IRON TILDEN
SUMMARY
IRON TILDEN, likely operating on behalf of the Russian government, conducts cyber espionage against Ukrainian targets of interest, primarily in the government and defense verticals. Active since at least 2013, the threat group's operations consist of aggressive spear phishing campaigns that utilize malicious VBA scripts inside attached Microsoft Word or Excel documents, designed to install information stealers on compromised hosts.
IRON TILDEN sacrifices some operational security in favor of high-tempo operations, so its infrastructure is identifiable through its regular use of specific Dynamic DNS providers, Russian hosting providers, and remote template injection techniques. This static set of characteristics, combined with the minimal use of obfuscation in the group's phishing attacks, may benefit organizations that are potential targets for IRON TILDEN.