Cyber: Dust Specter Targets Iraqi Officials With New Splitdrop And...
A suspected Iran-nexus threat actor has been attributed to a campaign targeting government officials in Iraq by impersonating the country's Ministry of Foreign Affairs to deliver a set of never-before-seen malware.
Zscaler ThreatLabz, which observed the activity in January 2026, is tracking the cluster under the name Dust Specter. The attacks, which manifest in the form of two different infection chains, culminate in the deployment of malware dubbed SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM.
"Dust Specter used randomly generated URI paths for command-and-control (C2) communication with checksum values appended to the URI paths to ensure that these requests originated from an actual infected system," security researcher Sudeep Singh said. "The C2 server also utilized geofencing techniques and User-Agent verification."
A notable aspect of the campaign is the compromise of Iraqi government-related infrastructure to stage the malicious payloads, alongside the use of evasion techniques that delay execution to stay under the radar.
The first attack sequence begins with a password-protected RAR archive, within which there exists a .NET dropper named SPLITDROP, which acts as a conduit for TWINTASK, a worker module, and TWINTALK, a C2 orchestrator.
TWINTASK, for its part, is a malicious DLL ("libvlc.dll") that's sideloaded by the legitimate "vlc.exe" binary to periodically poll a file ("C:\ProgramData\PolGuid\in.txt") every 15 seconds for new commands and run them using PowerShell. This also includes commands to establish persistence on the host via Windows Registry changes. The script output and errors are captured in a separate text file ("C:\ProgramData\PolGuid\out.txt").
TWINTASK, upon first launch, is designed to execute another legitimate binary present in the extracted archive ("WingetUI.exe"), causing it to sideload the TWINTALK DLL ("hostfxr.dll"). TWINTALK's primary goal is to reach out to the C2 server for new commands, coordinate tasks with TWINTASK, and exfiltrate the results back to the server. It supports the ability to write the command body from the C2 response to "in.txt," as well as download and upload files.
"The C2 orchestrator works in parallel with the previously described worker module to implement a file-based polling mechanism used for code execution," Singh said. "Upon execution, TWINTALK enters a beaconing loop and delays execution by a random interval before polling the C2 server for new commands."
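The tradecraft described above (two legitimate binaries each sideloading a DLL from the extracted archive, a file-based command channel under C:\ProgramData\PolGuid, and PowerShell spawned by a media player) lends itself to simple endpoint detection logic. The following is an added example, not code from the article or from Zscaler ThreatLabz: it runs three heuristics over constructed Sysmon-style events. The trusted install roots, the sample file paths, and the PowerShell command line are assumptions for illustration; only the binary names, DLL names, and the PolGuid in.txt/out.txt paths come from the article.

```python
"""Detection heuristics for the TWINTASK/TWINTALK tradecraft described above.
Example code; events are constructed, not real captures."""
from dataclasses import dataclass
import ntpath

# Indicators from the article: legitimate host binaries and the DLLs they sideload,
# plus the file-based command channel under C:\ProgramData\PolGuid.
SIDELOAD_PAIRS = {
    "vlc.exe": "libvlc.dll",        # TWINTASK (worker module)
    "wingetui.exe": "hostfxr.dll",  # TWINTALK (C2 orchestrator)
}
POLL_DIR = "c:\\programdata\\polguid"
POLL_FILES = {"in.txt", "out.txt"}
# Assumed install roots for the genuine binaries; loading the paired DLL from
# anywhere else next to the EXE is treated as sideloading (assumption, not from the article).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Event:
    event_type: str    # "image_load", "file_create" or "process_create"
    image: str         # full path of the acting process image
    target: str = ""   # loaded DLL path, created file path, or child command line
    parent: str = ""   # parent image path (process_create only)


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def check_event(ev):
    """Return a list of (rule_name, detail) hits for a single event."""
    hits = []
    exe = _base(ev.image)
    if ev.event_type == "image_load":
        dll = _base(ev.target)
        if SIDELOAD_PAIRS.get(exe) == dll:
            # Sideload heuristic: paired DLL sits beside the EXE, outside a trusted root.
            same_dir = _dir(ev.target) == _dir(ev.image)
            untrusted = not _dir(ev.image).startswith(TRUSTED_ROOTS)
            if same_dir and untrusted:
                hits.append(("dll_sideload", f"{exe} loaded {dll} from {_dir(ev.image)}"))
    elif ev.event_type == "file_create":
        # Writes to the in.txt/out.txt polling channel by any process.
        if _dir(ev.target) == POLL_DIR and _base(ev.target) in POLL_FILES:
            hits.append(("polguid_command_file", f"{exe} wrote {ev.target}"))
    elif ev.event_type == "process_create":
        # A media player or package-manager UI has no business launching PowerShell.
        if _base(ev.parent) in SIDELOAD_PAIRS and exe == "powershell.exe":
            hits.append(("media_app_spawns_powershell", f"{_base(ev.parent)} -> {ev.target}"))
    return hits


def scan(events):
    """Run check_event over an event stream and collect every hit in order."""
    hits = []
    for ev in events:
        hits.extend(check_event(ev))
    return hits


# Constructed sample telemetry (paths and command line are illustrative assumptions).
SAMPLE_EVENTS = [
    # Benign: real VLC loading its own DLL from the install directory.
    Event("image_load", r"C:\Program Files\VideoLAN\VLC\vlc.exe",
          r"C:\Program Files\VideoLAN\VLC\libvlc.dll"),
    # Sideloads from an extracted archive in the user's Downloads folder.
    Event("image_load", r"C:\Users\u\Downloads\extracted\vlc.exe",
          r"C:\Users\u\Downloads\extracted\libvlc.dll"),
    Event("image_load", r"C:\Users\u\Downloads\extracted\WingetUI.exe",
          r"C:\Users\u\Downloads\extracted\hostfxr.dll"),
    # TWINTALK writes the command, TWINTASK writes the result.
    Event("file_create", r"C:\Users\u\Downloads\extracted\WingetUI.exe",
          r"C:\ProgramData\PolGuid\in.txt"),
    Event("file_create", r"C:\Users\u\Downloads\extracted\vlc.exe",
          r"C:\ProgramData\PolGuid\out.txt"),
    Event("process_create", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoProfile -Command ...",  # constructed command line
          parent=r"C:\Users\u\Downloads\extracted\vlc.exe"),
    # Same directory, but not one of the polling files: no hit.
    Event("file_create", r"C:\Windows\explorer.exe", r"C:\ProgramData\PolGuid\readme.txt"),
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

In a real deployment the same three rules map onto Sysmon Event IDs 7 (image load), 11 (file create) and 1 (process create); the directory comparison is the part that separates the genuine VLC from the sideloaded copy, so tune TRUSTED_ROOTS to wherever your fleet actually installs these applications.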
The second attack chain represe
Source: The Hacker News