Full Report
Suspected espionage-driven threat actors from Iran have been observed deploying backdoors like TWOSTROKE and DEEPROOT as part of continued attacks aimed at aerospace, aviation, and defense industries in the Middle East. The activity has been attributed by Google-owned Mandiant to a threat cluster tracked as UNC1549 (aka Nimbus Manticore or Subtle Snail), which was first documented by the threat
Analysis Summary
# Threat Actor: UNC1549 (Nimbus Manticore / Subtle Snail)
## Attribution & Identity
Attributed to **espionage-driven threat actors from Iran**.
Known Aliases: **Nimbus Manticore**, **Subtle Snail**.
First documented early last year (relative to the article's date).
## Activity Summary
UNC1549 has been observed deploying backdoors like `TWOSTROKE` and `DEEPROOT` as part of continued espionage operations. Activity tracked from late 2023 through 2025. They have historically targeted European telecommunications companies (recent activity profiled by PRODAFT involving recruitment-themed social engineering via LinkedIn). The current focus involves attacks aimed at aerospace, aviation, and defense industries in the Middle East.
## Tactics, Techniques & Procedures
- **Initial Access:** Employed sophisticated vectors including abuse of third-party relationships (pivoting from service providers to their customers), VDI breakouts from third parties, and highly targeted, role-relevant phishing.
- **Supply Chain Weaponization:** Leveraged trusted relationships with third-party suppliers and partners to infiltrate main targets (defense contractors).
- **VDI Abuse:** Abused credentials for services like Citrix, VMware, and Azure Virtual Desktop (VDA) harvested from external entities. Subsequently, utilized breakouts from virtualized sessions to access the underlying host system.
- **Credential Harvesting Phishing:** Used spear-phishing emails related to job opportunities to steal credentials or distribute malware.
- **Privilege Escalation:** Targeted IT staff/administrators to obtain credentials with elevated privileges.
- **Post-Exploitation:** Included reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft.
- **Objective Tracking:** Systematically gathered network/IT documentation, intellectual property, and emails.
**Specific ATT&CK IDs (Inferred/Not Explicitly Listed in Text):** While direct IDs were not provided in the text, the observed activities map to: T1566 (Phishing), T1078 (Valid Accounts), T1550.002 (Use of Privileged Cloud Software - relating to VDI abuse), T1021 (Lateral Movement), T1003 (OS Credential Dumping - implied by DCSYNCER use).
## Targeting
- **Sectors:** Aerospace, Aviation, Defense industries, and Telecommunications (previously).
- **Geography:** Middle East (current focus), Europe (previous activity).
- **Victims:** Defense contractors, third-party suppliers/partners, and 11 breached European telecommunications organizations (PRODAFT report). IT staff and administrators are targeted for credential theft.
## Tools & Infrastructure
- **Backdoors:**
  - **TWOSTROKE:** C++ backdoor for system info collection, DLL loading, file manipulation, and persistence.
  - **DEEPROOT:** Golang-based Linux backdoor supporting shell command execution, system enumeration, and file operations.
  - **MINIBIKE (SlugResin):** C++ backdoor for system information gathering, payload fetching, reconnaissance, keystroke/clipboard logging, credential theft (Outlook), and browser data theft (Chrome, Brave, Edge).
- **Tunnelers/Proxies:**
  - **LIGHTRAIL:** Custom tunneler, likely based on the open-source `Lastenzug` (SOCKS4a proxy), communicating via Azure cloud infrastructure.
  - **GHOSTLINE:** Golang-based Windows tunneler using a hard-coded domain for communication.
  - **POLLBLEND:** C++ Windows tunneler using hard-coded C2 servers for registration and downloading configurations.
- **Utilities:**
  - **DCSYNCER.SLICK:** Windows utility based on `DCSyncer` used for DCSync attacks (privilege escalation).
## Implications
UNC1549 demonstrates a sophisticated ability to exploit supply chain vulnerabilities (third-party partners and VDI environments) to gain access to highly sensitive defense and aerospace entities. Their usage of modular backdoors and custom tunneling tools, including relying on Azure infrastructure, suggests a dedicated, well-resourced espionage operation with a long dwell time (operating from late 2023 through 2025).
## Mitigations
- Harden third-party access controls, especially for service providers accessing internal/production networks.
- Implement strict segmentation between VDI environments and underlying host systems/production networks.
- Monitor for VDI breakouts that indicate a transition from virtualized sessions to host access.
- Employ robust credential monitoring, especially for IT administrators, given the actor's focus on obtaining privileged accounts.
- Monitor for the specific TTPs associated with their custom toolset, such as unusual network activity related to C2 infrastructure utilizing Azure cloud services (for LIGHTRAIL).
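One concrete form of the credential monitoring above is a check for DCSync-style activity of the kind DCSYNCER.SLICK performs: Windows Security event 4662 records where the directory replication control-access rights are exercised by an account that is not a domain controller or a known sync service. This is an added example, not code from the report or from Mandiant; the allowlist and the sample event records are constructed for illustration.

```python
"""Flag Security event 4662 records where AD replication rights are exercised by
an account that is not a known replicator (DCSync-style access).
Added example; the allowlist and sample events below are constructed."""

# Control-access-right GUIDs a DCSync request must hold on the domain object.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = (DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL)

# Hypothetical allowlist: DC machine accounts plus the directory-sync service account.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "svc_adsync"}


def is_dcsync_candidate(event: dict) -> bool:
    """True when a 4662 event carries a replication GUID for an unexpected subject."""
    if event.get("EventID") != 4662:
        return False
    # 4662 lists the access-right GUIDs in its Properties field; compare case-insensitively.
    props = event.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return False
    return event.get("SubjectUserName") not in EXPECTED_REPLICATORS


def scan_events(events: list[dict]) -> list[dict]:
    """Return the subset of parsed events that warrant analyst attention."""
    return [e for e in events if is_dcsync_candidate(e)]


# Constructed sample records in the shape of parsed Security-log events.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": f"{{{DS_REPL_GET_CHANGES}}} {{{DS_REPL_GET_CHANGES_ALL}}}"},  # normal DC-to-DC replication
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectType": "domainDNS",
     "Properties": f"{{{DS_REPL_GET_CHANGES_ALL}}}"},  # user account holding replication rights: suspicious
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectType": "user",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},  # unrelated directory read (placeholder GUID)
    {"EventID": 4624, "SubjectUserName": "jsmith", "Properties": ""},  # logon event, not a directory access
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"DCSync candidate: {hit['SubjectUserName']} exercised replication rights")
```

Auditing for 4662 on the domain object must be enabled on the DCs for these events to exist at all, and the allowlist needs to be kept in step with legitimate replicators such as Azure AD Connect accounts.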