“The operation represents a notable technical advancement for the group, which introduced two previously undocumented custom backdoors: TWOSTROKE, a lightweight Windows implant written in C++ that supports command execution, file operations, screenshot capture and various persistence methods,” the Google-owned firm said.
“The other is DEEPROOT, a cross-platform backdoor developed in the ‘Go’ language that works on both Linux and Windows systems, enabling shell commands and file transfers,” the report added.
Attackers gained initial access primarily through spear-phishing emails containing tailored job recruitment lures aimed at defense and aviation professionals, as well as through supply-chain compromises involving trusted third-party software vendors and virtual desktop infrastructure providers, Mandiant reported.
“Once inside victim networks, UNC1549 (aka Nimbus Manticore/Tropical Scorpius) deployed additional tools including SIGHTGRAB for screenshots and CRASHPAD for credential harvesting and data staging,” Mandiant said. “Command-and-control traffic was routed through compromised Microsoft Azure tenant accounts to blend with legitimate cloud activity and avoid detection.”
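The report notes that command-and-control traffic was routed through compromised Azure tenant accounts so that it blended with legitimate cloud activity. One defensive consequence is that destination alone is a weak signal; pairing the destination with the originating process and the number of hosts contacting it is more useful. The following is an added example, not code from the Mandiant report or any UNC1549 tooling: a small Python heuristic over constructed endpoint network-event lines that flags connections to Azure-hosted domains from processes not on an allowlist, then shows how many hosts reach each flagged endpoint. The log format, the domain suffixes in `AZURE_SUFFIXES`, and the allowlist in `ALLOWED_PROCESSES` are all assumptions to be tuned to a real environment.

```python
import re
from collections import defaultdict

# Assumed Azure-hosted DNS suffixes; adjust to what your environment actually uses.
AZURE_SUFFIXES = (
    ".azurewebsites.net",
    ".blob.core.windows.net",
    ".trafficmanager.net",
    ".cloudapp.azure.com",
)

# Processes expected to talk to Azure endpoints (assumed allowlist).
ALLOWED_PROCESSES = {"msedge.exe", "chrome.exe", "teams.exe", "onedrive.exe", "outlook.exe"}

# Assumed log format: "<timestamp> host=<name> proc=<image> dst=<fqdn>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)

# Constructed sample events, not real telemetry.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z host=WS01 proc=msedge.exe dst=portal.azure.com:443",
    "2024-01-01T10:00:05Z host=WS01 proc=onedrive.exe dst=files.blob.core.windows.net:443",
    "2024-01-01T10:01:00Z host=WS02 proc=updatesvc.exe dst=abc123.azurewebsites.net:443",
    "2024-01-01T10:01:30Z host=WS02 proc=updatesvc.exe dst=abc123.azurewebsites.net:443",
    "2024-01-01T10:02:00Z host=WS03 proc=winhelper.exe dst=abc123.azurewebsites.net:443",
    "2024-01-01T10:03:00Z host=WS04 proc=teams.exe dst=teams.trafficmanager.net:443",
    "not a log line",
]


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["proc"] = ev["proc"].lower()
    ev["dst"] = ev["dst"].lower()
    return ev


def is_azure_destination(dst):
    """True when the destination FQDN ends with one of the assumed Azure suffixes."""
    return any(dst.endswith(suffix) for suffix in AZURE_SUFFIXES)


def find_suspicious(lines):
    """Return sorted, de-duplicated (host, process, destination) tuples for
    connections to Azure-hosted domains from processes not on the allowlist."""
    findings = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_azure_destination(ev["dst"]):
            continue
        if ev["proc"] in ALLOWED_PROCESSES:
            continue
        findings.add((ev["host"], ev["proc"], ev["dst"]))
    return sorted(findings)


def destination_spread(lines):
    """Map each flagged destination to the sorted list of hosts that contacted it.
    An Azure endpoint reached only by a handful of hosts, all via non-standard
    processes, deserves a closer look than one used fleet-wide by a browser."""
    hosts_by_dst = defaultdict(set)
    for host, _proc, dst in find_suspicious(lines):
        hosts_by_dst[dst].add(host)
    return {dst: sorted(hosts) for dst, hosts in hosts_by_dst.items()}


if __name__ == "__main__":
    for host, proc, dst in find_suspicious(SAMPLE_LOGS):
        print(f"flag: {host} {proc} -> {dst}")
    for dst, hosts in destination_spread(SAMPLE_LOGS).items():
        print(f"{dst}: contacted by {len(hosts)} host(s): {', '.join(hosts)}")
```

Running the script over the constructed sample flags the two workstations whose unrecognised processes reach the same `azurewebsites.net` host, while the browser, OneDrive and Teams connections pass. In practice the allowlist would be built from a baseline of observed process-to-destination pairs rather than hand-typed, and the output fed to a triage queue rather than treated as a verdict.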
Mandiant said with high confidence that the activity supports Iranian state interests focused on strategic intelligence collection.
Sensitive data was exfiltrated from compromised networks, though the specific content and affected countries have not been disclosed.