UNC1549 is an Iran-nexus espionage group conducting multi-year campaigns against aerospace, aviation and defense organizations in the Middle East and Europe, with Mandiant observing a surge in activity since mid-2024. The actors pair highly targeted spear-phishing, built around job and recruitment lures, with compromise of third-party suppliers and service providers to reach hardened primary targets. This maps to MITRE ATT&CK T1566 (Phishing), T1190 (Exploit Public-Facing Application) via partner portals, and T1195 (Supply Chain Compromise). Once inside, UNC1549 uses custom tools including DCSYNCER.SLICK, GHOSTLINE, LIGHTRAIL, MINIBIKE, POLLBLEND, SIGHTGRAB and CRASHPAD, often executed via DLL search-order hijacking.

The group's initial access strategy exploits trust relationships: it compromises vendors and then pivots through virtual desktop infrastructure (VDI) or service provider access into end-customer networks. It steals source code and internal materials to craft realistic phishing emails sent from lookalike domains, and abuses internal ticketing systems for credential harvesting. DCSYNCER.SLICK mimics legitimate Active Directory DCSync replication to pull NTLM password hashes from domain controllers, aligning with MITRE T1003 (OS Credential Dumping), while SIGHTGRAB captures periodic screenshots for visual intelligence collection. Reverse SSH tunnels serve as command-and-control channels, allowing UNC1549 to bypass some endpoint detection and limit forensic traces.

UNC1549 is highly focused on persistence and operational security. Mandiant reports that the group plants backdoors that remain dormant for months, reactivating only after defenders attempt eradication, and frequently deletes its utilities and Windows artifacts such as RDP connection history to hinder incident response.
Overlapping reporting from Check Point and Prodaft links UNC1549 to broader Iranian clusters such as Nimbus Manticore and Charming Kitten (Eclipsed Wasp network), with objectives centered on long-term access to telecom, aerospace and defense manufacturing environments for strategic intelligence collection. For targeted organizations and their suppliers, these campaigns pose significant business and national-security risks, including theft of intellectual property, defense designs and operational documentation. Organizations should elevate third-party risk management around telecom, IT and engineering providers and implement continuous monitoring for DLL search-order hijacking, anomalous DCSync operations and reverse SSH tunnels. Active Directory tiering and segmentation, enforcement of privileged access management for domain admins, and rigorous email security with DMARC and advanced phishing detection are critical to reducing UNC1549's ability to gain and maintain access.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: UNC1549's focus on aerospace, aviation and defense organizations via third-party access exposes high-value intellectual property and operational data to nation-state espionage, with potential downstream effects on national security, export controls and long-term competitive positioning. Suppliers with weaker security postures become high-risk pivot points, making traditional perimeter-focused strategies insufficient.

Technical Context: The group combines spear-phishing and partner abuse for initial access (T1566, T1195), then relies on DLL search-order hijacking and custom tooling such as DCSYNCER.SLICK, CRASHPAD and SIGHTGRAB for credential theft, persistence and data collection (T1003, T1055, T1113). Its use of reverse SSH tunnels and artifact cleanup complicates detection and forensics, necessitating enhanced telemetry on domain controller replication events, DLL loads for key binaries, and third-party network paths.
⚡Strategic Intelligence Guidance
- Strengthen third-party risk management for service providers in telecom, IT and engineering by enforcing minimum security controls, multi-factor authentication and dedicated, monitored connectivity paths.
- Implement hardened Active Directory tiering with separate admin workstations, strict domain admin usage controls, and monitoring for anomalous DCSync operations and reverse SSH tunnels from critical servers.
- Deploy advanced phishing defenses including DMARC, sender authentication and behavioral content analysis, focusing on job-related and IT support-themed lures targeting administrators and engineers.
- Expand EDR and logging coverage to detect DLL search-order hijacking and unauthorized binary loads for widely abused software like FortiGate, VMware, Citrix and NVIDIA, with threat-hunting playbooks tailored to UNC1549 TTPs.
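The guidance above and the earlier recommendation to monitor for anomalous DCSync operations both come down to one detection: directory replication rights being requested by an account that is not a domain controller. The script below is an added example, not from Mandiant or the report; it parses constructed Windows Security event 4662 records (flattened to key="value" lines) and flags replication requests from accounts outside a hypothetical allow-list of known replicators.

```python
# Added example: flag DCSync-style replication requests from accounts that are not known replicators.
import re
from typing import Iterable

# Control access right GUIDs that AD replication requires; DCSync tooling must request the first two.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Hypothetical allow-list (constructed): DC machine accounts and a directory sync service account.
KNOWN_REPLICATORS = {"DC01$", "DC02$", "MSOL_sync"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line: str) -> dict:
    """Parse a flattened record of the form key="value" key="value" into a dict."""
    return dict(FIELD_RE.findall(line))

def find_suspicious_dcsync(lines: Iterable[str], allowlist=frozenset(KNOWN_REPLICATORS)) -> list:
    """Return 4662 control-access events requesting replication rights from non-allow-listed accounts."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662" or ev.get("AccessMask") != "0x100":
            continue  # not a control-access audit on a directory object
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPL_GUIDS.items() if guid in props]
        if not rights:
            continue  # some other extended right, not replication
        user = ev.get("SubjectUserName", "")
        if user in allowlist:
            continue  # expected replication partner
        hits.append({"user": user, "dc": ev.get("Computer", ""), "rights": rights})
    return hits

# Constructed sample 4662 records (not real telemetry), flattened to one key="value" line each.
SAMPLE_EVENTS = [
    'EventID="4662" Computer="DC01.corp.example" SubjectUserName="DC02$" AccessMask="0x100" Properties="Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID="4662" Computer="DC01.corp.example" SubjectUserName="jsmith" AccessMask="0x100" Properties="Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID="4662" Computer="DC01.corp.example" SubjectUserName="jsmith" AccessMask="0x100" Properties="Control Access {00299570-246d-11d0-a768-00aa006e0529}"',
    'EventID="4624" Computer="DC01.corp.example" SubjectUserName="jsmith" LogonType="3"',
]

if __name__ == "__main__":
    for hit in find_suspicious_dcsync(SAMPLE_EVENTS):
        print(f"DCSync-like request by {hit['user']} on {hit['dc']}: {', '.join(hit['rights'])}")
```

In production the allow-list should be derived from the Domain Controllers OU and any sanctioned sync accounts rather than hard-coded, and the same match runs over 4662 events exported from a SIEM.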
Vendors
Fortinet, VMware, Citrix, Microsoft, NVIDIA
Threats
UNC1549, Iranian nation-state espionage, Supply chain compromise
Targets
Aerospace organizations, Defense contractors, Telecom providers, Third-party IT and engineering suppliers