Iranian cyber espionage groups have ramped up their attacks against aerospace, aviation, and defense sectors in the Middle East using sophisticated malware such as TWOSTROKE and DEEPROOT. These operations have been linked to the threat cluster UNC1549, also known as Nimbus Manticore or Subtle Snail, as identified by Google-owned cybersecurity firm Mandiant. UNC1549's activity dates back to late 2023 and is expected to continue through 2025, employing complex methods to infiltrate targeted networks. The group exploits third-party relationships, often starting with service providers in order to reach its actual targets, and uses virtual desktop infrastructure (VDI) breakouts to move laterally within networks. Spear-phishing with job-opportunity lures is another key tactic for gaining initial access.
The group's attack strategy is particularly clever in that it leverages weaknesses in third-party suppliers and partners rather than attacking heavily defended primary targets directly. By hijacking credentials tied to services like Citrix, VMware, and Azure Virtual Desktop, the attackers establish initial footholds before breaking out of virtual sessions to gain full system access. Targeting IT staff and administrators is another tactic used to harvest credentials with elevated privileges, enabling deeper network penetration. Once inside, UNC1549 conducts extensive post-exploitation activities such as reconnaissance, credential theft, lateral movement, and defense evasion while extracting valuable network documentation, intellectual property, and emails.
UNC1549 uses a range of custom-built tools to carry out their attacks. MINIBIKE (aka SlugResin) is a C++ backdoor capable of gathering system info, stealing Outlook credentials, logging keystrokes, and performing screenshots. TWOSTROKE is similarly a C++ backdoor with capabilities for DLL loading and file manipulation. DEEPROOT, a Golang-based Linux backdoor, supports shell command execution and file operations. They also use several tunneling utilities like LIGHTRAIL, GHOSTLINE, and POLLBLEND to maintain stealthy communications with their command-and-control servers. Additional tools include utilities designed for credential extraction, privilege escalation, and screenshot grabbing.
Besides their malware arsenal, UNC1549 also leverages publicly available software such as AD Explorer to query Active Directory and remote administration tools like Atelier Web Remote Commander (AWRC) and SCCMVNC for reconnaissance and control. They take deliberate steps to hinder forensic investigations by deleting Remote Desktop Protocol (RDP) connection history from registry keys. Mandiant highlights the group’s emphasis on stealth and persistence, with backdoors that remain dormant for months, activating only to regain access after victims attempt to eradicate them. Their command-and-control infrastructure mimics legitimate industry domains to further avoid detection.
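The anti-forensic step mentioned above, deleting RDP connection history from the registry, leaves its own trace when registry auditing is in place. The following is an added example (not code from the article, Mandiant, or the threat actor) of a small hunting routine over Sysmon Event ID 12 (registry key/value create and delete) records. The registry locations used by the Windows RDP client (`HKCU\Software\Microsoft\Terminal Server Client\Default` for the MRU list and `...\Servers` for per-host entries) are well-known, but the article itself does not name them; the pipe-delimited record format and the sample records are constructed for the example.

```python
"""Flag deletions of RDP client connection history (Sysmon Event ID 12).

Added example, not from the article or from Mandiant. Assumes Sysmon is
deployed with registry auditing enabled for the key below. The log line
format (pipe-separated key=value fields) and all sample records are
constructed for this example, not real telemetry.
"""
from dataclasses import dataclass
from typing import List, Optional

# Parent key under which mstsc.exe stores connection history:
#   ...\Terminal Server Client\Default  -> MRU0..MRUn (recent hosts)
#   ...\Terminal Server Client\Servers  -> one subkey per host (UsernameHint)
# Matching on the parent also catches deletion of the whole key.
RDP_HISTORY_KEY = r"\software\microsoft\terminal server client"

SYSMON_REGISTRY_OBJECT_EVENT = 12          # RegistryEvent (create/delete)
DELETE_TYPES = {"DeleteKey", "DeleteValue"}


@dataclass(frozen=True)
class RegistryEvent:
    event_id: int
    event_type: str
    image: str
    user: str
    target: str


def parse_sysmon_line(line: str) -> Optional[RegistryEvent]:
    """Parse one constructed 'k=v|k=v|...' record; return None if malformed."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key] = value
    try:
        return RegistryEvent(
            event_id=int(fields["EventID"]),
            event_type=fields["EventType"],
            image=fields["Image"],
            user=fields["User"],
            target=fields["TargetObject"],
        )
    except (KeyError, ValueError):
        return None


def is_rdp_history_deletion(ev: RegistryEvent) -> bool:
    """True for a delete operation anywhere under the RDP client history key.

    Normal RDP use only creates or sets these values; deletions by reg.exe,
    regedit, PowerShell or scripts are worth reviewing.
    """
    return (
        ev.event_id == SYSMON_REGISTRY_OBJECT_EVENT
        and ev.event_type in DELETE_TYPES
        and RDP_HISTORY_KEY in ev.target.lower()
    )


def hunt(lines: List[str]) -> List[RegistryEvent]:
    """Return the events in `lines` that look like RDP history wiping."""
    hits = []
    for line in lines:
        ev = parse_sysmon_line(line)
        if ev is not None and is_rdp_history_deletion(ev):
            hits.append(ev)
    return hits


# Constructed sample records (SID and hostnames are placeholders).
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_LINES = [
    # Attacker-style cleanup: whole per-host entry removed with reg.exe -> flag
    rf"EventID=12|EventType=DeleteKey|Image=C:\Windows\System32\reg.exe|User=CORP\vdiadmin|TargetObject={SID}\Software\Microsoft\Terminal Server Client\Servers\host01",
    # MRU entry removed in regedit -> flag
    rf"EventID=12|EventType=DeleteValue|Image=C:\Windows\regedit.exe|User=CORP\vdiadmin|TargetObject={SID}\Software\Microsoft\Terminal Server Client\Default\MRU0",
    # Normal RDP session creating a new per-host entry -> benign
    rf"EventID=12|EventType=CreateKey|Image=C:\Windows\System32\mstsc.exe|User=CORP\jdoe|TargetObject={SID}\Software\Microsoft\Terminal Server Client\Servers\host02",
    # Deletion in an unrelated application key -> benign
    rf"EventID=12|EventType=DeleteValue|Image=C:\Program Files\App\app.exe|User=CORP\jdoe|TargetObject={SID}\Software\Vendor\App\Cache",
    # Event 13 (SetValue) on the MRU list is normal client behaviour -> benign
    rf"EventID=13|EventType=SetValue|Image=C:\Windows\System32\mstsc.exe|User=CORP\jdoe|TargetObject={SID}\Software\Microsoft\Terminal Server Client\Default\MRU0",
    # Malformed record -> skipped
    "garbage without fields",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LINES):
        print(f"RDP history deletion: {hit.user} via {hit.image} -> {hit.target}")
```

The match is deliberately on the parent key rather than the individual `Default`/`Servers` paths so that wiping the entire `Terminal Server Client` key is also caught. In a real deployment the same logic applies to Windows Security Event ID 4657 if a SACL is set on that key instead of Sysmon; only the field names in the parser change.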
This campaign is notable not only for its technical sophistication but also for how it exploits supply chain weaknesses, a vulnerability increasingly targeted by state-sponsored threat actors. The approach reflects a growing trend in cyber espionage, where attackers focus on peripheral entities to reach high-value targets. Recent reports from Swiss cybersecurity firm PRODAFT also link UNC1549 to attacks against European telecommunications firms, showing the group’s wide geographical reach and diverse targeting. As these operations continue, defense and aerospace industries must boost security not just within their own networks but across their entire supply chains to defend against such persistent and adaptive threats.