A cyber threat group with ties to Iran has recently targeted government officials in Iraq by masquerading as Iraq's Ministry of Foreign Affairs, utilizing advanced AI tools in their operations.
This campaign managed to compromise government-related infrastructure in Iraq, which was subsequently used to host malicious payloads.
In January 2026, Zscaler ThreatLabz detected this campaign and linked it to an actor it tracks as Dust Specter, attributing the activity to Iran with medium to high confidence. During the investigation the researchers uncovered several previously undocumented malware variants: SplitDrop, TwinTask, TwinTalk, and GhostForm.
Additionally, the researchers noted several indicators in the codebase suggesting that Dust Specter employed generative AI in the development of the malware.
Overview of Dust Specter’s January 2026 Attack Campaign
This malicious operation unfolded through two distinct attack chains.
The first chain involved delivering a password-protected RAR archive named mofa-Network-code.rar. Inside this archive was a 32-bit .NET binary disguised as a WinRAR application, which initiated the attack on the target system. ThreatLabz identified this binary as SplitDrop.
SplitDrop serves as a dropper for two malicious dynamic-link library (DLL) files, TwinTask and TwinTalk.
The primary function of TwinTask is to poll a file for new commands that it can execute using PowerShell, ensuring persistence within the compromised environment.
TwinTalk acts as a command-and-control (C2) orchestrator, responsible for polling the C2 server for new commands, coordinating with the worker module, and exfiltrating the results of command executions.
Both TwinTask and TwinTalk operate concurrently to implement a file-based polling mechanism for executing code.
In a report published on March 2, ThreatLabz noted that the TwinTalk C2 domain had been previously utilized by Dust Specter in July 2025. During that instance, it hosted a webpage that masqueraded as a Cisco Webex meeting invitation.
This webpage contained a link to download the legitimate Cisco Webex software and encouraged the victim to select the “Webex for Government” option, enticing them to follow instructions to retrieve the meeting ID.
Such tactics are typical social engineering methods used by threat actors to conduct ClickFix-style attacks.
The second attack chain consolidates all the functionalities of the first into a single binary.
This method employs Google Forms as a lure and executes commands received from the C2 server using in-memory PowerShell scripts, thereby minimizing the footprint on the filesystem.
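The two chains above share one observable pattern: a binary posing as WinRAR arrives from an archive lure and hands commands to PowerShell that runs them in memory. The following is an added detection sketch written for this article, not code from ThreatLabz or the report; it runs over constructed Sysmon-style process creation records, and the install path, field names and sample values are assumptions, not indicators from the report.

```python
"""Added example: flag a WinRAR look-alike spawning in-memory PowerShell.
Event fields, paths and sample records are constructed for illustration."""
import re

# Defender heuristics (assumed): flags commonly seen with in-memory PowerShell.
IN_MEMORY_PS = re.compile(
    r"(-enc(odedcommand)?\b|-nop\b|\biex\b|invoke-expression|downloadstring)", re.I)
LEGIT_WINRAR_DIR = r"c:\program files\winrar"  # assumed install location


def basename(path):
    """Return the file name of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_masquerading_winrar(event):
    """A process named like WinRAR that runs from outside the install path."""
    image = event["image"].lower()
    return "winrar" in basename(image) and not image.startswith(LEGIT_WINRAR_DIR)


def detect_chain(events):
    """Return one finding per PowerShell child that matches at least one
    heuristic: a masquerading parent, or in-memory execution flags."""
    suspicious_parents = {e["pid"] for e in events if is_masquerading_winrar(e)}
    findings = []
    for e in events:
        if basename(e["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        reasons = []
        if e["ppid"] in suspicious_parents:
            reasons.append("spawned by WinRAR look-alike outside install path")
        if IN_MEMORY_PS.search(e["command_line"]):
            reasons.append("in-memory PowerShell execution flags")
        if reasons:
            findings.append({"pid": e["pid"], "ppid": e["ppid"], "reasons": reasons})
    return findings


# Constructed sample events (not real telemetry): a genuine WinRAR (100)
# opens a lure archive, the extracted look-alike (200) spawns PowerShell.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "command_line": "WinRAR.exe mofa-Network-code.rar"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\WinRAR.exe",
     "command_line": "WinRAR.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File backup.ps1"},
]

if __name__ == "__main__":
    for finding in detect_chain(SAMPLE_EVENTS):
        print(finding)
```

Only the PowerShell instance started by the out-of-path WinRAR look-alike is reported; the benign one started by the real WinRAR is not.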