Cybersecurity researchers at Zscaler ThreatLabz have uncovered a persistent espionage campaign targeting government officials in Iraq. Attributed with “medium-to-high confidence” to a suspected Iran-nexus threat actor dubbed Dust Specter, the operation utilizes a suite of previously undocumented malware and clever social engineering to infiltrate high-value targets.
The campaign is a sophisticated example of how regional adversaries are leveraging compromised national infrastructure and artificial intelligence to sharpen their offensive capabilities.
One of the most alarming aspects of the Dust Specter campaign is the group’s ability to turn a nation’s own infrastructure against its leaders. Researchers found that “Iraq government-related infrastructure was compromised and used to host malicious payloads distributed as part of this campaign”.
Specifically, the legitimate Iraqi government website ca.iq was hijacked to host malicious archives. This tactic provides a layer of perceived legitimacy that makes the subsequent social engineering lures significantly more effective.

Dust Specter relies on highly tailored lures to trick officials into executing their payloads. The group has been observed:
- Impersonating the Ministry of Foreign Affairs: Creating convincing documents that appear to be official government communications.
- Spoofing Video Conferences: Creating web pages “masquerading as Cisco’s ‘Webex for Government’ meeting invite” to deliver malware.
- Deploying ClickFix Tactics: Adding “ClickFix” social engineering, a technique that prompts users to “fix” an error by running a malicious command, to their arsenal.
Once a target is hooked, Dust Specter deploys a variety of lightweight, custom-built .NET-based droppers and backdoors.
| Malware Name | Role |
| --- | --- |
| SPLITDROP | A custom dropper used to deliver secondary payloads. |
| TWINTASK & TWINTALK | Sophisticated backdoors designed for persistent access and data exfiltration. |
| GHOSTFORM | A custom Remote Access Trojan (RAT) used for direct system control. |
To protect their command-and-control (C2) infrastructure, Dust Specter uses “randomly generated URI paths for command-and-control (C2) communication with checksum values appended” to ensure only legitimate infected hosts can communicate with the server.
ThreatLabz notes that the techniques used in this campaign—such as the compromise of Iraqi government infrastructure—align with tactics previously used by Iran-linked groups like APT34.
Furthermore, the operation reflects a growing trend in the region: the use of Generative AI for malware development. Recent intelligence indicates that “Iran-linked APT groups have integrated AI in their attack lifecycle,” likely using it to speed up the creation of the undocumented malware observed in this campaign.
As Dust Specter continues to evolve its TTPs, defenders are urged to prioritize the security of public-facing government infrastructure and implement rigorous email filtering for unauthorized “Webex” or official-looking lures.