Microsoft issues warning over potent malware strain developed by Iranian threat actor
Briefly

Peach Sandstorm, an Iranian state-backed group, is deploying a custom multi-stage backdoor named Tickler against organizations in sectors such as communications and oil, in activity observed from April to July 2024.
Tickler collects network information from the infected host and communicates with the attackers' command and control (C2) server using obfuscated methods, which lets the operators move through compromised environments effectively.
A second variant of the malware, sold.dll, functions as a Trojan dropper that persistently plants additional payloads while mimicking legitimate activity to stay stealthy during operations.
Peach Sandstorm uses Azure infrastructure, including fraudulently obtained subscriptions, for its command-and-control activity, a worrying sign of the group's growing operational sophistication and evasion tradecraft.
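The summary above says Tickler checks in with attacker-controlled C2 hosted on Azure, but the digest gives no domains, hashes or other indicators. The script below is an added example, not code from Microsoft's report or from the ITPro article: it shows one generic defender check that does not depend on knowing the C2 infrastructure in advance, flagging a host that contacts the same destination at near-constant intervals, which is how a backdoor's periodic check-in tends to look regardless of who hosts it. The log format, hostnames, process names, domains and timestamps are all constructed placeholders.

```python
"""Beaconing heuristic over a constructed proxy log.

Added example (not from the Tickler report). Groups outbound connections by
(source host, process, destination) and flags groups whose inter-connection
gaps are nearly identical, i.e. metronomic check-ins. Everything in
SAMPLE_LOG is made up; the log format is an assumption for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
# "<ISO timestamp> <source host> <process> <destination host>"
SAMPLE_LOG = """\
2024-06-03T09:00:00 WS-117 browser.exe news.example.com
2024-06-03T09:00:04 WS-117 updater.exe cdn-placeholder.example.net
2024-06-03T09:05:00 WS-117 updater.exe cdn-placeholder.example.net
2024-06-03T09:10:01 WS-117 updater.exe cdn-placeholder.example.net
2024-06-03T09:15:00 WS-117 updater.exe cdn-placeholder.example.net
2024-06-03T09:20:00 WS-117 updater.exe cdn-placeholder.example.net
2024-06-03T09:02:11 WS-117 browser.exe mail.example.com
2024-06-03T09:17:45 WS-117 browser.exe mail.example.com
2024-06-03T09:31:02 WS-117 browser.exe mail.example.com
2024-06-03T09:45:30 WS-117 browser.exe mail.example.com
2024-06-03T09:46:00 WS-117 browser.exe mail.example.com
"""


def parse_log(log_text):
    """Map (host, process, destination) -> list of connection timestamps."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest = line.split()
        events[(host, proc, dest)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(log_text, min_hits=5, max_cv=0.1):
    """Return (host, process, destination, mean_gap_seconds) tuples for
    connection series that repeat at a near-constant interval.

    min_hits: minimum connections before a series is judged at all.
    max_cv:   maximum coefficient of variation (stdev / mean) of the gaps;
              a small value means the timing is nearly metronomic. Loosen it
              if the malware you hunt is known to add jitter.
    """
    findings = []
    for key, times in parse_log(log_text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all events at the same instant; not a beacon pattern
        if pstdev(gaps) / avg <= max_cv:
            findings.append((*key, round(avg)))
    return findings


if __name__ == "__main__":
    for host, proc, dest, gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {host} {proc} -> {dest} every ~{gap}s")
```

In the constructed log, `updater.exe` contacts its destination every five minutes to within a few seconds and is flagged, while the browser's irregular mail traffic is not. The interval test is deliberately provider-agnostic: a C2 server on Azure, on any other cloud, or on a compromised web host looks the same from the timing side, so this check is a first filter to be combined with process reputation and destination context rather than a verdict on its own.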
Read at ITPro