UNC1549 targeted aerospace, aviation, and defense sectors using spear-phishing and compromised third‑party relationships to gain access, then deployed custom backdoors (TWOSTROKE, DEEPROOT, LIGHTRAIL, GHOSTLINE, POLLBLEND, MINIBIKE) and tunneling tools to maintain stealthy persistence and C2 using Azure and SSH reverse tunnels. The group used credential theft (DCSYNCER.SLICK, CRASHPAD, TRUSTTRAP), DLL search order hijacking, and long-lived stealth techniques to exfiltrate sensitive data and pivot through suppliers. #UNC1549 #TWOSTROKE
Key points
- UNC1549 conducted targeted campaigns since mid‑2024 against aerospace, aviation, and defense organizations, exploiting vendor/third‑party trust relationships for initial access.
- The group combined role‑relevant spear‑phishing and VDI/Citrix/VMware/Azure Virtual Desktop breakouts to escape virtual sessions and reach host networks.
- They deployed custom backdoors and tools—TWOSTROKE, DEEPROOT, LIGHTRAIL, GHOSTLINE, POLLBLEND, MINIBIKE—and used DLL search order hijacking to execute them stealthily.
- UNC1549 performed credential theft and privilege escalation using DCSYNCER.SLICK (DCSync), CRASHPAD (browser credentials), SIGHTGRAB (screenshots), and TRUSTTRAP (credential prompts).
- Command and control relied on Azure Web Apps, hardcoded domains, and reverse SSH tunnels (plus ZEROTIER/NGROK redundancies) to limit forensic artifacts and retain access after remediation.
- They engaged in espionage‑oriented data collection (IP, network docs, emails) and used lateral movement tools such as RDP, PowerShell Remoting, AWRC, and SCCMVNC to move within networks.
- UNC1549 used code signing for some malware binaries and deliberately customized payload hashes per victim to evade detection and complicate investigations.
MITRE Techniques
- [T1199] Trusted Relationship – UNC1549 used trusted third-party vendor accounts for both initial access and lateral movement. Quote: ‘UNC1549 used trusted third party vendor accounts for both initial access and lateral movement.’
- [T1078] Valid Accounts – UNC1549 used valid compromised accounts to gain initial access. Quote: ‘UNC1549 used valid compromised accounts to gain initial access.’
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – UNC1549 used DLL search order hijacking to execute payloads such as LIGHTRAIL and DCSYNCER.SLICK. Quote: ‘UNC1549 was observed using Search Order Hijacking to execute both LIGHTRAIL and DCSYNCER.SLICK.’
- [T1113] Screen Capture – UNC1549 was observed capturing screenshots of sensitive data using SIGHTGRAB. Quote: ‘UNC1549 was observed making screenshots from sensitive data.’
- [T1598.003] Phishing for Information: Spearphishing Link – UNC1549 used third-party vendor accounts to obtain privileged accounts using a Password Reset portal theme. Quote: ‘UNC1549 used third party vendor accounts to obtain privileged accounts using a Password Reset portal theme.’
- [T1110.003] Brute Force: Password Spraying – UNC1549 was observed performing password spray attacks against the domain. Quote: ‘UNC1549 was observed performing password spray attacks against the Domain.’
- [T1003.006] OS Credential Dumping: DCSync – UNC1549 was observed using DCSYNCER.SLICK to perform DCSync at the domain controller level to extract NTLM hashes. Quote: ‘UNC1549 was observed using DCSYNCER.SLICK to perform DCSync on domain controller level.’
- [T1213.002] Data from Information Repositories: SharePoint – UNC1549 browsed Microsoft Teams and SharePoint to download files used for extortion. Quote: ‘UNC1549 browsed Microsoft Teams and SharePoint to download files used for extortion.’
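The DCSync activity attributed to DCSYNCER.SLICK above leaves a telemetry trace on the domain controller: Windows Security event 4662 records the directory replication extended rights being exercised, and only domain controller machine accounts should ever do that. The following detector is an added example, not code from the report or the tooling it describes; it runs over constructed event records, and the field names (EventID, Computer, SubjectUserName, Properties), the DC hostnames and the service account name are assumptions. The three GUIDs are the real Active Directory replication extended-right identifiers.

```python
# Added example: flag DCSync-style replication requests in Windows Security
# event 4662 records. Legitimate replication comes from DC machine accounts;
# any other principal exercising these rights warrants investigation.
import json

# Real AD extended-right GUIDs that appear in 4662 "Properties" during replication
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_FILTERED,
}

def normalize_guid(value: str) -> str:
    """4662 lists property GUIDs as '{...}'; strip braces and lowercase."""
    return value.strip().strip("{}").lower()

def is_dc_account(subject: str, dc_hosts: set) -> bool:
    """Machine accounts end in '$'; compare the host part against known DCs."""
    return subject.endswith("$") and subject.rstrip("$").upper() in dc_hosts

def detect_dcsync(events, dc_hosts):
    """Return one hit per 4662 event where a non-DC principal requested replication."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        used = {normalize_guid(p) for p in ev.get("Properties", [])} & REPLICATION_GUIDS
        if not used or is_dc_account(ev["SubjectUserName"], dc_hosts):
            continue  # no replication right, or expected DC-to-DC replication
        hits.append({"account": ev["SubjectUserName"], "host": ev["Computer"],
                     "rights": sorted(used)})
    return hits

# Constructed sample events (assumed field layout), not real telemetry
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "DC02$",
     "Properties": ["{" + DS_REPLICATION_GET_CHANGES_ALL + "}"]},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "vendor.svc",
     "Properties": ["{" + DS_REPLICATION_GET_CHANGES + "}", "{" + DS_REPLICATION_GET_CHANGES_ALL + "}"]},
    {"EventID": 4624, "Computer": "WS17.corp.example", "SubjectUserName": "vendor.svc",
     "Properties": []},
]
KNOWN_DCS = {"DC01", "DC02"}  # assumed domain controller hostnames

if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_EVENTS, KNOWN_DCS):
        print(json.dumps(hit))
```

On the constructed input only the vendor service account is flagged, which matches the report's pattern of compromised third-party accounts being used for credential theft.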
Indicators of Compromise
- [Network] SSH tunneling infrastructure – 104.194.215[.]88, 13.60.50[.]172 (observed used for SSH tunneling)
- [Network] Azure Web Apps / C2 domains – ac-connection-status105.azurewebsites[.]net (GHOSTLINE), active-az-check-status45.azurewebsites[.]net (POLLBLEND)
- [Network] Phishing domains – airbus.usa-careers[.]com (phishing for initial access), mydocs.qatarcentral.cloudapp.azure[.]com (phishing for lateral movement)
- [Network] Malware-associated domains – airlinecontrolsite.westus3.cloudapp.azure[.]com (DEEPROOT), automationagencybusiness[.]com (TWOSTROKE)
- [File paths] Hardcoded output paths used by tools – C:\users\public\LOG.txt, C:\Program Files\VMware\VMware Tools\VMware VGAuth\LOG.txt (DCSYNCER.SLICK outputs)
- [File names] Configuration/log filenames – config.txt, crash.log (CRASHPAD), and example screenshot file names like C:\Users\Public\Videos\2025-3-7-10-171.jpg (SIGHTGRAB)