Iranian Hackers Target Aviation and Defense Sectors in Middle East

An Iranian threat actor tracked as UNC1549 is abusing Azure infrastructure in attacks targeting organizations in the Middle East.

Iranian hackers have been using Microsoft Azure cloud infrastructure in attacks targeting aerospace, aviation, and defense organizations in the Middle East, Mandiant reports.

As part of a campaign ongoing since at least June 2022, the hacking group, tracked as UNC1549, has been deploying two unique backdoors, dubbed MiniBike and MiniBus, to spy on organizations in Israel and the United Arab Emirates (UAE), as well as Albania, India, and Turkey.

The group’s activities overlap with Smoke Sandstorm and Tortoiseshell, a threat actor linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) that previously targeted defense contractors and IT providers.

“The potential link between this activity and the Iranian IRGC is noteworthy given the focus on defense-related entities and the recent tensions with Iran in light of the Israel-Hamas war,” Mandiant notes.

In November 2023, the cybersecurity firm discovered the MiniBus backdoor hosted on a fake recruiting website that used the same template as another fake job website employed by UNC1549 in 2022. Like other UNC1549 campaigns, a .NET application was used to deliver the malware.

Throughout the campaign, spear-phishing emails and social media messages were used to distribute links to staged websites containing fake job offers or Israel-Hamas related content.

The websites hosted the MiniBike and MiniBus backdoors, which were designed to establish communication with command-and-control (C&C) infrastructure hosted on Microsoft Azure.

“The access to the device can be leveraged for multiple purposes, including intelligence collection and as a stepping stone for further access into the targeted network,” Mandiant notes.

UNC1549 was also seen deploying several evasion techniques to remain under the radar, including the use of domain naming schemes resembling legitimate sites, the use of job-themed lures, and the use of Azure and servers located in the targeted geographies to hide malicious traffic.

In addition to the MiniBike and MiniBus backdoors, the threat actor has employed LightRail, a tunneling tool based on an open source Socks4a proxy.

Written in C++ and used since at least June 2022, the MiniBike backdoor is usually bundled with a launcher and a legitimate executable (SharePoint, OneDrive, or a fake Hamas-related .NET application).

The MiniBus backdoor is more advanced, but similar to MiniBike in functionality and code base. The main difference between the two is that MiniBus also supports payload execution and has a process enumeration feature.

LightRail shows code similarities with the backdoors, uses the same Azure C&C infrastructure, and has been deployed against the same targets.

Mandiant also observed UNC1549 using fake login pages to harvest victim credentials and identified job description documents for positions at a drone manufacturing company on the same infrastructure hosting MiniBus.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.