Dust Specter APT Targets Government Officials in Iraq

    Date: 03/04/2026

    Severity: Critical

    Summary

    In January 2026, ThreatLabz identified activity by a suspected Iran-linked threat actor targeting Iraqi government officials. The team uncovered previously undocumented malware: SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. Analysis revealed strong overlap in tools, techniques, procedures (TTPs), and victimology with known Iran-nexus APT operations. Based on this evidence, ThreatLabz assesses with medium-to-high confidence that the campaign was conducted by an Iran-nexus actor. ThreatLabz tracks this cluster internally under the name Dust Specter and will refine attribution as new indicators emerge. This blog details two attack chains: one leveraging SPLITDROP with TWINTASK and TWINTALK, and another deploying the GHOSTFORM RAT.

    Indicators of Compromise (IOC) List

    Domains\URLs :


    Hash : 


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "afterworld.store" or url like "afterworld.store" or siteurl like "afterworld.store" or domainname like "meetingapp.site" or url like "meetingapp.site" or siteurl like "meetingapp.site" or domainname like "onlinepettools.shop" or url like "onlinepettools.shop" or siteurl like "onlinepettools.shop" or domainname like "https://meetingapp.site/webexdownload" or url like "https://meetingapp.site/webexdownload" or siteurl like "https://meetingapp.site/webexdownload" or domainname like "girlsbags.shop" or url like "girlsbags.shop" or siteurl like "girlsbags.shop" or domainname like "web27.info" or url like "web27.info" or siteurl like "web27.info" or domainname like "https://ca.iq/packages/mofaSurvey_20_30_oct.zip" or url like "https://ca.iq/packages/mofaSurvey_20_30_oct.zip" or siteurl like "https://ca.iq/packages/mofaSurvey_20_30_oct.zip" or domainname like "lecturegenieltd.pro" or url like "lecturegenieltd.pro" or siteurl like "lecturegenieltd.pro" or domainname like "web14.info" or url like "web14.info" or siteurl like "web14.info"

    Detection Query 2 :

    md5hash IN ("a7561eb023bb2c4025defcfe758d8ac2","7f17fa22feaced1a16d4d39c545cdb16","809139c237c4062baecab43570060d67","70a9b537b9b7e1b410576d798e6c5043","d5ddf40ba2506c57d3087d032d733e08","19ab3fd2800f62a47bf13a4cc4e4c124","63702bd6422ec2d5678d4487146ea434","78275f3fc7e209b85bff6a6f99acc68a","8f44262afaa171b78fc9be20a0fb0071","aa887d32eb9467abba263920e55d6abe","b19add5ccaa17a1308993e6f3f786b06","b8254efd859f5420f1ce4060e4796c08")

    Detection Query 3 :

    sha1hash IN ("8735ee29c409b8d101eb3170f011455be41b7a91","51a746c85bd486f223130173b7e674379a51b694","df04e36c106691f9fe88e5798e4ae86438bd4f1d","fc08f8403849c6233978a363f4cdc58cd7041823","369b56a89b2fce2cbdc36f5a23bdec6067242911","1debc4c512ded889464e386739d5d2f61b87ff13","682c043443cb81b6c2fde8c5df43333f5d1fec53","8621be9e1aa730d1ac8eb06fa8f66d9da70ff293","ad97e1bba1d040a237727afdb2787d6867d72b74","c79c261457def606c3393dde77c82832a5c0ded3","c7dff3a0675f330feb9a7c469f8340369451d122","cb1760c90fb6c399e0125c7aa793efe37c4ce533")

    Detection Query 4 :

    sha256hash IN ("3a66ae5942f6feb79cf81ee70451f761253e0e0bde95f0840abdd42a804fad39","eb5b7275c41de8e98d72696eeac9cba3719f334f8e7974e6b8760ece820b1d0c","6bb0d45799076b3f2d7f602b978a0779868fc72a1188374f6919fbbfba23efce","a27d53608ab05b5c7cb86bcf4a273435238beeb7e7efd7845375b2aa765f51e2","69294ad90aeb7f05e501e7191c95beb14e23da5587dd75557c867e2944a57fdc","293ee1fe8d36aa79cf1f64f5ddef402bc6939d229c6fca955c7b796119564779","6af71297ce7681e64d9a4c5449a7326f17f3f107cb7940ec5e0840390c457a47","797325b3c8a9356dcace75d93cb5cfb7847d2049c66772d4cc2cee821618cb96","903f7869a94d88d43b9140bb656f7bb86ef725efc78ef2ff9d12fd7c7c2aca74","ad26cd72a83b884a8bc5aaa87309683953e151ebb3fde42eda7bf9a4406e530d","f3f2dc31f70a105db161a5e7b463b2215d3cbd64ac0146fd68e39da1c279f7ef","fa51aff99d86a9f1f65aa0ebbf6ca40411d343cea59370851ab328b97e2164bb")

    Reference:     

    https://www.zscaler.com/blogs/security-research/dust-specter-apt-targets-government-officials-iraq#introduction   

    https://otx.alienvault.com/pulse/69a5cc7cdc9811f61e3cde58


    Tags

    Threat Actor, Iraq, Iran, APT, Government Services and Facilities, Malware
