Iran’s Cyber Actors Attacking Global Airlines to Exfiltrate Sensitive Data


The breach of Tehran-based security contractor Amnban has ripped the cover off a multi-year espionage program that quietly burrowed into airline reservation systems across Africa, Europe, and the Middle East.

Internal documents and screen-captured videos obtained by investigative journalist Nariman Gharib reveal methodical reconnaissance of Royal Jordanian, Turkish Airlines, Wizz Air, Qatar Airways and more, all steered by Iran’s Ministry of Intelligence-linked APT39.

First traced in late 2023 but active far earlier, the malware toolkit—nicknamed “Trailblazer” by incident responders—leverages spear-phishing lures disguised as legitimate flight-manifest requests to gain a foothold on airline help-desk workstations.


Once inside, Trailblazer deploys a lightweight C# loader that drops its encrypted payload directly into memory, erasing on-disk artifacts and evading common endpoint agents.

Command-and-control traffic masquerades as TLS-encrypted telemetry sent to Microsoft Graph, allowing outbound beacons to blend with routine Office 365 traffic.

Nariman Gharib analysts noted that the same implant was discovered pivoting through freight carriers such as FedEx and DHL, underscoring the adversary’s appetite for logistics data that can map global cargo movements.

The operational scope is striking: passenger name records, API credentials, passport scans, and airport VPN configs siphoned in real time to VPS relays registered under benign-looking domains like api-azurecloud[.]com.
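The two infrastructure traits described above (beacons that claim to be Microsoft Graph telemetry, and relays behind look-alike domains such as api-azurecloud[.]com) give a network defender something concrete to hunt for. The following is an added example, not code from the report or from Nariman Gharib's material: it parses constructed proxy log lines and flags (a) TLS sessions whose SNI says Microsoft but whose peer address is outside Microsoft-owned space, (b) sessions to the relay domain named in the report, and (c) source/destination pairs that connect at near-constant intervals. The log format, the two Microsoft prefixes and every log line are assumptions made for the example; a real deployment would load the published Microsoft 365 endpoint list.

```python
"""Detect C2 beacons disguised as Microsoft Graph traffic.
Added example: log format, address prefixes and log lines are constructed."""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for Microsoft's published service prefixes.
MICROSOFT_PREFIXES = [ipaddress.ip_network(p) for p in ("20.190.128.0/18", "40.126.0.0/18")]
# Relay domain named in the report (defanged there as api-azurecloud[.]com).
KNOWN_RELAY_DOMAINS = {"api-azurecloud.com"}

# Assumed proxy log layout: timestamp, src, dst, TLS SNI, bytes sent.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sni=(?P<sni>\S+) bytes_out=(?P<out>\d+)$"
)

# Constructed proxy log lines, not real telemetry.
SAMPLE_LOG = """\
2025-03-12T10:00:00Z src=10.20.5.17 dst=20.190.140.5 sni=graph.microsoft.com bytes_out=812
2025-03-12T10:00:05Z src=10.20.5.31 dst=185.199.110.9 sni=graph.microsoft.com bytes_out=4096
2025-03-12T10:05:05Z src=10.20.5.31 dst=185.199.110.9 sni=graph.microsoft.com bytes_out=4100
2025-03-12T10:10:05Z src=10.20.5.31 dst=185.199.110.9 sni=graph.microsoft.com bytes_out=4098
2025-03-12T10:15:05Z src=10.20.5.31 dst=185.199.110.9 sni=graph.microsoft.com bytes_out=4102
2025-03-12T10:03:00Z src=10.20.5.40 dst=203.0.113.7 sni=api-azurecloud.com bytes_out=900000
"""


def parse(log_text):
    """Turn raw log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["out"] = int(d["out"])
        events.append(d)
    return events


def is_microsoft_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MICROSOFT_PREFIXES)


def find_sni_mismatches(events):
    """SNI claims a microsoft.com host, but the TCP peer is not in Microsoft space."""
    return sorted({e["dst"] for e in events
                   if e["sni"].endswith("microsoft.com") and not is_microsoft_ip(e["dst"])})


def find_known_relays(events):
    """Sessions whose SNI is one of the relay domains from the report."""
    return sorted({e["dst"] for e in events if e["sni"] in KNOWN_RELAY_DOMAINS})


def find_periodic_beacons(events, min_count=4, max_jitter_s=5.0):
    """Flag (src, dst) pairs with at least min_count sessions at near-constant spacing.
    Returns [((src, dst), mean_interval_seconds), ...]."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    flagged = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:
            flagged.append((pair, round(statistics.mean(gaps))))
    return flagged


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("SNI/IP mismatches:", find_sni_mismatches(ev))
    print("Known relays:", find_known_relays(ev))
    print("Periodic beacons:", find_periodic_beacons(ev))
```

The SNI-versus-peer check is the cheapest of the three and catches this campaign's core trick directly: a session can say "graph.microsoft.com" in its ClientHello, but it cannot change where the packets go. The periodicity check is a fallback for relays that do sit in cloud address space.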

Airlines in Qatar and Russia appear to have been tapped for intelligence, while carriers in Jordan and Poland were targeted for counter-dissident surveillance.

According to telemetry shared by a European CERT, a single Trailblazer node exfiltrated 12.6 GB of manifest data during a 48-hour burst in March 2025, highlighting both the malware’s bandwidth efficiency and the victims’ limited detection coverage.

Industry impact quickly followed. Several regional airports reported unexplained check-in outages coinciding with Trailblazer beacon spikes, and one Gulf carrier was forced to freeze its frequent-flyer program after attackers reused stolen miles for mule travel.

A state-sponsored operation harvesting millions of passengers’ personal data for Iran’s intelligence machine (Source – Nariman Gharib)

International regulators now fear that long-term manipulation of passenger manifests could enable physical tracking or even kinetic sabotage if gate assignments are altered at scale.

Detection Evasion Through In-Memory Patching

Trailblazer’s most insidious talent is its in-memory patching engine, a routine that hooks Windows API calls at runtime to falsify scan results returned to antivirus drivers.

Arthur, API Department at KuCoin (Source – Nariman Gharib)

The implant enumerates loaded modules, locates the first 16-byte sequence of each engine’s signature definition, and replaces it with random bytes until the scan passes.

Because the change lives only in volatile memory, rebooting the host restores the original code and erases the tampering trail. A disassembled excerpt from the loader illustrates the process:

```csharp
// Disassembled excerpt as published in the report; it assumes the loader has
// already declared P/Invoke wrappers for the Win32 calls and a System.Random
// instance named rand.
byte[] sig = new byte[16];
IntPtr target = GetProcAddress(GetModuleHandle("amsi.dll"), "AmsiScanBuffer");
Marshal.Copy(target, sig, 0, 16);                          // save original 16-byte prologue
for (int i = 0; i < 16; i++) { sig[i] = (byte)rand.Next(1, 255); } // scramble
uint old;
VirtualProtect(target, 16, 0x40, out old);                 // 0x40 = PAGE_EXECUTE_READWRITE
Marshal.Copy(sig, 0, target, 16);                          // patch AMSI in memory only
VirtualProtect(target, 16, old, out old);                  // restore page protection
```

Because AMSI’s entry point is altered before any script executes, PowerShell transcripts look normal while malicious commands run unhindered.

Memory-only modifications like this defeat file-based scanners and leave minimal forensic residue, explaining why several compromised airlines reported “clean” antivirus sweeps even as data leaked.

Security teams are now urged to supplement signature engines with kernel-level integrity monitoring capable of detecting unauthorized patching events before Trailblazer taxis off the runway.

