IronWind
IronWind is a custom initial-access downloader/loader used in phishing campaigns attributed to TA402 and assessed by Check Point to be primarily deployed by WIRTE, a Middle Eastern threat group overlapping with Gaza Cybergang/Molerats and linked in reporting to Hamas-aligned activity. It was observed in campaigns from July through October 2023 and continued in WIRTE operations during 2024. The loader beacons to command-and-control infrastructure and retrieves encrypted next-stage payloads embedded in HTML tags, which it decrypts and executes in memory. Reported delivery chains included Dropbox-delivered PPAM files, XLL attachments, and RAR archives containing renamed legitimate executables and malicious DLLs for DLL sideloading, often accompanied by Arabic-language political or war-themed lure documents and phishing emails sent from compromised accounts. Targets were primarily government entities in the Middle East and North Africa, with reporting also tying WIRTE activity to targeting in the Palestinian Authority, Jordan, Egypt, Saudi Arabia, and Iraq.
IronWind uses multistage infection chains intended to frustrate analysis. Reported behaviors include initial victim metadata collection and check-in, use of the public request-logging service Request Inspector for exfiltration of system information, geofencing, reflective/in-memory loading, and retrieval of encrypted payloads embedded in HTML tags. In one reported chain, IronWind sent HTTP GET requests to theconomics[.]net; later activity used inclusive-economy[.]com, and Check Point reported requestinspector.com as part of an IronWind chain. Proofpoint also reported a distinctive custom User-Agent format used for authentication to the C2. Subsequent stages included downloaded shellcode, reflective .NET loaders, WMI queries, and later-stage .NET payloads using SharpSploit. Check Point reported an IronWind chain in which a first-stage version.dll decrypted a next-stage propsys.dll by Base64-decoding it and then XORing with the key 53, and a stager internally named stagerx64 extracted encrypted payloads from HTML tags. A final-stage artifact observed in that chain was donut shellcode loading a .NET DLL named exit-DN4-core.dll that terminates the executing process.
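The decryption scheme and the HTML-tag retrieval described above, as an added analyst helper that is not code from the original page or from any vendor report. It assumes the page's XOR key "53" is the single byte 0x53 (the reporting does not say whether the value is decimal or hex), and it assumes a tag shape of the form `<div id="payload">…</div>`, since the page does not name the tag. The sample HTML and the fake stage are constructed for the example. It goes slightly beyond the page in one respect: `recover_xor_key` brute-forces the key from the expected "MZ" header, which works for any single-byte XOR key, not just 0x53.

```python
import base64
import re
from typing import List, Optional

# Assumption for this example: the page's XOR key "53" read as the byte 0x53.
XOR_KEY = 0x53


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. Symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def decode_stage(blob: str, key: int) -> bytes:
    """Reverse the reported version.dll -> propsys.dll scheme: Base64, then XOR."""
    return xor_bytes(base64.b64decode(blob), key)


def recover_xor_key(blob: str, known_prefix: bytes = b"MZ") -> Optional[int]:
    """Brute-force a single-byte XOR key from a known plaintext prefix.

    A PE stage starts with 'MZ', so a 256-key search over the first bytes is
    enough even when reporting does not give the key.
    """
    raw = base64.b64decode(blob)
    for key in range(256):
        if xor_bytes(raw[: len(known_prefix)], key) == known_prefix:
            return key
    return None


def extract_payloads_from_html(html: str, tag: str = "div", attr: str = "id",
                               marker: str = "payload") -> List[str]:
    """Pull Base64 text out of tags such as <div id="payload">...</div>.

    The tag, attribute and marker names are assumptions for this example; the
    page only says the stager reads encrypted payloads from HTML tags.
    """
    pattern = re.compile(
        rf'<{tag}[^>]*\b{attr}="{re.escape(marker)}"[^>]*>(.*?)</{tag}>', re.S)
    return [m.strip() for m in pattern.findall(html)]


# Constructed sample, not a real IronWind artifact: a fake PE-like stage,
# XOR-encrypted, Base64-encoded and planted inside a lure-looking HTML page.
FAKE_STAGE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed-fake-stage"
ENCODED_STAGE = base64.b64encode(xor_bytes(FAKE_STAGE, XOR_KEY)).decode()
SAMPLE_HTML = f"""<html><body>
<h1>Economic outlook</h1>
<div id="payload">{ENCODED_STAGE}</div>
</body></html>"""


def run_demo():
    """Extract the blob, recover the key, decrypt. Returns (key, stage bytes)."""
    blobs = extract_payloads_from_html(SAMPLE_HTML)
    key = recover_xor_key(blobs[0])
    return key, decode_stage(blobs[0], key)


if __name__ == "__main__":
    k, stage = run_demo()
    print(f"recovered key: 0x{k:02x}, stage starts with {stage[:2]!r}")
```

When triaging a real HTML response from the C2, swap the tag/attribute/marker arguments for whatever the sample's stager actually looks for, and keep the known-prefix check: a decrypt that does not yield "MZ" (or the first bytes of whatever the next stage is) usually means a wrong key or a second encoding layer.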
Additional reported artifacts and indicators associated with IronWind activity include the use of renamed legitimate executables such as timeout.exe, tabcal.exe, and setup_wm.exe as sideloading hosts; a hardcoded user agent in the stager; the actor-controlled domains theconomics[.]net and inclusive-economy[.]com; and abuse of the third-party service requestinspector.com. Proofpoint reported unsanitized PDB paths suggesting the malware project name was "tornado." Check Point further reported code overlap between a newer IronWind loader variant (propsys.dll) and the SameCoin wiper, suggesting common development within WIRTE-linked operations.
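A detection check for the sideloading pattern described above, added here as an example and not taken from the page or any vendor rule. It correlates Sysmon-style process-creation (Event 1) and image-load (Event 7) records and flags a process whose OriginalFileName is one of the reported host binaries, running outside the Windows system directories, that loads version.dll or propsys.dll from its own directory. Matching on OriginalFileName rather than the on-disk name is the point: the page says the actor renamed the host executables. The event records are constructed for the example; only the binary and DLL names come from the page.

```python
import ntpath
from typing import Dict, List

# Legitimate Windows binaries the page reports being renamed and abused as
# sideloading hosts, and the DLL names the page associates with IronWind stages.
SIDELOAD_HOSTS = {"timeout.exe", "tabcal.exe", "setup_wm.exe"}
IRONWIND_DLLS = {"version.dll", "propsys.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _split(path: str):
    """Lower-cased (directory, filename) of a Windows path, portable via ntpath."""
    return ntpath.split(path.lower())


def find_sideload_candidates(events: List[dict]) -> List[dict]:
    """Flag host binaries loading an IronWind-named DLL from their own directory.

    Event 1 carries OriginalFileName from the PE version resource, which
    survives renaming; Event 7 carries the loaded image path.
    """
    procs: Dict[int, dict] = {}
    alerts: List[dict] = []
    for ev in events:
        if ev["EventID"] == 1:
            procs[ev["ProcessId"]] = ev
        elif ev["EventID"] == 7:
            proc = procs.get(ev["ProcessId"])
            if proc is None:
                continue
            exe_dir, exe_name = _split(proc["Image"])
            dll_dir, dll_name = _split(ev["ImageLoaded"])
            original = proc.get("OriginalFileName", "").lower()
            if (original in SIDELOAD_HOSTS
                    and dll_name in IRONWIND_DLLS
                    and dll_dir == exe_dir          # DLL sits beside the host
                    and exe_dir not in SYSTEM_DIRS):  # host copied out of System32
                alerts.append({
                    "ProcessId": ev["ProcessId"],
                    "Host": original,
                    "RenamedTo": exe_name if exe_name != original else None,
                    "Dll": ev["ImageLoaded"],
                })
    return alerts


# Constructed Sysmon-style records, not real telemetry.
EVENTS = [
    # tabcal.exe renamed to report.exe, loads version.dll from the same folder
    {"EventID": 1, "ProcessId": 4412, "Image": r"C:\Users\alice\AppData\Local\Temp\report.exe",
     "OriginalFileName": "tabcal.exe"},
    {"EventID": 7, "ProcessId": 4412, "Image": r"C:\Users\alice\AppData\Local\Temp\report.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    # benign: the real timeout.exe in System32 loading the real version.dll
    {"EventID": 1, "ProcessId": 5120, "Image": r"C:\Windows\System32\timeout.exe",
     "OriginalFileName": "timeout.exe"},
    {"EventID": 7, "ProcessId": 5120, "Image": r"C:\Windows\System32\timeout.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    # timeout.exe renamed to update.exe, loads propsys.dll from Downloads
    {"EventID": 1, "ProcessId": 7310, "Image": r"C:\Users\alice\Downloads\update.exe",
     "OriginalFileName": "timeout.exe"},
    {"EventID": 7, "ProcessId": 7310, "Image": r"C:\Users\alice\Downloads\update.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\propsys.dll"},
    # host outside System32 but loading the system propsys.dll: not flagged
    {"EventID": 1, "ProcessId": 8002, "Image": r"C:\Program Files\Windows Media Player\setup_wm.exe",
     "OriginalFileName": "setup_wm.exe"},
    {"EventID": 7, "ProcessId": 8002, "Image": r"C:\Program Files\Windows Media Player\setup_wm.exe",
     "ImageLoaded": r"C:\Windows\System32\propsys.dll"},
]


if __name__ == "__main__":
    for alert in find_sideload_candidates(EVENTS):
        print(alert)
```

The same-directory and non-system-directory conditions are what keep this quiet on a normal host; in a SIEM, the equivalent Sigma or KQL rule would join the two event types on ProcessGuid rather than ProcessId to survive PID reuse.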
Groups observed using it
2 distinct threat actors attributed by public researchers.
From July through October 2023, Proofpoint researchers observed TA402 engage in phishing campaigns that delivered a new initial access downloader dubbed IronWind. The downloader was followed by additional stages that consisted of downloaded shellcode.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
From July through October 2023, Proofpoint researchers observed TA402 engage in phishing campaigns that delivered a new initial access downloader dubbed IronWind.
During the same period, TA402 adjusted its delivery methods, moving from using Dropbox links to using XLL and RAR file attachments, likely to evade detection efforts.
The emails used an economic-themed social engineering lure ... to deliver a Dropbox link that downloaded a malicious Microsoft PowerPoint Add-in (PPAM) file.
Execution
3 techniques
During Proofpoint's analysis, the shellcode used reflective .NET loaders to conduct WMI queries.
The PPAM file contained a macro that dropped three files: version.dll (IronWind), timeout.exe, and gatherNetworkInfo.vbs.
Defense Evasion
1 technique
This time the threat actor sent a RAR file attachment that contained a renamed version of tabcal.exe for sideloading IronWind.
Discovery
1 technique
As part of the initial infection process, TA402 sent a base64 encoded check in to Request Inspector ... to exfiltrate some system information.
Command and Control
2 techniques
IronWind communicates with its C2 over plain web protocols: the reported chain sent HTTP GET requests to theconomics[.]net, identified itself with a hardcoded custom User-Agent, and received next-stage content embedded in HTML tags.
The shellcode also served as a multipurpose loader, downloading the fourth stage—a .NET executable that used SharpSploit, a .NET post-exploitation library written in C#.
Exfiltration
1 technique
As part of the initial infection process, TA402 sent a base64 encoded check in to Request Inspector ... to exfiltrate some system information.
IOCs tracked for this family
22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
IronWind is a loader used by the Wirte APT to deliver additional malware through a multistage, memory-resident infection chain, designed to evade detection and frustrate analysis.
Custom loader used by WIRTE/TA402-linked activity to profile victims, beacon to C2 with a hardcoded user-agent, and retrieve/execute next-stage payloads embedded within HTML tags; observed delivered via RAR + DLL sideloading chains.
IronWind is a multifunctional initial access downloader/loader used by TA402 in targeted phishing campaigns against Middle East-based government entities. It is sideloaded via DLL files, checks in to actor-controlled C2 infrastructure, receives shellcode as follow-on stages, performs system reconnaissance, and downloads additional .NET payloads for post-exploitation.