Threats Feed | UNC1549 | Last Updated: 24/11/2025 | Author: Certfa Radar | Publish Date: 18/11/2025

UNC1549’s Advanced Espionage Campaign Against the Aerospace and Defense Ecosystem

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Downloader, Spear Phishing, Compromised software
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

UNC1549, a suspected Iran-nexus threat group, has conducted sustained cyber espionage campaigns since mid-2024 targeting the aerospace, aviation, and defense sectors across the Middle East and connected partner ecosystems. The group gained initial access through targeted spear-phishing and exploitation of trusted third-party relationships, including breakouts from Citrix and VMware VDI environments. Once inside, UNC1549 deployed custom malware families such as MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, and POLLBLEND, relying heavily on DLL search order hijacking, reverse SSH tunnels, and Azure-based C2. Their operations focused on long-term persistence, credential theft (including DCSync attacks), stealthy lateral movement, and extensive data collection from high-value defense networks.
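As an added example (not code from the Certfa Radar feed or from the reporting it summarises), a minimal detector for the DCSync credential theft mentioned above: it scans Windows Security Event ID 4662 records for directory-replication control-access rights requested by anything other than a known domain-controller account. The event records, host names and the domain-controller allow-list are constructed sample values.

```python
# Added example (not the Certfa Radar feed's own code). A DCSync asks a domain
# controller to replicate account secrets; on the DC this is logged as Event ID
# 4662 whose Properties field carries the DS-Replication-Get-Changes* rights.
# Only domain-controller computer accounts should request that, so any other
# principal doing so is worth an alert.
from typing import Iterable

# Well-known control-access-right GUIDs used for directory replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def detect_dcsync(events: Iterable[dict], dc_accounts: set[str]) -> list[dict]:
    """Return one alert per 4662 event that requests a replication right from
    a principal outside the allow-list of domain-controller accounts."""
    allowed = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
        if not rights:
            continue  # ordinary object access, not replication
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in allowed:
            continue  # expected DC-to-DC replication
        alerts.append({"time": ev["Time"], "subject": subject,
                       "source": ev.get("IpAddress", "unknown"), "rights": rights})
    return alerts

# Constructed sample records (not real telemetry) with only the 4662 fields used.
GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4662, "Time": "2025-11-18T09:12:01Z", "SubjectUserName": "DC02$",
     "IpAddress": "10.0.0.12", "Properties": f"Control Access {GET_CHANGES} {GET_CHANGES_ALL}"},
    {"EventID": 4662, "Time": "2025-11-18T09:14:37Z", "SubjectUserName": "jsmith",
     "IpAddress": "10.0.5.77", "Properties": f"Control Access {GET_CHANGES} {GET_CHANGES_ALL}"},
    {"EventID": 4662, "Time": "2025-11-18T09:15:02Z", "SubjectUserName": "jsmith",
     "IpAddress": "10.0.5.77", "Properties": "Read Property {00000000-placeholder-guid}"},
    {"EventID": 4624, "Time": "2025-11-18T09:16:10Z", "SubjectUserName": "jsmith"},
]

def run_sample() -> list[dict]:
    # Expect exactly one alert: the replication request from user "jsmith".
    return detect_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"})
```

In production the allow-list would be built from the domain's actual DC computer accounts, and the alert source field cross-checked against the DC subnet.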

Detected Targets

Type   | Description            | Confidence
Sector | Defense                | Verified
Sector | Aerospace              | Verified
Region | Middle East Countries  | Verified

FAQs

Understanding the UNC1549 Espionage Campaign

A suspected Iranian state-sponsored group, UNC1549, launched a highly targeted espionage campaign against aerospace and defense companies using phishing, supply-chain attacks, and stealthy malware.

The group is attributed to Iran-nexus actors tracked as UNC1549. They demonstrate advanced operational security, custom tool development, and long-term strategic objectives.

Their primary goal was espionage: stealing credentials, internal documents, intellectual property, and using compromised networks to access other related targets.

Aerospace, aviation, and defense companies in the Middle East, especially those with high-value intellectual property or strategic partnerships.

They used spear-phishing emails and exploited relationships with third-party service providers (for example, by breaking out of Citrix or VMware VDI environments) to gain access and move laterally within networks.

They used stealthy tools (e.g., reverse SSH tunnels, DLL hijacking), custom malware with unique hashes, and even signed their malware with valid code-signing certificates to bypass defenses.

Organizations should audit third-party access, enable advanced endpoint detection, limit credential reuse, monitor for privilege escalation, and validate signed binaries.

Yes. The activity spans late 2023 to 2025 and shows signs of broader espionage objectives across industries tied to defense and aviation.

About Affiliation
UNC1549