Ironwind

Threat Actor updated 3 days ago (2024-11-20T18:12:44.433Z)
IronWind is a threat actor that has been active since at least October 2023 and is known for using sophisticated malware and encryption techniques in its cyber attacks. The group uses a distinct variant of the IronWind loader as its infection vector; the loader communicates with command and control (C2) servers and executes malicious code hidden within HTML elements. Notably, the encryption function in the IronWind sample closely resembles that of the MicrosoftEdge.exe wiper, suggesting a shared codebase. The IronWind variant uses the key 'msasn1.dll', while the wiper uses the key 'Saturday, October 07, 2023, 6:29:00 AM'. A newer variant of the IronWind loader was found to use the key 'propsys.dll', indicating that the threat actor continues to evolve and adapt its tooling. Since October 2023, the IronWind loader has been observed in multiple cyber attacks, further confirming its prevalence. IronWind's activities were first publicly disclosed in November 2023 as part of an operation by TA402, a pro-Palestinian advanced persistent threat (APT) group. That campaign used custom loaders such as IronWind to target government entities based in the Middle East. The group initially used 'tabcal.exe' to sideload IronWind, its initial access downloader, but later switched to other methods, demonstrating adaptive tactics aimed at evading detection and sustaining its operations.
Description last updated: 2024-11-15T15:55:10.177Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions vary between vendors, so the following overlapping names / profiles may also be relevant.

Alias: TA402 (votes: 3)
TA402 is a possible alias for Ironwind. TA402, also known as Molerats, Gaza Cybergang, Frankenstein, and WIRTE, is a threat actor that has been tracked by cybersecurity researchers for over a decade. This group, associated with pro-Palestinian interests, is known for its innovative and persistent cyber espionage activities, frequently ret
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Loader
Downloader
Source Document References
Information about the Ironwind Threat Actor was read from the documents corpus.