Skip to main content
Mallory
Back to malware
MalwareUsed by 3 actors

CRASHPAD

CRASHPAD is a C++ Windows utility used by the Iran-linked threat cluster UNC1549, also known as Nimbus Manticore and Subtle Snail. It is used post-compromise to extract credentials saved within web browsers. Reporting places it in broader UNC1549 intrusions targeting aerospace, aviation, and defense organizations in the Middle East, and in Dream Job-style social-engineering campaigns against aerospace and defense targets in the Middle East and the United States. UNC1549 has also been reported using recruitment- and resume-themed lures, spear-phishing, and stolen credentials for remote access platforms such as Azure Virtual Desktop, Citrix, and VMware to gain access.

CRASHPAD is described as one of several custom Windows utilities and backdoors deployed alongside tooling such as MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, GHOSTLINE, POLLBLEND, DCSYNCER.SLICK, SIGHTGRAB, and TRUSTTRAP. Mandiant reported that UNC1549 abused DLL search order hijacking to execute CRASHPAD and other payloads, often masquerading malicious components as legitimate software from vendors including FortiGate, Microsoft, NVIDIA, Citrix, and VMware, and in some cases installing legitimate software to facilitate hijacking. The campaign emphasized stealth, operational security, and long-term persistence, with uniquely hashed payloads observed across victim environments. High-confidence functionality directly attributed to CRASHPAD in the content is browser-saved credential theft on Windows.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Subtle Snail

"CRASHPAD, a C++ Windows utility to extract credentials saved within web browsers"

via the hacker newsthehackernews.com
Magic Hound

"CRASHPAD, a C++ Windows utility to extract credentials saved within web browsers"

via the hacker newsthehackernews.com
UNC6446

Iranian groups deploy MINIBIKE, TWOSTROKE, DEEPROOT, and CRASHPAD in Dream Job-style campaigns...

via rescana blogrescana.com
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566PhishingEvidence1
TacticInitial Access

APT45 (Andariel) , APT43 (Kimsuky) , and UNC2970 (Lazarus Group) from North Korea are leveraging social engineering, “Dream Job” campaigns... Iranian groups deploy... in Dream Job-style campaigns, often using resume and personality test apps as delivery vectors.

Execution

1 technique
T1574.001DLLEvidence1
TacticsExecutionStealth

"UNC1549 abused DLL search order hijacking to execute CRASHPAD, DCSYNCER.SLICK, GHOSTLINE, LIGHTRAIL, MINIBIKE, POLLBLEND, SIGHTGRAB, and TWOSTROKE payloads... installed the legitimate software after initial access in order to abuse SOH... replaced or added the malicious DLLs within the legitimate installation directory, typically with SYSTEM privileges."

Stealth

1 technique
T1574.001DLLEvidence1
TacticsExecutionStealth

"UNC1549 abused DLL search order hijacking to execute CRASHPAD, DCSYNCER.SLICK, GHOSTLINE, LIGHTRAIL, MINIBIKE, POLLBLEND, SIGHTGRAB, and TWOSTROKE payloads... installed the legitimate software after initial access in order to abuse SOH... replaced or added the malicious DLLs within the legitimate installation directory, typically with SYSTEM privileges."

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
rescana blogNews
Feb 15, 2026
Coordinated State-Sponsored Cyber Attacks Target Battlefield Management and Defense Supply Chains: Google Links China, Iran, Russia, North Korea

Malware used in Dream Job-style social-engineering campaigns via resume/personality-test apps (as described).

Read more
the hacker newsNews
Feb 13, 2026
Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations

Malware family used by UNC1549/Nimbus Manticore in Middle East aerospace/aviation/defense targeting.

Read more
scworldNews
Nov 19, 2025
Multiple tools harnessed in Iranian cyberespionage attacks against Middle East

Windows utility used during intrusions (specific function not described in the provided content).

Read more
the hacker newsNews
Nov 18, 2025
Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks

C++ Windows credential extraction utility focused on harvesting credentials stored in web browsers.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping2

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.