MINIBUS is a custom Windows backdoor associated with the Iranian espionage actor tracked as UNC1549, Tortoiseshell, Smoke Sandstorm, and Screening Serpens. It is part of the Dream Job-style intrusion activity targeting aerospace, aviation, defense, technology, satellite communications, research and development, and defense supply-chain organizations, with observed victimology spanning the Middle East, Western Europe, and North America. MINIBUS is regarded as a newer evolution within this malware lineage and provides a more flexible code-execution interface and stronger reconnaissance functionality than MINIBIKE.
Observed delivery has relied on highly targeted spearphishing and recruitment-themed lures, including fake job and collaboration portals. Infection chains have used user execution of disguised installer content, DLL sideloading through legitimate applications, and .NET AppDomainManager hijacking via configuration-file abuse to load the payload while presenting decoy content or error messages. Persistence has been established through Windows Run Key mechanisms.
Operationally, MINIBUS has been used with HTTPS command-and-control that heavily leverages Microsoft Azure infrastructure and target-specific cloud-hosted endpoints to blend with legitimate traffic. Reported functionality includes remote command execution and enhanced host reconnaissance, including process enumeration that can help operators identify security tooling or virtualized environments. In the broader campaign context, related tooling and procedures supported covert access, intelligence collection, and data theft from targeted organizations. The malware family reflects an espionage-focused tradecraft pattern emphasizing rapid variant turnover, infrastructure rotation, and defense evasion through abuse of legitimate platform behavior and trusted cloud services.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
MiniBike и MiniBus: RAT-семейства кампании Dream Job. Unit 42 классифицировала шесть обнаруженных RAT-вариантов в два семейства... MiniBus - два варианта, эволюция ранее задокументированного семейства.
MiniBike и MiniBus: RAT-семейства кампании Dream Job. Unit 42 классифицировала шесть обнаруженных RAT-вариантов в два семейства... MiniBus - два варианта, эволюция ранее задокументированного семейства.
17 distinct techniques documented for this family, organized by ATT&CK tactic.
The websites would eventually lead to downloading a malicious payload.
Tortoiseshell is described as “targeting supply chains”; Curious Serpens attacked “through phishing and supply chain compromises.”
Multiple Iran-nexus APT groups are described as using spear-phishing: e.g., Charming Kitten uses “spear-phishing with fake personas and compromised emails… phishing via benign PDFs for credential harvesting”; several others use “spear-phishing with malicious documents/attachments/links.”
Цепочка заражения начинается с целевого фишинга через рекрутинговые приманки - адаптированный под конкретные должности вариант Dream Job кампании.
This suspected UNC1549 campaign uses two primary methods to achieve initial access to the targets: spear-phishing and credential harvesting. A typical chain of attack consists of several stages: Spear-phishing emails or social media correspondence, disseminating links to fake websites containing Israel-Hamas related content or fake job offers.
MINIBIKE ... provides a full backdoor functionality, including ... running additional processes. MINIBUS provides a more flexible code-execution and command interface, including the ability to run an executable.
При запуске setup.exe из Hiring Portal.zip открывается поддельное окно ошибки с заголовком "Hiring Portal.zip". Пользователь видит ожидаемое поведение - "портал не загрузился" - и не замечает, что payload уже крутится в фоне.
A benign lure in the form of an application like OneDrive (MINIBIKE) or, in the case of MINIBUS, a custom application presenting content related to Israelis kidnapped by Hamas... Using domain naming schemes that include strings that would likely seem legitimate to network defenders.
Payload installation and device compromise, achieved after the MINIBIKE or MINIBUS backdoors establish C2 communication, in most cases via Microsoft Azure cloud infrastructure.
21 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
RAT family used in the same UNC1549/Screening Serpens Dream Job espionage activity. The content describes it as an evolved previously documented family deployed against organizations in the Middle East and the United States as part of a cloud-backed espionage intrusion set.
Named as a TA455 custom backdoor family/tooling in the report; no additional functional detail provided in this content beyond being a custom backdoor used by TA455.
Backdoor malware used by Tortoiseshell for espionage, delivered via phishing and leveraging cloud-based command and control.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.