A sophisticated Iranian-backed threat group, identified as UNC1549, has been actively conducting targeted cyberattacks against aerospace, aviation, and defense organizations globally since mid-2024. The group employs a dual approach, merging finely tuned phishing campaigns with the exploitation of established trust relationships between primary targets and their third-party suppliers, making them a significant concern for the defense sector.
This advanced offensive strategy allows UNC1549 to bypass the robust security measures often in place at well-defended organizations like defense contractors. Instead, they focus on compromising softer targets, such as vendors, to gain an initial foothold within the broader supply chain. This tactic highlights a growing trend in sophisticated cyber espionage operations.
UNC1549’s Evolving Tactics and Custom Tooling
UNC1549 has demonstrated a notable evolution in its operational methods, showcasing significant tactical sophistication. Operating from late 2023 through 2025, the group meticulously crafts role-relevant phishing emails to infiltrate victim networks. Their approach is highly personalized, aiming to increase the likelihood of successful initial compromise.
Once inside a network, UNC1549 is adept at creative lateral movement. The group has been observed to steal victim source code specifically to craft spear-phishing campaigns. These campaigns utilize lookalike domains designed to circumvent security proxies, further complicating detection efforts. Additionally, they leverage internal service ticketing systems to harvest credentials from unsuspecting employees, exploiting internal workflows.
Google Cloud security analysts have identified that UNC1549 deploys custom tooling specifically engineered to evade detection and hinder forensic investigation after an attack. A key characteristic is that every post-exploitation payload observed during investigations carried a unique hash. This level of customization, even across multiple samples of the same backdoor variant within a single network, underscores the group’s substantial resources and commitment to operational security.
Search Order Hijacking for Persistent Access
One of the most technically significant aspects of UNC1549’s operations is their skillful use of search order hijacking for malware persistence. This technique involves strategically placing malicious DLLs within legitimate software installation directories. When an administrator or user subsequently runs the legitimate software, the malicious DLL is executed, granting the attackers persistent access to the compromised system.
The group has applied this technique to widely used enterprise software, including executables from FortiGate, VMware, Citrix, Microsoft, and NVIDIA products. Because these products are common across organizational IT infrastructures, the technique’s potential impact is broad.
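To show the defender’s side of this technique, here is an added Python example (not code from this page, from Google Cloud, or from any of the vendors named) that audits a software installation directory against a known-good manifest. It flags DLLs that are not in the manifest, DLLs whose hash has changed, and unexpected DLLs whose file name collides with a library the application would normally resolve from the system directory, which is exactly the file an attacker plants to be loaded first. The install directory, the manifest, and the system DLL name set (the name "exampleapi.dll") are all constructed for the demo; in practice the manifest is captured from a clean install and the name set is built from a listing of the real system directory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_install_dir(install_dir, baseline, system_dll_names):
    """Compare every DLL under install_dir with a known-good manifest.

    baseline: {relative posix path: sha256} captured from a clean install.
    system_dll_names: lowercase file names of libraries the application normally
    resolves from the system directory; a copy of one of those placed beside the
    EXE wins under the default search order, so an unexpected one is high priority.
    Returns a sorted list of (reason, relative_path) findings.
    """
    root = Path(install_dir)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".dll":
            continue
        rel = path.relative_to(root).as_posix()
        expected = baseline.get(rel)
        if expected is None:
            findings.append(("unexpected_dll", rel))
            if path.name.lower() in system_dll_names:
                findings.append(("shadows_system_dll", rel))
        elif expected != sha256_file(path):
            findings.append(("hash_mismatch", rel))
    return sorted(findings)


def demo():
    """Constructed scenario: a clean vendor install, then two changes the audit should flag."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vendorapp.exe").write_bytes(b"MZ placeholder exe")
        (root / "vendorcore.dll").write_bytes(b"MZ placeholder vendor dll")
        baseline = {"vendorcore.dll": sha256_file(root / "vendorcore.dll")}
        # Constructed planting: a DLL named like a system library dropped beside the
        # EXE, and the vendor's own DLL replaced with different content.
        (root / "exampleapi.dll").write_bytes(b"MZ placeholder planted dll")
        (root / "vendorcore.dll").write_bytes(b"MZ placeholder tampered dll")
        # "exampleapi.dll" is a constructed stand-in for a real system library name.
        return audit_install_dir(root, baseline, {"exampleapi.dll"})


if __name__ == "__main__":
    for reason, rel in demo():
        print(f"{reason}: {rel}")
```

Run on a real host, the manifest would be regenerated from the vendor’s installer on a clean machine, and the audit scheduled against each install directory the page names; the hash comparison catches replaced DLLs while the name check catches planted ones even before their hash is known.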
Initial Access and the TWOSTROKE Backdoor
In observed cases, researchers have noted that UNC1549 deliberately installs legitimate software after gaining initial access. This is done specifically to abuse the DLL search order hijacking capability, turning trusted applications into vectors for ongoing compromise. This tactic demonstrates a deep understanding of system mechanics and a methodical approach to establishing long-term presence.
The custom C++ backdoor, dubbed TWOSTROKE, exemplifies the group’s technical prowess. This C2 (command and control) malware communicates over SSL-encrypted TCP connections on port 443, making its traffic difficult to distinguish from legitimate network activity. Upon execution, TWOSTROKE generates a unique victim identifier by retrieving the fully qualified DNS computer name using the Windows API function GetComputerNameExW.
This identifier is then XORed with a static key, encoded as lowercase hexadecimal, truncated to its first eight characters, and reversed to form the bot ID. TWOSTROKE offers a comprehensive set of post-compromise capabilities, including collection of system information, dynamic loading of DLLs, file manipulation, and persistent backdoor functionality, giving the attackers extensive control.
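The bot ID derivation described above, as an added Python example that is not code from the report or from the malware itself. The XOR key is a placeholder because the page does not publish it; the text encoding is an assumption (UTF-16LE, matching the wide-character API the page names, with a parameter to switch to a narrow encoding if the sample converts the string first). A responder who has recovered the key from a sample can run derive_bot_id over a host inventory to attribute an identifier seen in C2 traffic back to a machine.

```python
from itertools import cycle

# Placeholder: the report does not publish the static XOR key; recover it from a sample.
PLACEHOLDER_KEY = b"REPLACE-WITH-KEY-FROM-SAMPLE"


def derive_bot_id(fqdn: str, key: bytes, encoding: str = "utf-16-le") -> str:
    """FQDN -> XOR with static key -> lowercase hex -> first 8 chars -> reversed.

    encoding is an assumption: GetComputerNameExW returns UTF-16LE, but the page
    does not say whether the sample XORs the wide string or a narrow copy.
    """
    if not key:
        raise ValueError("key must not be empty")
    raw = fqdn.encode(encoding)
    # The key repeats if it is shorter than the encoded name.
    xored = bytes(b ^ k for b, k in zip(raw, cycle(key)))
    return xored.hex()[:8][::-1]  # bytes.hex() is already lowercase


def bot_id_table(hostnames, key: bytes, encoding: str = "utf-16-le") -> dict:
    """Map each candidate bot ID to the hosts that produce it.

    Only the first eight hex characters survive truncation, i.e. the first four
    encoded bytes, so several hosts can share an ID; the value is therefore a list.
    """
    table = {}
    for host in hostnames:
        table.setdefault(derive_bot_id(host, key, encoding), []).append(host)
    return table


def attribute_ids(observed_ids, hostnames, key: bytes, encoding: str = "utf-16-le") -> dict:
    """For IDs pulled from C2 traffic, return the candidate hosts (or None if unknown)."""
    table = bot_id_table(hostnames, key, encoding)
    return {bot_id: table.get(bot_id) for bot_id in observed_ids}


if __name__ == "__main__":
    # Constructed inventory and a constructed one-byte key for demonstration only.
    inventory = ["ws01.corp.example", "ws02.corp.example", "fs01.corp.example"]
    for bot_id, hosts in bot_id_table(inventory, b"\x2a").items():
        print(bot_id, hosts)
```

One consequence of the scheme as described is worth noting for attribution work: because truncation keeps only four bytes of the XOR output, under the UTF-16LE assumption the ID depends on just the first two characters of the computer name, so hosts with a common naming prefix collide and the table has to be combined with other evidence (source IP, timing) to pin down a single machine.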
Advanced Command and Control and Defense Evasion
The malware receives hex-encoded payloads from its command servers. Each payload contains multiple commands separated by the delimiter “@##@”. The command set covers uploading and downloading files, executing shell commands, listing directories, and deleting files, giving the attackers considerable flexibility.
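The payload format described above, handled by an added Python example for analysts reconstructing a captured session; this is not code from the report or from the malware. The command verbs in the constructed sample are hypothetical stand-ins for the capabilities the page lists (the real command syntax is not on the page), and the assumption that the whole payload is hex-decoded before being split on the delimiter is mine.

```python
DELIMITER = "@##@"


def decode_payload(hex_blob: str, delimiter: str = DELIMITER) -> list:
    """Hex-decode a captured payload and split it into commands on the delimiter.

    Whitespace and line breaks from a pcap or log export are tolerated.
    Raises ValueError if the blob is not valid hex.
    """
    cleaned = "".join(hex_blob.split())
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError("payload is not valid hex") from exc
    text = raw.decode("utf-8", errors="replace")
    return [cmd for cmd in text.split(delimiter) if cmd]


def contains_delimiter(hex_blob: str, delimiter: str = DELIMITER) -> bool:
    """Cheap triage check for a decrypted 443 body: does it hex-decode to
    something containing the delimiter? Non-hex input is simply not a match."""
    try:
        raw = bytes.fromhex("".join(hex_blob.split()))
    except ValueError:
        return False
    return delimiter.encode() in raw


def command_verbs(commands) -> list:
    """First token of each command, upper-cased, for a quick session summary."""
    return [cmd.split(None, 1)[0].upper() for cmd in commands if cmd.strip()]


# Constructed sample. The verbs are hypothetical; only the delimiter comes from the report.
SAMPLE_COMMANDS = [
    "LISTDIR C:\\Users\\analyst",
    "DOWNLOAD C:\\Users\\analyst\\notes.txt",
    "DELETE C:\\Temp\\old.log",
]
SAMPLE_HEX = DELIMITER.join(SAMPLE_COMMANDS).encode().hex()


if __name__ == "__main__":
    for cmd in decode_payload(SAMPLE_HEX):
        print(cmd)
    print(command_verbs(decode_payload(SAMPLE_HEX)))
```

In practice the hex body would come from TLS-inspected or memory-captured traffic; contains_delimiter is cheap enough to run over every decrypted body as a first pass, and decode_payload then yields the ordered command list for the incident timeline.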
UNC1549’s campaign exhibits a distinct prioritization of long-term persistence and a strategic anticipation of investigator responses. They deliberately deploy backdoors that remain dormant for extended periods, often activating only after victims have attempted to remediate the initial compromise. This sophisticated approach, combined with the extensive use of reverse SSH shells and domains that mimic the industries of their targets, creates a highly challenging environment for defenders attempting to detect and neutralize the threat.
The ongoing activities of UNC1549 underscore the persistent threat posed by nation-state-sponsored cyber actors targeting critical infrastructure. The sophistication of their custom tooling and their multifaceted attack vectors highlight the continuous need for advanced threat intelligence and robust cybersecurity defenses within the aerospace and defense sectors. Organizations are advised to remain vigilant and update their security protocols in response to these evolving threats.