery – The actor issues systeminfo and similar discovery commands post‑beaconing (‘Dust Specter sends the systeminfo post-compromise command in response to TWINTALK’s beaconing.’)
  • [T1071.001] Command and Control, Application Layer Protocol: Web Protocols – Malware uses HTTPS for C2 communications (‘TWINTALK and GHOSTFORM use HTTPS for C2 communication.’)
  • [T1001.003] Command and Control, Data Obfuscation: Protocol or Service Impersonation – Malware uses a browser‑like User‑Agent string to masquerade as legitimate web traffic (‘TWINTALK and GHOSTFORM use a hardcoded User-Agent string that mimics the Chrome browser.’)
  • [T1132.001] Command and Control, Data Encoding: Standard Encoding – Command bodies and exfiltration are Base64 encoded with a random prepended character (‘The command body … are encoded using Base64 with a randomly generated character prepended to it.’)
  • [T1574.002] Execution, Hijack Execution Flow: DLL Side‑Loading – TWINTASK and TWINTALK are launched via DLL sideloading of legitimate binaries (‘Both TWINTASK and TWINTALK are launched using the DLL sideloading technique.’)
  • [T1140] Defense Evasion, Deobfuscate/Decode Files or Information – SPLITDROP decrypts an embedded AES‑256 CBC resource using a user-supplied password and PBKDF2 KDF (‘SPLITDROP uses the user-supplied password to decrypt the embedded resource and continue malicious activities.’)
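As an added, defender-side example (not code from the report or from Zscaler), the following Python scores web-proxy requests for the TWINTALK traits listed under T1205, T1071.001, T1001.003 and T1132.001 above and decodes a command body of the described form. The exact join of the 10-hex segment and the 6-character checksum is not given in the summary, so the path layout is an assumption, and the sample requests and sample token are constructed here.

```python
import base64
import json
import re

# Assumed path layout (the report summary does not give the exact join): a random
# 10-hex segment followed by a 6-character checksum segment.
URI_PATTERN = re.compile(r"^/[0-9a-f]{10}/[A-Za-z0-9]{6}$")
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"

def b64url_decode(segment):
    """Decode base64url text, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_alg(auth_header):
    """Return the 'alg' of a Bearer JWT's header, or None if absent or malformed."""
    parts = auth_header[7:].split(".") if auth_header.startswith("Bearer ") else []
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return None
    return header.get("alg") if isinstance(header, dict) else None

def score_request(path, user_agent, auth):
    """Count the TWINTALK-style traits present in one request; returns (score, reasons)."""
    reasons = []
    if URI_PATTERN.match(path):
        reasons.append("random-hex path with checksum segment")
    if jwt_alg(auth) == "HS256":
        reasons.append("HS256 JWT in Authorization header")
    if "Chrome/" in user_agent and auth.startswith("Bearer "):
        reasons.append("Chrome-like User-Agent carrying a bearer JWT")
    return len(reasons), reasons

def decode_command_body(body):
    """Drop the random prepended character, then Base64-decode the command body."""
    return base64.b64decode(body[1:]).decode()

# Constructed sample requests (not taken from the report); the JWT is built inline with
# an HS256 header so the check has a real token structure to parse.
def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
SAMPLE_JWT = "Bearer " + ".".join(_b64url(p) for p in (b'{"alg":"HS256"}', b'{"sub":"bot"}', b"sig"))
SAMPLE_REQUESTS = [
    ("lecturegenieltd.pro", "/3fa9c21be0/Q7xK2p", CHROME_UA, SAMPLE_JWT),  # C2 domain named in the report
    ("www.example.com", "/index.html", CHROME_UA, ""),
    ("api.example.net", "/v1/users", "curl/8.4.0", SAMPLE_JWT),
]
```

A Chrome-like User-Agent alone is never a signal, so only requests scoring two or more traits are worth escalating.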

Indicators of Compromise

  • [File hash] Malware and archive file hashes – 78275f3f… (CheckFopil.exe, SPLITDROP), d5ddf40b… (ecGen.exe / GHOSTFORM), and many other hashes listed in the report.
  • [Filename] Malicious filenames and decoys used in lures – mofa-Network-code.rar (password‑protected RAR), libvlc.dll (TWINTASK), hostfxr.dll (TWINTALK), and mofaSurvey_20_30_oct.zip (GHOSTFORM archive).
  • [Password] Archive extraction password – RAR archives used in delivery require the password “92,110-135_118-128”.
  • [Domain] C2 and lure domains – meetingapp[.]site (used for ClickFix/Webex lure), lecturegenieltd[.]pro (C2), and other domains such as afterworld[.]store and girlsbags[.]shop.
  • [URL] Malicious download and hosting URLs – hxxps://meetingapp[.]site/webexdownload (Webex lure download URL), hxxps://ca[.]iq/packages/mofaSurvey_20_30_oct.zip (ZIP hosting GHOSTFORM).
  • [File path] Local artifacts and polling files – C:\ProgramData\PolGuid\in.txt (command polling file), C:\ProgramData\PolGuid\out.txt (command output), and C:\ProgramData\PolGuid\VLC\VLC.exe (sideloaded executable).

Read more: https://www.zscaler.com/blogs/security-research/dust-specter-apt-targets-government-officials-iraq