IceFire is a ransomware threat actor/operator associated with the ".ifire" file extension. Reporting cited in the content shows IceFire initially focused on Windows targets and later expanded to Linux, with SentinelLABS observing novel Linux variants deployed in enterprise intrusions against media and entertainment organizations worldwide in February 2023. Previous reporting noted targeting of technology companies, while the observed victims in the Linux campaign were located in Turkey, Iran, Pakistan, and the United Arab Emirates. The Linux IceFire campaign used exploitation of CVE-2022-47986, a deserialization vulnerability in IBM Aspera Faspex, to gain initial access and deploy payloads onto vulnerable CentOS-based file servers. This differed from previously reported Windows delivery via phishing and post-exploitation pivoting. Payloads were downloaded with wget from infrastructure hosted on a DigitalOcean droplet at 159.65.217.216:8080 into /opt/aspera/faspex. Open-source reporting linked this infrastructure to prior Aspera Faspex activity, and the Tor-based payment portal matched infrastructure previously tied to IceFire Windows attacks. Observed tradecraft was consistent with big-game hunting ransomware, including double extortion, persistence mechanisms, and log deletion. The Linux encryptor appended the ".ifire" extension, dropped ransom notes into encrypted directories from an embedded resource, deleted its own binary after execution, and used a Tor hidden service for victim payment access. It skipped some extensions such as .sh and .cfg, excluded multiple system and operational file types, and avoided encrypting critical Linux paths including /boot, /dev, /etc, /lib, /proc, /sys, /usr, /var, and /run, while targeting user and shared directories such as /home, /mnt, /media, and /share. The content does not attribute IceFire to a nation state and does not identify any aliases or sub-groups beyond the name IceFire itself.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware operators expanded from Windows-only activity to Linux, deploying IceFire in enterprise intrusions via exploitation of IBM Aspera Faspex. The activity is described as big-game hunting with double extortion and targeting large enterprises, including media and entertainment organizations.
Ransomware operation noted for adding Linux variants to expand attack surface.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.