2 malware familiesExploits CVEs in the wild

Frankenstein

Also known asFrankenstein

Frankenstein is a threat actor/campaign tracked in the provided content under the name Frankenstein. The content associates it with spearphishing emails delivering trojanized Microsoft Word documents for initial compromise. Post-compromise, Frankenstein used PowerShell to run a series of base64-encoded commands that acted as a stager and enumerated hosts. The actor also used Empire to automatically gather the username, domain name, machine name, and other system information from compromised systems, including obtaining the compromised machine's name. For defensive evasion and environment awareness, Frankenstein used WMI queries to determine whether analysis tools were running on a compromised system. The content also states that Frankenstein communicated with command-and-control infrastructure via an encrypted RC4 byte stream and AES-CBC. No additional aliases or sub-groups are provided beyond the name Frankenstein.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics5 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1566

Phishing

T1566.001

Spearphishing Attachment

TA0002

Execution

1 technique

T1059

Command and Scripting Interpreter

T1059.005

Visual Basic

TA0007

Discovery

1 technique

T1082

System Information Discovery

ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

EmpireAPT19 has obtained and used publicly-available tools like Empire.1May 26, 2026

IronWindFrom July through October 2023, Proofpoint researchers observed TA402 engage in phishing campaigns that delivered a new initial access downloader dubbed IronWind. The downloader was followed by additional stages that consisted of downloaded shellcode.1May 25, 2026

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2017-11882Microsoft Office Equation Editor Remote Code ExecutionIn the wildEvidence2

...has exploited Office vulnerabilities such as CVE-2017-11882...

IOCS

Observables

22 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

22 IOCsView more in app

hash.sha256

18 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+10

Domains

3 total

••••••.com•••••••.ru••••••••.com

ip.v4

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

mitre attack websiteNews

Oct 21, 2021

Updates - Updates - October 2021 | MITRE ATT&CK®

Referenced in ATT&CK v10 release notes under 'Group changes'; no operational details provided in this content.

anvilogic blogNews

May 5, 2021

Abuse EQNEDT32.EXE CVE-2017-11882

Listed as a tagged threat actor associated with CVE-2017-11882 exploitation/detection use case context; no specific campaign details provided.

mitre attack websiteNews

Feb 1, 2017

Automated Collection, Technique T1119 - Enterprise | MITRE ATT&CK®

Activity cluster that used Empire to automate collection of host and user information.

mitre attack websiteNews

Mar 20, 2015

System Information Discovery, Technique T1082 - Enterprise | MITRE ATT&CK®

Used Empire to obtain compromised machine names during operations.

+4 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping4

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables22

Domains, IPs, and hashes tied to this actor, refreshed continuously.