Threat Intelligence

Multiple tools harnessed in Iranian cyberespionage attacks against Middle East

Technology background with national flag of Iran. 3D rendering

Iranian hacking operation UNC1549, also known as Nimbus Manticore and Subtle Snail, has leveraged its extensive attack arsenal to compromise aerospace, aviation, and defense organizations across the Middle East since late 2023, reports The Hacker News.

After achieving initial network compromise through third-party software credential exploitation and spear-phishing emails, UNC1549 commenced reconnaissance efforts by deploying the MINIBIKE, TWOSTROKE, and DEEPROOT backdoors for Microsoft Outlook credential theft, persistence, and shell command execution, respectively, as well as the TRUSTTRAP malware for luring Microsoft account credential inputs, according to a Mandiant analysis. Intrusions also involved the LIGHTRAIL, GHOSTLINE, and POLLBLEND tunnelers, as well as the CRASHPAD, DCSYNCER.SLICK, and SIGHTGRAB Windows utilities.

"UNC1549's campaign is distinguished by its focus on anticipating investigators and ensuring long-term persistence after detection," said Mandiant researchers. UNC1549 was previously reported by PRODAFT to have compromised almost a dozen telecommunications firms in a social engineering campaign involving LinkedIn recruitment lures.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds