Ironwind

Threat Actor updated a month ago (2024-11-29T14:49:41.322Z)
Download STIX
Preview STIX
IronWind is a threat actor that has been active since at least October 2023, known for its use of sophisticated malware and encryption techniques to carry out cyber attacks. This group uses a unique variant of the IronWind loader as an infection vector, which enables communication with command and control (C2) servers and executes malicious code hidden within HTML elements. Notably, the encryption function in the IronWind sample bears striking similarities to MicrosoftEdge.exe wiper, suggesting an overlap in the codebase. The IronWind variant uses the key 'msasn1.dll', while the wiper uses the key 'Saturday, October 07, 2023, 6:29:00 AM'. A newer variant of the IronWind loader was found to use 'propsys.dll', indicating continuous evolution and adaptation by the threat actor. Since October 2023, multiple cases have observed the use of the IronWind loader in cyber attacks, further reinforcing its prevalence. IronWind's activities were first publicly disclosed in November 2023 as part of a TA402 operation, a pro-Palestinian advanced persistent threat (APT) group. The campaign utilized custom loaders like IronWind to target Middle East-based government entities. The group initially used 'tabcal.exe' to sideload its initial access downloader IronWind but later switched to other methods, showing their adaptive tactics to evade detection and maintain their operations.
Description last updated: 2024-11-15T15:55:10.177Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
TA402 is a possible alias for Ironwind. TA402, also known as Molerats, Gaza Cybergang, Frankenstein, and WIRTE, is a threat actor that has been tracked by cybersecurity researchers for over a decade. This group, associated with pro-Palestinian interests, is known for its innovative and persistent cyber espionage activities, frequently ret
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Loader
Downloader
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Ironwind Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more