2 malware families

ALUMINUM THORN

Also known asALUMINUM THORN

ALUMINUM THORN is an espionage-focused threat group active since at least August 2018. It was first publicly disclosed by LAB52 in April 2019 and later by Cisco Talos in June 2019. Known aliases directly mentioned in the content include WIRTE and Frankenstein, with Cisco Talos referring to the activity as the Frankenstein campaign. The Frankenstein label was based on the group’s reuse of code and techniques from security blogs and open-source projects, including PowerShell Empire and FruityC2. Reported targeting is centered on the MENA region, with lure themes and VirusTotal submission locations suggesting targeting that includes Jordan and Egypt. Public reporting describes the group’s operations as small and narrowly focused, which may have limited broader research visibility. In 2024, Secureworks observed the group conducting targeted phishing operations against government and defense entities in the Middle East.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

government
defense

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1566

Phishing

ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Empire...use of a combination of code and techniques from security blogs and open source projects, such as FruityC2 and Powershell Empire...1Mar 18, 2026

FruityC2...use of a combination of code and techniques from security blogs and open source projects, such as FruityC2 and Powershell Empire...1Mar 18, 2026

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

secureworks threat profilesNews

Mar 18, 2026

ALUMINUM THORN

Espionage-focused activity cluster operating since at least Aug 2018, associated with the 'Frankenstein' campaign; conducts targeted phishing against government and defense entities in the Middle East/North Africa (MENA).

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.