UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially to the IRGC. It has been active since at least June 2022, targeting entities worldwide with a focus on the Middle East. UNC1549 uses spear-phishing and credential harvesting for initial access and deploys custom malware such as the MINIBIKE and MINIBUS backdoors. It has also been observed using evasion techniques and a tunneler named LIGHTRAIL in its operations.
There are currently no families associated with this actor.
| 2025-09-22 ⋅ Check Point Research ⋅ Iranian Threat Actor Nimbus Manticore Expands Campaigns into Europe with Advanced Malware and Fake Job Lures ⋅ MINIBIKE MiniJunk UNC1549 |
| 2025-09-22 ⋅ Check Point Research ⋅ Nimbus Manticore Deploys New Malware Targeting Europe ⋅ MINIBIKE MiniJunk UNC1549 |
| 2024-02-27 ⋅ Mandiant ⋅ When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors ⋅ LIGHTRAIL MINIBIKE MINIBUS UNC1549 |