campaign targeting Iraqi government officials by impersonating the Iraqi Ministry of Foreign Affairs. The campaign leveraged targeted social engineering techniques and malicious archives to deliver previously undocumented malware families, SPLITDROP and GHOSTFORM. SPLITDROP acts as the initial dropper responsible for deploying additional components and establishing persistence within compromised environments. The secondary payload, GHOSTFORM, executes PowerShell commands directly in memory to evade detection and minimize forensic artifacts. The attackers also employ DLL sideloading, geofencing controls, and covert command-and-control communications to maintain long-term access while bypassing conventional security monitoring mechanisms.
The campaign begins with the delivery of a password-protected RAR archive containing SPLITDROP, a .NET-based dropper responsible for initiating the infection chain and deploying additional malicious modules. During execution, SPLITDROP extracts legitimate applications such as VLC media player and WingetUI, which are then abused to perform DLL sideloading operations.
Through this mechanism, SPLITDROP loads malicious components identified as TWINTASK and TWINTALK. TWINTASK operates as a worker module that periodically reads commands stored within a local file and executes them using PowerShell, while also maintaining persistence through modifications to the Windows Registry.
The TWINTALK component functions as the command-and-control (C2) orchestrator, coordinating tasks with TWINTASK while enabling file upload and download capabilities. Communication with the attacker infrastructure is conducted using arbitrary URI paths to evade detection. In later phases of the campaign, operators introduced GHOSTFORM, which consolidates multiple functions into a single binary capable of executing PowerShell instructions directly in memory. This fileless approach significantly reduces disk artifacts and enhances operational stealth. The details of the attack campaign are discussed further below.
The campaign begins with targeted social engineering operations in which attackers impersonate Iraq’s Ministry of Foreign Affairs to persuade government officials to open a password-protected RAR archive. The archive contains SPLITDROP, a malicious .NET dropper disguised alongside legitimate software components. In certain cases, attackers also distributed fraudulent meeting invitations hosted on attacker-controlled infrastructure that mimicked legitimate collaboration platforms. These invitations prompted victims to execute PowerShell commands, enabling the download of additional malicious payloads. These delivery techniques rely heavily on user interaction and trusted institutional branding to bypass early-stage security controls. The infection chain was identified as follows.
The malware toolkit used in this campaign provides attackers with multiple capabilities designed to maintain persistent access and enable remote command execution on compromised systems. The initial dropper, SPLITDROP, deploys additional components that abuse DLL sideloading techniques through trusted applications such as VLC and WingetUI, allowing malicious code to execute under the guise of legitimate software.
The TWINTASK module functions as a worker component that periodically reads instructions from a local file and executes commands via PowerShell. The module also establishes persistence by modifying Windows Registry keys, allowing the malware to survive system reboots and maintain long-term access. This mechanism enables attackers to interact with the compromised host, execute commands, and collect system information while minimizing detection by traditional security tools.
The TWINTALK module handles communication with the command-and-control infrastructure, facilitating file uploads, downloads, and task coordination. The malware incorporates randomized URI paths and checksum validation to ensure that requests originate from legitimate infected systems. Additionally, geofencing mechanisms and User-Agent verification help restrict unauthorized access to attacker infrastructure and reduce exposure to security researchers.
In later campaign variants, attackers introduced GHOSTFORM, which consolidates the functionality of earlier modules into a single binary capable of executing PowerShell commands directly in memory. This fileless execution technique significantly reduces disk artifacts, improves stealth, and complicates detection by traditional security monitoring tools.
The campaign has been linked to the Iran-affiliated threat cluster Dust Specter, based on operational patterns and malware development techniques commonly associated with Iranian cyber operations. Indicators supporting this attribution include the use of compromised regional infrastructure, lightweight custom .NET backdoors, and tradecraft previously observed in OilRig-related operations.
The evolution from the modular TWINTASK/TWINTALK architecture toward the consolidated GHOSTFORM binary indicates ongoing improvements in operational efficiency, stealth, and attacker control.
The campaign was observed targeting Iraqi government officials and associated organizations in early 2026. Attackers utilized compromised Iraqi infrastructure to host malware payloads, increasing the credibility of the attack and improving delivery success rates. Although Iraq appears to be the primary target, the techniques and infrastructure used in this operation suggest potential expansion toward broader Middle Eastern government agencies or diplomatic institutions.
This campaign demonstrates how Iran-aligned cyber operators continue to combine custom malware development, targeted social engineering, and covert execution techniques to conduct espionage operations. By leveraging trusted software binaries, in-memory execution techniques, and controlled command-and-control communications, the attackers were able to maintain persistence while minimizing the likelihood of detection.
Successful exploitation enables attackers to obtain long-term remote access to compromised systems, allowing for data exfiltration, surveillance, and potential lateral movement across government networks. Access to sensitive systems may expose diplomatic communications, internal policy discussions, and strategic intelligence information.
Consequently, the campaign presents a significant espionage risk for government institutions and highlights the importance of enhanced monitoring of PowerShell activity, DLL sideloading behavior, and suspicious outbound network communications.
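The three behaviours the report describes (a trusted VLC or WingetUI binary loading an attacker-supplied DLL, PowerShell spawned from that sideload host, and registry-based persistence) can be correlated from endpoint telemetry. The following detection sketch is an added example, not code from the report or from the malware; it scores constructed Sysmon-style events (ImageLoad, ProcessCreate, RegistryValueSet field names assumed from Sysmon) and treats Run/RunOnce as the persistence location, which the report does not specify.

```python
"""Added detection example: flags the sideloading, PowerShell execution and
registry persistence pattern described in the Dust Specter report.
Event layout mirrors Sysmon event IDs 7 (ImageLoad), 1 (ProcessCreate) and
13 (RegistryValueSet); the sample events below are constructed, not real."""

# Legitimate applications the report names as DLL sideloading hosts.
SIDELOAD_HOSTS = {"vlc.exe", "wingetui.exe"}
# Assumed persistence location (the report only says "Registry keys").
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, detail) findings for a list of Sysmon-like event dicts."""
    findings = []
    for ev in events:
        image = _base(ev.get("Image", ""))
        eid = ev["EventID"]
        if eid == 7 and image in SIDELOAD_HOSTS:
            # A sideload host loading an unsigned DLL is the core sideloading signal.
            if ev.get("Signed", "true").lower() == "false":
                findings.append(("dll_sideload", f"{image} loaded {ev.get('ImageLoaded', '')}"))
        elif eid == 1 and _base(ev.get("ParentImage", "")) in SIDELOAD_HOSTS:
            # TWINTASK-style behaviour: the sideload host launches PowerShell.
            if image in POWERSHELL:
                findings.append(("powershell_from_sideload_host", ev.get("CommandLine", "")))
        elif eid == 13 and image in (SIDELOAD_HOSTS | POWERSHELL):
            target = ev.get("TargetObject", "")
            if any(k in target.lower() for k in RUN_KEYS):
                findings.append(("run_key_persistence", target))
    return findings


# Constructed sample telemetry: three malicious events, then one benign load.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Users\\u\\AppData\\Roaming\\vlc\\vlc.exe",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Roaming\\vlc\\libvlc.dll", "Signed": "false"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Users\\u\\AppData\\Roaming\\vlc\\vlc.exe",
     "CommandLine": "powershell.exe -NoProfile -Command <placeholder>"},
    {"EventID": 13, "Image": "C:\\Users\\u\\AppData\\Roaming\\vlc\\vlc.exe",
     "TargetObject": "HKU\\<sid>\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"EventID": 7, "Image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
     "ImageLoaded": "C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule on its own is noisy; the value is in seeing all three fire on the same host within a short window, which is the chain the report lays out.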
https://malware.news/t/dust-specter-apt-targets-government-officials-in-iraq/104524