Monday, May 5, 2025
HomeCyber Security NewsTA402 Group using Weaponized XLL and RAR Files to Deliver Malware

TA402 Group using Weaponized XLL and RAR Files to Deliver Malware

Published on

SIEM as a Service

Follow Us on Google News

Researchers have discovered a new phishing campaign that targets Middle Eastern and North African Government Entities to deliver a new initial access downloader termed “IronWind.” This downloader is followed by additional payload stages, which downloads a shellcode. 

Most campaigns were using Dropbox links, which then evolved to using XLL and RAR file attachments to evade detection mechanisms. Moreover, this threat actor activity overlaps with Molerats, Gaza Cybergang, Frankenstein, and WIRTE.

Weaponized XLL and RAR Files

The malicious actor employs a hijacked email account belonging to the Ministry of Foreign Affairs to launch phishing attacks against government entities in the Middle East.

- Advertisement - Google News

The email utilized phishing tactics to deceive its recipients with a message related to economic affairs. The email contained a hyperlink to a Dropbox file, which once clicked, downloaded a harmful Microsoft PowerPoint Add-in (PPAM) file.

Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

This file contains a macro that drops three files such as version.dll (IronWind), timeout.exe, and gatherNetworkInfo.vbs.

The timeout.exe file was used to sideload IronWin, which sends an HTTP GET request to the C2 domain (theconomics[.]net), according to the analysis of August 2023.

Once the C2 receives this request, it responds back with a shellcode, which is the third stage of the infection chain.

Recent Campaign Flow (Source: Proofpoint)
Recent Campaign Flow (Source: Proofpoint)

This shellcode uses .NET loaders to perform WMI queries and also downloads the fourth stage of the malware, which was another .NET executable that uses SharSploit, a .NET post-exploitation library written in C#.

Shifting from PPAM to RAR

The attachments were observed to shift from PPAM to RAR file in October 2023. The RAR file consists of a tabcal.exe file, which sideloads the IronWind and propsys.dll. Other stages of the malware delivery remained the same.

A complete report about this IronWind infection has been published by Proofpoint which provides detailed information about the threat actor, path of compromise, and other vital information.

Indicators of Compromise

SHA256 Value

  • 9b2a16cbe5af12b486d31b68ef397d6bc48b2736e6b388ad8895b588f1831f47
  • 5d773e734290b93649a41ccda63772560b4fa25ba715b17df7b9f18883679160
  • 19f452239dadcd7544f055d26199cb482c1f6ae5486309bde1526174e926146a
  • A4bf96aee6284effb4c4fe0ccfee7b32d497e45408e253fb8e1199454e5c65a3
  • 26cb6055be1ee503f87d040c84c0a7cacb245b4182445e3eee47ed6e073eca47
  • cbb89aac5a2c93a02305846f9353b013e6703813d4b6baff8eb89ee938647af3
  • c98dc0b930ea67992921d9f0848713deaa5bba8b4ba21effd0b00595dd9ed28c
  • ac227dd5c97a36f54e4fa02df4e4c0339b513e4f8049616e2a815a108e34552f
  • 6ab5a0b7080e783bba9b3ec53889e82ca4f2d304e67bd139aa267c22c281a368
  • e2ba2d3d2c1f0b5143d1cd291f6a09abe1c53e570800d8ae43622426c1c4343c
  • d8cde28cf2a5884daddf6e3bc26c80f66bc3737e426b4ba747d49d154999fbc1
  • 81fc4a5b1d22efba961baa695aa53201397505e2a6024743ed58da7bf0b4a97f
  • 3b2a6c7a39f49e790286185f2d078e17844df1349b713f278ecef1defb4d6b04
  • 7bddde9708118f709b063da526640a4132718d3d638505aafce5a20d404b2761
  • 883e035f893483b9921d054b3fa014cef90d90b10dcba7d342def8be2e98ce3c
  • 4b0a48d698240504c4ff6275dc735c8162e57f92224fb1d2d6393890b82a4206
  • 4018b462f2fcf1b0452ecd88ab64ddc5647d1857481f50fa915070f5f1858115
  • 3d80ea70b0c00d12f2ba2c7b1541f7d0f80005a38a173e6962b24f01d4a2a1de

Domains

  • inclusive-economy[.]com 
  • healthcaption[.]com 
  • theconomics[.]net

IP (C2)

  • 191.101.78[.]189

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...