Key Points
- Attribution: Mandiant assesses with moderate confidence the activity is linked to UNC1549 (overlapping with Tortoiseshell/IRGC-linked clusters).
- Initial access: Spear-phishing and social-engineered lures (fake job sites and Israel-Hamas themed sites) delivered compressed payloads (IMG/ZIP) that contained decoys and malicious DLLs.
- Primary malware: Two custom backdoors, MINIBIKE (C++ backdoor, in use since June 2022) and MINIBUS (a more flexible executor with reconnaissance features, since Aug 2023), plus the LIGHTRAIL tunneler.
- Execution & persistence: Launchers use DLL search-order hijacking (SoH) and set Run registry keys (e.g., HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveFileCoAuth.exe) to persist.
- C2 infrastructure: Extensive abuse of Microsoft Azure web apps and many Azure subdomains (125+), sometimes supplemented by dedicated *.com domains for MINIBUS C2.
- Evasion & opsec: String obfuscation, legitimate-looking domain naming, geolocated servers, and use of benign decoy applications (OneDrive/SharePoint, fake .NET app) to mask malicious activity.
- Capabilities: directory/file enumeration, system information collection, process enumeration, file upload/download, command execution, and tunneling/proxying via LIGHTRAIL.
MITRE Techniques
- [T1566.002] Spearphishing Link – Used to deliver links to fake sites and job offers: ‘Spear-phishing emails or social media correspondence, disseminating links to fake websites containing Israel-Hamas related content or fake job offers.’
- [T1574.001] DLL Search Order Hijacking – Launchers deploy the backdoor via search-order hijacking (SoH): ‘a launcher, executed via search-order-hijacking (SoH), deploying MINIBIKE and setting its persistence using registry keys.’
- [T1547.001] Registry Run Keys/Startup Folder – Malware sets Run registry keys for persistence: ‘setting the following Run registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveFileCoAuth.exe.’
- [T1105] Ingress Tool Transfer – Initial payloads are downloaded from attacker-controlled websites as IMG or ZIP archives containing the backdoor and launchers: ‘Payload delivery, downloaded from the previously mentioned websites to the target’s computer. The payload is a compressed archive…’
- [T1102] Web Service – Microsoft Azure web apps and subdomains are abused for command-and-control: ‘MINIBIKE or MINIBUS backdoors establish C2 communication, in most cases via Microsoft Azure cloud infrastructure.’
- [T1090] Proxy – LIGHTRAIL provides tunneling/proxy functionality likely based on an open-source Socks4a proxy: ‘LIGHTRAIL, a unique tunneler used in the campaign… likely leverages the open-source utility “Lastenzug”… a Socks4a proxy.’
- [T1027] Obfuscated Files or Information – Multiple MINIBIKE/MINIBUS/LIGHTRAIL instances use string and binary obfuscation: ‘Additional obfuscation’ and ‘String obfuscation, similar to MINIBIKE.’
- [T1083] File and Directory Discovery – Backdoors perform directory and file enumeration: ‘directory and file enumeration, collection of system files and information, uploading files…’
- [T1082] System Information Discovery – Malware gathers system information and files for intelligence collection: ‘collection of system files and information…’
- [T1057] Process Discovery – MINIBUS includes process enumeration to identify VM/security-related processes: ‘MINIBUS has a process enumeration feature.’
- [T1041] Exfiltration Over Command and Control Channel – Files are uploaded to C2 via HTTP endpoints on Azure/dedicated domains: ‘/api/blogs/result/file/ – upload file’ (example URI quoted in analysis).
Indicators of Compromise
- [File Hashes] Malware sample examples – 691d0143c0642ff783909f983ccb8ffd (MINIBIKE v2.0), ef262f571cd429d88f629789616365e4 (MINIBUS), and 20+ other MD5s listed in the report.
- [Domains] Malicious hosting/C2 and lures – 1stemployer[.]com (fake recruiter site hosting MINIBUS), birngthemhomenow[.]co[.]il (fake movement-site lure), and other attacker-controlled domains such as cashcloudservices[.]com.
- [Azure subdomains] Azure C2 examples – engineeringrssfeed[.]azurewebsites[.]net, blogvolleyballstatus[.]azurewebsites[.]net, and 125+ additional azurewebsites/cloudapp subdomains used for C2 and hosting.
- [File names] Delivered archives and decoys – Survey.zip, bringthemhomenow.zip, Screenshot.img (archives containing launchers, decoy apps, and malicious DLLs).
- [IP Address] Legacy/minor C2 example – 158.255.74[.]25 (observed in an early MINIBIKE instance before Azure use).
MINIBIKE and MINIBUS infections typically begin with targeted spear-phishing or social media messages that lead victims to either fake job sites or Israel-Hamas themed pages. Those sites host downloadable IMG or ZIP archives (examples: Screenshot.img, Survey.zip, bringthemhomenow.zip) that contain a benign-looking executable, a launcher DLL, and the malicious payload DLL; the launcher uses DLL search-order hijacking (SoH) to sideload the backdoor and then sets persistence via Run registry keys (e.g., HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveFileCoAuth.exe or OneDriveCoUpdate entries). The bundles commonly include decoy applications (SharePoint/OneDrive or a custom .NET “Bring Them Home” app) to mask execution and to encourage user interaction.
Once executed, MINIBIKE (C++ backdoor) and MINIBUS (a more modular executor) perform discovery (file/directory enumeration, system info), process enumeration (MINIBUS), command execution, file upload/download, and allow operators to run arbitrary code; both establish C2 over HTTP(S) using Microsoft Azure web apps and attacker-owned domains. MINIBIKE versions evolved from direct IP-based C2 to loops over multiple Azure subdomains and beacon URIs such as /news/notifications/ or /assets//index.html|favicon.ico|icon.svg, while MINIBUS combines Azure subdomains with unique *.com C2 domains (e.g., cashcloudservices[.]com). Operators apply string/binary obfuscation and use realistic domain naming and geolocated servers to blend malicious traffic with legitimate services.
LIGHTRAIL acts as a tunneler/proxy (Socks4a-like) to pivot or relay traffic and shares code and Azure naming patterns with the backdoors; it communicates with Azure cloudapp subdomains (e.g., tnlsowki[.]westus3[.]cloudapp[.]azure[.]com) and can be used alongside MINIBIKE/MINIBUS to move data or reach internal resources. Detection priorities include blocking or closely monitoring the long list of Azure subdomains and dedicated C2 domains, flagging archives and launcher DLLs that employ SoH, monitoring registry Run keys for unusual entries, and checking for the MD5s and filenames listed in the technical appendix to identify compromises and contain exfiltration over C2 channels.
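The two detection priorities above (OneDrive-themed Run-key persistence from an unexpected path, and beacon-shaped requests to Azure web apps or the named C2 domains) as an added, runnable example that is not part of the Mandiant report. The registry events and proxy lines are constructed samples in a Sysmon-like and proxy-like layout; the beacon URI shapes and the two C2 domains are the ones quoted on this page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample telemetry (not from the report): Sysmon-style registry
# value-set events (EventID 13) and web-proxy lines, one record per line.
REGISTRY_EVENTS = [
    r"EventID=13 TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveFileCoAuth.exe Details=C:\Users\a\AppData\Local\Temp\OneDriveFileCoAuth.exe",
    r"EventID=13 TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
]
PROXY_LOGS = [
    "2024-02-27T10:01:02Z 10.1.1.5 GET https://engineeringrssfeed.azurewebsites.net/news/notifications/ 200",
    "2024-02-27T10:01:09Z 10.1.1.5 POST https://cashcloudservices.com/api/blogs/result/file/ 200",
    "2024-02-27T10:02:00Z 10.1.1.7 GET https://learn.microsoft.com/en-us/ 200",
]

# Directories where the genuine OneDrive client lives; a Run value carrying the
# OneDrive name but launching from anywhere else is the pattern described above.
ONEDRIVE_DIRS = ("\\microsoft onedrive\\", "\\microsoft\\onedrive\\")
RUN_KEY = "\\currentversion\\run\\"
# Beacon URI shapes and dedicated C2 domains quoted in the summary.
BEACON_PATHS = re.compile(r"^/(news/notifications/|api/blogs/result/file/|assets/.*(index\.html|favicon\.ico|icon\.svg))$")
C2_DOMAINS = {"cashcloudservices.com", "1stemployer.com"}
AZURE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com")

def suspicious_run_key(event):
    """Flag a Run-key write that impersonates OneDrive from a non-OneDrive path."""
    m = re.search(r"TargetObject=(\S+) Details=(.*)$", event)
    if not m or RUN_KEY not in m.group(1).lower():
        return None
    target, details = m.group(1), m.group(2).lower().strip('"')
    exe = details.split(".exe")[0] + ".exe"  # drop command-line arguments
    if ("onedrive" in target.lower() or "onedrive" in exe) and not any(d in exe for d in ONEDRIVE_DIRS):
        return {"key": target, "exe": exe, "reason": "OneDrive-named Run value outside OneDrive dirs"}
    return None

def suspicious_request(line):
    """Flag requests to known C2 domains, or beacon-shaped URIs on Azure hosts."""
    parts = line.split()
    if len(parts) < 4:
        return None
    url = urlsplit(parts[3])
    host = url.hostname or ""
    if host in C2_DOMAINS:
        return {"host": host, "reason": "known C2 domain"}
    if host.endswith(AZURE_SUFFIXES) and BEACON_PATHS.match(url.path):
        return {"host": host, "reason": "beacon URI on Azure host"}
    return None

def scan(registry_events, proxy_logs):
    hits = [h for h in map(suspicious_run_key, registry_events) if h]
    return hits + [h for h in map(suspicious_request, proxy_logs) if h]

if __name__ == "__main__":
    for hit in scan(REGISTRY_EVENTS, PROXY_LOGS):
        print(hit)
```

Matching every azurewebsites.net host would be far too noisy in a real environment, so the request check requires the beacon URI shape as well; extend C2_DOMAINS and the Azure subdomain list from the report's appendix for exact-match blocking.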
Read more: https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east