IronWind

IronWind is a custom loader malware that has been in use since at least 2023 by actors including WIRTE to target entities in the Middle East.^[1]

ID: S9029

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 20 April 2026

Last Modified: 22 April 2026

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	IronWind can used HTTP to send information to C2 about the targeted system.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	IronWind has used the Windows command shell to execute malicious files.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	IronWind can deobfuscate the next stage payload using Base64 and XOR operations with the key "53".^[1]
Enterprise	T1574	.001	Hijack Execution Flow: DLL	IronWind has used DLL sideloading for execution.^[1]
Enterprise	T1070		Indicator Removal	IronWind has used a .NET DLL named "exit-DN4-core.dll" to terminate malicious processes running on victim's systems.^[1]
Enterprise	T1027	.010	Obfuscated Files or Information: Command Obfuscation	IronWind has used Base64 encoding and XOR encryption with the key "53" to obfuscate command strings.^[1]
Enterprise	T1518		Software Discovery	IronWind can list installed software on targeted hosts.^[1]
Enterprise	T1082		System Information Discovery	IronWind can capture the OS version and computer name of the compromised host.^[1]
Enterprise	T1033		System Owner/User Discovery	IronWind can enumerate the username on victim's systems.^[1]

ID	Name	References
G0090	WIRTE	^[1]