Since mid-2024, a sophisticated Iranian-backed threat group known as UNC1549 has been conducting targeted campaigns against aerospace, aviation, and defense organizations across the globe.<\/p>\n
The hackers employ an advanced dual approach, combining carefully crafted phishing campaigns with the exploitation of trusted connections between primary targets and their third-party suppliers.<\/p>\n
This strategy proves particularly effective against well-defended organizations like defense contractors, which often leave their vendors as softer targets for initial compromise.<\/p>\n
The threat group\u2019s operational methods demonstrate significant evolution and tactical sophistication. Operating from late 2023 through 2025, UNC1549 leverages highly targeted, role-relevant phishing emails<\/a> to establish initial footholds.<\/p>\n Once inside a network, they employ creative lateral movement techniques, including stealing victim source code to craft spear-phishing campaigns using lookalike domains that bypass security proxies<\/a>.<\/p>\n The group also abuses internal service ticketing systems to harvest credentials from unsuspecting employees.<\/p>\n Google Cloud security analysts identified<\/a> that UNC1549 deploys custom tooling designed specifically to evade detection and complicate forensic investigations.<\/p>\n Notably, every post-exploitation payload identified during investigations carried a unique hash, even when multiple samples of the same backdoor variant appeared within a single victim network.<\/p>\n This level of customization underscores the group\u2019s substantial resources and commitment to operational security.<\/p>\n One of the most technically significant aspects of UNC1549\u2019s operations involves their use of search order hijacking for malware persistence.<\/p>\n This technique involves placing malicious DLLs within legitimate software<\/a> installation directories, allowing attackers to achieve persistent execution when administrators or users run the legitimate software.<\/p>\n The group has successfully exploited this vulnerability in widely-used enterprise solutions, including FortiGate, VMWare, Citrix, Microsoft, and NVIDIA executables.<\/p>\n In these cases, researchers detected that UNC1549 deliberately installed legitimate software after gaining initial access, specifically to abuse this DLL search order hijacking capability.<\/p>\n The TWOSTROKE backdoor exemplifies this technical sophistication. This custom C++ backdoor communicates through SSL-encrypted TCP connections on port 443, making it difficult to distinguish from legitimate traffic.<\/p>\n Upon execution, TWOSTROKE generates a unique victim identifier by retrieving the fully qualified DNS computer name using the Windows API function GetComputerNameExW(ComputerNameDnsFullyQualified).<\/p>\n This name undergoes XOR encryption using a static key, converts to lowercase hexadecimal, and extracts the first eight characters before reversing them to create the bot ID.<\/p>\n TWOSTROKE\u2019s command set enables extensive post-compromise capabilities, including system information collection, dynamic DLL loading, file manipulation, and persistent backdoor functionality.<\/p>\n The malware receives hex-encoded payloads from command servers containing multiple commands separated by \u201c@##@\u201d delimiters. Commands range from file uploads and shell command execution to directory listing and file deletion operations.<\/p>\n UNC1549\u2019s campaign prioritizes long-term persistence<\/a> and anticipates investigator response. They strategically deploy backdoors that remain dormant for months, activating only after victims attempt remediation.<\/p>\n This approach, combined with extensive reverse SSH shell usage and domains<\/a> mimicking victim industries, creates a challenging operational environment for defenders.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post UNC1549 Hackers with Custom Tools Attacking Aerospace and Defense Systems to Steal Logins<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjiV8g-rpbyApqUrMmCHUaLRf36OViEWk8uueP3qVcbEKmGBcCRUROd0ax5wODlAkFskrdZowjCgG9fTzFMjeMU-4VdQiRoB-lIaDZkxFI-LTAfS0IRzkZ65kxNLxNUOweKLnOy-1E-Moaj7Eoe4khv6tJE6mglrx4gjh2Z4zRmAiijoGfnTOJSq3_QGK8\/s16000\/Phishing%2520email%2520sent%2520by%2520UNC1549%2520%28Source%2520-%2520Google%2520Cloud%29.webp?ssl=1\")
Initial access<\/strong><\/h2>\n