

Ethical Hacking News

UNCOVERING THE DEEPEST LIES: How Iranian Hackers Utilize Advanced Malware to Infiltrate Aerospace and Defense Industries



In a recent discovery, Google-owned Mandiant has revealed that suspected espionage-driven threat actors from Iran have been utilizing advanced malware, including DEEPROOT and TWOSTROKE, to infiltrate aerospace and defense industries in the Middle East. The attack vector involves a combination of phishing campaigns and leveraging trusted relationships with third-party suppliers and partners. This highlights the importance of robust security measures within supply chains to prevent such attacks.

  • Iranian hackers have been using sophisticated tactics in cyberattacks on aerospace, aviation, and defense industries.
  • A threat cluster, UNC1549 (Nimbus Manticore or Subtle Snail), has been identified as the source of these attacks.
  • The attackers use initial access vectors such as pivoting from service providers to customers, VDI breakouts, and targeted phishing.
  • They exploit weak links in supply chains by gaining access to connected entities to infiltrate main targets.
  • The attackers also use spear-phishing emails to obtain credentials with elevated privileges.
  • The post-exploitation activity involves reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft.



    Iranian hackers have been making waves in the cybersecurity world with their sophisticated tactics, and a recent discovery has shed light on their latest scheme. According to Google-owned threat intelligence firm Mandiant, suspected espionage-driven threat actors from Iran have been observed deploying advanced backdoors like DEEPROOT and TWOSTROKE as part of continued attacks aimed at aerospace, aviation, and defense industries in the Middle East.

    The activity has been attributed by Google to a threat cluster tracked as UNC1549 (aka Nimbus Manticore or Subtle Snail), which was first documented by the threat intelligence firm early last year. Researchers Mohamed El-Banna, Daniel Lee, Mike Stokkel, and Josh Goddard broke down the threat actors' tactics in a recent report.

    "Operating in late 2023 through 2025, UNC1549 employed sophisticated initial access vectors, including abuse of third-party relationships to gain entry (pivoting from service providers to their customers), VDI breakouts from third-parties, and highly targeted, role-relevant phishing," the researchers said.

    The infection chains involve a combination of phishing campaigns designed to steal credentials or distribute malware and leveraging trusted relationships with third-party suppliers and partners. The second approach signals a particularly clever strategy when striking defense contractors.

    While these organizations tend to have robust defenses, that may not be the case with third-party partners – a weak link in the supply chain that UNC1549 weaponizes to its advantage by first gaining access to a connected entity in order to infiltrate its main targets.

    Often, this entails abusing credentials associated with services like Citrix, VMware, and Azure Virtual Desktop and Application (VDA) harvested from these external entities to establish an initial foothold, then breaking out of the confines of the virtualized session to reach the underlying host system and begin lateral movement within the target network.

    Another initial access pathway concerns the use of spear-phishing emails claiming to be related to job opportunities to lure recipients into clicking on bogus links and downloading malware to their machines. UNC1549 has also been observed targeting IT staff and administrators in these attacks to obtain credentials with elevated privileges that would grant them deeper access to the network.

    Once the attackers have found a way inside, the post-exploitation activity spans reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft, systematically gathering network/IT documentation, intellectual property, and emails.

    Some of the custom tools put to use by the threat actor as part of this effort are listed below.



    Related Information:
  • https://thehackernews.com/2025/11/iranian-hackers-use-deeproot-and.html

  • https://securitricks.com/attackreports/frontline-intelligence-analysis-of-unc1549-ttps-custom-tools-and-malware-targeting-the-aerospace-and-defense-ecosystem

  • https://thehackernews.com/2025/09/unc1549-hacks-34-devices-in-11-telecom.html

  • https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/

  • https://www.huntress.com/cybersecurity-101/topic/what-is-apt-group


  • Published: Tue Nov 18 09:51:43 2025 by llama3.2 3B Q4_K_M