Threats Feed | Peach Sandstorm | Last Updated: 25/01/2025 | Author: Certfa Radar | Publish Date: 28/08/2024

Peach Sandstorm Targets US and UAE Critical Sectors with Tickler Malware

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Compromised Credentials, Backdoor, Malware, Spear Phishing
  • Attack Complexity: Very High
  • Threat Risk: High Impact/High Probability

Threat Overview

Between April and July 2024, Iranian state-sponsored group Peach Sandstorm deployed a custom backdoor called Tickler in intelligence-gathering operations against satellite, communications, oil and gas, and government sectors in the US and UAE. Their tactics included password spray attacks and LinkedIn-based social engineering. Tickler malware leveraged Azure infrastructure for command-and-control (C2) and utilized DLL files for persistence. Peach Sandstorm also accessed compromised Active Directory accounts to further exploit targeted environments. Their evolving tradecraft demonstrates a persistent focus on the intelligence sector, including higher education, government, and defense.

Detected Targets

Type   | Description                      | Confidence
-------|----------------------------------|-----------
Sector | Defense                          | Verified
Sector | Government Agencies and Services | Verified
Sector | Aerospace                        | Verified
Sector | Education                        | Verified
Sector | Oil and Gas                      | Verified
Sector | Telecommunication                | Verified
Region | Australia                        | Verified
Region | United Arab Emirates             | Verified
Region | United States                    | Verified

Extracted IOCs

  • centersoftwaresupports.azurewebsites[.]net
  • getsdervicessupoortss.azurewebsites[.]net
  • getservicessuports.azurewebsites[.]net
  • getservicessupports.azurewebsites[.]net
  • getsupportsservices.azurewebsites[.]net
  • nodetestservers.azurewebsites[.]net
  • satellite2.azurewebsites[.]net
  • satellitegardens.azurewebsites[.]net
  • satellitespecialists.azurewebsites[.]net
  • satservicesdev.azurewebsites[.]net
  • servicessupports.azurewebsites[.]net
  • softwareservicesupport.azurewebsites[.]net
  • softwareservicesupports.azurewebsites[.]net
  • subreviews.azurewebsites[.]net
  • supportsoftwarecenter.azurewebsites[.]net
  • websupportprotection.azurewebsites[.]net
  • 22017c9b022e6f2560fee7d544a83ea9e3d85abee367f2f20b3b0448691fe2d4
  • 56ac00856b19b41bc388ecf749eb4651369e7ced0529e9bf422284070de457b6
  • 5df4269998ed79fbc997766303759768ce89ff1412550b35ff32e85db3c1f57b
  • 711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350
  • 7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198
  • ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4
  • dad53a78662707d182cdb230e999ef6effc0b259def31c196c51cc3e8c42a9b8
  • e984d9085ae1b1b0849199d883d05efbccc92242b1546aeca8afd4b1868c54f5
  • fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f
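The indicators above are published defanged (`[.]` in place of `.`), so they have to be normalised before they can be matched against telemetry. The script below is an added example, not part of the Certfa Radar feed entry: it refangs the listed domains, puts the SHA-256 hashes into a lookup set, and runs exact matches over a few constructed DNS query log lines and a constructed list of observed file hashes. The log format (`host=... query=...`) is an assumption chosen for the example.

```python
"""Normalise the defanged Peach Sandstorm / Tickler IOCs and match them
against sample telemetry. Added example; the IOC values are the ones listed
in the feed entry, the log lines and observed hashes are constructed."""
import re

# Defanged C2 domains from the feed entry (Azure App Service hostnames).
DEFANGED_DOMAINS = [
    "centersoftwaresupports.azurewebsites[.]net",
    "getsdervicessupoortss.azurewebsites[.]net",
    "getservicessuports.azurewebsites[.]net",
    "getservicessupports.azurewebsites[.]net",
    "getsupportsservices.azurewebsites[.]net",
    "nodetestservers.azurewebsites[.]net",
    "satellite2.azurewebsites[.]net",
    "satellitegardens.azurewebsites[.]net",
    "satellitespecialists.azurewebsites[.]net",
    "satservicesdev.azurewebsites[.]net",
    "servicessupports.azurewebsites[.]net",
    "softwareservicesupport.azurewebsites[.]net",
    "softwareservicesupports.azurewebsites[.]net",
    "subreviews.azurewebsites[.]net",
    "supportsoftwarecenter.azurewebsites[.]net",
    "websupportprotection.azurewebsites[.]net",
]

# SHA-256 file hashes from the feed entry.
FILE_HASHES = [
    "22017c9b022e6f2560fee7d544a83ea9e3d85abee367f2f20b3b0448691fe2d4",
    "56ac00856b19b41bc388ecf749eb4651369e7ced0529e9bf422284070de457b6",
    "5df4269998ed79fbc997766303759768ce89ff1412550b35ff32e85db3c1f57b",
    "711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350",
    "7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198",
    "ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4",
    "dad53a78662707d182cdb230e999ef6effc0b259def31c196c51cc3e8c42a9b8",
    "e984d9085ae1b1b0849199d883d05efbccc92242b1546aeca8afd4b1868c54f5",
    "fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f",
]


def refang(indicator):
    """Turn a defanged indicator back into its literal, lower-cased form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


# Exact-match sets; the shared apex azurewebsites.net is deliberately NOT included.
C2_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
HASH_SET = {h.lower() for h in FILE_HASHES}

# Constructed sample DNS query log (format is an assumption for this example).
SAMPLE_DNS_LOG = """\
2024-06-12T08:14:02Z host=ws-17 query=login.microsoftonline.com rcode=NOERROR
2024-06-12T08:14:09Z host=ws-17 query=satellitegardens.azurewebsites.net rcode=NOERROR
2024-06-12T08:15:41Z host=ws-22 query=GetServicesSupports.azurewebsites.net. rcode=NOERROR
2024-06-12T08:16:00Z host=ws-22 query=update.example.com rcode=NXDOMAIN
"""

LINE_RE = re.compile(r"host=(\S+)\s+query=(\S+)")


def match_dns(log_text):
    """Return one hit dict per log line whose query name is a listed C2 domain.
    Names are lower-cased and a trailing dot (FQDN form) is stripped first."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        host, qname = m.group(1), m.group(2).lower().rstrip(".")
        if qname in C2_DOMAINS:
            hits.append({"host": host, "query": qname, "line": line})
    return hits


def match_hashes(observed):
    """Return the sorted subset of observed SHA-256 values that are listed IOCs."""
    return sorted(h.lower() for h in observed if h.lower() in HASH_SET)


if __name__ == "__main__":
    for hit in match_dns(SAMPLE_DNS_LOG):
        print(f"C2 domain lookup from {hit['host']}: {hit['query']}")
    # Constructed observed hashes: one listed IOC (upper-cased) and one benign value.
    print(match_hashes(["22017C9B022E6F2560FEE7D544A83EA9E3D85ABEE367F2F20B3B0448691FE2D4",
                        "deadbeef" * 8]))
```

Matching is deliberately exact on the full hostname: every listed domain lives under the shared azurewebsites.net apex, so a suffix match or apex block would flag unrelated Azure App Service tenants. The refang step is the part most often skipped when IOCs are pasted straight into a watchlist, and it is why the hashes and names are normalised to lower case on both sides before comparison.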

Tip: 25 related IOCs (0 IP, 16 domain, 0 URL, 0 email, 9 file hash) to this threat have been found.