Iran-Linked “Dust Specter” APT Targets Iraqi Government Officials with Custom .NET Malware and AI-Assisted Tooling

In January 2026, security researchers identified a sophisticated cyber-espionage operation targeting high-value individuals — specifically government officials with ties to Iraq’s Ministry of Foreign Affairs. The campaign used previously undocumented custom malware and command-and-control infrastructure, and is attributed with medium-to-high confidence to a suspected Iran-nexus APT tracked by ThreatLabz as Dust Specter.

This technical article examines the attack chains, malware components, command-and-control (C2) behavior, persistence mechanisms, evasion techniques, and attribution evidence disclosed in the analysis.


Campaign Overview

The Dust Specter operation leveraged two distinct attack chains to gain execution on victim systems:

  1. Attack Chain 1 — a split architecture involving a dropper (SPLITDROP) and dual backdoors (TWINTASK and TWINTALK).
  2. Attack Chain 2 — a consolidated remote access trojan (RAT) named GHOSTFORM, which packs all functionality into a single executable.

All malware analyzed was .NET-based and deliberately lightweight, with minimal obfuscation. TTP (tactics, techniques, and procedures) analysis showed strong overlap with known Iran-linked APT behaviors, such as custom HTTP beaconing, JWT authentication tokens, and social engineering lures masquerading as official government assets.


Attack Chain 1: SPLITDROP + TWINTASK + TWINTALK

SPLITDROP — Dropper Component

The initial vector in Attack Chain 1 is delivered inside a password-protected RAR archive (mofa-Network-code.rar). Inside sits a 32-bit .NET binary posing as a legitimate WinRAR application; it acts as a dropper and is internally dubbed SPLITDROP by researchers.

Key behaviors of SPLITDROP:

  • Displays a password prompt to extract an embedded encrypted ZIP resource.
  • Upon correct password entry, decrypts a resource named CheckFopil.PolGuid.zip using AES-256-CBC with PKCS7 padding.
  • Writes and extracts this ZIP to C:\ProgramData\PolGuid\.
  • Executes a legitimate VLC.exe binary to proceed to the next stage while sideloading malicious libraries.

This technique allows the threat actor to blend malicious execution with trusted binaries, increasing chances of bypassing heuristic defenses.


TWINTASK — Worker Module

Once SPLITDROP executes VLC.exe from the extraction directory, the legitimate executable unwittingly sideloads a malicious DLL named libvlc.dll. This DLL, dubbed TWINTASK, serves as the worker module.

TWINTASK’s responsibilities include:

  • Polling a local file (C:\ProgramData\PolGuid\in.txt) every 15 seconds for commands.
  • Upon detecting data in in.txt, it skips the first character, Base64-decodes the remainder into a PowerShell script, and executes it with a 600-second timeout.
  • Outputs and errors from PowerShell execution are captured in out.txt, which TWINTALK later exfiltrates to the threat actor.

This polling model creates a file-mediated command pipeline between modules with minimal network exposure.
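
When responding on a host where this pipeline is present, the first question is what command was queued and what came back. The Python below is an added example written for this article, not code from the ThreatLabz report or from the malware itself. It mirrors the decoding described above (drop the first character, Base64-decode the rest) so a responder can recover the script from in.txt, and collects out.txt alongside it. The sample payloads are constructed; the leading character is a placeholder because the report does not say what it is, and the UTF-16LE fallback is an assumption since the report does not state the script's encoding.

```python
import base64
import binascii
from pathlib import Path
from typing import Dict, Optional

# Paths of the file-mediated pipeline named in the report.
PIPELINE_DIR = Path("C:/ProgramData/PolGuid")
COMMAND_FILE = PIPELINE_DIR / "in.txt"
OUTPUT_FILE = PIPELINE_DIR / "out.txt"

# Constructed samples of what TWINTALK writes into in.txt for a Type 0 command.
# The leading character that TWINTASK skips is not described in the report;
# "1" is a placeholder.
SAMPLE_UTF8 = "1" + base64.b64encode(b"Get-Process | Out-File out.txt").decode()
SAMPLE_UTF16 = "1" + base64.b64encode("Get-Date".encode("utf-16-le")).decode()


def decode_twintask_command(raw: str) -> Optional[str]:
    """Recover the PowerShell script TWINTASK would execute from in.txt content.

    Mirrors the behaviour described in the report: drop the first character,
    Base64-decode the remainder. Returns None for empty or non-Base64 content.
    """
    body = raw[1:].strip()
    if not body:
        return None
    try:
        decoded = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Assumption: the script is UTF-8. Fall back to UTF-16LE (the encoding
    # PowerShell uses for -EncodedCommand) when NUL bytes show wide text.
    if b"\x00" in decoded:
        try:
            return decoded.decode("utf-16-le")
        except UnicodeDecodeError:
            pass
    return decoded.decode("utf-8", errors="replace")


def triage_pipeline(directory: Path = PIPELINE_DIR) -> Dict[str, Optional[str]]:
    """Collect the pending command and the last captured output, if present."""
    result: Dict[str, Optional[str]] = {"command": None, "output": None}
    cmd = directory / "in.txt"
    out = directory / "out.txt"
    if cmd.is_file():
        result["command"] = decode_twintask_command(cmd.read_text(errors="replace"))
    if out.is_file():
        result["output"] = out.read_text(errors="replace")
    return result


if __name__ == "__main__":
    print(decode_twintask_command(SAMPLE_UTF8))
    print(decode_twintask_command(SAMPLE_UTF16))
```

Run `triage_pipeline()` on a mounted image or live host to pull both files in one step; an unreadable or empty in.txt simply yields `None` for the command, which itself tells you the worker had already consumed it.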


TWINTALK — C2 Orchestrator

The second malicious component, TWINTALK, is executed when another benign binary (WingetUI.exe) is launched and sideloads a malicious DLL (hostfxr.dll). TWINTALK functions as the command and control orchestrator.
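
Both sideload pairs described so far (VLC.exe loading libvlc.dll, WingetUI.exe loading hostfxr.dll) can be hunted with one module-load rule. The Python below is an added example, not part of the original analysis: it runs over constructed image-load events of the kind Sysmon Event ID 7 records and flags a watched DLL loaded from outside an assumed set of trusted install roots, as well as any image under the C:\ProgramData\PolGuid\ staging directory named in the report. The trusted roots and the event layout are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List


@dataclass(frozen=True)
class ImageLoad:
    """One module-load event (e.g. Sysmon Event ID 7), reduced to what the rule needs."""
    process_image: str   # full path of the process that loaded the module
    image_loaded: str    # full path of the DLL that was mapped


# Host binary -> DLL name pairs described in the report.
SIDELOAD_PAIRS = {
    "vlc.exe": {"libvlc.dll"},
    "wingetui.exe": {"hostfxr.dll"},
}
# Assumption: legitimate installs of these hosts live under these roots.
TRUSTED_ROOTS = ("C:\\Program Files", "C:\\Program Files (x86)", "C:\\Windows")
# Extraction directory named in the report.
STAGING_DIR = "C:\\ProgramData\\PolGuid"

# Constructed sample events.
SAMPLE_EVENTS = [
    # 1) SPLITDROP staging: relocated vlc.exe loads a libvlc.dll planted beside it
    ImageLoad(r"C:\ProgramData\PolGuid\vlc.exe", r"C:\ProgramData\PolGuid\libvlc.dll"),
    # 2) Legitimate VLC running from its install directory
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r"C:\Program Files\VideoLAN\VLC\libvlc.dll"),
    # 3) TWINTALK: WingetUI.exe loads hostfxr.dll from the staging directory
    ImageLoad(r"C:\ProgramData\PolGuid\WingetUI.exe", r"C:\ProgramData\PolGuid\hostfxr.dll"),
    # 4) Unrelated system activity
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\ntdll.dll"),
]


def _norm(path: str) -> str:
    """Case-insensitive, backslash-normalised form of a Windows path."""
    return str(PureWindowsPath(path)).lower()


def _under(path: str, root: str) -> bool:
    """True if path is strictly inside root (directory boundary respected)."""
    return _norm(path).startswith(_norm(root) + "\\")


def detect_sideloads(events: List[ImageLoad]) -> List[Dict]:
    """Return one alert per suspicious event, each with the reasons it fired."""
    alerts = []
    for ev in events:
        proc = PureWindowsPath(ev.process_image)
        mod = PureWindowsPath(ev.image_loaded)
        reasons = []
        watched = SIDELOAD_PAIRS.get(proc.name.lower(), set())
        if mod.name.lower() in watched and not any(_under(ev.image_loaded, r) for r in TRUSTED_ROOTS):
            reasons.append(f"{proc.name} loaded {mod.name} from outside a trusted install root")
        if _under(ev.image_loaded, STAGING_DIR) or _under(ev.process_image, STAGING_DIR):
            reasons.append(f"image under staging directory {STAGING_DIR}")
        if reasons:
            alerts.append({"process": ev.process_image, "module": ev.image_loaded, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_sideloads(SAMPLE_EVENTS):
        print(alert["process"], "->", alert["module"], "|", "; ".join(alert["reasons"]))
```

The first check generalises beyond this campaign: any host binary that is known to search its own directory for a DLL becomes a sideload candidate the moment that DLL is mapped from a path where the vendor never installs it. The staging-directory check is campaign-specific and is the cheaper, higher-confidence signal while the infrastructure described here is in use.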

Notable features of TWINTALK:

  • Beaconing loop: TWINTALK periodically contacts C2 servers using randomized delays (108–180 seconds) to evade detection.
  • Dynamic URI generation: Instead of static endpoints, TWINTALK generates a 10-character random hex string, appends a 6-character checksum (seeded with constant 0xABCDEF), and uses this as the request path.
  • Bearer token authentication: A JSON Web Token (JWT) carrying the bot ID and version is sent in the Authorization header. The JWT is signed with a weak secret (“_”), suggesting the token exists to make the traffic resemble ordinary authenticated API calls rather than to provide real security.
  • User-Agent mimicry: TWINTALK sets a spoofed User-Agent string mirroring a modern web browser to blend with normal traffic.

TWINTALK supports three primary C2 commands:

  Command type | Action
  -------------+---------------------------------------------------------------------
  Type 0       | Write the decoded PowerShell payload to in.txt (executed by TWINTASK)
  Type 1       | Download a file from the C2 to a specified local path
  Type 2       | Upload a file from the local system back to the C2

By parsing JSON responses by position rather than keys, TWINTALK defeats simple signature-based inspection.
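
The three traits listed above (16-character hex request paths, a bearer JWT signed with the secret “_”, and 108–180 second gaps between beacons) are all visible in web proxy logs. The Python below is an added example, not code from the report. It verifies each bearer token under the weak secret (HS256 is an assumption; the report names the secret but not the algorithm), checks the path shape (the checksum alphabet is assumed to be hex), and measures per-client request gaps. The log format, client addresses, internal hostname and the bot_id/version claim names are constructed placeholders; the C2 hostname is one of the domains listed in the report.

```python
import base64
import hashlib
import hmac
import json
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List

WEAK_SECRET = b"_"                  # JWT signing secret named in the report
BEACON_MIN, BEACON_MAX = 108, 180   # TWINTALK sleep window in seconds
# 10 random hex chars + 6-char checksum; the checksum alphabet is assumed hex.
PATH_RE = re.compile(r"^/[0-9a-f]{16}$")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT; used only to construct the sample log below."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verifies_with_weak_secret(token: str, secret: bytes = WEAK_SECRET) -> bool:
    """True if the token is HS256 and its signature validates under the weak secret.

    A JWT that verifies under "_" is, for practical purposes, never legitimate
    application traffic. HS256 is an assumption; the report names only the secret.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, payload, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return False
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, _b64url_decode(sig))
    except ValueError:  # bad Base64, bad JSON or bad UTF-8 in the token
        return False


# Constructed proxy log: ts|client|method|host|path|user_agent|authorization.
# Claim names bot_id/version are placeholders for the fields the report mentions.
_WEAK_TOKEN = make_jwt({"bot_id": "PLACEHOLDER-BOT-ID", "version": "1.0"}, WEAK_SECRET)
_REAL_TOKEN = make_jwt({"sub": "alice"}, b"a-properly-random-application-secret")
_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
SAMPLE_LOG = [
    f"2026-01-15T12:00:00|10.0.0.5|GET|lecturegenieltd.pro|/0123456789abcdef|{_UA}|Bearer {_WEAK_TOKEN}",
    f"2026-01-15T12:02:00|10.0.0.5|GET|lecturegenieltd.pro|/9f8e7d6c5b4a3210|{_UA}|Bearer {_WEAK_TOKEN}",
    f"2026-01-15T12:04:30|10.0.0.5|GET|lecturegenieltd.pro|/a1b2c3d4e5f60718|{_UA}|Bearer {_WEAK_TOKEN}",
    f"2026-01-15T12:00:00|10.0.0.9|GET|intranet.example|/api/v1/users|{_UA}|Bearer {_REAL_TOKEN}",
    f"2026-01-15T12:00:05|10.0.0.9|GET|intranet.example|/static/app.js|{_UA}|-",
    f"2026-01-15T12:05:05|10.0.0.9|POST|intranet.example|/api/v1/session|{_UA}|Bearer {_REAL_TOKEN}",
]


def parse_line(line: str) -> dict:
    ts, client, method, host, path, ua, auth = line.rstrip("\n").split("|", 6)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host, "path": path, "ua": ua, "auth": auth}


def analyse(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {client: [reasons]} for clients whose traffic shows TWINTALK traits."""
    by_client: Dict[str, list] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_client[rec["client"]].append(rec)

    findings: Dict[str, List[str]] = {}
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        reasons = []
        if all(PATH_RE.match(r["path"]) for r in reqs):
            reasons.append("every request path is a bare 16-char hex string")
        weak = [r for r in reqs
                if r["auth"].startswith("Bearer ") and verifies_with_weak_secret(r["auth"][7:])]
        if weak:
            reasons.append(f"{len(weak)} bearer JWT(s) verify under the secret '_'")
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        if gaps and all(BEACON_MIN <= g <= BEACON_MAX for g in gaps):
            reasons.append("all inter-request gaps fall in the 108-180 s beacon window")
        if reasons:
            findings[client] = reasons
    return findings
```

The weak-secret check is the decisive one: a timing or path heuristic alone will fire on ordinary polling clients, but no legitimate service signs tokens with a one-character secret, so a single verified token is enough to escalate. Run `analyse()` over a day of proxy records grouped by source address; the path and timing reasons then serve to prioritise hosts when the token is absent or has been changed.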


Attack Chain 2: GHOSTFORM – Unified RAT

In contrast to the split architecture above, GHOSTFORM consolidates all functionality in a single .NET binary. Key differentiators include:

  • Invisible UI delay mechanism: Utilizes an invisible Windows form to delay execution with randomized jitter, thwarting static analysis.
  • In-memory PowerShell execution: Commands from the C2 are executed directly in memory, reducing file system artifacts.
  • Social engineering lure: GHOSTFORM opens a Google Form URL disguised in Arabic as an official Ministry survey to prompt user interaction.
  • Mutex locking: Ensures only a single instance runs at once.
  • Bot ID generation: Rather than a random ID, GHOSTFORM derives its bot identifier from the assembly’s creation timestamp.

GHOSTFORM supports the same remote command framework as TWINTALK, but its unified structure and in-memory scripting simplify deployment and make detection harder.


Generative AI Usage in Malware Development

One notable discovery was the use of emojis and Unicode strings in the malware code — a hallmark of generative AI-assisted coding. Examples found in checksum routines and error returns strongly suggest that the malware authors employed AI tools during development.

This trend of leveraging AI for malware authorship is increasingly observed and poses new detection challenges.


ClickFix and Additional Lures

Researchers also identified artifacts indicating previous use of ClickFix-style social engineering, where the C2 domain (meetingapp[.]site) hosted fake Cisco Webex invitations. A PowerShell script further established persistence via scheduled tasks.


Attribution

ThreatLabz attributes the Dust Specter campaign to an Iran-nexus APT based on:

  • Victim targeting (Iraqi government officials).
  • Tool design and network behaviors similar to those of known Iran-linked groups (e.g., APT34).
  • Compromise of Iraqi government infrastructure for hosting malicious payloads.
  • Social engineering techniques consistent with past Iran-nexus operations.

These indicators collectively support medium-to-high confidence in attribution.


Indicators of Compromise (IOCs)

File Indicators

Multiple hashes of SPLITDROP, TWINTASK, TWINTALK, GHOSTFORM binaries, and associated archives were provided in the ThreatLabz report to aid detection and response.

Network Indicators

Known C2 domains associated with the campaign include:

  • lecturegenieltd[.]pro
  • meetingapp[.]site
  • afterworld[.]store
  • girlsbags[.]shop
  • onlinepettools[.]shop
  • web14[.]info / web27[.]info
  • Hosting URL: hxxps://ca[.]iq/packages/mofaSurvey_20_30_oct.zip


Defensive Recommendations

Organizations with exposure to Middle East-region diplomatic networks should consider:

  • Enabling detection signatures for Win32.Dropper.SPLITDROP, Win32.Trojan.TWINTASK, Win32.Backdoor.TWINTALK, and Win32.RAT.GHOSTFORM on endpoint defenses.
  • Monitoring for anomalous JWT-based HTTP beaconing traffic.
  • Blocking communication to the listed C2 domains.
  • Educating users on social engineering tactics involving fake surveys and meeting invitations.


Conclusion

The Dust Specter APT campaign represents a targeted espionage threat that pairs sophisticated custom tooling with evolving social engineering tactics. By combining fileless execution, dynamic C2 communication, and AI-assisted code development, this threat underscores the need for modern defenses that correlate behavior, not just signatures.