
Dust Specter Targets Iraqi Officials with SPLITDROP and GHOSTFORM Malware
Tags: Iran, Iraq, Government, Social Engineering, Custom Malware, AI-Assisted Development
A suspected Iran-nexus threat actor, tracked as Dust Specter, has been conducting sophisticated social engineering campaigns against Iraqi government officials since January 2026. The operation impersonates Iraq's Ministry of Foreign Affairs to deliver previously unknown malware families, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign uses advanced evasion techniques, stages payloads on compromised Iraqi government infrastructure, and shows signs of generative AI use in malware development.
Indicators of Compromise
| Indicator | Type | Source | Date |
|---|---|---|---|
| onlinepettools.shop | Domain | SOCRadar | 2026-03-10 |
| web14.info | Domain | SOCRadar | 2026-03-10 |
| lecturegenieltd.pro | Domain | SOCRadar | 2026-03-10 |
| web27.info | Domain | SOCRadar | 2026-03-10 |
| this.is | Domain | SOCRadar | 2026-03-10 |
| meetingapp.site | Domain | SOCRadar | 2026-03-10 |
| girlsbags.shop | Domain | SOCRadar | 2026-03-10 |
| afterworld.store | Domain | SOCRadar | 2026-03-10 |
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
DETECTION
T1566.001 - Spearphishing Attachment
| ID | Data Source | Description |
|---|---|---|
| DS0022 | File | Monitor for suspicious RAR archives and .NET executables with government-themed lures |
| DS0029 | Network Traffic | Detect C2 communications with checksum-appended URI paths and geofencing patterns |
T1574.002 - Hijack Execution Flow: DLL Side-Loading
| ID | Data Source | Description |
|---|---|---|
| DS0009 | Process | Monitor for DLL side-loading involving legitimate binaries (vlc.exe, WingetUI.exe) executed from unexpected locations |
| DS0011 | Module | Detect loading of the side-loaded DLLs (libvlc.dll, hostfxr.dll) from directories other than the host binary's install path |
T1053.005 - Scheduled Task/Job
| ID | Data Source | Description |
|---|---|---|
| DS0003 | Scheduled Job | Monitor creation of scheduled tasks with 2-hour repetition intervals and suspicious executable paths |
| DS0017 | Command | Detect PowerShell execution patterns associated with task creation and C2 communication |
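The two detection tables above (DLL side-loading of vlc.exe/WingetUI.exe, and 2-hour scheduled tasks) can be turned into a small hunt rule. The block below is an added example and is not code from the original report or from SOCRadar: it runs the two checks over constructed Sysmon-style records (Event ID 7 image loads and Security Event ID 4698 task creations, with the task XML already reduced to `Command` and `Interval` fields). The list of user-writable directory fragments and the assumption that a legitimate copy of each host binary lives outside those directories are the example's own and should be tuned to your estate.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional

# Legitimate host binaries and the DLL each is observed to side-load (both named in the report).
SIDELOAD_PAIRS = {"vlc.exe": "libvlc.dll", "wingetui.exe": "hostfxr.dll"}

# Directory fragments treated as user-writable staging locations.
# Assumption for this example; extend for your environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")

# Repetition interval the report associates with the campaign's tasks (ISO 8601 duration, 2 hours).
SUSPICIOUS_INTERVAL = "PT2H"


@dataclass
class Alert:
    technique: str
    reason: str
    path: str


def _is_user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)


def detect_sideload(event: Dict) -> Optional[Alert]:
    """Sysmon Event ID 7 (ImageLoad): a known host binary, running from a user-writable
    directory, loads its side-loadable DLL from that same directory."""
    if event.get("EventID") != 7:
        return None
    image, loaded = event["Image"], event["ImageLoaded"]
    host = ntpath.basename(image).lower()
    expected_dll = SIDELOAD_PAIRS.get(host)
    if expected_dll is None or ntpath.basename(loaded).lower() != expected_dll:
        return None
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    if same_dir and _is_user_writable(image):
        return Alert("T1574.002", f"{host} loaded {expected_dll} from a user-writable directory", image)
    return None


def detect_task(event: Dict) -> Optional[Alert]:
    """Security Event ID 4698 (scheduled task created): a 2-hour repetition whose
    action runs a binary from a user-writable path."""
    if event.get("EventID") != 4698 or event.get("Interval") != SUSPICIOUS_INTERVAL:
        return None
    if _is_user_writable(event["Command"]):
        return Alert("T1053.005", f"task {event['TaskName']} repeats every 2h from a user-writable path",
                     event["Command"])
    return None


def scan(events: List[Dict]) -> List[Alert]:
    """Run both detectors over a batch of records and collect the hits in order."""
    alerts: List[Alert] = []
    for ev in events:
        for detector in (detect_sideload, detect_task):
            hit = detector(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample records for the example; not real telemetry from the campaign.
SAMPLE_EVENTS = [
    # Benign: VLC loading its own DLL from the install directory.
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    # Suspicious: vlc.exe copied into AppData next to a planted libvlc.dll.
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Roaming\Update\vlc.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\Update\libvlc.dll"},
    # Suspicious: WingetUI.exe in Temp loading hostfxr.dll from the same directory.
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\x\WingetUI.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\x\hostfxr.dll"},
    # Benign: a 2-hour task pointing at a Program Files binary.
    {"EventID": 4698, "TaskName": "\\Vendor\\Update", "Interval": "PT2H",
     "Command": r"C:\Program Files\Vendor\update.exe"},
    # Suspicious: 2-hour task running the staged binary from AppData.
    {"EventID": 4698, "TaskName": "\\UpdateSync", "Interval": "PT2H",
     "Command": r"C:\Users\u\AppData\Roaming\Update\vlc.exe"},
    # Benign: daily task from AppData; the interval does not match the campaign pattern.
    {"EventID": 4698, "TaskName": "\\OneDrive", "Interval": "P1D",
     "Command": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a.technique, a.reason, a.path)
```

On the sample set the scan raises three alerts (two side-loads, one task); the legitimate VLC load and the Program Files task are not flagged. Correlating a T1574.002 hit with a T1053.005 hit on the same path, as in the two AppData records above, is the strongest signal for this campaign's persistence chain.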
Observed Countries (1)
IQ (482)