Last month, Wirte puppetted the email address of a legitimate Israeli reseller of ESET software. Its lure message — sent to hospitals, municipal governments, and others — warned recipients that "Government-based attackers may be trying to compromise your device!" and included a download link.

The link first tried to connect to the website for Israel's Home Front Command, a wing of the Israel Defense Forces (IDF) responsible for protecting civilians. Its site is accessible only to those within Israel, so if the redirection succeeded, the attack would proceed.

https://counter.social/@ecksmc/113335079089027236

Next, a downloaded zip file dropped and decrypted a pro-Hamas wallpaper JPG, a propaganda video, a tool designed to enable lateral movement within targeted networks, and the SameCoin wiper.

Wirte has sometimes made use of the IronWind loader, starting in October 2023. IronWind uses a complex, multistage infection chain to drop malware, with the goal of frustrating analysis. It employs geofencing, and reflective loaders that run code directly in memory, rather than on the disk, where it might otherwise be spotted by antivirus software.

From Nov 2023

TA402 (aka Molerats and Frankenstein), which has been active for more than a decade, rolled out a new sophisticated tool named IronWind, which it used in three campaigns aimed at compromising systems within government agencies throughout the Middle East and Northern Africa, security firm Proofpoint stated in an analysis published on Nov. 14.

https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government