Threats Feed
- Public
UNC1549’s Advanced Espionage Campaign Against the Aerospace and Defense Ecosystem
UNC1549, a suspected Iran-nexus threat group, has run sustained cyber-espionage campaigns since mid-2024 against the aerospace, aviation, and defense sectors across the Middle East and their partner ecosystems. Initial access came through targeted spear-phishing and abuse of trusted third-party relationships, including breakouts from Citrix and VMware VDI environments. Once inside, UNC1549 deployed custom malware families such as MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, and POLLBLEND, relying heavily on DLL search order hijacking, reverse SSH tunnels, and Azure-hosted C2 infrastructure. Operations focused on long-term persistence, credential theft (including DCSync attacks against domain controllers), stealthy lateral movement, and extensive data collection from high-value defense networks.
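The DCSync technique mentioned above leaves a specific trace on the domain controller: Security event 4662 whose Properties field carries the directory replication control-access rights, requested by a principal that is not itself a DC. The following is an added example of that detection logic, not code from the UNC1549 report; the DC allow-list and the sample event records are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Control-access-right GUIDs that identify a directory replication request. They are
# fixed in the Active Directory schema and appear, brace-wrapped, in the Properties
# field of Security event 4662 when an account asks a domain controller to replicate.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate: domain controller computer accounts. This allow-list
# is an assumption for the example; in production build it from the Domain Controllers
# OU and add sanctioned replicators (e.g. an Entra Connect service account) explicitly.
KNOWN_REPLICATORS = {"DC01$", "DC02$"}

GUID_RE = re.compile(r"([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    subject: str   # SubjectUserName that requested replication
    rights: tuple  # replication right names found in Properties, sorted


def replication_rights(properties: str) -> tuple:
    """Map the GUIDs in a 4662 Properties field to replication right names."""
    names = {REPLICATION_RIGHTS[g.lower()]
             for g in GUID_RE.findall(properties) if g.lower() in REPLICATION_RIGHTS}
    return tuple(sorted(names))


def is_dcsync(event: dict) -> bool:
    """True when a non-DC account requested any directory replication right."""
    if event.get("EventID") != 4662:
        return False
    if not replication_rights(event.get("Properties", "")):
        return False
    return event.get("SubjectUserName", "") not in KNOWN_REPLICATORS


def find_dcsync(events) -> list:
    return [Finding(e["SubjectUserName"], replication_rights(e.get("Properties", "")))
            for e in events if is_dcsync(e)]


# Constructed sample events (not real logs). Properties mirrors the layout Windows
# writes: an access-mask label followed by one brace-wrapped GUID per line.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "%%7688\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "svc_backup", "Properties": ""},
]

if __name__ == "__main__":
    for f in find_dcsync(SAMPLE_EVENTS):
        print(f"DCSync candidate: {f.subject} requested {', '.join(f.rights)}")
```

Event 4662 is only written when "Audit Directory Service Access" (success) is enabled on the domain controllers; the default SACL on the domain object already covers the replication rights. Tune by extending the allow-list with sanctioned replicators rather than by dropping the rule, since a replication request from any other principal is almost never legitimate.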
Subtle Snail's MINIBIKE Campaign Uses DLL Sideloading and Azure-Proxied C2
Subtle Snail operators deploy the MINIBIKE backdoor via DLL sideloading to gain persistent, high-privilege access. The malware stages itself in the Public user's Documents folder using CopyFile2 and BITS, enforces single-instance execution with a UUID-named mutex, and derives a unique USERID from the username, hostname, and DLL timestamp for HTTP POST C2 over WinHTTP. Modular components include an LCG-obfuscated keylogger that writes encrypted extended0.log files, a browser stealer that runs a Chrome App-Bound Encryption decryption tool via process hollowing, and a CredUI-based fake Outlook/Winlogon prompt that saves the credentials the user types in. Operators use Azure-proxied domains for C2, automated chunked exfiltration, WinRAR archiving, and anti-analysis techniques including control-flow flattening and dynamic API resolution. Targeted sectors include telecommunications organizations.
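Both the UNC1549 summary and this MINIBIKE summary describe the same delivery primitive: an unsigned DLL dropped into a user-writable location (here the Public user's Documents folder) and loaded by a trusted executable, either from the executable's own directory (sideloading) or picked up through the DLL search order. The following is an added hunting example, not code from either report, run over constructed Sysmon event 7 (Image loaded) records; the writable-path prefixes, the short list of commonly impersonated system DLL names, and the sample paths are assumptions.

```python
import ntpath
from dataclasses import dataclass

# Locations a standard user can write to. A DLL that a trusted binary loads from one
# of these is the side-loading / search-order-hijack pattern; Program Files and
# System32 are excluded because writing there already requires admin rights.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# A few Windows DLL names frequently impersonated by hijack payloads (assumed list;
# extend it from a System32 inventory). A name collision in a user-writable
# directory is a strong indicator on its own.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "winhttp.dll", "cryptsp.dll", "wtsapi32.dll"}


@dataclass(frozen=True)
class Hit:
    kind: str             # "sideload" (DLL beside loader) or "search-order-hijack"
    loader: str
    dll: str
    name_collision: bool  # DLL name matches a Windows system DLL


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def in_user_writable(path: str) -> bool:
    return _norm(path).startswith(USER_WRITABLE_PREFIXES)


def classify_image_load(event: dict):
    """Return a Hit for a suspicious Sysmon event 7 record, else None."""
    if event.get("EventID") != 7:
        return None
    dll, loader = _norm(event["ImageLoaded"]), _norm(event["Image"])
    if not in_user_writable(dll):
        return None
    # Sysmon's Signed field describes ImageLoaded, not the process. Signed DLLs under
    # user profiles are common (per-user app installs), so only unsigned ones count.
    if str(event.get("Signed", "false")).lower() == "true":
        return None
    colocated = ntpath.dirname(dll) == ntpath.dirname(loader)
    return Hit(
        kind="sideload" if colocated else "search-order-hijack",
        loader=event["Image"],
        dll=event["ImageLoaded"],
        name_collision=ntpath.basename(dll) in SYSTEM_DLL_NAMES,
    )


def hunt(events) -> list:
    return [h for h in map(classify_image_load, events) if h is not None]


# Constructed sample records (not real telemetry), shaped like Sysmon event 7 fields.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Users\\Public\\Documents\\Updater\\vendorapp.exe",
     "ImageLoaded": "C:\\Users\\Public\\Documents\\Updater\\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Users\\Public\\Documents\\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Vendor\\libcurl.dll", "Signed": "true"},
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        flag = " (system DLL name)" if h.name_collision else ""
        print(f"{h.kind}: {h.loader} loaded {h.dll}{flag}")
```

Enriching each hit with the loading process's own signature (from the matching Sysmon event 1) separates the high-value case, a signed vendor binary loading an unsigned DLL, from plain unsigned-loads-unsigned noise; pair the rule with BITS transfer logs to catch the staging step the summary describes.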
Iranian APTs Exploit Media Sector for Credential Harvesting and Malware Delivery
This Proofpoint report details the escalating targeting of journalists and media organisations by state-sponsored advanced persistent threats (APTs). Groups linked to China (TA412, TA459), North Korea (TA404), Iran (TA453, TA456, TA457), and Turkey (TA482) use a range of methods, including phishing emails carrying malicious attachments, web beacons embedded in emails for reconnaissance, and social media credential harvesting, to pursue intelligence-collection and propaganda goals. The report stresses the persistent nature of the threat, the variety of tactics in use, and the need for stronger security measures so that journalists can protect their sources and the integrity of their reporting; its aim is to raise awareness of this threat and encourage proactive protection within the media sector.
Tortoiseshell's Cross-Platform Espionage Targets Military and Defense Industries in US, UK, and Europe
Tortoiseshell targeted military personnel and companies in the defense and aerospace industries, primarily in the United States and, to a lesser extent, the UK and Europe. The group combined social engineering, phishing, and custom malware, including Syskit and a Liderc-like reconnaissance tool, to compromise and profile victims' systems. The campaign relied on fake online personas and spoofed domains, and malware development was outsourced to the Tehran-based IT company Mahak Rayan Afraz (MRA), which has ties to the Islamic Revolutionary Guard Corps (IRGC).
Tortoiseshell Targets U.S. Military Veterans with Malicious Job Seeking Website
Tortoiseshell deployed a fake job-seeking website aimed at U.S. military veterans. The site prompted visitors to download a fake installer that acted as a malware downloader, fetching two binaries: a reconnaissance tool that collected extensive information about the victim's machine and a remote administration tool (RAT) that gave the operators ongoing remote control.
Tortoiseshell Group Targets IT Providers in Saudi Arabia: Supply Chain Attacks Uncovered
The Tortoiseshell group has targeted IT providers in Saudi Arabia since at least July 2018, using them as a supply chain foothold to compromise the providers' customers. The group deployed both custom and off-the-shelf malware, infecting an unusually large number of computers for a targeted attack. Its custom backdoor, Backdoor.Syskit, could download and execute additional tools and commands. The attackers used various information-gathering tools, achieved domain admin-level access in at least two organizations, and are suspected of having compromised a web server to deploy malware onto the network.