Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem
Essential information
- Published
- 18/11/2025 02:11
- Modified
- 18/11/2025 02:50
- Tags
- 2025-11-18 aerospace crashpad custom malware dcsyncer.slick deeproot defense espionage ghostline lateral movement lightrail minibike phishing pollblend privilege-escalation sightgrab third-party compromise trusttrap twostroke
- Related entities
- 16 observables, 1 intrusion sets (apt), 8 techniques (mitre), 2 others
Description
UNC1549, an Iranian-linked threat group, has been targeting aerospace, aviation, and defense industries since mid-2024. They employ sophisticated initial access techniques, including exploiting third-party relationships and targeted phishing. The group uses custom malware like TWOSTROKE, LIGHTRAIL, and DEEPROOT for persistence, and tools like DCSYNCER.SLICK and CRASHPAD for privilege escalation. UNC1549 demonstrates advanced lateral movement, reconnaissance, and defense evasion tactics. They extensively use SSH reverse tunnels and Azure infrastructure for command and control. The group's primary objective appears to be espionage, focusing on data collection and leveraging compromised organizations to target others in the same sector.