IRONSQUIRREL
IRONSQUIRREL is an open-source framework originally developed by security researcher Zoltan Balazs in 2017 for encrypted malware delivery. Reporting cited here states that POISON CARP used code based on IronSquirrel for ECC Diffie-Hellman-encrypted delivery of an iOS exploit chain and spyware in a 2018–2019 campaign targeting senior members of Tibetan organizations via malicious WhatsApp messages and one-click mobile browser exploits. The same reporting links that campaign to infrastructure and tooling overlaps with Uyghur-targeting operations. Volexity also reported that the China-aligned threat actor it tracks as EvilBamboo / Evil Eye used IRONSQUIRREL in renewed 2020 activity targeting Uyghur communities through compromised Uyghur websites and malicious iframes to launch a WebKit-based iOS exploit chain against iOS 12.3, 12.3.1, and 12.3.2, resulting in installation of the INSOMNIA iOS implant. In that activity, IRONSQUIRREL was used as part of staged JavaScript exploit delivery with User-Agent filtering. High-confidence associations in the provided content tie IRONSQUIRREL to POISON CARP and EvilBamboo / Evil Eye, with targeting focused on Tibetan and Uyghur individuals and organizations. The content does not describe IRONSQUIRREL itself as the final spyware payload, but as a framework used to deliver encrypted exploit chains and malware.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The specific code for encrypted malcode delivery used by POISON CARP is based on a project called IronSquirrel developed by security researcher Zoltan Balazs in 2017.
In the latest activity identified by Volexity, the Evil Eye threat actor used an open source framework called IRONSQUIRREL to launch their exploit chain.
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Project whose encrypted malcode delivery code was used as the basis for POISON CARP's iOS exploit delivery mechanism employing ECDH encryption between browser and server.
Open project used here as a basis for ECDH-encrypted exploit/payload delivery in the iOS exploitation flow, intended to hinder network-based detection and traffic-only reconstruction.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.