2025-04-17 • Kaspersky Labs • GReAT • win.mystery_snail
Analysis Summary
# Threat Actor: IronHusky
## Attribution & Identity
* **Name:** IronHusky
* **Associated Groups:** None named in the summary. The actor is linked to the **MysterySnail RAT**, a family Kaspersky's GReAT team first documented in 2021 and now reports in an updated, redeployed form. The analysis is attributed to Kaspersky Labs' GReAT team.
## Activity Summary
IronHusky has been observed updating and redeploying the older **MysterySnail RAT** for ongoing operations specifically targeting entities in Russia and Mongolia.
## Tactics, Techniques & Procedures
* **TTPs:** Updating and using the previously known MysterySnail Remote Access Trojan (RAT).
* **MITRE ATT&CK IDs:** Not explicitly listed in the context provided.
## Targeting
* **Sectors:** Not detailed in the summary. The Russia/Mongolia focus suggests targets of geopolitical intelligence interest, but that is an inference from the targeting pattern, not a stated finding of the report.
* **Geography:** Russia and Mongolia.
* **Victims:** Specific victim organizations are not mentioned in the context summary.
## Tools & Infrastructure
* **Malware Families used:** MysterySnail RAT (updated version).
* **Infrastructure (C2, domains, IPs):** Not detailed in the provided summary context.
## Implications
The re-emergence of an updated MysterySnail RAT shows IronHusky to be a sustained actor with a persistent interest in Russia and Mongolia. Reusing a tool that was publicly documented years ago, rather than building a new one, points either to operational efficiency or to a bet that defenders have retired or stopped tuning detections for an older, apparently dormant family.
## Mitigations
* Monitor egress traffic for the command-and-control patterns documented for MysterySnail RAT, and for generic RAT beaconing (regular check-ins from one host to one external endpoint) in case the updated version changed its protocol. This summary lists no C2 indicators, so concrete network signatures must come from the full Kaspersky report.
* Ensure endpoint detection and response (EDR) coverage detects RAT behaviour on the host (persistence, remote command execution, unexpected outbound connections from user processes), and check that detections for previously known MysterySnail variants are still enabled rather than retired as stale.
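As an added illustration of the first mitigation above, not code from the Kaspersky report and not a MysterySnail signature (the summary gives no protocol details), the following Python script flags generic RAT beaconing in connection logs: it groups connections by (source host, destination, port) and reports pairs whose inter-connection intervals are too regular to be human browsing. The log lines, host names and IP addresses are constructed for the example and are not real indicators.

```python
"""Generic C2 beacon detection over connection logs (added example).

Not Kaspersky's code and not a MysterySnail-specific detection: the page
gives no protocol details, so this flags the generic RAT behaviour of
regular check-ins to one external endpoint, independent of family.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (hypothetical host and documentation-range IPs).
# Format per line: ISO timestamp, source host, destination IP, dest port.
# ws-014 -> 198.51.100.23 checks in roughly once a minute (beacon-like);
# ws-014 -> 203.0.113.5 is irregular, as interactive browsing would be.
SAMPLE_LOG = """\
2025-04-17T09:00:00 ws-014 198.51.100.23 443
2025-04-17T09:00:11 ws-014 203.0.113.5 443
2025-04-17T09:01:02 ws-014 198.51.100.23 443
2025-04-17T09:01:31 ws-014 203.0.113.5 443
2025-04-17T09:01:58 ws-014 198.51.100.23 443
2025-04-17T09:02:04 ws-014 203.0.113.77 80
2025-04-17T09:03:01 ws-014 198.51.100.23 443
2025-04-17T09:03:49 ws-014 203.0.113.5 443
2025-04-17T09:04:00 ws-014 198.51.100.23 443
2025-04-17T09:05:03 ws-014 198.51.100.23 443
2025-04-17T09:07:12 ws-014 203.0.113.5 443
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst, port) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def beacon_candidates(events, min_conns=5, max_cv=0.2):
    """Flag (src, dst, port) tuples with suspiciously regular timing.

    min_conns: pairs with fewer connections are ignored (too little signal).
    max_cv:    coefficient of variation (stdev / mean) of the inter-connection
               gaps; above this the traffic is treated as irregular/human.
    Returns {(src, dst, port): (count, mean_gap_seconds, cv)}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst, port)].append(ts)

    findings = {}
    for key, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[key] = (len(times), avg, cv)
    return findings


if __name__ == "__main__":
    for key, (n, avg, cv) in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"beacon-like: {key} connections={n} mean_gap={avg:.1f}s cv={cv:.2f}")
```

The thresholds are deliberately conservative: a real RAT may add jitter or use long sleep intervals, so in production the window should span hours to days and `max_cv` should be tuned against a baseline of known-benign periodic traffic (update checks, telemetry) before alerting.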