UNC1549, a threat group possibly linked to Iran, has expanded its cyber-espionage activities across aerospace, aviation, and defense sectors using sophisticated techniques and customized malware. The group employs dual attack strategies, exploiting trusted third-party vendors and launching targeted spear-phishing campaigns for long-term intelligence gathering. #UNC1549 #IranThreatGroup
Key points
- UNC1549 has been increasing its cyber-espionage operations since mid-2024.
- The group uses a dual intrusion strategy involving third-party compromise and spear-phishing.
- Custom malware payloads like TWOSTROKE and LIGHTRAIL are used for persistence and reconnaissance.
- They use DLL hijacking and abuse legitimate enterprise tools such as RDP and SCCM to move laterally.
- Their primary goal is to steal sensitive data, including network details, IP, and emails.
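The DLL hijacking point above is one a defender can act on without any sample of the group's malware: a DLL load fits a hijacking pattern when a binary in a trusted location resolves an unsigned DLL from somewhere it should not, or when a signed binary that has been copied into a user-writable folder loads an unsigned DLL sitting next to it. The Python below is an added example, not code from the report or the threat group; the event shape, the trusted directory list, the signing flags and the sample events are all constructed assumptions standing in for what an EDR or Sysmon image-load feed would provide.

```python
"""Triage image-load events for DLL search-order hijacking and side-loading.

Constructed example: the ImageLoad record mirrors the fields a Sysmon
event ID 7 style feed would carry (process image, loaded image, signature
status). The heuristic and the TRUSTED_DIRS list are assumptions, not
detection logic from the report.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# Locations a DLL is expected to be resolved from; anything else is
# treated as potentially user-writable for this heuristic.
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)


@dataclass
class ImageLoad:
    process_image: str   # full path of the process that loaded the DLL
    loaded_image: str    # full path of the DLL that was loaded
    process_signed: bool  # whether the process binary carries a valid signature
    dll_signed: bool      # whether the loaded DLL carries a valid signature


def _under(path: str, roots: Iterable[str]) -> bool:
    """True if `path` lies beneath any of `roots` (case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for root in roots:
        root_parts = [p.lower() for p in PureWindowsPath(root).parts]
        if parts[: len(root_parts)] == root_parts:
            return True
    return False


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a reason string for a suspicious load, or None if it looks benign."""
    # A signed DLL, or one resolved from a trusted directory, is out of scope here.
    if ev.dll_signed or _under(ev.loaded_image, TRUSTED_DIRS):
        return None
    # Search-order hijack: a binary in a trusted location picked up an
    # unsigned DLL from outside those locations (e.g. a temp or profile dir).
    if _under(ev.process_image, TRUSTED_DIRS):
        return "search-order-hijack"
    # Side-loading: a signed (legitimate) binary that lives outside the
    # trusted locations loads an unsigned DLL from its own directory,
    # the classic "copy a vendor EXE next to a planted DLL" layout.
    same_dir = (PureWindowsPath(ev.process_image).parent
                == PureWindowsPath(ev.loaded_image).parent)
    if ev.process_signed and same_dir:
        return "side-load"
    return None


def triage(events: Iterable[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Return (process, dll, reason) for every event the heuristic flags."""
    flagged = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            flagged.append((ev.process_image, ev.loaded_image, reason))
    return flagged


# Constructed sample events; paths and names are illustrative only.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\VendorApp\app.exe",
              r"C:\Users\alice\AppData\Local\Temp\version.dll",
              process_signed=True, dll_signed=False),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\kernel32.dll",
              process_signed=True, dll_signed=True),
    ImageLoad(r"C:\Users\alice\Downloads\tool.exe",
              r"C:\Users\alice\Downloads\helper.dll",
              process_signed=False, dll_signed=False),
    ImageLoad(r"C:\Users\alice\Downloads\vendor_updater.exe",
              r"C:\Users\alice\Downloads\helper.dll",
              process_signed=True, dll_signed=True if False else False),
]

if __name__ == "__main__":
    for proc, dll, reason in triage(SAMPLE_EVENTS):
        print(f"{reason:>20}: {proc} -> {dll}")
```

Of the four constructed events only the first (trusted binary, unsigned DLL from a temp folder) and the fourth (signed binary outside Program Files loading an unsigned co-located DLL) are flagged; the unsigned tool in event three is deliberately left to other controls, since an attacker-written host binary is not a hijack of a trusted one. Signature status is the load-bearing input here, so feed this from a source that actually validates Authenticode rather than from the presence of a signature block.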