Iranian Cyber Threat Actor Targets Iraqi Government Officials

An Iran-nexus cyber threat actor has been targeting government officials in Iraq by impersonating Iraq’s Ministry of Foreign Affairs, with the use of AI tools.

Government–related infrastructure in Iraq was compromised and used to host malicious payloads distributed as part of this campaign.

The campaign was detected in January 2026 by Zscaler ThreatLabz, which track the threat actor as Dust Specter and have attributed it to Iran “with medium to high confidence.”

ThreatLabz discovered the use of previously undocumented malware in this campaign, including Split Drop, TwinTask, TwinTalk and GhostForm.

The researchers also observed several fingerprints in the codebase indicating that Dust Specter leveraged generative AI for malware development.

Dust Specter’s January 2026 Attack Campaign Explained

The malicious campaign has been deployed following two distinct attack chains.

The first attack chain involves the delivery of a password-protected RAR archive named mofa-Network-code.rar. A 32-bit .NET binary, disguised as a WinRAR application, is present inside this archive and starts the attack chain on the endpoint. ThreatLabz called this binary SplitDrop.

This binary functions as a dropper for TwinTask and TwinTalk, two malicious dynamic-link library (DLL) files.

TwinTask’s main purpose is to poll a file for new commands available for execution and run them using PowerShell to ensure persistence on the target environment.

TwinTalk functions as a command-and-control (C2) orchestrator, the main purpose of which is to poll the C2 server for new commands, coordinate with the worker module and exfiltrate the results of command execution.

TwinTask and TwinTalk work in parallel to implement a file-based polling mechanism used for code execution.

In the report about this campaign, published on March 2, the ThreatLabz researchers said that the TwinTalk C2 domain, was also used by Dust Specter in July 2025 to host a web page disguised as a Cisco Webex meeting invitation.

The web page included a link to download the legitimate Cisco Webex software and prompted the victim to choose the “Webex for Government” option, luring the victim into following the instructions to retrieve the meeting ID.

These instructions are a typical social engineering method employed by threat actors to implement ClickFix-style attacks.

The second attack chain consolidates all the functionality of the first attack chain into a single binary.

It uses Google Forms as a social engineering lure and in-memory PowerShell script execution to execute the commands received from the C2 server, reducing the filesystem footprint.

Google Form displayed by GhostForm to the victim as a social engineering lure. Source: Zscaler ThreatLabz

Unlike the first attack chain, the threat actor does not use a split architecture with DLL sideloading in this case. Instead, they use a .NET-based remote access trojan (RAT), dubbed GhostForm by ThreatLabz, that consolidates all the functionality of the first attack chain into one binary and uses in-memory PowerShell script execution.

ThreatLabz identified the use of emojis and unicode text in the codebase when decompiling TwinTalk and GhostForm.

“This unusual coding style strongly suggests that generative AI tools were utilized during the malware's development, and is a trend documented in other campaigns,” they wrote.

Iranian Cyber Threat Actor Targets Iraqi Government Officials in AI-Powered Campaign

Kevin Poireault

Dust Specter’s January 2026 Attack Campaign Explained

You may also like

China intensifies Cyber-Attacks on Taiwan as Energy Sector Sees Tenfold Spike

Russian Hacking Group Sandworm Deploys New Wiper Malware in Ukraine

Chinese Hackers Use 'BRICKSTORM' Backdoor to Breach US Firms

Iranian Hackers Deploy New Android Spyware Version

Russian APT Groups Intensify Attacks in Europe with Zero-Day Exploits and Wipers

What’s Hot on Infosecurity Magazine?

Chrome Unveils Plan For Quantum-Safe HTTPS Certificates

Hybrid Middle East Conflict Triggers Surge in Global Cyber Activity

AI-powered Cyber-Attacks Up Significantly in the Last Year, Warns CrowdStrike

Expect Iran to Launch Cyber-Attacks Globally, Warns Google Head of Threat Intel

Ransomware Payments Decline 8% as Attacks Surge 50%

Cybersecurity M&A Roundup: Firms Focus on AI Agents, as Check Point Announces Three Acquisitions

AI-powered Cyber-Attacks Up Significantly in the Last Year, Warns CrowdStrike

Shai-Hulud-Like Worm Targets Developers via npm and AI Tools

Exploitable Vulnerabilities Present in 87% of Organizations

Google Disrupts ‘Prolific’ and ‘Elusive’ China-Linked Global Hacking Campaign

How To Enhance Security Operations with AI-Powered Defenses

Global Cyber Agencies Urge Immediate Patching of Cisco SD-WAN Zero Day

How To Enhance Security Operations with AI-Powered Defenses

What’s Next for AI Identity in 2026

Why Your Organisation Needs Trusted Time Synchronisation

Geopolitics: How to be a Cybersecurity Leader in an Unstable World

Securing the AI Era: A CISO’s Perspective

Redefining Risk Management for the 2026 Enterprise

The Intelligence Edge: Clarity, Context and the Human Advantage in Modern CTI

Future-Proofing Critical Infrastructure: National Gas CTO Darren Curley on IT/OT Security Integration

Hundreds of Malicious Crypto Trading Add-Ons Found in Moltbot/OpenClaw

Russian Cyber Threat Actor Uses GenAI to Compromise Fortinet Firewalls

Why Ransomware Remains One of Cybersecurity’s Most Persistent and Costly Threats

Psychology, AI and the Modern Security Program: A CISO’s Guide to Human Centric Defence

Iranian Cyber Threat Actor Targets Iraqi Government Officials in AI-Powered Campaign

Written by

Dust Specter’s January 2026 Attack Campaign Explained

You may also like

What’s Hot on Infosecurity Magazine?