Iranian Hackers Deploy DEEPROOT and TWOSTROKE Malware in Targeted Aerospace and Defense Attacks

A sophisticated Iran-associated threat group has been observed conducting extensive espionage activity against organizations in the aerospace, aviation, and defense sectors across the Middle East. The attackers have used custom backdoors, including TWOSTROKE and DEEPROOT, to maintain long-term access and gather sensitive information. Mandiant has linked this campaign to a cluster known as UNC1549, also referred to as Nimbus Manticore or Subtle Snail.

Targeted Operations Across 2023 to 2025

UNC1549 has been active from late 2023 through 2025. According to Mandiant researchers Mohamed El Banna, Daniel Lee, Mike Stokkel, and Josh Goddard, the group relied on a mix of advanced entry methods. These included exploiting relationships with third-party service providers, breaking out of virtual desktop infrastructure (VDI) environments, and sending highly customized phishing messages crafted for specific roles and individuals.

Roughly two months before this report, PRODAFT linked the same group to attacks on European telecommunications firms, where at least eleven organizations were compromised through recruitment-themed social engineering schemes that used LinkedIn as the lure.

Initial Access Techniques and Supply Chain Weaknesses

The attackers used two main pathways to compromise their targets. The first was phishing email designed to obtain credentials or install malware on victim devices. The second was more strategic, since it relied on trusted partners and suppliers: by compromising a connected third party, the group was able to move into the networks of defense contractors and other high-value targets.

Credentials extracted from external partners were often associated with Citrix, VMware, Azure Virtual Desktop, or Azure Virtual Application accounts. After acquiring these, the attackers broke out of the virtualized sessions to reach the underlying host systems and then moved laterally through internal networks.

The group has also targeted IT staff and system administrators to capture elevated credentials that grant deeper access to sensitive infrastructure.

Attack Lifecycle After Initial Entry

Once inside a targeted environment, the attackers carried out the full spectrum of post-exploitation tasks. These included gathering internal network information, harvesting credentials, evading detection, moving between systems, and stealing intellectual property or email.

Custom Tools Used in the Campaign

Below is a summary of the custom malware and utilities used by the threat actor:

  • MINIBIKE (SlugResin), a C++ backdoor used for reconnaissance, keylogging, clipboard theft, Outlook credential harvesting, browser data theft from Chrome, Brave, and Edge, and screenshot capture.
  • TWOSTROKE, a C++ backdoor used for gathering system details, loading DLLs, manipulating files, and maintaining persistence.
  • DEEPROOT, a Golang Linux backdoor capable of shell command execution, file operations, and system information gathering.
  • LIGHTRAIL, a tunneling tool likely derived from Lastenzug, a Socks4a proxy that communicates over Azure-based infrastructure.
  • GHOSTLINE, a Golang tunneler for Windows that relies on a hard-coded domain.
  • POLLBLEND, a C++ tunneler for Windows that communicates with fixed command-and-control servers.
  • DCSYNCER.SLICK, a Windows tool based on DCSyncer for performing DCSync attacks aimed at privilege escalation.
  • CRASHPAD, a C++ utility for extracting browser saved credentials.
  • SIGHTGRAB, a C language tool deployed to take periodic screenshots and save them locally.
  • TRUSTTRAP, a tool that presents a fake Windows login prompt to steal Microsoft account credentials.

The group also relied on publicly available tools, including AD Explorer for querying Active Directory, AWRC for remote command execution and malware deployment, and SCCMVNC for remote control. To hinder investigations after an intrusion, the attackers deleted RDP connection history from the registry.
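The RDP-history deletion described above is a detectable anti-forensic step. The following Python detector is an added example written for this page; it is not code from Mandiant or from the article. It scans Sysmon-style registry events (Event ID 12 for key/value create and delete, Event ID 13 for value set) for deletions of, or unexpected writes to, the registry keys where Windows keeps a user's RDP connection history. The article does not name the registry path the actor cleared; the Terminal Server Client key used below is the standard Windows location and is assumed here. The log lines are constructed for the example.

```python
"""Flag tampering with RDP connection history in Sysmon registry telemetry.

Added example for this page (not from the Mandiant report). The registry
key below is the standard Windows location for RDP client history and is
assumed, not taken from the article. All events are constructed samples.
"""
import json

# Standard Windows locations for per-user RDP history (assumption: the
# article does not name the path the actor deleted).
RDP_HISTORY_KEYS = (
    r"\software\microsoft\terminal server client\default",
    r"\software\microsoft\terminal server client\servers",
)

# Sysmon Event ID 12 EventType values that remove history entries.
DELETE_TYPES = {"DeleteKey", "DeleteValue"}
# The legitimate writer of these keys is the built-in RDP client.
RDP_CLIENT = "mstsc.exe"


def touches_rdp_history(target_object: str) -> bool:
    """True if a Sysmon TargetObject path lies under an RDP history key."""
    target = target_object.lower()
    return any(key in target for key in RDP_HISTORY_KEYS)


def classify(event: dict):
    """Return an alert reason for one Sysmon registry event, or None."""
    if event.get("EventID") not in (12, 13):
        return None
    if not touches_rdp_history(event.get("TargetObject", "")):
        return None
    etype = event.get("EventType", "")
    image = event.get("Image", "").lower()
    if event["EventID"] == 12 and etype in DELETE_TYPES:
        return "RDP connection history deleted"
    # mstsc.exe writes these keys on every connection; another process
    # overwriting them (reg.exe, powershell.exe) is worth a look.
    if event["EventID"] == 13 and not image.endswith("\\" + RDP_CLIENT):
        return "RDP history written by a process other than mstsc.exe"
    return None


def detect_rdp_history_tampering(events):
    """Run classify() over an iterable of event dicts; return alert dicts."""
    alerts = []
    for event in events:
        reason = classify(event)
        if reason:
            alerts.append({
                "reason": reason,
                "user": event.get("User"),
                "image": event.get("Image"),
                "target": event.get("TargetObject"),
            })
    return alerts


# Constructed sample telemetry, one JSON object per line (Sysmon field names).
SAMPLE_LOG = r"""
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\mstsc.exe", "User": "CORP\\jdoe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Terminal Server Client\\Servers\\fileserver01\\UsernameHint"}
{"EventID": 12, "EventType": "DeleteKey", "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Terminal Server Client\\Servers\\fileserver01"}
{"EventID": 12, "EventType": "DeleteValue", "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Terminal Server Client\\Default\\MRU0"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\jdoe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Terminal Server Client\\Default\\MRU0"}
{"EventID": 12, "EventType": "CreateKey", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc"}
{"EventID": 12, "EventType": "CreateKey", "Image": "C:\\Windows\\System32\\mstsc.exe", "User": "CORP\\jdoe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Terminal Server Client\\Servers\\newhost"}
"""

SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]


def run_sample():
    """Apply the detector to the constructed sample; returns 3 alerts."""
    return detect_rdp_history_tampering(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

Against the sample, the benign mstsc.exe write and the unrelated service key are ignored, while the two reg.exe deletions and the PowerShell overwrite of the MRU value produce alerts. In production, feed the same logic from a SIEM query on Sysmon Event IDs 12 and 13 filtered to the Terminal Server Client path; treat hits as triage leads, since administrators occasionally clear this history by hand.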

Long-Term Persistence and Anti-Investigation Tactics

Mandiant noted that UNC1549 is known for anticipating incident response activity and preparing for it. Its backdoors often remain dormant for long periods, reactivating only after the victim attempts to remove the intrusion. The group also uses reverse SSH shells to hide its operations and communicates through domains that mimic industry-specific naming conventions, reducing the chance that the traffic draws suspicion.