
Dust Specter Targets Iraqi Officials with New SPLITDROP and GHOSTFORM Malware

Published:

5 March 2026 at 12:01:00

Alert date:

5 March 2026 at 13:01:19

Source:

thehackernews.com


Ransomware & Malware, Data Breach & Exfiltration, Critical Infrastructure

Iranian-linked threat actor Dust Specter has been conducting targeted attacks against Iraqi government officials by impersonating the Ministry of Foreign Affairs. The campaign, observed in January 2026, deploys two previously unknown malware families: SPLITDROP and GHOSTFORM. The attacks represent a sophisticated espionage operation against Iraqi government infrastructure. Zscaler ThreatLabz identified and tracked this threat cluster, which demonstrates advanced social engineering techniques combined with custom malware development targeting Middle Eastern government entities.

Technical details

The Dust Specter campaign uses two infection chains against Iraqi government officials.

First chain: a password-protected RAR archive contains SPLITDROP (a .NET dropper), TWINTASK (a malicious libvlc.dll sideloaded by vlc.exe), and TWINTALK (a C2 orchestrator delivered as hostfxr.dll and sideloaded by WingetUI.exe). TWINTASK polls C:\ProgramData\PolGuid\in.txt every 15 seconds for commands and writes its results to out.txt.

Second chain: GHOSTFORM consolidates this functionality into a single binary that relies on in-memory PowerShell execution. Its C2 uses randomly generated URI paths with checksums, geofencing, and User-Agent verification. Some GHOSTFORM variants open hardcoded Google Forms URLs in Arabic that impersonate Iraq's Ministry of Foreign Affairs. Placeholder values and emojis left in the source code suggest generative AI was used during development.

Mitigation steps:

Monitor for DLL sideloading involving vlc.exe and WingetUI.exe.
Watch for file creation in the C:\ProgramData\PolGuid\ directory.
Implement network monitoring for randomly generated URI paths carrying checksum values.
Block access to suspicious domains such as meetingapp[.]site.
Be vigilant for ClickFix-style social engineering involving fake Cisco Webex meeting invitations.
Monitor for scheduled tasks that run every two hours.
Implement email security controls to detect impersonation of Ministry of Foreign Affairs communications.

Affected products:

VLC Media Player (vlc.exe)
WingetUI (WingetUI.exe)
Windows Registry
PowerShell

Related links:

Related CVEs:

Related threat actors:

IOCs:

libvlc.dll, hostfxr.dll, C:\ProgramData\PolGuid\in.txt, C:\ProgramData\PolGuid\out.txt, meetingapp[.]site

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
