Ironchain — Technical Analysis
ID: 291546fc-9743-4d1f-9b49-f1ccb42511ca
STIX ID: report--291546fc-9743-4d1f-9b49-f1ccb42511ca
Threat Score: 90/100
IronChain 3.0 is PyInstaller-packed, Python-based malware analyzed as ransomware theater with destructive wiper functionality. It self-relocates to System32, establishes multi-layer persistence (including SafeBoot), disables recovery and security services, and kills defensive processes. It overwrites the MBR/UEFI, performs AES-CTR MFT destruction, and applies intermittent AES-GCM file encryption, preceded by an irreversible byte-shift transformation, with ephemeral RSA keys. Together these make recovery effectively impossible. The report includes hashes, IOCs, targeted services/processes, and MITRE ATT&CK mappings.
