{
	"id": "d456d71f-bc36-4606-822c-95dbdbbe9097",
	"created_at": "2026-04-06T00:21:20.176853Z",
	"updated_at": "2026-04-10T03:38:03.480944Z",
	"deleted_at": null,
	"sha1_hash": "4f951fa1b359c7dfb615f571f96077ba2cb3881d",
	"title": "TA402 Targets Middle East Entities with IronWind Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 422253,
	"plain_text": "TA402 Targets Middle East Entities with IronWind Malware | Proofpoint US\r\nBy Joshua Miller and the Proofpoint Threat Research Team, November 14, 2023\r\nPublished: 2023-11-07 · Archived: 2026-04-05 17:29:57 UTC\r\nKey takeaways\r\nFrom July through October 2023, Proofpoint researchers observed TA402 engage in phishing campaigns that delivered a new initial access downloader dubbed IronWind. The downloader was followed by additional stages that consisted of downloaded shellcode.\r\nDuring the same period, TA402 adjusted its delivery methods, moving from using Dropbox links to using XLL and RAR file attachments, likely to evade detection efforts.\r\nThis threat actor has consistently engaged in extremely targeted activity, pursuing fewer than five organizations with any single campaign. It has also maintained a strong focus on government entities based in the Middle East and North Africa.\r\nProofpoint has tracked TA402 since 2020. Our researchers assess the threat actor is a Middle Eastern advanced persistent threat (APT) group that historically has operated in the interests of the Palestinian Territories and overlaps with public reporting on Molerats, Gaza Cybergang, Frankenstein, and WIRTE.\r\nOverview\r\nIn mid-2023, Proofpoint researchers first identified TA402 (Molerats, Gaza Cybergang, Frankenstein, WIRTE) activity using a labyrinthine infection chain to target Middle Eastern governments with a new initial access downloader Proofpoint has dubbed IronWind. From July through October 2023, TA402 used three variations of this infection chain—Dropbox links, XLL file attachments, and RAR file attachments—with each variant consistently leading to the download of a DLL containing the multifunctional malware. 
In these campaigns, TA402 also pivoted away from its use of cloud services like the Dropbox API, which Proofpoint researchers observed in activity from 2021 and 2022, to using actor-controlled infrastructure for C2 communication.\r\nAs of late October 2023, Proofpoint researchers had not observed any changes in targeting by TA402, an APT group that historically has operated in the interests of the Palestinian Territories, nor identified any indications of an altered mandate despite the current conflict in the region. It remains possible that this threat actor will redirect its resources as events continue to unfold.\r\nCampaign details and IronWind\r\nJuly 2023 activity: In July 2023, Proofpoint researchers observed the first of TA402’s new, more convoluted infection chains as compared to prior campaign activity from 2021 and 2022 (Figures 1 and 2).\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government\r\nPage 1 of 6\r\nFigure 1. TA402 infection chain used from November 2021 to January 2022.\r\nFigure 2. TA402 infection chain used in the July 2023 campaign.\r\nTA402 engaged in a phishing campaign using a compromised Ministry of Foreign Affairs email account to target Middle Eastern government entities. The emails used an economic-themed social engineering lure (\"برنامج التعاون الإقتصادي مع دول مجلس التعاون الخليجي 2023-2024\" [Machine translation: \"Economic cooperation program with the countries of the Gulf Cooperation Council 2023-2024\"]) to deliver a Dropbox link that downloaded a malicious Microsoft PowerPoint Add-in (PPAM) file. The PPAM file contained a macro that dropped three files: version.dll (IronWind), timeout.exe, and gatherNetworkInfo.vbs. Timeout.exe was used to sideload IronWind. 
Once sideloaded, IronWind sent an HTTP GET request to a known TA402 C2 domain, theconomics[.]net, which was hosted on 191.101.78[.]189 at the time of analysis in August 2023. Proofpoint researchers have observed TA402 leveraging Dropbox for malware delivery since at least December 2021.\r\nAfter receiving the HTTP GET request, the C2 responded with shellcode that represented the third stage of the infection chain. During Proofpoint’s analysis, the shellcode used reflective .NET loaders to conduct WMI queries. The shellcode also served as a multipurpose loader, downloading the fourth stage—a .NET executable that used SharpSploit, a .NET post-exploitation library written in C#.\r\nThe .NET executable continued to use HTTPS POSTs and GETs to theconomics[.]net for C2 and received JSON responses. It passed authentication via a custom User-Agent string, \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:\u003ctag\u003e) Gecko/\u003cauth\u003e Firefox/3.15\", and almost certainly would have downloaded additional shellcode payloads. Based on Proofpoint analysis, this User-Agent is unique enough to be used for detection purposes. Proofpoint researchers did not observe the fifth stage at the time of analysis but took note that the last-stage payload contained unused code, suggesting TA402 may be making further updates and adjustments to the malware.\r\nAugust 2023 activity: In August 2023, TA402 shifted to sending an attached XLL file to load IronWind, using “قائمة الأشخاص والكيانات (المصنفة إرهابية) من قبل هيئة مكافحة غسيل الأموال وتمويل الإرهاب” as a lure, instead of using a malicious PPAM file delivered via Dropbox. 
The machine translation of the lure is as follows: “List of persons and entities (designated as terrorists) by the Anti-Money Laundering and Terrorist Financing Authority.” TA402 used the same compromised Ministry of Foreign Affairs email account observed in the July activity. As part of the initial infection process, TA402 sent a base64-encoded check-in to Request Inspector—a third-party service for creating endpoints for HTTP requests—to exfiltrate some system information.\r\nOctober 2023 activity: In October 2023, TA402 shifted a portion of its infection chain yet again. This time the threat actor sent a RAR file attachment that contained a renamed version of tabcal.exe for sideloading IronWind and propsys.dll (IronWind), instead of using a malicious PPAM file delivered via Dropbox or an attached XLL file to load the malware. The delivered malware again used Request Inspector for the initial check-in and a new TA402 C2 domain, inclusive-economy[.]com.\r\nTA402 also continued to leverage a compromised Ministry of Foreign Affairs email account to send phishing emails with the lure \"تقرير وتوصيات الدورة (110) بخصوص الحرب على غزة\", which translates to “Report and Recommendations of the 110th Session on the War on Gaza.” Currently, TA402 only appears to be using the conflict for lure purposes. Additionally, TA402 continues to phish, indicating the conflict has not significantly disrupted the group’s operations.\r\nIronWind: PDB analysis\r\nDuring malware analysis, Proofpoint researchers identified that TA402 had failed to sanitize the group’s PDB paths during malware development for multiple stages. A YARA rule for hunting purposes is attached at the end of this blog.
\r\nBased on the following PDB paths, Proofpoint researchers assess with moderate confidence that the IronWind malware project name is \\tornado\\ and that malware development is broken out by function, including IA (the IronWind dropper), stager (the stager DLL), and payloads.\r\nVT Stage 1: C:\\Users\\Win\\Desktop\\Reno\\NewTor\\27-07-2023\\tornado\\tornado\\Payloads\\BAR_33\\I.A\\out\\IA.pdb\r\nJuly 2023 Stage 2: C:\\Users\\User\\Desktop\\tornado\\Payloads\\WKS_10\\I.A\\out\\stagerx64.pdb\r\nAugust 2023 Stage 1: C:\\Users\\Win\\Desktop\\Reno\\NewTor\\27-07-2023\\tornado\\tornado\\Payloads\\BAR_38\\I.A\\out\\IA.pdb\r\nAugust 2023 Stage 2: C:\\Users\\Win\\Desktop\\Reno\\NewTor\\NewIA-Tornado-WithStealer\\Payloads\\KIL_03\\I.A\\out\\stagerx64.pdb\r\nStage 4: K:\\prj\\WIP\\C# - Payload\\Client-Side\\https\\client-Divided\\KALV\\obj\\Release\\KALV.pdb\r\nGeofencing\r\nTA402 regularly employs geofencing techniques to make detection of its malicious activity more difficult. This aspect of the threat actor’s tactics, techniques, and procedures has remained consistent since at least 2020. Even with the more elaborate infection chains observed in 2023, TA402 continues to include URLs that will at times redirect to decoy documents hosted on legitimate document hosting platforms if the geofencing is not bypassed.\r\nAttribution\r\nProofpoint researchers attributed the campaigns to TA402 based on tactics, techniques, and victimology. The 2023 campaigns share similarly themed lures with historical TA402 activity and retain a focus on Arabic-speaking targets located in the Middle East. Over the years, TA402 has consistently targeted government entities based in the Middle East and North Africa, at times going after the same targets repeatedly. 
TA402’s use of compromised Ministry of Foreign Affairs email accounts, geofencing, and decoy documents additionally contributed to the attribution.\r\nProofpoint researchers also assess TA402 operates in support of Palestinian espionage objectives with a focus on intelligence collection. This is consistent with prior Proofpoint published reports on this threat actor. While Proofpoint recognizes that TA402 overlaps with a number of publicly reported threat actors, including Molerats, WIRTE, and Frankenstein, Proofpoint researchers cluster independently based on internal malware analysis and investigations.\r\nConclusion\r\nBased on Proofpoint’s tracking of this threat actor since 2020, TA402 remains a persistent and innovative threat actor that routinely retools its attack methods and malware in support of its cyber espionage mandate. Its ongoing use of geofencing and decoy documents continues to serve its detection evasion efforts. While TA402 is an intelligence-collection-focused threat actor with a specific interest in Middle Eastern and North African government entities, the group could find itself under direction to adjust its targeting or social engineering lures in reaction to the ongoing Israel-Hamas conflict.
\r\nIndicators of Compromise (IOCs)\r\nINDICATOR | TYPE\r\ntheconomics[.]net | 191.101.78[.]189 | Domain | IP (C2)\r\ninclusive-economy[.]com | Domain\r\nhealthcaption[.]com | Domain\r\nET Signatures\r\n2049153 - ET MALWARE Win32/TA402 CnC User-Agent\r\n2049154 - ET MALWARE Win32/TA402 CnC Response M1\r\n2049155 - ET MALWARE Win32/TA402 CnC Response M2\r\n2049158 - ET MALWARE Win32/TA402 Checkin\r\n2049159 - ET MALWARE Win32/TA402 
Checkin M2\r\n2049160 - ET MALWARE TA402 CnC Domain in DNS Lookup\r\n2049161 - ET MALWARE Observed TA402 Domain in TLS SNI\r\n2049162 - ET MALWARE TA402 CnC Domain in DNS Lookup\r\n2049163 - ET MALWARE Observed TA402 Domain in TLS SNI\r\n2049164 - ET MALWARE Win32/TA402 CnC Activity (POST)\r\n2049165 - ET MALWARE Win32/TA402 CnC Activity (GET)\r\nYARA Rule\r\nrule TA402_PDB\r\n{\r\n  meta:\r\n    author = \"Proofpoint inc.\"\r\n    description = \"Finds TA402 related PDB paths\"\r\n    date = \"2023-09-27\"\r\n  strings:\r\n    $pdb1 = \"C:\\\\Users\\\\Win\\\\Desktop\\\\Reno\\\\NewTor\" ascii wide\r\n    $pdb2 = \"C:\\\\Users\\\\User\\\\Desktop\\\\tornado\\\\\" ascii wide\r\n    $pdb3 = \"K:\\\\prj\\\\WIP\\\\C# - Payload\\\\Client-Side\\\\https\\\\client-Divided\\\\KALV\\\\obj\\\\Release\\\\KALV.pdb\" ascii wide\r\n    $pdb4 = \"K:\\\\prj\\\\WIP\\\\C# - Payload\\\\Client-Side\" ascii wide\r\n  condition:\r\n    any of them\r\n}\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government"
	],
	"report_names": [
		"ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government"
	],
	"threat_actors": [
		{
			"id": "a7d4fe31-d92f-425a-ba8c-c70219f52fb8",
			"created_at": "2022-10-25T15:50:23.466009Z",
			"updated_at": "2026-04-10T02:00:05.250808Z",
			"deleted_at": null,
			"main_name": "Frankenstein",
			"aliases": [
				"Frankenstein"
			],
			"source_name": "MITRE:Frankenstein",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b14cd6df-3108-4839-8a2d-52eb2f8ce9c8",
			"created_at": "2022-10-25T15:50:23.798666Z",
			"updated_at": "2026-04-10T02:00:05.255838Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"WIRTE"
			],
			"source_name": "MITRE:WIRTE",
			"tools": [
				"LitePower",
				"Ferocious"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7800d05d-e713-4a4f-9b4f-0b960fb82c9d",
			"created_at": "2023-11-14T02:00:07.079123Z",
			"updated_at": "2026-04-10T02:00:03.444083Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"Ashen Lepus"
			],
			"source_name": "MISPGALAXY:WIRTE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6bad0c51-0d2b-4f04-b355-f88c960db813",
			"created_at": "2025-08-07T02:03:24.546734Z",
			"updated_at": "2026-04-10T02:00:03.691101Z",
			"deleted_at": null,
			"main_name": "ALUMINUM THORN",
			"aliases": [
				"Frankenstein ",
				"WIRTE "
			],
			"source_name": "Secureworks:ALUMINUM THORN",
			"tools": [
				"FruityC2",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0ad97d64-7970-48ca-83f6-3635c66e315c",
			"created_at": "2023-11-21T02:00:07.400003Z",
			"updated_at": "2026-04-10T02:00:03.479189Z",
			"deleted_at": null,
			"main_name": "TA402",
			"aliases": [],
			"source_name": "MISPGALAXY:TA402",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434880,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f951fa1b359c7dfb615f571f96077ba2cb3881d.pdf",
		"text": "https://archive.orkl.eu/4f951fa1b359c7dfb615f571f96077ba2cb3881d.txt",
		"img": "https://archive.orkl.eu/4f951fa1b359c7dfb615f571f96077ba2cb3881d.jpg"
	}
}