
"Dust Specter used randomly generated URI paths for command-and-control (C2) communication with checksum values appended to the URI paths to ensure that these requests originated from an actual infected system. The C2 server also utilized geofencing techniques and User-Agent verification."
"TWINTASK, for its part, is a malicious DLL ("libvlc.dll") that's sideloaded by the legitimate "vlc.exe" binary to periodically poll a file ("C:\ProgramData\PolGuid\in.txt") every 15 seconds for new commands and run them using PowerShell. This also includes commands to establish persistence on the host via Windows Registry changes."
"A notable aspect of the campaign is the compromise of the Iraqi government-related infrastructure to stage malicious payloads, not to mention the use of evasion techniques to delay execution and fly under the radar."
Dust Specter, an Iran-nexus threat actor, conducted a campaign in January 2026 targeting Iraqi government officials by impersonating the Ministry of Foreign Affairs. The attacks utilized two infection chains deploying previously unknown malware: SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign compromised Iraqi government infrastructure to stage payloads and employed sophisticated evasion techniques including randomly generated URI paths with checksums, geofencing, and User-Agent verification for command-and-control communication. SPLITDROP acts as a dropper delivering TWINTASK, a worker module using DLL sideloading of legitimate binaries, and TWINTALK, a C2 orchestrator. The malware establishes persistence through Windows Registry modifications and executes commands via PowerShell.
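As an added example (not code from The Hacker News article or from any vendor report), the following Python script runs detection logic over constructed, Sysmon-style events for the TWINTASK behaviours quoted above: vlc.exe loading libvlc.dll from outside its install directory, repeated reads of C:\ProgramData\PolGuid\in.txt at the 15-second interval, PowerShell spawned as a child of vlc.exe, and a registry write from vlc.exe. The trusted VLC install directories, the use of a Run key for persistence, the shell binary names and every sample event are assumptions; only the binary name, DLL name, polled path and interval come from the report.

```python
"""Added example: detection logic for the TWINTASK behaviours the report describes.
The sample events below are constructed, Sysmon-like records, not real telemetry."""
from collections import Counter

# Indicators taken from the report text
HOST_BINARY = "vlc.exe"
SIDELOADED_DLL = "libvlc.dll"
POLLED_FILE = r"C:\ProgramData\PolGuid\in.txt"
POLL_INTERVAL_SECONDS = 15

# Assumptions (not from the report): where a legitimate VLC install keeps its DLLs,
# which shell binaries to flag, and a Run key as the persistence location
TRUSTED_VLC_DIRS = (
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
)
SHELL_BINARIES = {"powershell.exe", "pwsh.exe"}
RUN_KEY_FRAGMENT = r"\currentversion\run"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def detect(events):
    """Return one alert string per suspicious pattern found in the event list.
    Each event is a dict with an 'event' type and Sysmon-like field names."""
    alerts = []
    poll_count = Counter()  # (pid, image) -> reads of the polled task file
    poll_times = {}         # (pid, image) -> timestamps of those reads

    for ev in events:
        kind = ev["event"]
        image = _basename(ev.get("image", ""))

        # 1. DLL sideloading: vlc.exe loading libvlc.dll from a non-install directory
        if (kind == "image_load" and image == HOST_BINARY
                and _basename(ev["loaded"]) == SIDELOADED_DLL
                and _dirname(ev["loaded"]) not in TRUSTED_VLC_DIRS):
            alerts.append(f"sideload: {ev['image']} loaded {ev['loaded']} (pid {ev['pid']})")

        # 2. Command execution: a media player has no reason to launch PowerShell
        if (kind == "process_create"
                and _basename(ev.get("parent_image", "")) == HOST_BINARY
                and image in SHELL_BINARIES):
            alerts.append(f"child shell: {ev['parent_image']} -> {ev['image']}")

        # 3. Task-file polling: count reads of the drop path per process
        if kind == "file_read" and ev["target"].lower() == POLLED_FILE.lower():
            key = (ev["pid"], ev["image"])
            poll_count[key] += 1
            poll_times.setdefault(key, []).append(ev["ts"])

        # 4. Persistence: vlc.exe writing a Run key (assumed location)
        if kind == "registry_set" and image == HOST_BINARY \
                and RUN_KEY_FRAGMENT in ev["key"].lower():
            alerts.append(f"persistence: {ev['image']} set {ev['key']}")

    # Flag a process that re-reads the task file at a steady ~15 s cadence
    for key, n in poll_count.items():
        ts = poll_times[key]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if n >= 3 and all(abs(g - POLL_INTERVAL_SECONDS) <= 2 for g in gaps):
            alerts.append(f"polling: pid {key[0]} read {POLLED_FILE} {n}x at ~{POLL_INTERVAL_SECONDS}s")
    return alerts


# Constructed sample telemetry: one benign VLC start followed by a sideloaded copy
WORKER = r"C:\Users\Public\Media\vlc.exe"
SAMPLE_EVENTS = [
    {"event": "image_load", "ts": 0, "pid": 100,
     "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    {"event": "image_load", "ts": 1, "pid": 200, "image": WORKER,
     "loaded": r"C:\Users\Public\Media\libvlc.dll"},
    {"event": "file_read", "ts": 2, "pid": 200, "image": WORKER, "target": POLLED_FILE},
    {"event": "file_read", "ts": 17, "pid": 200, "image": WORKER, "target": POLLED_FILE},
    {"event": "file_read", "ts": 32, "pid": 200, "image": WORKER, "target": POLLED_FILE},
    {"event": "process_create", "ts": 33, "pid": 201, "parent_image": WORKER,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event": "registry_set", "ts": 34, "pid": 200, "image": WORKER,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]


def analyze_sample():
    """Run the detector over the constructed events; returns four alerts."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in analyze_sample():
        print(line)
```

The benign first event produces no alert because libvlc.dll is loaded from the install directory; the same DLL name loaded from a user-writable folder is what makes the sideload suspicious. The polling check deliberately needs at least three reads at the reported cadence so that a single open of the file by a scanner or backup agent does not fire.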
Read at The Hacker News