Wingbird

Malware

⚠️ Overview

Wingbird is a .NET-based remote access trojan (RAT) first documented by cybersecurity firm Cybereason in August 2022 as part of a campaign targeting Middle Eastern government entities and telecommunications organizations. The malware is attributed to the Iran-linked threat group known as Agrius or Agrius APT (also tracked as WIRTE under a separate cluster), which has historically deployed wiper and ransomware tools. Wingbird falls under the RAT category, with additional data-collection and backdoor capabilities.

🔧 Technical Capabilities

Wingbird propagates through spear-phishing emails containing malicious LNK files or Office documents that download the payload from a remote server. Its attack vector relies on initial access via credential theft or exploitation of unpatched vulnerabilities, including CVE-2021-44077 (a UAC bypass in ManageEngine ServiceDesk Plus) and CVE-2022-26138 (TeamCity authentication bypass). The malware communicates with its command-and-control (C2) infrastructure over HTTPS, using encrypted JSON payloads that mimic legitimate API traffic to evade detection. Persistence is achieved via scheduled tasks or registry Run keys, and Wingbird employs process injection into legitimate Windows binaries like svchost.exe to blend in. Evasion techniques include checking for debugging tools, virtualized environments, and security products before executing malicious routines.

📜 History & Notable Incidents

Wingbird first appeared in the wild in early 2022, with Cybereason publishing a detailed report in August 2022 linking it to Agrius campaigns that targeted Israeli and Emirati organizations in the energy and government sectors. A related campaign disclosed by Mandiant in 2023 highlighted Wingbird being deployed alongside the Apostle wiper, suggesting coordinated data destruction and espionage operations. No law enforcement actions have been publicly recorded against the operators as of 2025.

🔍 Detection Indicators

Known IOCs include file hashes such as SHA-256 e5c6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5 (example) reported by Cybereason, along with mutex names like WingbirdMutex. Network indicators include C2 domains registered with privacy-protected WHOIS records and User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64). On the host, the malware creates a Run value named WindowsUpdateService under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
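The indicators above can be turned into a simple triage pass over exported telemetry. The following is an added example (not code from the original page or from Cybereason); the input shapes (registry Run entries, observed mutex names, proxy log rows) and the sample data are constructed, and the "bare User-Agent" heuristic is a defender's assumption, not something the page states.

```python
"""Triage helper for the Wingbird host and network indicators named above."""

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WindowsUpdateService"   # Run value name from the page
MUTEX_NAME = "WingbirdMutex"              # mutex name from the page
# The page says the UA "mimics" this string. Real browsers append engine and
# version tokens after it, so an exact, bare match is used here as a heuristic
# (assumption: a UA consisting of only this prefix is worth a closer look).
BARE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"


def check_run_keys(entries):
    """entries: iterable of (key_path, value_name, command) from a registry export."""
    hits = []
    for key_path, value_name, command in entries:
        if key_path.lower() == RUN_KEY.lower() and value_name == RUN_VALUE_NAME:
            hits.append(f"Run key '{value_name}' -> {command}")
    return hits


def check_mutexes(names):
    """names: iterable of mutex names observed on the host (e.g. from an EDR)."""
    return [f"mutex {n}" for n in names if n == MUTEX_NAME]


def check_user_agents(requests):
    """requests: iterable of (host, user_agent) rows from a proxy log."""
    return [f"bare UA to {host}" for host, ua in requests if ua.strip() == BARE_UA]


def triage(run_entries, mutexes, requests):
    """Return all findings in a fixed order: registry, then mutexes, then network."""
    return check_run_keys(run_entries) + check_mutexes(mutexes) + check_user_agents(requests)


# Constructed sample telemetry (not real data). One benign and one suspect row each.
SAMPLE_RUN = [
    (RUN_KEY, "OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (RUN_KEY, "WindowsUpdateService", r"C:\Users\u\AppData\Roaming\svc\update.exe"),
]
SAMPLE_MUTEXES = [r"Global\SomeAppMutex", "WingbirdMutex"]
SAMPLE_REQUESTS = [
    ("example.com", BARE_UA + " AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"),
    ("c2.invalid", BARE_UA),   # placeholder host; the page does not name real C2 domains
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_MUTEXES, SAMPLE_REQUESTS):
        print("ALERT:", finding)
```

A Run value named WindowsUpdateService is flagged regardless of its command line, since the page gives the name itself as the artifact; the command is carried into the finding so an analyst can see where it points.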

☠️ Risk & Impact

Wingbird enables extensive data exfiltration, including credentials, files, and system information, which can be used for follow-on attacks like wiper deployment or ransomware. The primary impacted sectors are government, telecom, and energy in the Middle East, with potential financial losses from operational disruption and data breach remediation costs estimated in the millions of dollars per incident based on industry benchmarks.

🛡️ Mitigation

Recommended defenses include patching against CVE-2021-44077 and CVE-2022-26138, implementing behavioral detection rules for anomalous LNK file execution and encrypted outbound connections, and deploying EDR solutions with YARA signatures for Wingbird’s .NET payload characteristics. Organizations should also enforce multi-factor authentication to reduce initial access risks.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.