Introduction

In January 2026, Zscaler ThreatLabz observed activity by a suspected Iran-nexus threat actor targeting government officials in Iraq. ThreatLabz discovered previously undocumented malware including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. Due to significant overlap in tactics, techniques, and procedures (TTPs), as well as victimology, between this campaign and activity associated with Iran-nexus APT groups, ThreatLabz assesses with medium-to-high confidence that an Iran-nexus threat actor conducted this operation. ThreatLabz tracks this group internally as Dust Specter. As additional high-confidence indicators become available, ThreatLabz will update the attribution accordingly.

In this blog post, ThreatLabz examines the technical details of two attack chains: Attack Chain 1, which involves the newly identified SPLITDROP dropper and the TWINTASK and TWINTALK backdoors, and Attack Chain 2, which involves the GHOSTFORM remote access trojan (RAT).

Key Takeaways

- In January 2026, ThreatLabz observed activity by a suspected Iran-nexus threat actor, tracked as Dust Specter, targeting government officials in Iraq by impersonating Iraq's Ministry of Foreign Affairs.
- Iraq government-related infrastructure was compromised and used to host malicious payloads distributed as part of this campaign.
- Dust Specter used randomly generated URI paths for command-and-control (C2) communication, with checksum values appended to the URI paths so that the C2 server can verify that a request originated from an actual infected system. The C2 server also used geofencing and User-Agent verification.
- ThreatLabz observed several fingerprints in the codebase indicating that Dust Specter leveraged generative AI for malware development.
- ThreatLabz identified two attack chains with different, previously undocumented malware tooling.
  - The first attack chain includes SPLITDROP, a .NET-based dropper that drops TWINTASK and TWINTALK to continue the next stage of the attack.
  - The second attack chain uses GHOSTFORM, a .NET-based RAT that consolidates all the functionality of the first attack chain into one binary and uses in-memory PowerShell script execution.
- GHOSTFORM uses creative evasion techniques such as invisible Windows forms along with timers to delay its own execution.
- ThreatLabz attributes this campaign to Dust Specter with moderate confidence, based on the code, victimology, and TTP overlaps.

Technical Analysis

The following sections cover Attack Chain 1 and Attack Chain 2, which ThreatLabz observed in the wild during this campaign. Attack Chain 1 uses a split architecture with two components, a worker module (TWINTASK) and a C2 orchestrator (TWINTALK), that coordinate through a file-based polling mechanism. Attack Chain 2 consolidates the same functionality into a single binary (GHOSTFORM).

Attack Chain 1

Attack Chain 1 is delivered in a password-protected RAR archive named mofa-Network-code.rar. The password for this archive is 92,110-135_118-128. A 32-bit .NET binary, disguised as a WinRAR application, is present inside this archive and starts the attack chain on the endpoint. This binary functions as a dropper; ThreatLabz named it SPLITDROP because it drops two modules, which we named TWINTASK and TWINTALK.

SPLITDROP

Upon being launched, SPLITDROP displays a dialog box prompting the victim to enter a password to extract an archive file. SPLITDROP first checks for the presence of C:\ProgramData\PolGuid.zip; if the file already exists, SPLITDROP does not continue execution. If the file does not exist and the correct password is entered in the password form, SPLITDROP proceeds to decrypt an embedded resource named CheckFopil.PolGuid.zip.
Before decrypting the resource, SPLITDROP displays a message box stating, "The download did not complete successfully," to distract the victim while it operates in the background.

The embedded resource is encrypted using AES-256 in CBC mode with PKCS7 padding. SPLITDROP derives the salt, initialization vector (IV), and ciphertext from the resource as follows:

- the first 16 bytes of the embedded resource are the salt,
- the next 16 bytes are the IV, and
- the remaining bytes are the ciphertext.

A key derivation function (KDF) then derives the encryption key from the password entered by the victim in the password form. The KDF uses PBKDF2 with HMAC-SHA1 as the pseudorandom function, 10,000 iterations, and a 256-bit key size. The decrypted resource is written to C:\ProgramData\PolGuid.zip, and the contents of the ZIP archive are extracted to C:\ProgramData\PolGuid\. Because SPLITDROP aborts when C:\ProgramData\PolGuid.zip already exists, that file and the C:\ProgramData\PolGuid\ directory are straightforward host artifacts to hunt for. The figure below shows the directory structure after extraction.

Figure 1: Contents of C:\ProgramData\PolGuid\ after extraction.

Finally, a legitimate VLC.exe (the popular open source media player) binary is executed from C:\ProgramData\PolGuid\VLC\VLC.exe to continue to the next stage of the attack chain.

TWINTASK

Upon being launched, VLC.exe sideloads the malicious DLL libvlc.dll which was extracted alongside VLC.exe in the
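Returning to the SPLITDROP resource decryption described above: the following is an added example, not SPLITDROP's code and not from ThreatLabz, that implements the documented layout (16-byte salt, 16-byte IV, AES-256-CBC ciphertext with PKCS7 padding) and KDF (PBKDF2-HMAC-SHA1, 10,000 iterations, 32-byte key) as an offline decryptor an analyst can point at an extracted CheckFopil.PolGuid.zip resource. Assumptions: the page's RAR password is used only as a sample KDF input (this excerpt does not say whether the password form expects the same string); the payload is constructed here so the example runs offline; the AES step uses the third-party `cryptography` package, while the KDF and layout parsing use only the standard library.

```python
"""Offline decryptor for the SPLITDROP resource layout described above.

Added example, not ThreatLabz's or the malware's own code. Layout and KDF
parameters come from the page: salt(16) | IV(16) | AES-256-CBC ciphertext,
key = PBKDF2-HMAC-SHA1(password, salt, 10,000 iterations, 32 bytes),
PKCS7 padding. The sample payload and the use of the RAR password as the
form password are constructed assumptions for this example.
"""
import hashlib
import os

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_CRYPTOGRAPHY = True
except ImportError:  # KDF and layout parsing below still work without it
    HAVE_CRYPTOGRAPHY = False

SALT_LEN = 16
IV_LEN = 16
BLOCK = 16
ITERATIONS = 10_000
KEY_LEN = 32  # 256-bit AES key
# Password given on the page for mofa-Network-code.rar, used here only as a
# sample KDF input (assumption: the page does not say the form password is the same).
SAMPLE_PASSWORD = "92,110-135_118-128"


def derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA1 with the page's parameters. These match what .NET's
    Rfc2898DeriveBytes(password, salt, 10000).GetBytes(32) produces."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=KEY_LEN)


def split_resource(blob: bytes):
    """Return (salt, iv, ciphertext) per the layout described on the page."""
    if len(blob) < SALT_LEN + IV_LEN + BLOCK:
        raise ValueError("resource too short for salt + IV + one AES block")
    ciphertext = blob[SALT_LEN + IV_LEN:]
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    return blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + IV_LEN], ciphertext


def _require_cryptography():
    if not HAVE_CRYPTOGRAPHY:
        raise RuntimeError("install the 'cryptography' package to run the AES step")


def decrypt_resource(blob: bytes, password: str) -> bytes:
    """Decrypt a CheckFopil.PolGuid.zip-style blob. A wrong password usually
    surfaces as a PKCS7 padding ValueError; the reliable check is whether the
    output starts with the ZIP local-file-header magic (see looks_like_zip)."""
    _require_cryptography()
    salt, iv, ciphertext = split_resource(blob)
    key = derive_key(password, salt)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(BLOCK * 8).unpadder()
    return unpad.update(padded) + unpad.finalize()


def encrypt_resource(plaintext: bytes, password: str, salt=None, iv=None) -> bytes:
    """Inverse of decrypt_resource, used only to build a constructed sample."""
    _require_cryptography()
    salt = salt or os.urandom(SALT_LEN)
    iv = iv or os.urandom(IV_LEN)
    key = derive_key(password, salt)
    pad = padding.PKCS7(BLOCK * 8).padder()
    padded = pad.update(plaintext) + pad.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).encryptor()
    return salt + iv + enc.update(padded) + enc.finalize()


def looks_like_zip(data: bytes) -> bool:
    """ZIP local file header magic, which C:\\ProgramData\\PolGuid.zip should start with."""
    return data[:4] == b"PK\x03\x04"


if __name__ == "__main__":
    # Constructed sample: a stand-in ZIP payload, not the real dropped archive.
    sample = b"PK\x03\x04" + b"constructed PolGuid.zip stand-in"
    blob = encrypt_resource(sample, SAMPLE_PASSWORD)
    out = decrypt_resource(blob, SAMPLE_PASSWORD)
    print("roundtrip ok:", out == sample, "zip magic:", looks_like_zip(out))
    try:
        bad = decrypt_resource(blob, "wrong-password")
        print("wrong password passed padding check; zip magic:", looks_like_zip(bad))
    except ValueError as err:
        print("wrong password rejected:", err)
```

To use it on a real sample, read the raw bytes of the embedded resource out of the dropper (for example with a .NET resource extractor), pass them with the candidate password to decrypt_resource, and treat a result that passes looks_like_zip as the archive that would have been written to C:\ProgramData\PolGuid.zip. The padding check alone is not a reliable password oracle, since roughly one wrong key in 256 still yields valid-looking padding.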
[…]