LightRail
LIGHTRAIL is a custom tunneling malware used for covert command-and-control and data exfiltration. Reporting describes it as likely based on Lastenzug, an open-source Socks4a proxy, and as communicating through Azure cloud infrastructure, including hardcoded WebSocket parameters, to blend malicious traffic with legitimate cloud activity. It has been associated with the Iran-linked espionage cluster UNC1549, which overlaps with Tortoiseshell and has also been described as Nimbus Manticore and Subtle Snail. LIGHTRAIL has been used in espionage intrusions targeting aerospace, aviation, defense, telecommunications, and related sectors across the Middle East, Europe, and other regions. It has also been referenced in broader reporting on Tortoiseshell tooling. Observed tradecraft includes delivery and execution via DLL search order hijacking: one reported case involved a ZIP archive containing the LIGHTRAIL payload as VGAuth.dll, executed through VGAuthCLI.exe. LIGHTRAIL is frequently mentioned alongside other UNC1549/Tortoiseshell tools including GHOSTLINE, POLLBLEND, MINIBIKE, TWOSTROKE, DEEPROOT, DCSYNCER.SLICK, CRASHPAD, and SIGHTGRAB. The source material characterizes LIGHTRAIL with high confidence as a stealthy tunneler that disguises malicious communications within legitimate cloud traffic to support resilient connectivity and covert exfiltration.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
LIGHTRAIL — A tunneler, likely based on an open-source Socks4a proxy, that communicates using Azure cloud infrastructure.
"LIGHTRAIL, a custom tunneler that's likely based on Lastenzug, an open-source Socks4a proxy that communicates using Azure cloud infrastructure"
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
This suspected UNC1549 campaign deployed several evasion techniques to mask their activity: Abusing Microsoft Azure infrastructure for C2 and hosting, making it difficult to discern the activity from legitimate network traffic.
Execution
1 technique
"UNC1549 abused DLL search order hijacking to execute CRASHPAD, DCSYNCER.SLICK, GHOSTLINE, LIGHTRAIL, MINIBIKE, POLLBLEND, SIGHTGRAB, and TWOSTROKE payloads... installed the legitimate software after initial access in order to abuse SOH... replaced or added the malicious DLLs within the legitimate installation directory, typically with SYSTEM privileges."
Stealth
2 techniques
A benign lure in the form of an application like OneDrive (MINIBIKE) or, in the case of MINIBUS, a custom application presenting content related to Israelis kidnapped by Hamas... Using domain naming schemes that include strings that would likely seem legitimate to network defenders.
"UNC1549 abused DLL search order hijacking to execute CRASHPAD, DCSYNCER.SLICK, GHOSTLINE, LIGHTRAIL, MINIBIKE, POLLBLEND, SIGHTGRAB, and TWOSTROKE payloads... installed the legitimate software after initial access in order to abuse SOH... replaced or added the malicious DLLs within the legitimate installation directory, typically with SYSTEM privileges."
Command and Control
3 techniques
Payload installation and device compromise, achieved after the MINIBIKE or MINIBUS backdoors establish C2 communication, in most cases via Microsoft Azure cloud infrastructure.
LIGHTRAIL, a unique tunneler used in the campaign... LIGHTRAIL likely leverages the open-source utility “Lastenzug” ... a Socks4a proxy based on websockets.
fallback channels and protocol tunneling tools such as Ngrok and ZeroTier ensured continuity
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Tortoiseshell malware component used within a modular framework for long-term access and movement.
Tunneling tool used for covert command-and-control and data exfiltration by disguising malicious traffic within legitimate cloud communications.
Tunneling tool used during intrusions (likely for covert C2/traffic forwarding).
Custom tunneling/proxy tool (likely derived from the open-source Socks4a proxy Lastenzug) that uses Azure cloud infrastructure for communications.