
"The infection chains, per Google, involve a combination of phishing campaigns designed to steal credentials or distribute malware and leveraging trusted relationships with third-party suppliers and partners. The second approach signals a particularly clever strategy when striking defense contractors. While these organizations tend to have robust defenses, that may not be the case with third-party partners - a weak link in the supply chain that UNC1549 weaponizes to its advantage by first gaining access to a connected entity in order to infiltrate its main targets."
"Suspected espionage-driven threat actors from Iran have been observed deploying backdoors like TWOSTROKE and DEEPROOT as part of continued attacks aimed at aerospace, aviation, and defense industries in the Middle East. Often, this entails abusing credentials associated with services like Citrix, VMware, and Azure Virtual Desktop and Application (VDA) harvested from these external entities to establish an initial foothold and subsequently break out of the confines of the virtualized sessions to gain access to the underlying host system and initiate"
Suspected Iranian espionage-driven threat actors have deployed backdoors such as TWOSTROKE and DEEPROOT against aerospace, aviation, and defense organizations in the Middle East. The activity is attributed to the threat cluster UNC1549, also tracked as Nimbus Manticore and Subtle Snail, and ran from late 2023 through 2025. Initial access came through abuse of third-party relationships, pivots from service providers into their customers, breakouts from virtual desktop (VDI) sessions onto the underlying host, and highly targeted, role-specific phishing. The campaigns paired credential-stealing phishing with abuse of trusted suppliers and partners, whose weaker defenses offered an easier route into better-protected primary targets. The group also used LinkedIn-based social engineering to breach European telecommunications organizations.
Read at The Hacker News