Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Aug. 30, 2024, 6:08 p.m.
Description
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandstorm also conducted password spray attacks against educational institutions and other sectors. The group used LinkedIn profiles for intelligence gathering and social engineering. Tickler malware collects network information and can execute various commands. Peach Sandstorm abused Azure resources for command and control infrastructure. Post-compromise activities included lateral movement via SMB, installing remote monitoring tools, and taking Active Directory snapshots.
Tags
Date
- Created: Aug. 30, 2024, 5:46 p.m.
- Published: Aug. 30, 2024, 5:46 p.m.
- Modified: Aug. 30, 2024, 6:08 p.m.
Indicators
Attack Patterns
- Tickler
- Peach Sandstorm
- T1078.004
- T1110.003
- T1003.003
- T1102.003
- T1021.002
- T1569.002
- T1588.002
- T1059.003
- T1547.001
- T1071.001
- T1078
Additional Information
- Aerospace
- Energy
- Defense
- Education
- Government
- Australia
- United Arab Emirates
- United States of America