Suspected espionage-driven threat actors from Iran have been observed deploying backdoors like TWOSTROKE and DEEPROOT as part of continued attacks aimed at aerospace, aviation, and defense industries in the Middle East.
The activity has been attributed by Google-owned Mandiant to a threat cluster tracked as UNC1549 (aka Nimbus Manticore or Subtle Snail), which was first documented by the threat intelligence firm early last year.
“Operating in late 2023 through 2025, UNC1549 employed sophisticated initial access vectors, including abuse of third-party relationships to gain entry (pivoting from service providers to their customers), VDI breakouts from third-parties, and highly targeted, role-relevant phishing,” researchers Mohamed El-Banna, Daniel Lee, Mike Stokkel, and Josh Goddard said.
The disclosure comes about two months after Swiss cybersecurity company PRODAFT tied the hacking group to a campaign targeting European telecommunications companies, successfully breaching 11 organizations in the process as part of a recruitment-themed social engineering attack via LinkedIn.
The infection chains, per Google, involve a combination of phishing campaigns designed to steal credentials or distribute malware and leveraging trusted relationships with third-party suppliers and partners. The second approach signals a particularly clever strategy when striking defense contractors.
While these organizations tend to have robust defenses, that may not be the case with third-party partners – a weak link in the supply chain that UNC1549 weaponizes to its advantage by first gaining access to a connected entity in order to infiltrate its main targets.
Often, this entails abusing credentials associated with services like Citrix, VMWare, and Azure Virtual Desktop and Application (VDA) harvested from these external entities to establish an initial foothold and subsequently break out of the confines of the virtualized sessions to gain access to the underlying host system and initiate lateral movement activities within the target network.
Another initial access pathway concerns the use of spear-phishing emails claiming to be related to job opportunities to lure recipients into clicking on bogus links and downloading malware to their machines. UNC1549 has also been observed targeting IT staff and administrators in these attacks to obtain credentials with elevated privileges that would grant them deeper access to the network.
Once the attackers have found a way inside, the post-exploitation activity spans reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft, systematically gathering network/IT documentation, intellectual property, and emails.
Some of the custom tools put to use by the threat actor as part of this effort are listed below –
- MINIBIKE (aka SlugResin), a known C++ backdoor that gathers system information and fetches additional payloads to conduct reconnaissance, log keystrokes and clipboard content, steal Microsoft Outlook credentials, collect web browser data from Google Chrome, Brave, and Microsoft Edge, and take screenshots
- TWOSTROKE, a C++ backdoor that allows for system information collection, DLL loading, file manipulation, and persistence
- DEEPROOT, a Golang-based Linux backdoor that supports shell command execution, system information enumeration, and file operations
- LIGHTRAIL, a custom tunneler that’s likely based on Lastenzug, an open-source Socks4a proxy that communicates using Azure cloud infrastructure
- GHOSTLINE, a Golang-based Windows tunneler that uses a hard-coded domain for its communication
- POLLBLEND, a C++ Windows tunneler that uses hard-coded command-and-control (C2) servers to register itself and download tunneler configuration
- DCSYNCER.SLICK, a Windows utility based on DCSyncer to conduct DCSync attacks for privilege escalation
- CRASHPAD, a C++ Windows utility to extract credentials saved within web browsers
- SIGHTGRAB, a C Windows utility, selectively deployed to capture screenshots at regular intervals and save them to disk
- TRUSTTRAP, a malware that serves a Windows prompt to trick the user into entering their Microsoft account credentials
Also utilized by the adversary are publicly available programs like AD Explorer to query Active Directory; Atelier Web Remote Commander (AWRC) to establish remote connections, perform reconnaissance, credential theft, and malware deployment; and SCCMVNC for remote control. Furthermore, the threat actor is said to have taken steps to stymie investigation by deleting RDP connection history registry keys.
“UNC1549’s campaign is distinguished by its focus on anticipating investigators and ensuring long-term persistence after detection,” Mandiant said. “They plant backdoors that beacon silently for months, only activating them to regain access after the victim has attempted eradication.”
“They maintain stealth and command-and-control (C2) using extensive reverse SSH shells (which limit forensic evidence) and domains strategically mimicking the victim’s industry.”
