Dust Specter APT Targets Gov’t Officials in Iraq
ID: 9f775ab8-c0e3-5584-b0a1-e6e68015b345
STIX ID: report--9f775ab8-c0e3-5584-b0a1-e6e68015b345
Feed Name: Zscaler Security Research Blog
This technical analysis describes an active malware campaign with two variants: a split architecture (SPLITDROP drops TWINTASK and TWINTALK) that uses DLL sideloading, file-based command polling, and PowerShell execution, and a single-file variant (GHOSTFORM) that performs in-memory PowerShell execution and uses Google Forms as a social-engineering lure. The report documents persistence via registry Run keys, C2 beaconing with randomized URIs and weak JWT signing, command types (execute/download/upload), multiple evasion techniques (randomized JSON keys, checksum-protected URIs, delayed/invisible execution), and concrete indicators such as file paths and binaries.
