Dust Specter Targets Iraqi Officials with SPLITDROP and GHOSTFORM Malware

Tags: Iran, Iraq, Government, Social Engineering, Custom Malware, AI-Assisted Development

A suspected Iran-nexus threat actor, tracked as Dust Specter, has been conducting sophisticated social engineering campaigns against Iraqi government officials since January 2026. The operation impersonates Iraq's Ministry of Foreign Affairs to deliver previously unknown malware families, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign demonstrates advanced evasion techniques, stages payloads on compromised Iraqi government infrastructure, and may have used generative AI in malware development.

Indicators of Compromise

onlinepettools.shop
web14.info
lecturegenieltd.pro
web27.info
this.is
meetingapp.site
girlsbags.shop
afterworld.store

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

DETECTION

T1566.001 - Spearphishing Attachment


ID     | Data Source     | Description
-------|-----------------|------------
DS0022 | File            | Monitor for suspicious RAR archives and .NET executables with government-themed lures
DS0029 | Network Traffic | Detect C2 communications with checksum-appended URI paths and geofencing patterns


T1055 - Process Injection


ID     | Data Source | Description
-------|-------------|------------
DS0009 | Process     | Monitor for DLL sideloading activities involving legitimate binaries (vlc.exe, WingetUI.exe)
DS0011 | Module      | Detect loading of suspicious DLLs (libvlc.dll, hostfxr.dll) in unexpected contexts
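One way to turn the two T1055 rows above into a concrete check, written here as an added example and not taken from the page or from any vendor tooling: it consumes records shaped like Sysmon Event ID 7 (process image plus loaded module) and flags the DLLs the page names (libvlc.dll, hostfxr.dll) whenever they load from outside an allowlist of expected install directories, adding weight when the named host binary (vlc.exe, WingetUI.exe) sits in the same user-writable folder as the DLL. The allowlist, the user-writable path markers and the sample events are constructed assumptions for a hypothetical fleet, not data from the campaign.

```python
import ntpath

# DLL names and host binaries named in the detection rows above.
WATCHED_DLLS = {"libvlc.dll", "hostfxr.dll"}
HOST_BINARIES = {"vlc.exe", "wingetui.exe"}

# Assumption: directories from which these DLLs are expected to load on a
# managed host. Placeholder allowlist; replace with the fleet's real install paths.
EXPECTED_DIRS = (
    r"c:\program files\videolan\vlc",
    r"c:\program files\dotnet\host\fxr",
)

# Assumption: path fragments marking locations a standard user can write to,
# where a copied legitimate binary and its sideloaded DLL would typically be staged.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")


def _norm(path):
    """Lower-case and backslash-normalise a Windows path for comparison."""
    return path.replace("/", "\\").lower()


def classify_image_load(event):
    """Return a reason string when an image-load record looks like sideloading,
    or None when it does not. `event` carries 'image' (process path) and
    'loaded' (module path), mirroring the Sysmon Event ID 7 fields."""
    image, loaded = _norm(event["image"]), _norm(event["loaded"])
    dll_name, proc_name = ntpath.basename(loaded), ntpath.basename(image)
    if dll_name not in WATCHED_DLLS:
        return None
    dll_dir = ntpath.dirname(loaded)
    if any(dll_dir.startswith(d) for d in EXPECTED_DIRS):
        return None  # loaded from where the real product installs it

    reasons = []
    if proc_name in HOST_BINARIES:
        reasons.append(f"{proc_name} loaded {dll_name} from outside expected directories")
    else:
        reasons.append(f"{dll_name} loaded by unexpected process {proc_name}")
    if any(marker in dll_dir + "\\" for marker in USER_WRITABLE_MARKERS):
        reasons.append("DLL resides in a user-writable location")
    if ntpath.dirname(image) == dll_dir:
        reasons.append("host binary and DLL sit in the same directory")
    return "; ".join(reasons)


# Constructed sample records (not from the campaign): one legitimate VLC load,
# two staged copies in user-writable folders, and one unrelated system DLL load.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\staging\vlc.exe",
     "loaded": r"C:\Users\bob\AppData\Local\Temp\staging\libvlc.dll"},
    {"image": r"C:\Users\bob\Downloads\WingetUI.exe",
     "loaded": r"C:\Users\bob\Downloads\hostfxr.dll"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]


def scan(events):
    """Return (image, reason) pairs for every event that is flagged."""
    hits = []
    for ev in events:
        reason = classify_image_load(ev)
        if reason:
            hits.append((ev["image"], reason))
    return hits


if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

The allowlist is the part that needs tuning per environment: hostfxr.dll in particular is a normal .NET host component, so the check only carries signal when the load path falls outside the locations where the runtime is actually installed.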


T1053.005 - Scheduled Task/Job


ID     | Data Source   | Description
-------|---------------|------------
DS0003 | Scheduled Job | Monitor creation of scheduled tasks with 2-hour intervals and suspicious executable paths
DS0017 | Command       | Detect PowerShell execution patterns associated with task creation and C2 communication
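A worked check for the T1053.005 rows above, added here as an example and not part of the page or any vendor product: it parses Task Scheduler task definitions (the XML that `schtasks /query /xml` exports and that Security event 4698 embeds), converts the trigger's ISO 8601 repetition interval to seconds, and reports a task only when a 2-hour interval coincides with an action that references a user-writable path or launches PowerShell. The user-writable path markers and both task definitions are constructed assumptions, not artefacts from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: path fragments marking locations a standard user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Task Scheduler expresses intervals as ISO 8601 durations, e.g. PT2H or P1DT30M.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text):
    """Convert the duration subset Task Scheduler uses into seconds."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def inspect_task(xml_text, interval_seconds=2 * 3600):
    """Return findings for one task definition. A 2-hour repetition on its own
    is common for legitimate software, so the task is reported only when the
    interval matches AND at least one action looks suspicious."""
    root = ET.fromstring(xml_text)
    intervals = [iso_duration_seconds(e.text) for e in root.findall(".//t:Repetition/t:Interval", NS)]
    if interval_seconds not in intervals:
        return []

    action_findings = []
    for exec_el in root.findall(".//t:Actions/t:Exec", NS):
        command = exec_el.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=NS).strip()
        full = f"{command} {arguments}".strip()
        low = full.lower()
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            action_findings.append(f"action references a user-writable path: {full}")
        if "powershell" in low:
            action_findings.append(f"action launches PowerShell: {full}")

    if not action_findings:
        return []
    return [f"repeats every {interval_seconds // 3600}h"] + action_findings


# Constructed sample definitions (not from the campaign). The first repeats
# every two hours and runs a PowerShell script from the user's profile; the
# second also repeats every two hours but runs a vendor agent from Program Files.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT2H</Interval></Repetition>
      <StartBoundary>2026-01-15T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-File C:\Users\bob\AppData\Roaming\updater\task.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT2H</Interval></Repetition>
      <StartBoundary>2026-01-15T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\agent.exe</Command>
      <Arguments>--heartbeat</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, inspect_task(xml_text))
```

Requiring both conditions keeps the alert volume manageable: the interval alone matches plenty of legitimate updaters, and a PowerShell action alone matches many administrative tasks, but a PowerShell script under a user profile that fires every two hours is worth an analyst's attention.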

Observed Countries

IQ (482)