Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem

Nov. 18, 2025, 2:50 a.m.

Description

UNC1549, an Iranian-linked threat group, has been targeting aerospace, aviation, and defense industries since mid-2024. They employ sophisticated initial access techniques, including exploiting third-party relationships and targeted phishing. The group uses custom malware like TWOSTROKE, LIGHTRAIL, and DEEPROOT for persistence, and tools like DCSYNCER.SLICK and CRASHPAD for privilege escalation. UNC1549 demonstrates advanced lateral movement, reconnaissance, and defense evasion tactics. They extensively use SSH reverse tunnels and Azure infrastructure for command and control. The group's primary objective appears to be espionage, focusing on data collection and leveraging compromised organizations to target others in the same sector.

External References

https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense
https://otx.alienvault.com/pulse/691bd5c16cda885503b01c6a
Tags
espionage
phishing
defense
lateral movement
privilege escalation
aerospace
custom malware
minibike
2025-11-18
dcsyncer.slick
third-party compromise
sightgrab
trusttrap
lightrail
deeproot
crashpad
twostroke
pollblend
ghostline

Date

  • Created: Nov. 18, 2025, 2:11 a.m.
  • Published: Nov. 18, 2025, 2:11 a.m.
  • Modified: Nov. 18, 2025, 2:50 a.m.

Indicators

  • f38bba949956ef527a86f89042a81a2f07931ce6
  • 09756286dc08a9e1bb072687317af0ffeae39df8
  • 46.31.115.92
  • 167.172.137.208
  • 104.194.215.88
  • aaaaaaaaaaaaaaaaaa.bbbbbb.cccccccc.ddddd.com
  • vcs-news.com
  • tini-ventures.com
  • politicalanorak.com
  • forcecodestore.com
  • fdtsprobusinesssolutions.com
  • automationagencybusiness.com
  • airplaneserviceticketings.com
  • airbus.usa-careers.com
  • thetacticstore.com
  • airtravellog.com
Download all indicators here!

Attack Patterns

  • UNC1549

Additional Informations

  • Aerospace
  • Defense