
Dust Specter Campaign Delivers New SPLITDROP and GHOSTFORM Malware to Iraqi Officials

By DAPSSA AI Desk | 2026-03-05

Overview

  • Threat actor: Dust Specter, attributed to an Iran‑nexus group.
  • Target: Government officials in Iraq, specifically those associated with the Ministry of Foreign Affairs.
  • Method: Phishing emails spoofing the Iraqi Ministry of Foreign Affairs, delivering malicious attachments.
  • Malware families: Two never‑before‑seen strains – SPLITDROP and GHOSTFORM.

Campaign Details

  • Observation period: Activity recorded by Zscaler ThreatLabz in January 2026.
  • Delivery mechanism: Email attachments disguised as official documents; once opened, they drop the SPLITDROP or GHOSTFORM payloads.
  • Capabilities (as reported):
    • SPLITDROP: Designed to exfiltrate data and establish persistence via scheduled tasks.
    • GHOSTFORM: Utilizes file‑less techniques to evade detection and execute remote commands.

Attribution

  • Zscaler ThreatLabz linked the campaign to Dust Specter based on code similarities, infrastructure overlap, and geopolitical targeting patterns consistent with prior Iran‑aligned operations.

Recommendations

  • Verify the authenticity of any communication claiming to originate from the Ministry of Foreign Affairs.
  • Deploy email security solutions that scan attachments for unknown malware families.
  • Ensure endpoint detection and response (EDR) tools are updated to recognize SPLITDROP and GHOSTFORM behaviors.
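One way to apply the first recommendation at a mail gateway, as an added example that is not taken from the source article: treat a message as authentic only when its From domain is a known ministry domain and your own gateway recorded a DMARC pass. The domain `mofa.example`, the gateway id `mx.recipient.example`, the name hints and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Placeholders assumed for this example (not from the article):
TRUSTED_DOMAINS = {"mofa.example"}         # domains the ministry really sends from
TRUSTED_AUTHSERV = "mx.recipient.example"  # authserv-id stamped by your own gateway
NAME_HINTS = ("ministry of foreign affairs", "mofa")

def classify(raw: str) -> str:
    """Decide whether a message claiming to be from the ministry is authentic."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    claims = domain in TRUSTED_DOMAINS or any(h in display.lower() for h in NAME_HINTS)
    if not claims:
        return "not-claimed"
    if domain not in TRUSTED_DOMAINS:
        return "reject: display-name impersonation"
    # Trust only results stamped by our own gateway; a sender can forge the rest.
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if (authserv.split() or [""])[0].lower() != TRUSTED_AUTHSERV:
            continue
        m = re.search(r"\bdmarc\s*=\s*(\w+)", results, re.I)
        verdict = m and m.group(1).lower() == "pass"
        return "accept: dmarc pass" if verdict else "reject: dmarc not pass"
    return "reject: no trusted authentication result"

def build(from_hdr: str, *auth_results: str) -> str:
    """Assemble a constructed sample message (headers plus a one-line body)."""
    lines = [f"Authentication-Results: {r}" for r in auth_results]
    lines += [f"From: {from_hdr}", "Subject: Official circular", "", "See attachment."]
    return "\n".join(lines)

SAMPLES = {  # constructed test messages, not real traffic
    "genuine": build('"Ministry of Foreign Affairs" <press@mofa.example>',
                     "mx.recipient.example; spf=pass; dkim=pass; dmarc=pass"),
    "lookalike": build('"Ministry of Foreign Affairs" <office@mail-portal.example>',
                       "mx.recipient.example; dmarc=pass header.from=mail-portal.example"),
    "forged_header": build("press@mofa.example",
                           "mx.recipient.example; spf=fail; dmarc=fail",
                           "mx.sender.example; dmarc=pass"),
    "unrelated": build("Alice <alice@partner.example>", "mx.recipient.example; dmarc=pass"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {classify(raw)}")
```

The check assumes the gateway strips inbound `Authentication-Results` headers that carry its own authserv-id before adding its verdict; without that, a sender could forge a passing result.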

The information is based on the source article dated 5 March 2026.
