Severity
High
Analysis Summary
Cybersecurity researchers have uncovered a persistent cyber espionage campaign targeting government officials in Iraq. The activity has been attributed with medium-to-high confidence to a suspected Iran-linked threat actor dubbed Dust Specter. The campaign demonstrates a sophisticated blend of social engineering, infrastructure compromise, and custom malware to infiltrate high-value government targets.
One of the most notable aspects of the campaign is the abuse of legitimate national infrastructure to distribute malicious payloads. Researchers found that Iraqi government-related infrastructure had been compromised and used to host the malware. In particular, the legitimate Iraqi government website ca.iq was compromised and used to serve malicious archives; the archive name listed among the indicators below (mofaSurvey_20_30_oct.zip) matches the Ministry of Foreign Affairs survey theme of the lures. By distributing payloads through a trusted government domain, the attackers increased the credibility of their lures and significantly improved the chances of successful compromise.
The threat actor relied heavily on targeted social engineering to deliver malware to victims. Attackers impersonated Iraq’s Ministry of Foreign Affairs by creating convincing documents that appeared to be official communications. In another tactic, they spoofed virtual meeting invitations by creating malicious pages masquerading as Cisco Webex for Government conference links. The group also used “ClickFix” social engineering, in which a page displays a fake error or verification prompt and instructs the user to “fix” it by pasting an attacker-supplied command into a Run dialog or terminal, so the victim launches the first-stage payload themselves rather than through an exploit.
Once a victim executed the malicious content, the attackers deployed a set of previously undocumented .NET-based tools designed to establish persistence and maintain remote access. These tools include SPLITDROP, a dropper used to deliver secondary payloads; TWINTASK and TWINTALK, backdoors that enable persistent access and data exfiltration; and GHOSTFORM, a custom remote access trojan that allows direct control of compromised systems.
To protect their command-and-control infrastructure, the attackers used randomly generated URI paths with checksum validation: each implant request carries a unique-looking path whose bytes satisfy a checksum the server verifies, so only requests from genuine infected hosts receive tasking, while scanners, sandboxes and analysts replaying guessed URLs get nothing useful. Researchers also note that the techniques used in this campaign, particularly the compromise of government infrastructure, closely resemble tactics previously associated with APT34.
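The following is an added illustration of the checksum-validated beacon path technique described above. It is not the actor's code and the report does not disclose the real scheme; the checksum (sum of the path bytes modulo 256 equal to a fixed constant), the path length and the function names are all assumptions made for this example. The point it shows is how a server can tell an implant's request from a scanner's without any shared state, even though every request path looks different in proxy logs.

```python
# Added example, not from the original advisory or the threat actor.
# Constructed scheme: a path is valid when the byte sum of the path (leading
# slash excluded) modulo 256 equals TARGET. The real checksum is unknown.
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
TARGET = 0x5C  # arbitrary constant chosen for this example


def checksum8(path: str) -> int:
    """Sum of the ASCII bytes of the path (without leading '/') modulo 256."""
    return sum(path.lstrip("/").encode("ascii")) % 256


def make_beacon_path(length: int = 12) -> str:
    """Implant side: generate a random alphanumeric path and pick its final
    character so the checksum lands on TARGET. Every beacon therefore uses a
    fresh path, yet the server can still recognise it."""
    if length < 2:
        raise ValueError("need at least two characters")
    while True:
        body = "".join(secrets.choice(ALPHABET) for _ in range(length - 1))
        partial = sum(body.encode("ascii")) % 256
        # Find an alphanumeric final character that completes the checksum.
        # If none exists for this body (roughly 3 in 4 draws), draw again.
        for c in ALPHABET:
            if (partial + ord(c)) % 256 == TARGET:
                return "/" + body + c


def server_handle(path: str) -> tuple[int, str]:
    """Server side: return (status, body). Requests whose path does not carry
    a valid checksum get a bland 404, so crawlers, sandboxes and analysts
    probing the host see nothing that looks like a C2 endpoint."""
    if checksum8(path) != TARGET:
        return 404, "Not Found"
    return 200, "<tasking>"


if __name__ == "__main__":
    beacon = make_beacon_path()
    print("implant path:", beacon, "->", server_handle(beacon)[0])
    print("guessed path: /index.html ->", server_handle("/index.html")[0])
```

Because the valid paths are random and never reused, blocking on a specific URI is hopeless; the defensive signal is the shape of the traffic (single-segment, high-entropy, non-repeating paths to an otherwise unremarkable domain), which is what the hunting guidance below keys on.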
The report further highlights a growing regional trend where Iran-linked threat actors are integrating generative artificial intelligence into their attack lifecycle, likely accelerating malware development. Security teams are advised to strengthen protections for public-facing government infrastructure and closely monitor suspicious email lures impersonating official communications or government meeting platforms.
Impact
- Unauthorized Access
- Data Exfiltration
- System Compromise
- Malware Distribution
Indicators of Compromise
Domain Name
- lecturegenieltd.pro
- meetingapp.site
- afterworld.store
- girlsbags.shop
- onlinepettools.shop
- web14.info
- web27.info
MD5
- b8254efd859f5420f1ce4060e4796c08
- 78275f3fc7e209b85bff6a6f99acc68a
- d5ddf40ba2506c57d3087d032d733e08
- 8f44262afaa171b78fc9be20a0fb0071
- b19add5ccaa17a1308993e6f3f786b06
- 7f17fa22feaced1a16d4d39c545cdb16
- 70a9b537b9b7e1b410576d798e6c5043
- a7561eb023bb2c4025defcfe758d8ac2
- 809139c237c4062baecab43570060d67
SHA-256
- 903f7869a94d88d43b9140bb656f7bb86ef725efc78ef2ff9d12fd7c7c2aca74
- 6bb0d45799076b3f2d7f602b978a0779868fc72a1188374f6919fbbfba23efce
- 797325b3c8a9356dcace75d93cb5cfb7847d2049c66772d4cc2cee821618cb96
- 293ee1fe8d36aa79cf1f64f5ddef402bc6939d229c6fca955c7b796119564779
- 69294ad90aeb7f05e501e7191c95beb14e23da5587dd75557c867e2944a57fdc
- fa51aff99d86a9f1f65aa0ebbf6ca40411d343cea59370851ab328b97e2164bb
- a27d53608ab05b5c7cb86bcf4a273435238beeb7e7efd7845375b2aa765f51e2
- eb5b7275c41de8e98d72696eeac9cba3719f334f8e7974e6b8760ece820b1d0c
- 3a66ae5942f6feb79cf81ee70451f761253e0e0bde95f0840abdd42a804fad39
SHA-1
- 8621be9e1aa730d1ac8eb06fa8f66d9da70ff293
- fc08f8403849c6233978a363f4cdc58cd7041823
- 682c043443cb81b6c2fde8c5df43333f5d1fec53
- 1debc4c512ded889464e386739d5d2f61b87ff13
- 51a746c85bd486f223130173b7e674379a51b694
- 369b56a89b2fce2cbdc36f5a23bdec6067242911
- cb1760c90fb6c399e0125c7aa793efe37c4ce533
- df04e36c106691f9fe88e5798e4ae86438bd4f1d
- 8735ee29c409b8d101eb3170f011455be41b7a91
URL
- https://ca.iq/packages/mofaSurvey_20_30_oct.zip
Remediation
- Block and monitor all identified indicators of compromise across firewalls, web gateways, and endpoint security solutions to prevent communication with malicious infrastructure.
- Conduct proactive threat hunting within SIEM and EDR platforms to detect traces of SPLITDROP, TWINTASK, TWINTALK, or GHOSTFORM activity in the environment.
- Secure and continuously monitor public-facing government infrastructure to prevent attackers from hijacking legitimate domains for malware distribution.
- Implement strong email security filtering to detect phishing attempts impersonating government agencies or video conferencing platforms.
- Educate users to recognize social engineering tactics such as fake Webex invitations and “ClickFix” prompts requesting command execution.
- Restrict execution of suspicious scripts and commands through endpoint security policies and application control mechanisms, paying particular attention to interpreters launched from a Run dialog or browser session, which is the path ClickFix lures rely on.
- Enable multi-factor authentication (MFA) for sensitive accounts to reduce the impact of credential compromise.
- Monitor outbound network traffic for unusual command-and-control patterns, including beacons to recently registered or uncategorized domains whose URI paths are random-looking, single-segment strings that never repeat.
- Apply regular security patches and updates to operating systems, applications, and public-facing services to reduce exploitable vulnerabilities.
- Implement network segmentation to limit attacker movement within compromised environments.
- Deploy endpoint detection and response (EDR) tools capable of identifying custom .NET malware behavior and abnormal persistence mechanisms.
- Maintain centralized logging and correlation through SIEM to detect suspicious activities across systems and networks.
- Regularly back up critical data and ensure backups are securely stored and tested for recovery readiness.
- Develop and regularly test an incident response plan to ensure rapid containment and remediation of potential intrusions.
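As an added example of the first and ninth remediation items (it is not tooling from the report or the researchers), the script below loads the indicators published above, normalises hash case (the published SHA-1 list mixes cases), and hunts over a small set of constructed proxy log lines for three things: exact IOC URL hits, IOC domain hits, and POST requests whose path looks like a randomly generated beacon path. The log lines, the log format (`timestamp client method url status`), the entropy threshold and the function names are assumptions for this example; the hash set is a representative subset of the page's indicators.

```python
# Added example, not from the original advisory. Log lines are constructed.
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Indicators copied from this advisory (domains and URL in full; hashes as a
# representative subset). Hashes are lower-cased on load because the
# published list mixes cases.
IOC_DOMAINS = {
    "lecturegenieltd.pro", "meetingapp.site", "afterworld.store",
    "girlsbags.shop", "onlinepettools.shop", "web14.info", "web27.info",
}
IOC_URLS = {"https://ca.iq/packages/mofaSurvey_20_30_oct.zip"}
IOC_HASHES = {h.lower() for h in (
    "b8254efd859f5420f1ce4060e4796c08",                                   # MD5
    "Fc08f8403849c6233978a363f4cdc58cd7041823",                           # SHA-1 as published
    "903f7869a94d88d43b9140bb656f7bb86ef725efc78ef2ff9d12fd7c7c2aca74",   # SHA-256
)}

# Constructed sample proxy log (not real telemetry):
#   timestamp client method url status
SAMPLE_LOG = """\
2025-11-03T09:12:01Z 10.0.4.17 GET https://ca.iq/packages/mofaSurvey_20_30_oct.zip 200
2025-11-03T09:12:44Z 10.0.4.17 POST https://meetingapp.site/Kq7xZ2pLmT9w 200
2025-11-03T09:13:02Z 10.0.4.17 GET https://www.microsoft.com/en-us/windows 200
2025-11-03T09:15:44Z 10.0.4.17 POST https://web27.info/aB3dE9fGhJ2k 200
2025-11-03T09:20:10Z 10.0.4.22 GET https://example.org/news/2025/11/03 200
2025-11-03T09:30:00Z 10.0.4.31 POST https://updates-cdn.example.net/ZxQ8vN4rTp1y 200
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 12 distinct characters give log2(12) ~= 3.58."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_random_path(path: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Heuristic for a generated beacon path: one segment, no extension,
    alphanumeric only, long enough and high-entropy. Threshold is an assumption."""
    seg = path.strip("/")
    if "/" in seg or "." in seg or len(seg) < min_len:
        return False
    if not re.fullmatch(r"[A-Za-z0-9]+", seg):
        return False
    return shannon_entropy(seg) >= min_entropy


def hunt_proxy_log(log_text: str) -> list[dict]:
    """Return one record per suspicious line with the reasons it was flagged."""
    hits = []
    for line in log_text.splitlines():
        ts, client, method, url, status = line.split()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        if url in IOC_URLS:
            reasons.append("ioc_url")
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            reasons.append("ioc_domain")
        # Random-path beacons are flagged regardless of host, which is what
        # catches infrastructure the published IOC list does not yet cover.
        if method == "POST" and is_random_path(parts.path):
            reasons.append("random_path_post")
        if reasons:
            hits.append({"ts": ts, "client": client, "url": url, "reasons": reasons})
    return hits


def match_hashes(observed: set[str]) -> set[str]:
    """Case-insensitive intersection of observed file hashes with the IOC set."""
    return {h.lower() for h in observed} & IOC_HASHES


if __name__ == "__main__":
    for hit in hunt_proxy_log(SAMPLE_LOG):
        print(hit["client"], hit["url"], ",".join(hit["reasons"]))
    print(match_hashes({"FC08F8403849C6233978A363F4CDC58CD7041823", "deadbeef"}))
```

The random-path heuristic is a triage signal, not a verdict: CDNs, analytics endpoints and many APIs also use opaque tokens in paths. Pair it with domain age or categorisation, beacon periodicity and the originating process before escalating, and treat the IOC matches as the high-confidence tier.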

