The threat group UNC1549, suspected to be linked to Iran, has significantly expanded its cyber-espionage operations across the aerospace, aviation, and defense sectors since mid-2024, according to a new analysis released by Mandiant. The group is employing increasingly sophisticated initial-access techniques, stealthy persistence mechanisms, and customized malware families aimed at long-term intelligence collection.
The researchers further emphasize that the activity represents a continued evolution from campaigns they first documented in 2023.
UNC1549 is leveraging a dual intrusion strategy:
- Compromising trusted third-party suppliers and contractors, and
- Launching highly personalized spear-phishing campaigns.
Mandiant explains:
“UNC1549 employed a dual approach: deploying well-crafted phishing campaigns… and exploiting trusted connections with third-party suppliers and partners.”
The abuse of third-party relationships has proven especially effective against hardened environments such as defense contractors. Mandiant highlights this strategic blind spot:
“This disparity provides UNC1549 a path of lesser resistance, allowing them to circumvent the primary target’s main security controls by first compromising a connected entity.”
UNC1549 was also observed abusing enterprise virtualization and remote access technologies:
- Citrix
- VMware
- Azure Virtual Desktop
The report notes that attackers used stolen third-party credentials to authenticate, then executed VDI breakouts to move laterally:
“Post-authentication, UNC1549 used techniques designed to escape the security boundaries and restrictions of the virtualized Citrix session.”
UNC1549 continues to sharpen its social-engineering playbook.
“UNC1549 utilized targeted spear-phishing emails… using lures related to job opportunities or recruitment efforts.”
After compromising initial users, they shift toward targeting IT staff and administrators, performing inbox reconnaissance to mimic internal processes like password resets.
Mandiant identified multiple custom malware payloads used to maintain persistence and conduct reconnaissance, including:
- MINIBIKE
- TWOSTROKE
- DEEPROOT
- POLLBLEND
- CRASHPAD
- SIGHTGRAB
- DCSYNCER.SLICK
- LIGHTRAIL
Critically, Mandiant discovered that each payload sample—across all victims—had a unique hash, increasing forensic complexity.
“Every post-exploitation payload identified, regardless of family, had a unique hash… highlighting UNC1549’s sophistication.”
TWOSTROKE is a C++ backdoor with a rich command set carried over SSL-encrypted C2 channels. It supports commands for file manipulation, DLL loading, process execution, and system profiling. TWOSTROKE also generates a unique victim identifier by XOR-encoding the host's DNS computer name.
UNC1549 demonstrates deep knowledge of Windows internals by abusing DLL search order hijacking across multiple enterprise software products.
Mandiant writes:
“UNC1549 abused DLL search order hijacking to execute CRASHPAD, DCSYNCER.SLICK, GHOSTLINE, LIGHTRAIL, MINIBIKE, POLLBLEND, SIGHTGRAB, and TWOSTROKE payloads.”
The group even installed legitimate software packages—Fortigate, VMware, Citrix, Microsoft, NVIDIA—solely to hijack their DLL load paths.
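A defender-side check for the DLL search-order hijacking pattern described above: a legitimately installed, signed executable loading a DLL from its own directory that is either unsigned or carries the name of a Windows system DLL that should have resolved to System32. This is an added example and not code from the Mandiant report or the article; the Sysmon Event ID 7 (Image loaded) records, paths, and publisher names are constructed, and the set of system DLL names is a small illustrative list rather than a complete one.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (Image loaded) records."""
import ntpath

# Constructed Sysmon Event ID 7 records (hypothetical paths and publishers, not from the report).
SAMPLE_EVENTS = [
    # 1: a system DLL resolved from System32 -> normal
    {"Image": r"C:\Program Files\VendorApp\vendorapp.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # 2: a system DLL name served from the application's own directory, unsigned -> side-load
    {"Image": r"C:\Program Files\VendorApp\vendorapp.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\version.dll",
     "Signed": "false", "Signature": ""},
    # 3: the vendor's own signed helper DLL next to the executable -> benign
    {"Image": r"C:\Program Files\VendorApp\vendorapp.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\vendorhelper.dll",
     "Signed": "true", "Signature": "Vendor Inc"},
    # 4: unsigned copy of a system DLL placed beside an installer in a user-writable path
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\setup\updater.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\setup\dbghelp.dll",
     "Signed": "false", "Signature": ""},
]

# Directories where Windows-owned DLLs are expected to live (lower-cased for comparison)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Illustrative subset of DLL names that belong to Windows and are frequently side-loaded
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll"}


def classify(event):
    """Return the list of reasons an Image-loaded event looks like DLL side-loading (empty if none)."""
    image_dir = ntpath.dirname(event["Image"]).lower()
    dll_path = event["ImageLoaded"]
    dll_dir = ntpath.dirname(dll_path).lower()
    dll_name = ntpath.basename(dll_path).lower()
    reasons = []
    # Search-order hijacking needs the rogue DLL in a directory searched before System32;
    # the host executable's own directory is the classic location, so only look there.
    if dll_dir == image_dir:
        if event.get("Signed", "").lower() != "true":
            reasons.append("unsigned DLL loaded from the host executable's directory")
        if dll_name in KNOWN_SYSTEM_DLLS and dll_dir not in SYSTEM_DIRS:
            reasons.append(f"{dll_name} resolved outside a Windows system directory")
    return reasons


def detect(events):
    """Run classify() over a batch of events and return one finding per suspicious load."""
    findings = []
    for event in events:
        reasons = classify(event)
        if reasons:
            findings.append({"process": event["Image"], "dll": event["ImageLoaded"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately ignores signed DLLs loaded from the application directory, so a vendor's own helper libraries do not page anyone; in production the `KNOWN_SYSTEM_DLLS` set would be generated from an inventory of the System32 directory rather than hand-written.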
Mandiant found that LIGHTRAIL, likely based on the Lastenzug SOCKS4a proxy, has been significantly enhanced:
- MAX_CONNECTIONS increased from 250 → 5000
- Hard-coded Azure-based WebSocket C2
- Custom User-Agent strings
- Optimized function count from 26 → 10
The report highlights:
“LIGHTRAIL is a custom tunneler… communicating using Azure cloud infrastructure.”
On Linux systems, UNC1549 deployed DEEPROOT, a Golang backdoor supporting shell execution, enumeration, file operations, and multi-server C2 fallback.
Mandiant states:
“DEEPROOT was observed using multiple C2 domains hosted in Microsoft Azure… suspected to be used for redundancy.”
UNC1549 heavily emphasizes credential access. Their toolkit includes:
- DCSYNCER.SLICK — steals NTLM hashes via DCSync-like operations
- CRASHPAD — decrypts credentials stored by browsers
- SIGHTGRAB — captures periodic screenshots
- TRUSTTRAP — fake Outlook login windows harvesting passwords
The report notes the group frequently resets domain controller computer account passwords using unconventional methods:
“They were observed unconventionally resetting passwords for domain controller computer accounts using net.exe.”
This breaks DC functionality but enables replication rights for DCSync operations.
They also abuse:
- RBCD (Resource-Based Constrained Delegation)
- Kerberoasting using obfuscated scripts
- Active Directory Certificate Services to impersonate privileged users
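Detection logic for two of the credential-access behaviours described above: the unconventional reset of domain controller computer account passwords via net.exe, and Kerberoasting. This is an added example and not code from the Mandiant report or the article. It runs over constructed Windows Security event records; the domain controller account inventory, host names, the RC4 request threshold, and the assumption that a machine's own scheduled password rotation appears with the subject equal to the target account are all assumptions made for the example.

```python
"""Flag two credential-access patterns in Windows Security event records."""
import re
from collections import defaultdict

# Constructed inventory of domain controller computer accounts (hypothetical names).
DC_ACCOUNTS = {"DC01$", "DC02$"}
# Distinct SPNs requested with RC4 by one account before it counts as a Kerberoasting burst (assumed).
ROAST_THRESHOLD = 5
# Matches a 'user <account>$' argument, i.e. net.exe aimed at a computer account
NET_USER_RE = re.compile(r"\buser\s+(\S+\$)", re.IGNORECASE)

# Constructed Security log records; field names follow the Windows event schema, values are made up.
SAMPLE_EVENTS = [
    # Password reset on a DC computer account by another principal (4724) -> critical
    {"EventID": 4724, "Computer": "DC01", "SubjectUserName": "svc_backup", "TargetUserName": "DC01$"},
    # Ordinary user password reset -> benign
    {"EventID": 4724, "Computer": "DC01", "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe"},
    # Machine rotating its own password: subject == target (assumed shape) -> benign
    {"EventID": 4742, "Computer": "DC02", "SubjectUserName": "DC02$", "TargetUserName": "DC02$"},
    # net1.exe invoked against a DC computer account (4688); the password argument is elided
    {"EventID": 4688, "Computer": "WS-ADMIN07", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\net1.exe", "CommandLine": "net1 user DC01$ <elided> /domain"},
    # Unrelated net.exe use -> benign
    {"EventID": 4688, "Computer": "WS-0421", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\net.exe", "CommandLine": r"net use Z: \\fs01\share"},
]
# One account requesting RC4 (0x17) service tickets for many distinct SPNs -> Kerberoasting burst
SAMPLE_EVENTS += [
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": f"svc_app{i}", "TicketEncryptionType": "0x17"} for i in range(6)
]
# The same user getting a single AES ticket for a file server is normal traffic
SAMPLE_EVENTS.append({"EventID": 4769, "Computer": "DC01", "TargetUserName": "jdoe@CORP.EXAMPLE",
                      "ServiceName": "FS01$", "TicketEncryptionType": "0x12"})


def dc_account_findings(events):
    """Password resets or net.exe activity aimed at a domain controller's computer account."""
    findings = []
    for e in events:
        eid = e["EventID"]
        target = e.get("TargetUserName", "")
        if eid in (4724, 4742) and target in DC_ACCOUNTS and e.get("SubjectUserName") != target:
            findings.append({"event_id": eid, "host": e["Computer"], "account": target,
                             "reason": "DC computer account password reset by another principal"})
        elif eid == 4688 and e.get("NewProcessName", "").lower().endswith(("\\net.exe", "\\net1.exe")):
            m = NET_USER_RE.search(e.get("CommandLine", ""))
            if m and m.group(1) in DC_ACCOUNTS:
                findings.append({"event_id": eid, "host": e["Computer"], "account": m.group(1),
                                 "reason": "net.exe used to modify a DC computer account"})
    return findings


def kerberoast_findings(events, threshold=ROAST_THRESHOLD):
    """Accounts that requested RC4 service tickets for at least `threshold` distinct SPNs."""
    rc4_services = defaultdict(set)
    for e in events:
        if e["EventID"] == 4769 and e.get("TicketEncryptionType") == "0x17":
            # Computer accounts end with '$'; roasting targets user accounts that carry SPNs
            if not e["ServiceName"].endswith("$"):
                rc4_services[e["TargetUserName"]].add(e["ServiceName"])
    return [{"event_id": 4769, "account": user, "service_count": len(svcs),
             "reason": "burst of RC4 service-ticket requests"}
            for user, svcs in sorted(rc4_services.items()) if len(svcs) >= threshold]


def detect(events):
    """Combine both rule sets into one list of findings."""
    return dc_account_findings(events) + kerberoast_findings(events)


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Because the report says the group reset these accounts in a way that breaks the domain controller, the 4724/4742 rule is worth treating as a high-severity alert on its own rather than a correlation input; the Kerberoasting threshold should be tuned against a baseline of RC4 ticket requests in the environment, since legacy applications can still legitimately request them.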
UNC1549 blends in by repurposing legitimate enterprise tools:
- RDP
- PowerShell Remoting
- Atelier Web Remote Commander (AWRC)
- SCCM remote control (SCCMVNC)
Mandiant notes:
“Most frequently, RDP was used… UNC1549 also observed using AWRC and SCCM remote control for lateral movement.”
SCCMVNC is especially stealthy, allowing silent remote control without user consent.
UNC1549 relies heavily on reverse SSH tunnels, making most C2 traffic appear as benign outbound connections. The group also deployed ZeroTier and Ngrok for redundant access.
The group’s mission objectives center around espionage:
“UNC1549’s operations appear strongly motivated by espionage… actively seeking sensitive information including network/IT documentation, intellectual property, and emails.”
They also pivot from compromised entities to target partners within the same supply chain—expanding operational reach.