UNC1549 Hacks 34 Devices at 11 Telecom Companies via LinkedIn Job Lures and Minibike Malware

By user, September 19, 2025

The Iranian-nexus cyber espionage group known as UNC1549 has infiltrated 34 devices across 11 organizations in a new campaign targeting European telecommunications companies, using fake recruitment approaches on LinkedIn as the initial lure.

Swiss cybersecurity company Prodaft tracks the cluster under the name Subtle Snail and assesses that it is affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC). The 11 targeted companies are located in Canada, France, the United Arab Emirates, the United Kingdom and the United States.

“This group operates under the guise of HR representatives of legitimate entities to engage employees, and then compromises them through the deployment of Minibike backdoor variants that communicate with command-and-control (C2) infrastructure proxied through Azure cloud services,” Prodaft said.

UNC1549 (aka TA455) is believed to have been active since at least June 2022, and overlaps with two other Iranian hacking groups tracked as Smoke Sandstorm and Crimson Sandstorm (aka Imperial Kitten, TA456, Tortoiseshell, Yellow Liderc). The threat actor was first documented in February 2024 by Google-owned Mandiant.

The group's use of job-themed lures was later detailed by Israeli cybersecurity company ClearSky, which described targeting of the aerospace industry since September 2023 with malware families such as SnailResin and SlugResin.

“The group's main motivation is to infiltrate telecommunications entities while maintaining interest in aerospace and defense organizations, establishing long-term persistence and exfiltrating sensitive data for strategic espionage,” Prodaft said.


The attack chain begins with extensive reconnaissance on platforms such as LinkedIn to identify key personnel within the target organization, focusing on researchers, developers and IT administrators who have access to critical systems and development environments.

In the next stage, the threat actors verify the targets' email addresses and send spear-phishing emails to collect additional information before launching the fake recruitment drive, the central part of the operation.

To do so, the attackers set up convincing HR profiles on LinkedIn and approach prospective targets with non-existent job opportunities, gradually building trust to increase the odds of success. The campaign is characterized by the meticulous effort the Subtle Snail operators put into tailoring the attack to each victim.

If the victim expresses interest in the offer, the attackers follow up by email and arrange an interview, directing the victim to a fraudulent domain that impersonates companies such as Telespazio or Safran Group to pick a time slot. Once the requested information is entered, the download of a ZIP archive is triggered automatically.

The ZIP archive contains an executable that side-loads a malicious DLL known as Minibike. Minibike collects system information and waits for additional payloads, delivered as Microsoft Visual C/C++ DLLs, that perform reconnaissance, log keystrokes, capture clipboard content, steal Outlook data and Google Chrome credentials, and take screenshots.

Notably, the web browser stealer incorporates a public tool called Chrome-App-Bound-Encryption-Decryption to bypass the app-bound encryption protection Google added to Chrome, decrypting and stealing passwords stored in the browser.

“The Subtle Snail team builds and deploys a unique, victim-specific DLL on each machine to collect network configuration information from the device,” Prodaft said. “The malicious DLL files used by the threat actors exhibit similar characteristics in the export section.”

“A legitimate DLL file is modified to facilitate seamless execution of DLL side-loading attacks. Here, function names are replaced directly with string variables. This tactic allows attackers to bypass typical detection mechanisms by manipulating the export tables of the DLL.”

Minibike is a fully functional modular backdoor that supports 12 different commands for C2 communication, enumerating files and directories, listing running processes, terminating specific processes, uploading files in chunks, and running EXE, DLL, BAT or CMD payloads.

In addition to blending C2 traffic with regular cloud communications by using legitimate Azure cloud services and virtual private servers (VPS) as proxy infrastructure, the malware modifies the Windows registry so that it is loaded automatically after system boot.
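Two of the behaviours described above, a signed executable side-loading an unsigned DLL that sits beside it in a user-writable folder, and a registry Run-key entry pointing at a user-writable path, can be checked against endpoint telemetry. The following is an added example written for this page, not Prodaft's or the article's code. The events are constructed in a simplified Sysmon-like shape (event ID 7 for image loads, ID 13 for registry value sets); the field names, paths and the "Telespazio_Interview" folder are assumptions for illustration, not observed indicators.

```python
"""Detection checks for two behaviours described above: DLL side-loading from a
user-writable folder and Run-key persistence. Added example for this page, not
Prodaft's or the article's code. Events are constructed in a simplified
Sysmon-like shape; field names, paths and the folder name are assumptions."""
import ntpath

# Path fragments an ordinary user can write to (heuristic; extend for your estate).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\tmp\\")
# Registry autorun locations, matched case-insensitively.
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Constructed sample events (not real telemetry). id 7 = image load, id 13 = registry set.
EVENTS = [
    {"id": 7, "pid": 4120,
     "image": r"C:\Users\jdoe\Downloads\Telespazio_Interview\setup.exe", "image_signed": True,
     "loaded": r"C:\Users\jdoe\Downloads\Telespazio_Interview\version.dll", "loaded_signed": False},
    {"id": 7, "pid": 4120,
     "image": r"C:\Users\jdoe\Downloads\Telespazio_Interview\setup.exe", "image_signed": True,
     "loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signed": True},
    {"id": 7, "pid": 880,
     "image": r"C:\Program Files\Vendor\app.exe", "image_signed": True,
     "loaded": r"C:\Program Files\Vendor\plugin.dll", "loaded_signed": False},
    {"id": 13, "pid": 4120,
     "image": r"C:\Users\jdoe\Downloads\Telespazio_Interview\setup.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\jdoe\AppData\Roaming\Updater\setup.exe"},
    {"id": 13, "pid": 1500,
     "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "value": r"C:\Program Files\Vendor\agent.exe"},
]


def is_user_writable(path: str) -> bool:
    """Heuristic: profile, ProgramData and temp locations are writable by a normal user."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def check_sideload(ev: dict):
    """Flag a signed EXE loading an unsigned DLL from its own directory when that
    directory is user-writable. Unsigned plugins under Program Files are not flagged."""
    if ev["id"] != 7 or not ev["image_signed"] or ev["loaded_signed"]:
        return None
    exe_dir = ntpath.dirname(ev["image"]).lower()
    dll_dir = ntpath.dirname(ev["loaded"]).lower()
    if exe_dir == dll_dir and is_user_writable(dll_dir):
        return (f"possible DLL side-load: {ntpath.basename(ev['image'])} loaded unsigned "
                f"{ntpath.basename(ev['loaded'])} from {dll_dir}")
    return None


def check_autorun(ev: dict):
    """Flag a Run/RunOnce value whose target lives in a user-writable location."""
    if ev["id"] != 13:
        return None
    key = ev["key"].lower()
    if any(run_key in key for run_key in RUN_KEYS) and is_user_writable(ev["value"]):
        return f"Run-key persistence to user-writable path: {ev['key']} -> {ev['value']}"
    return None


def analyze(events) -> dict:
    """Return {pid: [reasons]} for every event that trips one of the checks."""
    findings = {}
    for ev in events:
        for check in (check_sideload, check_autorun):
            reason = check(ev)
            if reason:
                findings.setdefault(ev["pid"], []).append(reason)
    return findings


def severity(findings: dict) -> dict:
    """A single process that both side-loads a DLL and installs persistence matches
    the chain described above and is rated higher than either signal alone."""
    return {pid: ("high" if len(reasons) > 1 else "medium") for pid, reasons in findings.items()}


if __name__ == "__main__":
    found = analyze(EVENTS)
    for pid, reasons in found.items():
        print(pid, severity(found)[pid])
        for reason in reasons:
            print("  ", reason)
```

The side-load check deliberately ignores unsigned DLLs under protected directories such as Program Files, since installed software loading its own unsigned plugins is routine; the signal the article describes is the combination of a user-writable drop location, a signed host binary, and persistence installed by the same process.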

It also incorporates anti-analysis and anti-sandbox techniques, and uses control-flow flattening and custom hashing algorithms to resolve Windows API functions at runtime, hindering reverse engineering and obscuring the overall functionality.
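To show what resolving Windows API functions at runtime with a hashing algorithm means in practice, the added example below (not code from Minibike or from the article) hashes export names with a ROR13-style routine, a common stand-in; Minibike's actual algorithm is not disclosed here, and the export list is constructed. It shows both sides: the loader walking an export table for a matching hash instead of an API string, and the analyst precomputing a hash-to-name table over a wordlist, and why a changed rotation constant or seed (the "custom" part) breaks that table until the algorithm is recovered from the sample.

```python
"""API hashing as used by loaders that avoid importing functions by name.
Added example for this page; not Minibike's routine, which is not public here.
ROR13 is a common stand-in (assumption); rot/seed parameters model a 'custom' variant."""


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def hash_api(name: str, rot: int = 13, seed: int = 0) -> int:
    """Hash an ASCII export name. rot and seed are the knobs a malware author tweaks
    so that public hash tables built for the stock algorithm no longer apply."""
    h = seed
    for byte in name.encode("ascii"):
        h = (ror32(h, rot) + byte) & 0xFFFFFFFF
    return h


# Constructed stand-in for a DLL export table (names only; real tables hold RVAs too).
KERNEL32_EXPORTS = [
    "CreateFileW", "VirtualAlloc", "WriteFile", "LoadLibraryA",
    "GetProcAddress", "Sleep", "CreateProcessW", "ReadFile",
]


def resolve_by_hash(exports, target: int, rot: int = 13, seed: int = 0):
    """Malware side: the binary stores only `target`; at runtime it walks the export
    table and picks the name whose hash matches, so the API string never appears in it."""
    for name in exports:
        if hash_api(name, rot, seed) == target:
            return name
    return None


def build_lookup(wordlist, rot: int = 13, seed: int = 0) -> dict:
    """Analyst side: precompute hash -> name over a list of known API names so the
    32-bit constants found in a sample can be labelled during static analysis."""
    return {hash_api(n, rot, seed): n for n in wordlist}


def label_constants(constants, wordlist, rot: int = 13, seed: int = 0) -> dict:
    """Map each constant pulled from a sample to an API name, or None when the
    algorithm or parameters assumed for the lookup table do not match the sample."""
    table = build_lookup(wordlist, rot, seed)
    return {c: table.get(c) for c in constants}


if __name__ == "__main__":
    # Constants an attacker would embed instead of the strings "VirtualAlloc"/"LoadLibraryA".
    embedded = [hash_api("VirtualAlloc"), hash_api("LoadLibraryA")]
    print(label_constants(embedded, KERNEL32_EXPORTS))
    # Same name hashed with a tweaked rotation: the stock table no longer labels it,
    # which is the practical effect of a "custom" hashing algorithm on an analyst.
    tweaked = hash_api("VirtualAlloc", rot=7)
    print(label_constants([tweaked], KERNEL32_EXPORTS))
    print(label_constants([tweaked], KERNEL32_EXPORTS, rot=7))
```

In a real sample the analyst first recovers the rotation and seed from the resolver routine itself, then rebuilds the table with those parameters; the hashes of the 12 command handlers or of the DLLs' export names are then labelled in bulk instead of being traced one at a time.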


“Subtle Snail operations combine intelligence collection with long-term access to critical communications networks, causing serious damage,” Prodaft said. “They don't just infect devices. They actively search for ways to keep sensitive data and access alive.”

“They focus on using predefined paths to guide searches, stealing emails, VPN configurations and other information that helps them maintain control. They also look for sensitive files stored in shared folders where they can uncover business secrets and personal data.”

MuddyWater's Diversified Toolkit Exposed

The disclosure coincides with Group-IB's analysis of the infrastructure and malware toolset of another Iranian state-sponsored hacking group known as MuddyWater, which has “significantly” reduced its reliance on remote monitoring and management (RMM) tools.

The toolset includes BugSleep (first seen in May 2024), a backdoor designed to run commands and facilitate file transfers; a Python-based portable executable injector (first seen in February 2025); StealthCache (first seen in March 2025), a feature-rich backdoor that can read and create files and is delivered by loaders; a loader (first seen in April 2025) that can load, decrypt and execute encrypted payloads in memory; Phoenix (first seen in April 2025), malware used to deploy stripped-down variants of BugSleep; CannonRat; and UDPGangster, a basic backdoor designed for remote control over UDP communications.

MuddyWater, active since 2017, is assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Also tracked as Boggy Serpens, Mango Sandstorm and TA450, the threat actor has a history of targeting telecommunications, government, energy, defense and critical infrastructure organizations in the Middle East.

“Recent activity shows that they still rely on phishing for delivery and are leveraging maldocs with malicious macros for infection. Infrastructure analysis reveals the active use of Amazon Web Services (AWS) to host malicious assets, with Cloudflare services hiding infrastructure fingerprints,” said Impede Almasour Almoud.

“MuddyWater's persistent campaigns highlight its role in supporting Iran's intelligence reporting requirements while maintaining plausible deniability for state-directed cyber operations against both regional competitors and Western targets.”

