Dust Specter is a suspected Iran-nexus APT group that conducted a targeted cyber espionage campaign against Iraqi government officials in January 2026. The attackers impersonated the Iraqi Ministry of Foreign Affairs to increase credibility and used compromised government infrastructure to host malicious payloads, enhancing stealth and persistence. The campaign utilized two distinct attack chains deploying previously undocumented malware families: SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. These malware tools incorporate advanced evasion techniques, including file-based polling mechanisms for command execution, which reduce network detection opportunities. Notably, the malware development leveraged generative AI, indicating a novel approach to malware creation and adaptation. The campaign also employed ClickFix-style attacks, a known exploitation technique involving patching or fixing vulnerabilities in a way that aids malware persistence or privilege escalation. Social engineering was a key vector, with lures crafted to deceive high-value targets. Attribution to an Iranian-linked group is supported by code similarities, victimology focused on Iraqi government officials, and overlapping tactics, techniques, and procedures (TTPs) with known Iranian APT groups. The campaign demonstrates a high degree of operational security and technical sophistication, targeting sensitive government communications and data. No known public exploits or patches are available, and the malware families are newly identified, complicating detection and response efforts.

The Dust Specter campaign poses significant risks to the confidentiality and integrity of sensitive government information in Iraq, potentially compromising diplomatic communications and national security data. Successful compromise of government officials' systems could enable espionage, data exfiltration, and long-term surveillance. The use of compromised government infrastructure for hosting malware increases the difficulty of detection and mitigation, potentially allowing the attackers to maintain persistence and evade traditional security controls. The innovative use of generative AI in malware development may accelerate the evolution of attack tools, making future variants harder to detect. The social engineering component increases the likelihood of successful initial compromise, especially in environments with limited cybersecurity awareness. While availability impact appears limited, the overall campaign threatens the operational security of targeted entities and could have cascading effects on regional stability and diplomatic relations. Organizations with similar profiles or geopolitical ties to Iraq and Iran may also be at risk of similar campaigns.

Organizations should implement targeted threat hunting focused on detecting the specific malware families SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM, including monitoring for file-based polling behaviors and unusual command execution patterns. Enhancing email and communication security to detect and block social engineering lures is critical, including user training tailored to recognize impersonation of government entities. Network segmentation and strict access controls on government infrastructure can limit attackers' ability to host malicious payloads internally. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying novel malware and AI-generated code signatures. Regularly audit and monitor government infrastructure for unauthorized changes or suspicious activity, especially related to web servers and file hosting services. Collaborate with regional cybersecurity agencies to share intelligence and indicators of compromise (IOCs) once available. Given the use of generative AI in malware, invest in AI-based detection tools that can identify anomalous code patterns. Finally, develop incident response plans specifically addressing APT scenarios involving sophisticated evasion and persistence techniques.