Peach Sandstorm Deploys New Tickler Malware in Persistent Espionage Campaigns
Microsoft Threat Intelligence has identified a sophisticated campaign by the Iranian state-sponsored group known as Peach Sandstorm. Between April and July 2024, the group deployed a custom multi-stage backdoor, dubbed Tickler, to infiltrate high-profile targets across the satellite, communications, oil and gas, and government sectors in both the United States and the United Arab Emirates.
The newly discovered Tickler malware represents a significant evolution in Peach Sandstorm’s toolkit. This custom malware, written in C/C++, is designed to infiltrate and maintain persistence within compromised environments. Microsoft researchers identified two distinct samples of Tickler, each showcasing the malware’s capabilities and the strategic approach of its operators.
One sample, disguised as a security guide for Yahsat, a satellite operator in the UAE, was found packaged within an archive alongside benign PDF documents. The malicious file initiates the infection process by deploying the Tickler malware while simultaneously launching a decoy PDF to avoid detection.
Once executed, Tickler collects network information from the host machine and transmits it to a command-and-control (C2) server, helping the attackers orient themselves within the compromised network. The malware’s second variant, identified as sold.dll, extends its functionality by downloading additional payloads and establishing persistence through DLL sideloading techniques.
In addition to deploying Tickler, Peach Sandstorm has continued to use password spray attacks—a technique that involves attempting a single password across many accounts—to gain initial access to targeted organizations. These attacks have been particularly effective against the education sector, where compromised accounts are often repurposed to create attacker-controlled Azure infrastructure. This infrastructure is then used as C2 nodes for further exploitation, particularly within the defense, space, and government sectors.
Notably, Peach Sandstorm has been observed leveraging Azure for Students subscriptions within compromised Azure tenants to host their C2 servers. Microsoft’s ongoing monitoring efforts have led to the disruption of several of these fraudulent Azure resources.
Peach Sandstorm’s cyber operations are not limited to technical exploits; the group has also been active in social engineering campaigns on LinkedIn. Since at least November 2021, the group has used fake profiles masquerading as students, developers, and talent acquisition managers to gather intelligence and potentially manipulate targets in the higher education, satellite, and defense sectors.
Microsoft’s analysis suggests that Peach Sandstorm operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC), with the group’s activities closely aligning with Iranian state interests. The use of custom malware like Tickler, combined with social engineering and password spray attacks, underscores the group’s commitment to advancing Iran’s geopolitical objectives through cyber espionage.
The continuous evolution of Peach Sandstorm’s tactics, techniques, and procedures (TTPs) poses a significant challenge for organizations in targeted sectors. The group’s ability to adapt and innovate, as demonstrated by the deployment of Tickler and the abuse of Azure resources, reflects a broader trend of increasingly sophisticated state-sponsored cyber operations.
