Dust Specter APT Targets Government Officials in Iraq

Khushal

Apr 4, 2024
In January 2026, Zscaler ThreatLabz observed activity by a suspected Iran-nexus threat actor targeting government officials in Iraq. ThreatLabz discovered previously undocumented malware including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM.

Due to significant overlap in tools, techniques, and procedures (TTPs), as well as victimology, between this campaign and activity associated with Iran-nexus APT groups, ThreatLabz assesses with medium-to-high confidence that an Iran-nexus threat actor conducted this operation. ThreatLabz tracks this group internally as Dust Specter. As additional high-confidence indicators become available, ThreatLabz will update our attribution accordingly.

In this blog post, ThreatLabz examines the technical details of two attack chains: Attack Chain 1, which involves the newly identified SPLITDROP dropper and the TWINTASK and TWINTALK backdoors, and Attack Chain 2, which involves the GHOSTFORM remote access trojan (RAT).


 
Not sure why APT groups are wasting time when a superpower's Strike Eagles are shot down by its own side. :ROFLMAO:
I hope the current Iranian regime will be replaced soon with a more decent one.
They inflicted major damage to our economy by supporting the Houthis in Yemen.

The United Kingdom's National Cyber Security Centre (NCSC) alerted British organizations to a heightened risk of Iranian cyberattacks amid the ongoing conflict in the Middle East.

Aramco's refinery incident is quite disappointing
Executive Summary

Confirmed Facts

Telemetry from January 2026 identifies a suspected Iran-nexus threat actor ("Dust Specter") utilizing undocumented malware (SPLITDROP, TWINTASK, TWINTALK, GHOSTFORM) against government officials in Iraq.

Assessment
The operation employs modular, multi-stage attack chains involving DLL sideloading and in-memory PowerShell execution, indicating a resourced actor focused on persistent and targeted espionage.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1059.001 (Command and Scripting Interpreter: PowerShell)
T1574.002 (Hijack Execution Flow: DLL Side-Loading)
T1564.003 (Hide Artifacts: Hidden Window)
T1071.001 (Application Layer Protocol: Web Traffic)

CVE Profile
NVD Score: N/A (Custom Malware)
CISA KEV Status: Inactive.

Telemetry

Domains

hxxps://meetingapp[.]site

Files
programTemp.log
libvlc.dll
VLC.exe

Mutex
Global\_

Seed Algorithm Parameter
0xABCDEF

Constraint
The structure resembles a modular espionage toolkit relying heavily on .NET framework capabilities. The initial delivery vector is classified as Origin: Insufficient Evidence.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Initiate geopolitical risk review if operating within or adjacent to the Middle East government sector.

DETECT (DE) – Monitoring & Analysis

Command
Hunt for unauthorized VLC.exe execution from anomalous or temporary directories.

Command
Alert on the creation of programTemp.log and monitor for the Global\_ mutex.

RESPOND (RS) – Mitigation & Containment

Command
Isolate endpoints exhibiting hidden Windows form applications (e.g., opacity set to 0.001) executing PowerShell commands.

RECOVER (RC) – Restoration & Trust

Command
Validate clean state by verifying the absence of libvlc.dll in non-standard paths prior to network reconnection.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Harden .NET execution policies and restrict unsigned DLL loads to prevent sideloading techniques.

Remediation - THE HOME USER TRACK (Safety Focus)

Threat Level Downgraded to Theoretical/Low: VLC.exe is not a default Windows component, and targeting is geofenced to Iraqi government officials.

Priority 1: Safety

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords/MFA using a known clean device (e.g., phone on 5G).

Priority 3: Persistence

Command
Check Scheduled Tasks, Startup Folders, and Browser Extensions for suspicious .NET binaries or anomalous VLC.exe shortcuts.

Hardening & References

Baseline

CIS Benchmarks for Windows 11 (AppLocker / Windows Defender Application Control).

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

Zscaler ThreatLabz
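Added example, not code from the thread or from the Zscaler report: the DETECT-track hunts above (VLC.exe launched from anomalous directories, libvlc.dll loaded from non-standard paths, creation of programTemp.log) expressed as Python over constructed Sysmon-style records. The record layout, the field names and the trusted VLC install directories are assumptions.

```python
"""Hunt logic for the DETECT items in the report above, run over constructed
Sysmon-style records. Record layout and the trusted install dirs are assumptions."""
import ntpath

# Where a legitimate VLC install is expected to live (assumption, adjust per estate).
TRUSTED_VLC_DIRS = {
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
}

# Constructed sample events, not telemetry from the report.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe"},
    {"type": "process_create", "image": r"C:\Users\u\AppData\Local\Temp\x\VLC.exe"},
    {"type": "image_load", "process": r"C:\Users\u\AppData\Local\Temp\x\VLC.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\x\libvlc.dll"},
    {"type": "file_create", "process": r"C:\Users\u\AppData\Local\Temp\x\VLC.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\programTemp.log"},
    {"type": "image_load", "process": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "image": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
]


def _in_trusted_dir(path):
    # Case-insensitive compare of the parent directory against the allow-list.
    return ntpath.dirname(path).lower() in TRUSTED_VLC_DIRS


def hunt(events):
    """Return (rule_id, path) findings for each record matching a DETECT item."""
    findings = []
    for ev in events:
        image = ev.get("image", "")
        name = ntpath.basename(image).lower()
        if ev["type"] == "process_create" and name == "vlc.exe" and not _in_trusted_dir(image):
            findings.append(("vlc_anomalous_dir", image))          # VLC.exe outside install dir
        elif ev["type"] == "image_load" and name == "libvlc.dll" and not _in_trusted_dir(image):
            findings.append(("libvlc_sideload", image))            # sideloaded libvlc.dll
        elif ev["type"] == "file_create" and ntpath.basename(ev["target"]).lower() == "programtemp.log":
            findings.append(("programtemp_log_created", ev["target"]))
    return findings


if __name__ == "__main__":
    for rule, path in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {path}")
```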