Dust Specter Campaign Deploys SPLITDROP and GHOSTFORM to Target Iraqi Officials

In the evolving landscape of nation-state cyber espionage, the Middle East remains a persistent focal point. Security Arsenal researchers have been tracking a concerning surge in activity attributed to a threat actor known as Dust Specter. This suspected Iran-nexus group has recently launched a sophisticated campaign specifically targeting high-ranking government officials in Iraq.

The Threat Vector: Diplomatic Impersonation

The Dust Specter operation is a textbook example of social engineering engineered for geopolitical gain. The attack begins with a phishing lure that impersonates the Ministry of Foreign Affairs of Iraq. By masquerading as a trusted diplomatic entity, the threat actors significantly increase the likelihood of initial engagement.

These emails are not generic spam; they are likely tailored to the recipient, referencing pending diplomatic matters or official communications to establish a veneer of legitimacy. Once the victim interacts with the lure—typically by opening a malicious attachment or clicking a compromised link—the infection chain begins.

Analysis: SPLITDROP and GHOSTFORM

What sets this campaign apart is the deployment of two distinct, never-before-seen malware families: SPLITDROP and GHOSTFORM. According to observations by Zscaler ThreatLabz in early 2026, these tools represent a leap in the actor's capability to maintain persistence and exfiltrate data.

SPLITDROP

SPLITDROP appears to function as a dropper or a transport mechanism. Its primary role is likely to establish a foothold on the victim's machine and facilitate the download of the heavier payload, GHOSTFORM. Droppers like SPLITDROP are often designed to be lightweight and evade signature-based detection by obfuscating the malicious code or using legitimate system processes to blend in.

GHOSTFORM

GHOSTFORM is the primary payload, likely designed for espionage. Given the context of the targets (government officials), GHOSTFORM probably features capabilities such as:

• Keylogging: Capturing keystrokes to steal credentials.
• Screen Capture: Recording activity on the infected endpoint.
• Data Exfiltration: Siphoning sensitive documents to command-and-control (C2) servers.

The use of custom malware suggests the Dust Specter group has significant resources and development skill, moving away from off-the-shelf tools to avoid detection by standard antivirus definitions.

Detection and Threat Hunting

To protect your organization against these sophisticated threats, Security Arsenal recommends the following detection queries and scripts. These tools focus on identifying the behavioral patterns of droppers and the anomalous PowerShell activity often associated with malware like SPLITDROP.

KQL for Sentinel/Defender

Hunt for suspicious process creation patterns, specifically where Office applications spawn PowerShell—a common technique used to execute droppers.

DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName == "powershell.exe"
| where ProcessCommandLine has_any ("DownloadString", "IEX", "Invoke-Expression", "FromBase64String")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

PowerShell Script for Persistence Checks

This script scans common persistence mechanisms (Registry Run keys and Startup folders) for anomalies that might indicate GHOSTFORM or similar implants.

function Get-SuspiciousPersistence {
    Write-Host "Checking Registry Run Keys..." -ForegroundColor Cyan
    $paths = @(
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    )

    foreach ($path in $paths) {
        if (Test-Path $path) {
            Get-ItemProperty -Path $path -ErrorAction SilentlyContinue | 
            Get-Member -MemberType NoteProperty | 
            Where-Object { $_.Name -ne "PSPath" -and $_.Name -ne "PSChildName" } | 
            ForEach-Object {
                $propName = $_.Name
                $value = (Get-ItemProperty -Path $path).$propName
                # Check for unusual paths (e.g., temp, appdata)
                if ($value -match "\\AppData\\Local\\Temp" -or $value -match ".\\") {
                    Write-Host "Suspicious Entry in $path : $propName -> $value" -ForegroundColor Red
                }
            }
        }
    }

    Write-Host "Checking Startup Folder..." -ForegroundColor Cyan
    $startupPath = [Environment]::GetFolderPath("Startup")
    Get-ChildItem $startupPath -ErrorAction SilentlyContinue | 
    Where-Object { $_.Extension -in @(".exe", ".vbs", ".js", ".ps1") } | 
    ForEach-Object { Write-Host "Suspicious file in Startup: $($_.FullName)" -ForegroundColor Yellow }
}

Get-SuspiciousPersistence

Python Script for File Hash Anomaly Detection

This utility helps identify recently created executables in user directories that do not have known signatures or are located in suspicious paths.

import os
import time
import hashlib

def scan_recent_executables(directory, hours=24):
    now = time.time()
    suspicious_files = []
    cutoff_time = now - (hours * 3600)

    for root, dirs, files in os.walk(directory):
        for file in files:
            if file.endswith(('.exe', '.dll', '.bat', '.ps1')):
                file_path = os.path.join(root, file)
                file_mtime = os.path.getmtime(file_path)
                if file_mtime > cutoff_time:
                    suspicious_files.append(file_path)
    return suspicious_files

if __name__ == "__main__":
    # Scan common user directories
    user_profile = os.environ['USERPROFILE']
    targets = [
        os.path.join(user_profile, 'Downloads'),
        os.path.join(user_profile, 'AppData', 'Local', 'Temp'),
        os.path.join(user_profile, 'Desktop')
    ]
    
    print("Scanning for recently created executables...")
    for target in targets:
        if os.path.exists(target):
            found = scan_recent_executables(target)
            for f in found:
                print(f"[!] Found recent file: {f}")

Mitigation Strategies

Defending against nation-state threats requires a defense-in-depth approach. Security Arsenal recommends the following immediate actions:

1. Email Filtering and Authentication: Implement strict DMARC, SPF, and DKIM policies. While internal spoofing is hard to stop, these protocols help filter out external impersonators trying to spoof the Ministry of Foreign Affairs.
2. Disable Macros: Attack vectors often rely on malicious macros in Office documents to initiate the PowerShell dropper. Ensure macros are disabled by default for all users.
3. Application Control (AppLocker): Restrict the execution of scripts and binaries in user-writable directories (e.g., C:\Users\*\AppData\Local\Temp). This prevents SPLITDROP from executing if it lands in a temporary folder.
4. User Education: Conduct specific training regarding diplomatic impersonation. Staff should be wary of unsolicited emails purporting to be from government ministries, especially those requesting urgent action or containing attachments.

Conclusion

The emergence of Dust Specter and the SPLITDROP/GHOSTFORM malware families underscores the continuous innovation by state-sponsored actors. Organizations operating in the government sector or within the Middle East must remain vigilant. By combining advanced threat hunting with robust user education, defenders can stay one step ahead of these sophisticated espionage campaigns.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub