UNC1549 Hackers with Custom Tools Attacking Aerospace and Defense Systems to Steal Logins


Since mid-2024, a sophisticated Iranian-backed threat group known as UNC1549 has been conducting targeted campaigns against aerospace, aviation, and defense organizations across the globe.

The hackers employ an advanced dual approach, combining carefully crafted phishing campaigns with the exploitation of trusted connections between primary targets and their third-party suppliers.

This strategy proves particularly effective against well-defended organizations like defense contractors, which often leave their vendors as softer targets for initial compromise.

The threat group’s operational methods demonstrate significant evolution and tactical sophistication. Operating from late 2023 through 2025, UNC1549 leverages highly targeted, role-relevant phishing emails to establish initial footholds.

Once inside a network, they employ creative lateral movement techniques, including stealing victim source code to craft spear-phishing campaigns using lookalike domains that bypass security proxies.

The group also abuses internal service ticketing systems to harvest credentials from unsuspecting employees.


Google Cloud security analysts identified that UNC1549 deploys custom tooling designed specifically to evade detection and complicate forensic investigations.

Notably, every post-exploitation payload identified during investigations carried a unique hash, even when multiple samples of the same backdoor variant appeared within a single victim network.

This level of customization underscores the group’s substantial resources and commitment to operational security.

One of the most technically significant aspects of UNC1549’s operations involves their use of search order hijacking for malware persistence.

This technique involves placing malicious DLLs within legitimate software installation directories, allowing attackers to achieve persistent execution when administrators or users run the legitimate software.

Phishing email sent by UNC1549 (Source – Google Cloud)

The group has successfully abused this search order weakness in widely used enterprise software, including executables shipped by FortiGate, VMware, Citrix, Microsoft, and NVIDIA.

Initial access

In these cases, researchers detected that UNC1549 deliberately installed legitimate software after gaining initial access, specifically to abuse this DLL search order hijacking capability.
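The two paragraphs above describe the persistence trick at a high level: a DLL dropped next to a legitimate vendor binary gets loaded because the loader searches the application directory before the system directories. The scan below is an added example written for this article (it is not Google Cloud's tooling and not any vendor's integrity checker) that applies two cheap defender heuristics to an install directory: a DLL whose name collides with one that Windows normally resolves from System32, and a DLL whose hash is missing from or differs against the vendor's package manifest. The system DLL list, the demo file tree and the baseline manifest are all constructed placeholders.

```python
"""Heuristic scan for DLL search-order-hijack candidates in an application
install directory.  Added example; not Google's or any vendor's tooling."""
import hashlib
import os
from dataclasses import dataclass, field

# Constructed: a few DLL names that Windows normally resolves from System32.
# A DLL with one of these names sitting next to an application binary is a
# classic hijack candidate.  A real scan would build this set from a trusted
# Windows installation rather than hard-code it.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptsp.dll", "wtsapi32.dll"}


@dataclass
class Finding:
    path: str
    sha256: str
    reasons: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_files(files: dict, baseline: dict, system_dlls=KNOWN_SYSTEM_DLLS) -> list:
    """files: relative path -> file content as read from the install directory.
    baseline: lowercase DLL file name -> expected sha256 from the vendor's
    package manifest (assumed to be available to the defender).
    Returns one Finding per DLL that trips at least one heuristic."""
    findings = []
    for rel_path, content in sorted(files.items()):
        name = os.path.basename(rel_path).lower()
        if not name.endswith(".dll"):
            continue  # only DLLs take part in search-order resolution here
        digest = sha256_hex(content)
        reasons = []
        if name in system_dlls:
            reasons.append("name collides with a System32 DLL")
        expected = baseline.get(name)
        if expected is None:
            reasons.append("not in vendor baseline")
        elif expected != digest:
            reasons.append("hash differs from vendor baseline")
        if reasons:
            findings.append(Finding(rel_path, digest, reasons))
    return findings


def scan_directory(root: str, baseline: dict) -> list:
    """Same heuristics applied to a real install directory on disk."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files, baseline)


# Constructed demo install tree: one executable, one genuine vendor library
# and one DLL that should not be there at all.
DEMO_FILES = {
    "app.exe": b"MZ...constructed-app",
    "vendorcore.dll": b"MZ...constructed-vendor-library",
    "version.dll": b"MZ...constructed-unknown-dll",
}
DEMO_BASELINE = {"vendorcore.dll": sha256_hex(DEMO_FILES["vendorcore.dll"])}

if __name__ == "__main__":
    for f in scan_files(DEMO_FILES, DEMO_BASELINE):
        print(f.path, f.sha256[:12], "; ".join(f.reasons))
```

On a real host, point `scan_directory` at the directory of any software that appeared after the suspected initial-access date; the article's observation that UNC1549 installs legitimate software itself means a fresh install is a signal in its own right, and the scan then tells you which DLL in it does not belong.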

The TWOSTROKE backdoor exemplifies this technical sophistication. This custom C++ backdoor communicates through SSL-encrypted TCP connections on port 443, making it difficult to distinguish from legitimate traffic.

Upon execution, TWOSTROKE generates a unique victim identifier by retrieving the fully qualified DNS computer name using the Windows API function GetComputerNameExW(ComputerNameDnsFullyQualified).

The name is XOR-encoded with a static key and converted to lowercase hexadecimal; the first eight characters of that string are then reversed to form the bot ID.
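The bot ID derivation just described is simple enough to reproduce, which is useful for a defender who sees an ID in command-and-control telemetry and wants to know which host it belongs to. The code below is an added example written for this article, not the malware's code and not Google Cloud's tooling. The XOR key is a constructed placeholder (the article says the key is static but does not publish it), and the byte encoding the XOR runs over is an assumption, since the article does not say whether the wide string from `GetComputerNameExW` is narrowed first.

```python
"""Emulate the TWOSTROKE bot-ID derivation described in the article so that an
ID seen in C2 telemetry can be tied back to a host.  Added example; not the
malware's code and not Google's tooling."""

# Constructed placeholder: the real static key must be recovered from a sample.
PLACEHOLDER_XOR_KEY = b"\x5a"


def twostroke_bot_id(fqdn: str, key: bytes = PLACEHOLDER_XOR_KEY,
                     encoding: str = "utf-8") -> str:
    """fqdn: the value GetComputerNameExW(ComputerNameDnsFullyQualified) returns.
    encoding is an assumption: 'utf-8' (plain ASCII for ordinary hostnames) if
    the sample narrows the string, 'utf-16-le' if it XORs the wide string."""
    if not key:
        raise ValueError("XOR key must be non-empty")
    raw = fqdn.encode(encoding)
    # 1. XOR with the static key, repeating the key if it is shorter than the name
    xored = bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))
    # 2. lowercase hexadecimal
    hexstr = xored.hex()
    # 3. keep the first eight characters, 4. reverse them
    return hexstr[:8][::-1]


def match_bot_id(observed_id: str, hostnames, key: bytes = PLACEHOLDER_XOR_KEY,
                 encoding: str = "utf-8") -> list:
    """Return every candidate host whose derived ID equals observed_id.
    Expect more than one match: eight hex characters cover only the first four
    bytes of the name, so hosts sharing a four-character prefix collide."""
    wanted = observed_id.lower()
    return [h for h in hostnames if twostroke_bot_id(h, key, encoding) == wanted]


if __name__ == "__main__":
    # Constructed hostname; prints b6a692d2 with the placeholder key
    print(twostroke_bot_id("ws01.corp.example.local"))
```

The collision property is worth knowing before trusting an ID as a host identifier: with a narrowed string only four characters of the FQDN survive, so an asset inventory lookup should treat a match as a shortlist rather than a unique hit.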

TWOSTROKE’s command set enables extensive post-compromise capabilities, including system information collection, dynamic DLL loading, file manipulation, and persistent backdoor functionality.

The malware receives hex-encoded payloads from command servers containing multiple commands separated by “@##@” delimiters. Commands range from file uploads and shell command execution to directory listing and file deletion operations.
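For an analyst replaying a decrypted TLS session from an infected host, the tasking format described above (hex text whose plaintext holds several commands joined by the literal token "@##@") is easy to decode and to recognise. The following is an added example written for this article, not the malware's code and not Google Cloud's tooling; the command verbs in the fixture are constructed placeholders because the article does not publish the real ones.

```python
"""Decode and triage TWOSTROKE-style tasking blobs.  Added example for
analysts working on decrypted captures; not the malware's code."""

DELIMITER = "@##@"


def decode_tasking(hex_blob: str) -> list:
    """hex_blob: the hex text as carried inside the TLS session (the analyst
    has already decrypted the transport).  Returns the individual commands,
    with empty segments from doubled delimiters dropped."""
    try:
        raw = bytes.fromhex(hex_blob.strip())
    except ValueError as exc:
        raise ValueError(f"payload is not valid hex: {exc}") from None
    text = raw.decode("utf-8", errors="replace")
    return [cmd for cmd in text.split(DELIMITER) if cmd]


def looks_like_tasking(data: bytes) -> bool:
    """Cheap triage check for a decrypted stream: is this ASCII hex that
    decodes to something containing the delimiter?  Anything that is not
    hex, or is hex without the delimiter, is rejected."""
    try:
        text = data.decode("ascii")
        raw = bytes.fromhex(text.strip())
    except (UnicodeDecodeError, ValueError):
        return False
    return DELIMITER.encode() in raw


def encode_tasking(commands) -> str:
    """Inverse of decode_tasking; used here only to build test fixtures."""
    return DELIMITER.join(commands).encode("utf-8").hex()


# Constructed fixture with placeholder verbs (the real verbs are not published)
SAMPLE_COMMANDS = [
    "SAMPLE_LISTDIR C:\\Users\\Public",
    "SAMPLE_SYSINFO",
    "SAMPLE_DELETE C:\\Temp\\drop.tmp",
]
SAMPLE_HEX = encode_tasking(SAMPLE_COMMANDS)

if __name__ == "__main__":
    print(looks_like_tasking(SAMPLE_HEX.encode()))
    for cmd in decode_tasking(SAMPLE_HEX):
        print(cmd)
```

`looks_like_tasking` is deliberately loose: the hex-encoded delimiter is a stable byte pattern, so it also works as a content match in a proxy or IDS rule applied after TLS interception, whereas matching on port 443 alone tells you nothing, which is exactly the point the article makes about the backdoor blending into legitimate traffic.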

UNC1549’s campaign prioritizes long-term persistence and anticipates investigator response. They strategically deploy backdoors that remain dormant for months, activating only after victims attempt remediation.

This approach, combined with extensive reverse SSH shell usage and domains mimicking victim industries, creates a challenging operational environment for defenders.
