Malware: used by 1 actor

GHOSTFORM

GHOSTFORM is a .NET-based remote access trojan used by the suspected Iran-nexus threat actor Dust Specter in a January 2026 campaign targeting Iraqi government officials. The operation used phishing and social engineering lures impersonating Iraq’s Ministry of Foreign Affairs. GHOSTFORM was delivered as one of several newly identified malware families in the campaign, alongside SPLITDROP, TWINTASK, and TWINTALK.

GHOSTFORM consolidates functionality that in another infection chain was split between TWINTASK and TWINTALK into a single binary. It executes commands directly in memory and uses in-memory PowerShell script execution to run commands retrieved from command-and-control infrastructure, reducing filesystem traces. Reported stealth features include delayed execution via invisible Windows forms, including near-zero-opacity windows hidden from the taskbar, and mutex checks to prevent multiple instances.

As part of its social engineering, some samples open a hard-coded Google Forms lure in Arabic posing as an official survey or questionnaire from Iraq’s Ministry of Foreign Affairs while the malware runs in the background. Reporting also describes related ClickFix-style lures in the broader Dust Specter campaign, including a fake Cisco Webex meeting page that tricked victims into running malicious PowerShell.

High-confidence reporting associates GHOSTFORM with targeted espionage against Iraqi government personnel. Zscaler ThreatLabz assessed the campaign with medium-to-high confidence as Iran-nexus based on overlaps in TTPs and victimology. Analysts also noted unusual code artifacts in GHOSTFORM, including emojis, Unicode text, and placeholder-style values, which they said may indicate generative-AI-assisted development. A related C2 domain reported in the broader campaign was meetingapp[.]site.
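The behaviours the page describes (TWINTASK polling C:\ProgramData\PolGuid\in.txt every 15 seconds for Base64-encoded PowerShell, TWINTALK beaconing with randomized 108–180 second delays, and contact with the reported C2 domain meetingapp[.]site) can be turned into simple detection logic over endpoint and network telemetry. The block below is an added example and is not code from this page, from Zscaler ThreatLabz or from Centripetal; the log schema, host names and timestamps are constructed for illustration, while the file path, poll period, beacon band and domain are the values stated in the reporting above.

```python
import base64
from collections import defaultdict
from datetime import datetime

# Values taken from the reporting summarized on this page.
STAGING_PATH = r"C:\ProgramData\PolGuid\in.txt"   # TWINTASK polls this file for Base64 PowerShell
POLL_PERIOD = 15                                  # seconds between polls, per the report
BEACON_MIN, BEACON_MAX = 108, 180                 # TWINTALK randomized beacon delay band (seconds)
C2_DOMAINS = {"meetingapp.site"}                  # reported defanged as meetingapp[.]site

# Constructed sample telemetry (not real data): (timestamp, host, path) file-read events.
FILE_EVENTS = [
    ("2026-01-14T09:00:00", "WS-12", r"C:\ProgramData\PolGuid\in.txt"),
    ("2026-01-14T09:00:15", "WS-12", r"C:\ProgramData\PolGuid\in.txt"),
    ("2026-01-14T09:00:30", "WS-12", r"C:\ProgramData\PolGuid\in.txt"),
    ("2026-01-14T09:00:45", "WS-12", r"C:\ProgramData\PolGuid\in.txt"),
    ("2026-01-14T09:01:00", "WS-07", r"C:\Users\alice\Documents\notes.txt"),
]

# Constructed sample telemetry: (timestamp, host, destination) outbound connection events.
CONN_EVENTS = [
    ("2026-01-14T09:00:00", "WS-12", "meetingapp.site"),
    ("2026-01-14T09:02:15", "WS-12", "meetingapp.site"),       # +135 s
    ("2026-01-14T09:04:10", "WS-12", "meetingapp.site"),       # +115 s
    ("2026-01-14T09:07:05", "WS-12", "meetingapp.site"),       # +175 s
    ("2026-01-14T09:00:00", "WS-07", "updates.example.test"),
    ("2026-01-14T09:00:02", "WS-07", "updates.example.test"),  # +2 s, not a beacon pattern
    ("2026-01-14T09:30:00", "WS-07", "updates.example.test"),
    ("2026-01-14T10:00:00", "WS-03", "meetingapp.site"),       # single lookup, no cadence yet
]

# Constructed staged commands, as they would appear in in.txt (benign content used for the sample).
SAMPLE_B64_UTF8 = base64.b64encode("Get-Process | Out-File out.txt".encode("utf-8")).decode()
SAMPLE_B64_UTF16 = base64.b64encode("Get-Date".encode("utf-16-le")).decode()


def _intervals(timestamps):
    """Sorted inter-event gaps in seconds for a list of ISO-8601 timestamps."""
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def find_staging_polling(events, path=STAGING_PATH, period=POLL_PERIOD, tolerance=3, min_events=3):
    """Hosts that repeatedly read the staging file at roughly the reported poll period."""
    by_host = defaultdict(list)
    for ts, host, p in events:
        if p.lower() == path.lower():
            by_host[host].append(ts)
    hits = []
    for host, stamps in by_host.items():
        gaps = _intervals(stamps)
        if len(stamps) >= min_events and all(abs(g - period) <= tolerance for g in gaps):
            hits.append(host)
    return sorted(hits)


def find_jittered_beacons(events, lo=BEACON_MIN, hi=BEACON_MAX, min_intervals=3):
    """(host, destination) pairs whose connection gaps all fall inside the reported jitter band."""
    by_pair = defaultdict(list)
    for ts, host, dst in events:
        by_pair[(host, dst)].append(ts)
    hits = []
    for pair, stamps in by_pair.items():
        gaps = _intervals(stamps)
        if len(gaps) >= min_intervals and all(lo <= g <= hi for g in gaps):
            hits.append(pair)
    return sorted(hits)


def find_c2_contacts(events, domains=C2_DOMAINS):
    """Distinct (host, destination) pairs that touched a reported C2 domain."""
    return sorted({(host, dst) for _, host, dst in events if dst.lower().rstrip(".") in domains})


def decode_staged_command(blob):
    """Decode a Base64 blob from the staging file into text for triage, or None if it is not Base64.

    PowerShell's -EncodedCommand uses UTF-16LE, so NUL bytes in the decoded data select that codec.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    encoding = "utf-16-le" if b"\x00" in raw else "utf-8"
    try:
        return raw.decode(encoding)
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    print("staging-file polling:", find_staging_polling(FILE_EVENTS))
    print("jittered beacons:", find_jittered_beacons(CONN_EVENTS))
    print("C2 contacts:", find_c2_contacts(CONN_EVENTS))
    print("staged command:", decode_staged_command(SAMPLE_B64_UTF8))
```

The three checks are deliberately independent: WS-03 is surfaced by the domain match alone, WS-12 by all three signals, and the jitter check would still fire on the same cadence to a destination that is not yet in the indicator list, which matters because the report notes the actor randomizes other protocol details to evade static matching.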


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Dust Specter

GHOSTFORM consolidates this functionality into a single binary featuring in-memory execution and a Google Form lure.

via Centripetal threat research (centripetal.ai)
MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (Evidence: 2)

"Threat actors impersonated the country’s Ministry of Foreign Affairs in phishing messages that delivered previously unseen malware..."

Execution

4 techniques
T1053 Scheduled Task/Job (Evidence: 1)

"...ClickFix lure... to trick victims into running malicious PowerShell commands that download and schedule malware execution."

T1059 Command and Scripting Interpreter (Evidence: 2)

Attack Chain 2 delivered GHOSTFORM, consolidating all functionality into a single binary using an invisible Windows form for delayed execution, in-memory PowerShell command execution

T1059.001 PowerShell (Evidence: 6)

TWINTASK maintains persistence by polling C:\ProgramData\PolGuid\in.txt every 15 seconds for Base64-encoded PowerShell commands.

T1574.001 DLL (Evidence: 1)

"...uses DLL sideloading with legitimate software such as VLC and WingetUI."

Persistence

2 techniques
T1053 Scheduled Task/Job (Evidence: 1)

"...ClickFix lure... to trick victims into running malicious PowerShell commands that download and schedule malware execution."

T1547.001 Registry Run Keys / Startup Folder (Evidence: 1)

"The malware establishes persistence through registry keys..."

Privilege Escalation

2 techniques
T1053 Scheduled Task/Job (Evidence: 1)

"...ClickFix lure... to trick victims into running malicious PowerShell commands that download and schedule malware execution."

T1547.001 Registry Run Keys / Startup Folder (Evidence: 1)

"The malware establishes persistence through registry keys..."

Stealth

8 techniques
T1027 Obfuscated Files or Information (Evidence: 1)

“constructs a unique URI path at runtime… random 10-character hex string… 6-character checksum… server… randomizing JSON key names on each response… parses fields by position rather than by JSON key name.”

T1036 Masquerading (Evidence: 1)

"...sideloaded by the legitimate \"vlc.exe\" binary..."; "...masquerades as an official survey from Iraq's Ministry of Foreign Affairs."; "...host a fake Cisco Webex meeting invitation page..."

T1480 Execution Guardrails (Evidence: 1)

"The C2 server also utilized geofencing techniques..."

T1480.002 Mutual Exclusion (Evidence: 1)

“Mutex: Creates a mutex with the name Global\_ to ensure that only one instance of GHOSTFORM runs at any given time.”

T1564.003 Hidden Window (Evidence: 2)

“launched an invisible Windows form with near-zero opacity, hidden from the taskbar — to delay its own execution”

T1574.001 DLL (Evidence: 1)

"...uses DLL sideloading with legitimate software such as VLC and WingetUI."

T1612 Build Image on Host (Evidence: 1)

“The C2 server also utilized geofencing techniques and User-Agent verification.”

T1620 Reflective Code Loading (Evidence: 4)

GHOSTFORM consolidates this functionality into a single binary featuring in-memory execution and a Google Form lure.

Collection

1 technique
T1074.001 Local Data Staging (Evidence: 1)

"...mutex checks to avoid multiple instances."

Command and Control

1 technique
T1071.001 Web Protocols (Evidence: 2)

TWINTALK, a C2 orchestrator that beacons via JWT-authenticated HTTPS with randomized delays (108–180 seconds).

Exfiltration

1 technique
T1567 Exfiltration Over Web Service (Evidence: 1)

"other attack chain with the GhostForm RAT entailed Google Forms exploitation"

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
3 tracked

IPs, domains, and DNS infrastructure linked to this family.

Type | Value | Latest sighting
domain | [value redacted on the public page] | 3 months ago
domain | [value redacted on the public page] | 3 months ago
domain | [value redacted on the public page] | 3 months ago