In January 2026 a suspected Iran-nexus actor impersonated Iraq’s Ministry of Foreign Affairs to target government officials and deliver four previously unseen payloads named SPLITDROP, TWINTASK, TWINTALK and GHOSTFORM.
KEY FACTS
- Targets: Iraqi government officials
- Timing: Activity observed in January 2026
- Malware: SPLITDROP, TWINTASK, TWINTALK, GHOSTFORM
- Delivery: Password-protected RAR archives and social engineering impersonating the foreign ministry
In its technical analysis, Zscaler ThreatLabz said the cluster, tracked as Dust Specter, used compromised Iraqi government infrastructure to stage payloads and employed evasion techniques including geofencing and User-Agent checks on command-and-control (C2) communications, so that requests from outside the target region or from unexpected clients are not served.
The first infection chain begins with a password-protected RAR that contains a .NET dropper named SPLITDROP. SPLITDROP installs a worker DLL, TWINTASK, as libvlc.dll, which is sideloaded by the legitimate vlc.exe binary.
TWINTASK polls C:\ProgramData\PolGuid\in.txt every 15 seconds for commands and runs them through PowerShell. Command output and errors are written to C:\ProgramData\PolGuid\out.txt, and persistence is established through registry changes. A second component, TWINTALK, is sideloaded by a legitimate executable and acts as the C2 orchestrator. The worker itself never talks to the C2 server; tasking and results pass between the two components only through the files on disk, which is an artifact defenders can look for.
C2 requests use randomly generated URI paths with an appended checksum value, and the implant delays and beacons on a schedule rather than calling home continuously. A later evolution consolidated the worker and orchestrator functions into a single binary, GHOSTFORM, which executes retrieved commands through in-memory PowerShell so that neither the commands nor their output are written to disk.
Some GHOSTFORM samples embed a hard-coded Google Forms URL that opens a form in Arabic masquerading as an official survey. Code artifacts such as placeholder values and Unicode text suggest the use of generative AI tools during development.
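As an added example that is not part of the ThreatLabz analysis, the following Python turns the on-host behaviour described in the two paragraphs above (the PolGuid tasking files, the libvlc.dll sideload by vlc.exe, PowerShell launched by the sideload host, and GHOSTFORM's in-memory PowerShell) into hunting rules and runs them over constructed Sysmon-style events. The staging paths in the sample events, the default VLC install locations, the user-writable-parent heuristic, and the assumption that "in-memory PowerShell" means the implant hosts the PowerShell runtime in its own process are all assumptions made for the example; the report does not state them.

```python
"""Hunting rules for the tradecraft described above (file-based tasking under
C:\\ProgramData\\PolGuid, libvlc.dll sideloading by vlc.exe, PowerShell spawned
by the sideload host, and hosted in-memory PowerShell), run over constructed
Sysmon-style events. Added example; not Zscaler ThreatLabz code."""
from pathlib import PureWindowsPath

TASKING_DIR = r"c:\programdata\polguid"  # directory named in the analysis
VLC_DIRS = {  # assumed default VLC install locations
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
}
PS_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
PS_RUNTIME = {"system.management.automation.dll", "system.management.automation.ni.dll"}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def _norm(path: str) -> PureWindowsPath:
    """Case-insensitive path comparison: lowercase and use backslashes."""
    return PureWindowsPath(path.replace("/", "\\").lower())


def rule_libvlc_sideload(ev):
    """Sysmon EID 7: vlc.exe loading libvlc.dll from outside a VLC install
    directory, or a copy that does not pass signature verification."""
    if ev.get("EventID") != 7:
        return None
    image, loaded = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
    if image.name != "vlc.exe" or loaded.name != "libvlc.dll":
        return None
    if str(image.parent) in VLC_DIRS and ev.get("Signed") == "true":
        return None
    return f"libvlc.dll sideload candidate: {ev['Image']} loaded {ev['ImageLoaded']}"


def rule_tasking_file(ev):
    """Sysmon EID 11: any file created in the PolGuid tasking directory
    (the analysis names in.txt and out.txt; the rule keeps the whole directory)."""
    if ev.get("EventID") != 11:
        return None
    target = _norm(ev["TargetFilename"])
    if str(target.parent) != TASKING_DIR:
        return None
    return f"file-based tasking artifact: {ev['TargetFilename']} by {ev['Image']}"


def rule_powershell_parent(ev):
    """Sysmon EID 1: a PowerShell host spawned by vlc.exe, or by any parent
    running from a user-writable directory (heuristic, expect some tuning)."""
    if ev.get("EventID") != 1:
        return None
    image, parent = _norm(ev["Image"]), _norm(ev["ParentImage"])
    if image.name not in PS_HOSTS:
        return None
    if parent.name != "vlc.exe" and not any(m in str(parent) for m in USER_WRITABLE):
        return None
    return f"PowerShell spawned by unexpected parent: {ev['ParentImage']}"


def rule_hosted_powershell(ev):
    """Sysmon EID 7: a process that is not a PowerShell host loads the PowerShell
    runtime assembly. Assumption: GHOSTFORM's in-memory PowerShell hosts the
    runtime in-process; the analysis does not state the mechanism. Expect
    legitimate hits (some admin and backup tools do this) and allowlist them."""
    if ev.get("EventID") != 7:
        return None
    image, loaded = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
    if loaded.name not in PS_RUNTIME or image.name in PS_HOSTS:
        return None
    return f"PowerShell runtime hosted by non-PowerShell process: {ev['Image']}"


RULES = (rule_libvlc_sideload, rule_tasking_file, rule_powershell_parent, rule_hosted_powershell)


def run_rules(events):
    """Return (event index, finding) pairs for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((i, finding))
    return hits


SMA = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_4.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"
SAMPLE_EVENTS = [  # constructed events; the staging paths are invented for the example
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Roaming\PolGuid\vlc.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\PolGuid\libvlc.dll", "Signed": "false"},
    {"EventID": 11, "Image": r"C:\Users\u\AppData\Roaming\PolGuid\vlc.exe",
     "TargetFilename": r"C:\ProgramData\PolGuid\out.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\u\AppData\Roaming\PolGuid\vlc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\update.exe", "ImageLoaded": SMA},
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": SMA},
]

if __name__ == "__main__":
    for idx, finding in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

On the sample events the legitimate VLC load, the explorer-launched PowerShell and the PowerShell-hosted runtime load produce nothing, while the four malicious-looking events each trigger exactly one rule. Because Sysmon does not record file reads, the 15-second polling of in.txt is invisible to these rules; what is visible is the creation and modification of the two files, which is why the tasking rule watches the directory rather than the read. For the in-memory variant, PowerShell Script Block Logging (event 4104) records the script text regardless of which process hosts the engine and is the natural complement to the runtime-load rule.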
WHY IT MATTERS
The campaign shows an operational shift toward consolidated, fileless tooling and the use of legitimate services and compromised government sites for distribution. Those features make detection harder, since there is less on disk to find and the hosting infrastructure looks trustworthy, and they raise the risk for the targeted officials.

