A new study from Catalyst has exposed a sophisticated cyber espionage campaign conducted by Subtle Snail (UNC1549), an Iran-nexus group linked to Unyielding Wasp (Tortoiseshell) and ultimately part of the Charming Kitten (Eclipsed Wasp) network. The group has been active since at least June 2022, but recent findings show it has pivoted to focus on European telecommunications, aerospace, and defense organizations.
According to the report, “Subtle Snail has infected 34 distinct devices across 11 organizations through targeted operations that leverage fake recruitment processes via LinkedIn.”
The campaign begins with extensive reconnaissance, profiling IT administrators, developers, and researchers with privileged access. Threat actors pose as HR representatives, creating fake LinkedIn accounts and contacting targets with tailored job offers.
As Catalyst explains, “Subtle Snail creates fake HR accounts on LinkedIn and contacts specific targets with fake job opportunities… These fake messages also include a fraudulent PDF job posting, which is customized for the victim.”
Victims are then lured to attacker-controlled lookalike domains (such as telespazio-careers.com or safrangroup-careers.com) that imitate the career sites of aerospace and defense companies, where a fake job-application portal prompts them to submit credentials.
Once access is achieved, Subtle Snail deploys a custom MINIBIKE backdoor variant, a modular malware framework that communicates with C2 infrastructure proxied through Azure cloud services.
The report notes, “The group also possesses a comprehensive malware development capability… They create custom variants of the MINIBIKE backdoor and develop DLL sideloading binaries tailored for specific victims and operations.”
DLL sideloading is a core technique: a malicious DLL is given the name of a library that a trusted, signed executable expects to load, and is placed where the loader will find it before the genuine system copy, so the payload runs inside a legitimate process. The MINIBIKE modules delivered this way support keylogging, credential theft, screenshot capture, and Outlook credential harvesting.
To bypass security defenses, Subtle Snail signs its malware with legitimate code-signing certificates. Catalyst researchers found that “all malicious binaries used in Subtle Snail attacks are signed with a valid digital certificate issued by Insight Digital B.V., a Dutch company.” A valid signature only proves that the binary has not been altered since whoever held that signing key signed it; it says nothing about intent. Controls that allow anything “signed” therefore offer no protection here, and detection logic needs to key on the specific publisher, not on signature validity alone.
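The two preceding points, sideloading of a system-named DLL from an unexpected location and reliance on a valid but untrusted signature, are both visible in endpoint telemetry. The script below is an added example (not code from the Catalyst report or from the group's tooling) that applies a simple check over Sysmon Event ID 7 (Image loaded) records. The records, the publisher name “Example Publisher B.V.”, the DLL list and the signer allowlist are all constructed for illustration.

```python
"""Flag DLL loads that look like sideloading, from Sysmon Event ID 7 fields.

Added example: the records below are constructed, not taken from the report.
"""
from pathlib import PureWindowsPath

# Illustrative subset of Windows DLL names that are frequently sideloaded (not exhaustive).
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll",
    "userenv.dll", "msvcr100.dll", "dwmapi.dll", "secur32.dll",
}

# Where the operating system's own copies live. A system-named DLL loaded from
# anywhere else is a sideload candidate.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Hypothetical allowlist of publishers the organisation trusts for these DLLs.
# "Signed=true" on its own is never sufficient; the signer's identity is what matters.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}

# Constructed Sysmon-style records, flattened as key=value fields separated by '|'.
SAMPLE_EVENTS = [
    r"EventID=7|Image=C:\Users\alice\Downloads\JobApplication\viewer.exe|ImageLoaded=C:\Users\alice\Downloads\JobApplication\version.dll|Signed=true|Signature=Example Publisher B.V.|SignatureStatus=Valid",
    r"EventID=7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"EventID=7|Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\msvcr100.dll|Signed=true|Signature=Microsoft Corporation|SignatureStatus=Valid",
    r"EventID=7|Image=C:\Users\alice\AppData\Local\Temp\update.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\dbghelp.dll|Signed=false|Signature=|SignatureStatus=Unavailable",
    r"EventID=1|Image=C:\Windows\explorer.exe|CommandLine=explorer.exe",
]


def parse_event(line):
    """Turn one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def signature_is_valid(ev):
    """Sysmon reports Signed as 'true'/'false' and SignatureStatus as e.g. 'Valid'."""
    return ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"


def is_sideload_candidate(ev):
    """True when a system-named DLL was loaded from outside the system directories."""
    loaded = PureWindowsPath(ev.get("ImageLoaded", ""))
    name = loaded.name.lower()
    parent = str(loaded.parent).lower()
    in_system_dir = any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)
    return name in SYSTEM_DLL_NAMES and not in_system_dir


def analyse(lines):
    """Return one finding per sideload candidate, rated by what the signature tells us."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7" or not is_sideload_candidate(ev):
            continue
        signer = ev.get("Signature", "")
        if not signature_is_valid(ev):
            severity, reason = "high", "unsigned or invalid signature"
        elif signer not in TRUSTED_SIGNERS:
            # The page's case: a perfectly valid signature, just not from anyone we trust.
            severity, reason = "high", f"valid signature from non-allowlisted signer '{signer}'"
        else:
            severity, reason = "low", "system-named DLL outside a system directory, allowlisted signer"
        findings.append({"severity": severity, "process": ev["Image"], "dll": ev["ImageLoaded"],
                         "signer": signer, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['process']} loaded {f['dll']}: {f['reason']}")
```

The first constructed record is the pattern the report describes: a signed DLL named like a system library, loaded by an executable in a user's download folder. It is rated high even though the signature is valid, because the signer is not on the allowlist; the same DLL signed by Microsoft would only be rated low.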
At the infrastructure level, Subtle Snail relies on Azure cloud-based VPS and proxy domains (such as group-policy-update.azurewebsites.net) to disguise malicious C2 traffic as normal enterprise cloud activity. Because the hostname resolves to Microsoft-owned infrastructure that most organizations already allow, and its label reads like routine Windows administration, this blending makes detection by traditional network security tools far more difficult.
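Blocking azurewebsites.net outright is rarely an option, but a hostname the organization has never contacted before is still observable. The script below is an added example (not from the Catalyst report) that reads constructed web-proxy lines, compares each *.azurewebsites.net hostname against a hypothetical baseline of previously seen hostnames, and ranks first-seen hosts, flagging labels that imitate IT vocabulary. The baseline set, the keyword list and the log lines are all assumptions made for illustration; only group-policy-update.azurewebsites.net comes from the report.

```python
"""Surface first-seen *.azurewebsites.net hostnames from web-proxy logs.

Added example with constructed data. Log format assumed: "<timestamp> <client> <host> <bytes_out>".
"""
import re

# Hypothetical baseline: Azure Web App hostnames this organisation has legitimately used before.
BASELINE = {"intranet-portal.azurewebsites.net", "hr-timesheets.azurewebsites.net"}

# Words an attacker might put in a hostname so the traffic reads like routine Windows/IT activity.
ADMIN_WORDS = ("policy", "update", "patch", "telemetry", "gateway", "vpn", "sso", "login")

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<bytes_out>\d+)$")

# Constructed proxy records: one host beaconing on a 5-minute cadence, one new shared host,
# one baseline host, one unrelated site and one malformed line.
SAMPLE_LOG = [
    "2025-09-24T08:00:05Z 10.20.1.15 group-policy-update.azurewebsites.net 612",
    "2025-09-24T08:05:07Z 10.20.1.15 group-policy-update.azurewebsites.net 598",
    "2025-09-24T08:10:04Z 10.20.1.15 group-policy-update.azurewebsites.net 603",
    "2025-09-24T08:11:30Z 10.20.1.40 intranet-portal.azurewebsites.net 1240",
    "2025-09-24T08:12:00Z 10.20.1.40 team-wiki.azurewebsites.net 330",
    "2025-09-24T08:12:09Z 10.20.1.77 team-wiki.azurewebsites.net 410",
    "2025-09-24T08:13:00Z 10.20.1.15 www.example.com 2210",
    "malformed line",
]


def is_azure_webapp(host):
    return host.lower().endswith(".azurewebsites.net")


def looks_like_admin_traffic(host):
    """True when the app label (left-most DNS label) contains an IT-sounding word."""
    label = host.lower().split(".")[0]
    return any(word in label for word in ADMIN_WORDS)


def find_new_azure_hosts(lines, baseline=BASELINE):
    """Aggregate per first-seen Azure Web App host; most suspicious first."""
    stats = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        host = m["host"].lower()
        if not is_azure_webapp(host) or host in baseline:
            continue
        s = stats.setdefault(host, {"first_seen": m["ts"], "clients": set(), "requests": 0, "bytes_out": 0})
        s["clients"].add(m["client"])
        s["requests"] += 1
        s["bytes_out"] += int(m["bytes_out"])
    results = [
        {
            "host": host,
            "first_seen": s["first_seen"],
            "clients": len(s["clients"]),
            "requests": s["requests"],
            "bytes_out": s["bytes_out"],
            "admin_lookalike": looks_like_admin_traffic(host),
        }
        for host, s in stats.items()
    ]
    # Admin-sounding labels first, then by request volume (a single client polling repeatedly
    # is the shape a beacon leaves behind).
    return sorted(results, key=lambda r: (r["admin_lookalike"], r["requests"]), reverse=True)


if __name__ == "__main__":
    for r in find_new_azure_hosts(SAMPLE_LOG):
        print(f"{r['host']}: first seen {r['first_seen']}, {r['clients']} client(s), "
              f"{r['requests']} requests, {r['bytes_out']} bytes out, admin-lookalike={r['admin_lookalike']}")
```

In practice the baseline would be built from several weeks of proxy or DNS history rather than hard-coded, and a host contacted by one machine at a fixed interval deserves more attention than one many users reach once.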
Subtle Snail’s mission is clear: long-term espionage. Once inside a network, they systematically exfiltrate credentials, customer databases, and sensitive files.
The report highlights, “The threat actors steal project files and other critical data from targeted companies, they also collect and upload personal information to their C2 server, including passport and visa data, identification details, and personal photos.”
Techniques include:
- Browser credential theft (Chrome, Edge, Brave).
- Outlook and Winlogon credential stealing via fake login prompts.
- Keylogging and clipboard monitoring.
- Exfiltration of PST files, source code, and VPN configurations using compressed multi-volume archives.
By compromising European telecom and defense firms, Subtle Snail gains access to highly sensitive infrastructure, technical data, and communications. Catalyst warns that “Iran-nexus cyber espionage operations against European telecommunications companies have reached unprecedented levels of sophistication.” These operations are not smash-and-grab attacks. They are long-term espionage efforts designed to maintain persistence, gather intelligence, and support Iranian strategic interests.