Threat Intelligence, Malware, Government security

Iran targets Iraqi government officials with multiple new malware strains


Infosecurity Magazine reports that Iranian threat operation Dust Specter has spoofed Iraq's Ministry of Foreign Affairs to compromise Iraqi government officials with the new SplitDrop, TwinTask, TwinTalk, and GhostForm payloads as part of an AI-powered intrusion campaign initially discovered in January.

The attacks were launched through two different techniques, according to Zscaler ThreatLabz researchers. The first involved a password-protected RAR archive with a .NET binary dubbed "SplitDrop" that spoofed the WinRAR app and enabled the deployment of the TwinTask and TwinTalk DLL files, with the former polling for new commands for PowerShell-based execution and the latter polling the command-and-control server for new commands.

Meanwhile, the other attack chain, involving the GhostForm RAT, entailed Google Forms exploitation and in-memory PowerShell script execution. Both emojis and Unicode text were evident in the codebases of TwinTalk and GhostForm, with researchers noting that such similarities indicate both payloads were developed with generative AI tools.
