Zscaler ThreatLabz uncovered a persistent espionage campaign targeting Iraqi government officials attributed with medium-to-high confidence to an Iran-nexus actor dubbed Dust Specter, which uses previously undocumented .NET droppers, backdoors, and a custom RAT for data theft and remote access. The group hijacked Iraqi government infrastructure—notably ca.iq—to host malicious payloads and employs tailored social engineering (impersonating the Ministry of Foreign Affairs, spoofing Webex invites, and ClickFix lures), protects C2 with randomized URI paths and checksum values, and appears to be leveraging generative AI to accelerate malware development. #DustSpecter #ca_iq #SPLITDROP #TWINTASK #GHOSTFORM
Key points
- Zscaler ThreatLabz attributes a targeted espionage campaign against Iraqi officials to a suspected Iran-nexus actor called Dust Specter.
- The attackers compromised Iraqi government infrastructure, including the ca.iq website, to host and distribute malicious payloads.
- Highly tailored social engineering—impersonating the Ministry of Foreign Affairs, spoofing Webex invites, and using ClickFix prompts—was used to trick victims into executing malware.
- Custom .NET tools observed include the SPLITDROP dropper, TWINTASK/TWINTALK backdoors, and the GHOSTFORM remote access trojan.
- Dust Specter protects its C2 traffic with randomized URI paths and checksum values and appears to be using generative AI to speed up malware development; defenders should harden public-facing infrastructure against compromise and tighten email filtering against the tailored lures described above.