A suspected Iranian cyber espionage group has launched a campaign targeting Iraqi government officials by impersonating the country’s Ministry of Foreign Affairs. The attacks, observed in January 2026, deploy two previously undocumented malware families designed to steal sensitive information.
The threat cluster, tracked as Dust Specter by cybersecurity researchers at Zscaler ThreatLabz, used sophisticated phishing lures to deliver the new malicious software. The campaign’s focus on diplomatic personnel highlights ongoing cyber tensions in the region.
Technical Details of the Attack
The operation involved impersonating the Iraqi Ministry of Foreign Affairs to gain the trust of targets. Attackers sent malicious emails containing documents that, once opened, initiated a multi-stage infection process.
This process ultimately installed two distinct malware payloads, named SPLITDROP and GHOSTFORM by analysts. These tools had not been seen in any prior cyber espionage activity, indicating a significant development in the threat actor’s capabilities.
Malware Functionality and Purpose
SPLITDROP malware acts as a downloader, a type of program designed to retrieve additional, more powerful malicious components from attacker-controlled servers. Its primary function is to establish a foothold on the compromised system.
GHOSTFORM is a more advanced information stealer. It is engineered to search infected computers for specific documents and data, exfiltrating them to remote servers operated by the attackers. The combination allows for persistent access and data theft.
Attribution and Regional Context
Zscaler attributes the activity with moderate confidence to an advanced persistent threat, or APT, group with links to Iran. Such state-aligned groups often conduct espionage to gather intelligence that supports geopolitical interests.
Targeting Iraqi officials fits a historical pattern of cyber operations within the Middle East. Numerous groups affiliated with regional states have previously focused on government and critical infrastructure networks in neighboring countries.
Security Implications and Recommendations
The discovery of never-before-seen malware underscores the continuous evolution of cyber threats, particularly in espionage. Organizations, especially in government sectors, are advised to treat unsolicited communications with extreme caution.
Security experts recommend implementing robust email filtering, conducting regular employee training on phishing recognition, and maintaining updated endpoint detection systems. Vigilance against document-based lures remains a critical defense layer.
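One concrete form the "robust email filtering" recommendation can take is a gateway rule that flags messages whose display name claims to come from the ministry but whose sender address is not on the organisation's own allowlist, together with document attachments of the kinds commonly used as lures. The block below is an added example written for this article; it is not code from Zscaler ThreatLabz, and the trusted domain, the keyword list, the attachment extensions and the two sample messages are all constructed placeholders that a deployment would replace with its own records.

```python
"""Added example (not from the Zscaler report): a minimal mail-gateway check for
display-name impersonation of a ministry, Reply-To mismatches and risky document
attachments. All domains, names and sample messages are constructed placeholders."""
import os
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Placeholder allowlist: the real ministry domain(s) come from the organisation's records.
TRUSTED_SENDER_DOMAINS = {"mofa.example"}

# Display-name phrases an impersonator would reuse (constructed list).
IMPERSONATION_KEYWORDS = ("ministry of foreign affairs", "foreign ministry", "mofa")

# Attachment types that warrant review when they arrive unsolicited (assumed list).
RISKY_ATTACHMENT_EXTS = {".docm", ".xlsm", ".pptm", ".rtf", ".iso", ".img", ".lnk", ".zip", ".rar"}


def sender_domain(from_header):
    """Lower-cased domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(from_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def display_name(from_header):
    """Lower-cased display name of an address header."""
    name, _ = parseaddr(from_header or "")
    return name.lower()


def attachment_names(msg):
    """Filenames of every MIME part that declares one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def assess(raw_message):
    """Return a list of (rule, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    name = display_name(msg["From"])
    domain = sender_domain(msg["From"])
    # Rule 1: the display name claims the ministry, but the address is not an allowlisted domain.
    if any(k in name for k in IMPERSONATION_KEYWORDS) and domain not in TRUSTED_SENDER_DOMAINS:
        findings.append(("display-name-impersonation", f"'{name}' sent from {domain or 'no address'}"))
    # Rule 2: replies are steered to a different domain than the one the mail claims to come from.
    reply_domain = sender_domain(msg["Reply-To"])
    if reply_domain and reply_domain != domain:
        findings.append(("reply-to-mismatch", f"From {domain}, Reply-To {reply_domain}"))
    # Rule 3: document-style attachments of the kinds often used to start an infection chain.
    for filename in attachment_names(msg):
        if os.path.splitext(filename)[1].lower() in RISKY_ATTACHMENT_EXTS:
            findings.append(("risky-attachment", filename))
    return findings


def build_sample(from_header, attachment=None, reply_to=None):
    """Construct a sample message as test data; not a real capture."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "official@gov.example"
    m["Subject"] = "Document for review"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Please review the attached document.")
    if attachment:
        m.add_attachment(b"\x00" * 16, maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed samples: one lookalike lure and one message from the allowlisted domain.
LURE = build_sample('"Ministry of Foreign Affairs" <protocol@mofa-lookalike.example>',
                    attachment="Note_Verbale.docm", reply_to="replies@elsewhere.example")
LEGIT = build_sample('"Ministry of Foreign Affairs" <protocol@mofa.example>',
                     attachment="agenda.pdf")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, assess(raw))
```

The three rules are deliberately independent so that each finding can be scored or routed on its own; in practice the allowlist check is the one that catches a lookalike domain, while the attachment rule only narrows review to the file types that can start a multi-stage download rather than blocking documents outright.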
Researchers expect Dust Specter to continue refining its tools and tactics. The cybersecurity community is monitoring for further deployments of SPLITDROP and GHOSTFORM, or related variants, potentially against targets in other sectors or regions.
Source: Zscaler ThreatLabz