Middle East Governments Targeted in New Campaign Using IronWind Malware

    Campaign Overview

    From July to October 2023, Proofpoint identified new phishing campaigns targeting government entities in the Middle East. These campaigns deliver an initial access downloader named IronWind. Proofpoint attributes this activity to TA402, also known as Molerats and Gaza Cyber Gang. TA402 shares tactics with the pro-Hamas hacking group APT-C-23, or Arid Viper.


    A Persistent Middle Eastern Threat

    Joshua Miller, a senior threat researcher at Proofpoint, emphasizes the significance of TA402. While North Korea, Russia, China, and Iran often dominate discussions of state-aligned cyber threats, TA402, which aligns with the interests of the Palestinian Territories, has consistently showcased sophisticated espionage capabilities. Their primary focus is intelligence collection.

    Evolving Tactics of TA402

    IronWind marks a shift from TA402’s previous methods, which involved spreading a backdoor named NimbleMamba. These attacks targeted Middle Eastern governments and foreign policy think tanks. IronWind’s deployment methods have evolved, now utilizing Dropbox links, XLL file attachments, and RAR archives.

    Innovative Phishing Techniques

    TA402 has been using a compromised email account from the Ministry of Foreign Affairs. They send phishing emails with Dropbox links that deploy IronWind. This downloader contacts a server controlled by the attackers to fetch additional payloads, including a toolkit named SharpSploit. The campaigns in August and October 2023 employed XLL files and RAR archives in emails to launch IronWind. TA402 also uses geofencing to avoid detection.
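
    The three delivery vectors named above (Dropbox links, XLL attachments, RAR archives) can be flagged at mail triage. The sketch below is an added example, not code from Proofpoint or from the original article; the function names, the Dropbox host list and the sample messages are assumptions constructed for illustration, and the RAR check goes slightly beyond the text by matching the archive signature so a renamed archive is still caught.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

RAR_MAGIC = b"Rar!\x1a\x07"  # shared prefix of the RAR4 and RAR5 signatures
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
DROPBOX_HOSTS = ("dropbox.com", "dropboxusercontent.com")  # assumed host list

def _is_dropbox(host: str) -> bool:
    # Exact or subdomain match only, so dropbox.com.example.net is not flagged.
    return any(host == d or host.endswith("." + d) for d in DROPBOX_HOSTS)

def triage(raw: bytes) -> list[str]:
    """Return the delivery-vector flags found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name:  # treat any named part as an attachment
            data = part.get_payload(decode=True) or b""
            if name.endswith(".xll"):
                flags.add("xll-attachment")
            if name.endswith(".rar") or data.startswith(RAR_MAGIC):
                flags.add("rar-attachment")
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if _is_dropbox((urlparse(url).hostname or "").lower()):
                    flags.add("dropbox-link")
    return sorted(flags)

def _sample(body: str, attach=None) -> bytes:
    """Build a constructed test message (not taken from any real campaign)."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.org", "analyst@example.org"
    m["Subject"] = "constructed sample"
    m.set_content(body)
    if attach:
        fname, data = attach
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(_sample("See https://www.dropbox.com/s/x/file?dl=1")))
    print(triage(_sample("Agenda attached", ("agenda.pdf", RAR_MAGIC + b"\x01\x00"))))
```

    Each flag is a hunting heuristic rather than a verdict: XLL add-ins and Dropbox links also appear in legitimate mail, so the output is best used to prioritise messages for review.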

    Persistence in Conflict

    Despite ongoing conflicts in the Middle East, TA402 continues to innovate in malware delivery. They focus on government entities in the Middle East and North Africa, using complex infection chains and new malware types.

    Additional Cybersecurity Concerns

    Cisco Talos recently uncovered that cybercriminals are exploiting Google Forms quizzes’ “Release scores” feature. They use this for orchestrating elaborate cryptocurrency scams. These emails, originating from Google’s servers, might bypass anti-spam protections more easily, as noted by security researcher Jaeson Schultz.
