Iranian hackers use DEEPROOT and TWOSTROKE malware in aerospace and defense attacks

November 18, 2025Ravi LakshmananCyber ​​espionage/malware

Suspected Iranian espionage actors have been observed deploying backdoors such as TWOSTROKE and DEEPROOT as part of an ongoing campaign targeting aerospace, aviation, and defense industries in the Middle East.

The activity has been attributed to a threat cluster tracked by Google-owned Mandiant as UNC1549 (also known as Nimbus Manticore or Subtle Snail), which the threat intelligence firm first documented early last year.

Researchers Mohamed El Banna, Daniel Lee, Mike Stockel, and Josh Goddard said: “UNC1549, which was active from late 2023 to 2025, employed sophisticated initial access vectors, including exploiting third-party relationships (service provider-to-customer transition), VDI breakout from third parties, and highly targeted role-related phishing.”

The disclosure comes nearly two months after Swiss cybersecurity firm PRODAFT linked the group to a campaign targeting European telecom companies through recruitment-themed social engineering on LinkedIn, successfully infiltrating 11 organizations in the process.


According to Google, the infection chain combines phishing campaigns aimed at stealing credentials and distributing malware with intrusions that abuse trust relationships with third-party suppliers and partners. The second approach has proven particularly effective against defense contractors.

While these organizations tend to have robust defenses in place, their third-party partners often do not. UNC1549 turns these weak links in the supply chain to its advantage, first gaining access to a connected entity and then using it to infiltrate the primary target.

This often involves the misuse of credentials for services such as Citrix, VMware, and Azure Virtual Desktops and Applications (VDAs) harvested from those external entities to establish an initial foothold, then breaking out of the virtualization session's restrictions to reach the underlying host systems and begin lateral movement within the target network.

Another initial access vector is spear-phishing emails that claim to relate to employment opportunities, enticing the recipient to click a malicious link and download malware onto their machine. UNC1549 has also been observed targeting IT staff and administrators in these attacks in order to obtain credentials with elevated privileges that allow deeper access to the network.

Once an attacker finds a way inside, post-exploitation activities include reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft, with the systematic collection of network/IT documents, intellectual property, and emails.

Below are some of the custom tools used by the threat actor as part of this effort. The scraped text had each tool name displaced onto the neighbouring description; the pairing below restores the order, with one backdoor left unnamed because its name did not survive in this summary.

  • MINIBIKE (also known as SlugResin), a known C++ backdoor that collects system information, fetches additional payloads for reconnaissance, logs keystrokes and clipboard contents, steals Microsoft Outlook credentials, harvests web browser data from Google Chrome, Brave, and Microsoft Edge, and takes screenshots
  • A backdoor that supports executing Linux shell commands, enumerating system information, and manipulating files
  • LIGHTRAIL, a custom tunneler possibly based on Lastenzug, an open-source Socks4a proxy, that communicates using Azure cloud infrastructure
  • GHOSTLINE, a Golang-based Windows tunneler that uses a hardcoded domain for communication
  • POLLBLEND, a C++ Windows tunneler that registers itself with a hardcoded command-and-control (C2) server and downloads tunneler configurations
  • DCSYNCER.SLICK, a DCSyncer-based Windows utility that performs DCSync attacks for privilege escalation
  • CRASHPAD, a C++ Windows utility that extracts credentials stored within web browsers
  • SIGHTGRAB, a C++ Windows utility that is selectively deployed to periodically capture screenshots and save them to disk
  • TRUSTTRAP, malware that presents a Windows prompt to trick users into entering their Microsoft account credentials


The attackers also leverage publicly available programs: AD Explorer to query Active Directory, Atelier Web Remote Commander (AWRC) to establish remote connections and perform reconnaissance, credential theft, and malware deployment, and SCCMVNC for remote control. Additionally, the attackers reportedly took steps to hamper investigation by deleting the registry keys that hold RDP connection history.
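The deletion of RDP connection-history registry keys described above is an anti-forensics step that leaves its own trace: on a host running Sysmon, removing a key or value under the RDP client's history locations generates a registry event that can be matched. The following detector is an added example written for this page, not code from the article, Google, or Mandiant. It assumes Sysmon registry events exported as JSON lines with the standard Sysmon field names (EventID, EventType, TargetObject, Image, User), and it uses the standard per-user RDP client history locations (HKCU\Software\Microsoft\Terminal Server Client\Servers and \Default, which Sysmon records under HKU\<SID>\...). The sample events are constructed.

```python
import json
from dataclasses import dataclass

# Registry subtrees that hold a user's RDP client connection history.
# Sysmon logs HKCU paths as HKU\<SID>\..., so matching is done on the suffix, case-insensitively.
RDP_HISTORY_SUBTREES = (
    r"\software\microsoft\terminal server client\servers",
    r"\software\microsoft\terminal server client\default",
)

# The only process expected to maintain these keys during normal use.
RDP_CLIENT = r"c:\windows\system32\mstsc.exe"

# Constructed Sysmon events in JSON-lines form (hypothetical data for this example).
# Event 1: normal history write by mstsc.exe (EventID 13, SetValue) - benign.
# Event 2: a host entry deleted via reg.exe (EventID 12, DeleteKey) - suspicious.
# Event 3: an MRU value deleted via PowerShell (EventID 12, DeleteValue) - suspicious.
# Event 4: unrelated key deletion by an installer - ignored.
SAMPLE_JSONL = r"""
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\mstsc.exe", "User": "CORP\\jdoe", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Terminal Server Client\\Servers\\fs01\\UsernameHint"}
{"EventID": 12, "EventType": "DeleteKey", "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Terminal Server Client\\Servers\\dc01"}
{"EventID": 12, "EventType": "DeleteValue", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\jdoe", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Terminal Server Client\\Default\\MRU0"}
{"EventID": 12, "EventType": "DeleteKey", "Image": "C:\\Program Files\\Vendor\\setup.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetObject": "HKLM\\Software\\Vendor\\OldKey"}
"""


@dataclass
class Finding:
    user: str
    image: str
    target: str
    severity: str  # "high" when a process other than the RDP client removed history


def load_events(text: str) -> list:
    """Parse JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_rdp_history_key(target: str) -> bool:
    """True when the registry path lies under one of the RDP client history subtrees."""
    t = target.lower()
    return any(sub in t for sub in RDP_HISTORY_SUBTREES)


def analyse(events: list) -> list:
    """Return a Finding for every Sysmon registry deletion touching RDP history."""
    findings = []
    for ev in events:
        # Sysmon EventID 12 covers key/value create and delete; only deletions matter here.
        if ev.get("EventID") != 12 or ev.get("EventType") not in ("DeleteKey", "DeleteValue"):
            continue
        target = ev.get("TargetObject", "")
        if not is_rdp_history_key(target):
            continue
        image = ev.get("Image", "").lower()
        # mstsc.exe can legitimately prune its own list; anything else is the anti-forensics pattern.
        severity = "low" if image == RDP_CLIENT else "high"
        findings.append(Finding(ev.get("User", ""), image, target, severity))
    return findings


def summarise(findings: list) -> dict:
    """Count high-severity deletions per user, a convenient pivot for triage."""
    counts = {}
    for f in findings:
        if f.severity == "high":
            counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    results = analyse(load_events(SAMPLE_JSONL))
    for f in results:
        print(f"[{f.severity}] {f.user} via {f.image} removed {f.target}")
    print(summarise(results))
```

Deletion events of this kind only exist if the Sysmon configuration includes the Terminal Server Client subtree in its RegistryEvent rules; the check is cheap enough to run across all exported events, and correlating a burst of these findings with the RDP connection logons they erase gives an investigator the timeline the attacker tried to remove.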

“The UNC1549 campaign is characterized by a focus on anticipating investigators and ensuring long-term continuity after discovery,” Mandiant said. “They install backdoors that silently beacon for months, and only activate the backdoor to regain access after the victim has attempted eradication.”

“They maintain stealth and command and control (C2) using extensive reverse SSH shells (limiting forensic evidence) and domains that strategically mimic the victim’s industry.”
