UNC1549


UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially the IRGC. They have been active since at least June 2022, targeting entities worldwide with a focus on the Middle East. UNC1549 uses spear-phishing and credential harvesting for initial access, deploying custom malware such as the MINIBIKE and MINIBUS backdoors. They have also been observed using evasion techniques and a tunneler named LIGHTRAIL in their operations.


Associated Families

There are currently no families associated with this actor.


References
2024-02-27 | Mandiant | Chen Evgi, Jonathan Leathery, Ofir Rozmann
When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors
LIGHTRAIL MINIBIKE MINIBUS UNC1549

Credits: MISP Project