Dust Specter: How an Iranian APT Used AI and Fake Government Portals to Compromise Iraq
ID: 8b473dcb-f2da-53d3-8d12-06e0e38a5086
STIX ID: report--8b473dcb-f2da-53d3-8d12-06e0e38a5086
Feed Name: NoHackie
Zscaler ThreatLabz uncovered the Dust Specter campaign (detected in January 2026), an Iran-nexus APT operation targeting Iraqi Foreign Ministry officials that deployed four novel .NET toolsets (SPLITDROP, TWINTASK, TWINTALK, GHOSTFORM). The operation relied on compromised government infrastructure and trusted platforms (Google Forms, Cisco Webex decoys), used layered evasion techniques (DLL sideloading via legitimate binaries, password-protected RAR archives, JWT iat abuse, geofenced C2 servers, Windows Forms timer-based evasion), and shows signs of AI-assisted code generation. Detection and remediation require behavioral controls, threat-intelligence sharing, and architectural changes such as zero-trust diplomatic workspaces.
