MiniBike
MINIBIKE is a custom modular C++ backdoor, also referred to as SlugResin, associated with the Iran-linked espionage cluster UNC1549, also known as Nimbus Manticore, Subtle Snail, and overlapping with reporting on Tortoiseshell/Smoke Sandstorm. It has been used since at least June 2022 in campaigns targeting aerospace, aviation, defense, telecommunications, and related supply-chain organizations, primarily in the Middle East and also in Europe and the United States. Reported targeting includes aviation and defense organizations across the Middle East between 2023 and 2025, European telecom firms via LinkedIn recruitment lures, and broader Dream Job-style operations against defense-sector personnel.
Observed initial access and delivery methods include spear-phishing with job-themed or recruitment-themed lures, fake career and interview websites, fraudulent resume/personality-test applications, and abuse of stolen credentials and third-party relationships. MINIBIKE has been delivered via DLL side-loading/search-order hijacking using legitimate executables, including in fake recruitment workflows where a ZIP archive contains an executable that side-loads a malicious MINIBIKE DLL. Reporting also notes use through cloud-backed infrastructure, especially Azure, for command and control.
High-confidence capabilities described across the source material include system reconnaissance and information gathering; file upload and exfiltration; command execution; directory and file enumeration; fetching and deploying additional payloads; credential theft including Microsoft Outlook credentials and browser data from Chrome, Brave, and Edge; keystroke and clipboard logging; screenshot capture; process listing and termination; and execution of EXE, DLL, BAT, and CMD payloads. Some reporting specifically describes MINIBIKE as supporting 12 commands and being used for Microsoft Outlook credential theft, persistence, and broader post-compromise reconnaissance. It has also been described as maintaining persistence via Windows Registry changes and as being built/deployed in victim-specific DLL variants to hinder detection and forensics.
Operationally, MINIBIKE communications have been observed through Azure cloud infrastructure and Azure-proxied C2, with operators using cloud-hosted subdomains and infrastructure intended to blend with legitimate traffic. Mandiant reported MINIBIKE variants evolving over time in lures, persistence methods, obfuscation, export DLL names, and Azure C2 usage. Associated activity frequently co-deploys other UNC1549 malware and tooling including TWOSTROKE, DEEPROOT, LIGHTRAIL, GHOSTLINE, POLLBLEND, CRASHPAD, DCSYNCER.SLICK, SIGHTGRAB, and TRUSTTRAP.
The malware is tied to long-term espionage objectives, including theft of technical data, emails, credentials, and other sensitive information, with reporting noting long dwell time, stealth, and persistence in compromised environments. One report states UNC1549 maintained access to a victim environment for more than two years using stolen VPN credentials and MiniBike malware and stole nearly one terabyte of proprietary data.
Groups observed using it
3 distinct threat actors attributed by public researchers.
Mandiant observed the following custom malware families used in the suspected UNC1549 activity. MINIBIKE — A custom backdoor written in C++ capable of file exfiltration and upload, command execution, and more. Communicates using Azure cloud infrastructure.
"MINIBIKE (aka SlugResin), a known C++ backdoor that gathers system information and fetches additional payloads..."
Iranian groups deploy MINIBIKE, TWOSTROKE, DEEPROOT, and CRASHPAD in Dream Job-style campaigns...
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
This suspected UNC1549 campaign deployed several evasion techniques to mask their activity: Abusing Microsoft Azure infrastructure for C2 and hosting, making it difficult to discern the activity from legitimate network traffic.
Initial Access
5 techniques
Both state-sponsored actors and financially-motivated hackers mostly leveraged compromised identities.
The websites would eventually lead to downloading a malicious payload.
Tortoiseshell is described as “targeting supply chains”; Curious Serpens attacked “through phishing and supply chain compromises.”
"Each potential victim receives unique login credentials in advance through spear-phishing communications."
This suspected UNC1549 campaign uses two primary methods to achieve initial access to the targets: spear-phishing and credential harvesting. A typical chain of attack consists of several stages: Spear-phishing emails or social media correspondence, disseminating links to fake websites containing Israel-Hamas related content or fake job offers.
Execution
5 techniques
...actors linked to Iran and China, who maintained access to the victim environment well over a year and a half.
MINIBIKE ... provides a full backdoor functionality, including ... running additional processes. MINIBUS provides a more flexible code-execution and command interface, including the ability to run an executable.
User Execution: The victim runs Setup.exe from the archive.
"...the malicious site delivers weaponized archives containing advanced malware."
Persistence
3 techniques
...actors linked to Iran and China, who maintained access to the victim environment well over a year and a half.
Both state-sponsored actors and financially-motivated hackers mostly leveraged compromised identities.
The loader/installer sets persistence for the MINIBIKE payload by moving it to its staging directory and setting the following Run registry key... HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveFileCoAuth.exe ... MINIBUS ... sets persistence for the backdoor using the following registry run key.
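As an added defender's check, not code from the report or this page: a PowerShell hunt over the Run keys named above. The only indicator taken from the page is the value name OneDriveFileCoAuth.exe; the trusted-root allow-list and the "DLLs next to a lone executable" side-loading heuristic (from the delivery description earlier on the page) are this script's own assumptions.

```powershell
# Added example: hunt Run-key persistence of the kind the report attributes to MINIBIKE.
# Assumptions (not from the report): trusted roots and the side-loading heuristic are ours.
$suspectValueNames = @('OneDriveFileCoAuth.exe')   # value name quoted on the page
$trustedRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")

# Run keys for the current user, the machine (64- and 32-bit views), and every loaded user hive.
$runKeys = @('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }

function Test-RunEntry {
    param([string]$Key, [string]$Name, [string]$Command)
    $reasons = @()
    if ($suspectValueNames -contains $Name) { $reasons += 'value name matches reported indicator' }

    # Reduce "C:\path\app.exe" /args or C:\path\app.exe /args to the executable path.
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $inTrusted = $trustedRoots | Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $inTrusted) {
        $reasons += 'launches from outside Program Files / Windows'
        # Heuristic: a staged executable sitting beside DLLs is the side-loading shape the
        # delivery description mentions; only evaluated for non-trusted locations to limit noise.
        $dir = Split-Path $exe -Parent
        if ($dir -and (Test-Path $dir) -and (Get-ChildItem $dir -Filter *.dll -ErrorAction SilentlyContinue)) {
            $reasons += 'DLLs present alongside the launched executable'
        }
    }
    if ($reasons) {
        [pscustomobject]@{ Key = $Key; Name = $Name; Command = $Command; Reasons = ($reasons -join '; ') }
    }
}

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip the provider's PSPath/PSDrive metadata
        Test-RunEntry -Key $key -Name $p.Name -Command ([string]$p.Value)
    }
}
```

Run it elevated so HKEY_USERS hives of other logged-on accounts are readable; a hit on the value name alone is worth an immediate look at the referenced file and its directory.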
Privilege Escalation
3 techniques
...actors linked to Iran and China, who maintained access to the victim environment well over a year and a half.
Both state-sponsored actors and financially-motivated hackers mostly leveraged compromised identities.
The loader/installer sets persistence for the MINIBIKE payload by moving it to its staging directory and setting the following Run registry key... HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveFileCoAuth.exe ... MINIBUS ... sets persistence for the backdoor using the following registry run key.
Stealth
4 techniques
The tools continuously evolve to remain covert, leveraging valid digital signatures, inflating binary sizes, and using multi-stage sideloading and heavy, compiler-level obfuscation.
A benign lure in the form of an application like OneDrive (MINIBIKE) or, in the case of MINIBUS, a custom application presenting content related to Israelis kidnapped by Hamas... Using domain naming schemes that include strings that would likely seem legitimate to network defenders.
Discovery
2 techniques
MINIBIKE ... including directory and file enumeration, collection of system files and information... MINIBUS contains ... more advanced reconnaissance features.
MINIBIKE ... including directory and file enumeration, collection of system files and information, uploading files...
Lateral Movement
2 techniques
“Lateral movement has typically been achieved through remote services (T1021), such as SMB or RDP …” / “Enter-PSSession … ssh … RDP hijacking …”
Iran-linked threat actor UNC1549 had access to a target environment using stolen VPN credentials and the MiniBike malware.
Command and Control
3 techniques
Payload installation and device compromise, achieved after the MINIBIKE or MINIBUS backdoors establish C2 communication, in most cases via Microsoft Azure cloud infrastructure.
The backdoor uses regular HTTPS requests using the Windows API.
Imperial Kitten is described as “using cloud-based C2 servers”; Tortoiseshell “leveraging cloud infrastructure like Azure for C2.”
Exfiltration
2 techniques
MINIBIKE is a custom backdoor written in C++ capable of file exfiltration and upload...
In most of the investigated attacks, the actor's objective was silent exfiltration of high volumes of data without immediate extortion and long-term persistence.
IOCs tracked for this family
38 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Backdoor previously deployed by Nimbus Manticore in attacks against aviation and defense organizations across the Middle East.
Backdoor malware used to maintain long-term access in a victim environment and facilitate theft of nearly one terabyte of proprietary data.
Backdoor family delivered via spear-phishing (including job-themed lures) and leveraging cloud infrastructure (e.g., Azure) for C2; used in supply-chain-oriented espionage.
Tortoiseshell custom backdoor family used for initial footholds and persistent espionage access.