DeepRoot
DEEPROOT is a custom backdoor used by the Iran-linked threat cluster UNC1549, also tracked as Nimbus Manticore and associated in reporting with Tortoiseshell. It has been used in espionage campaigns targeting aerospace, aviation, defense, and, in some reporting, telecommunications organizations across the Middle East, Europe, the U.S., and other regions from at least late 2023 through 2025. Multiple sources describe DEEPROOT as a Golang-based Linux backdoor and as the Linux counterpart to TWOSTROKE. Its documented capabilities include shell command execution, system information enumeration, and file operations including deletion, upload, and download. Reporting also places DEEPROOT in Dream Job-style and recruitment-themed social-engineering campaigns, including resume and personality-test style delivery chains, alongside other UNC1549 malware such as MINIBIKE, TWOSTROKE, CRASHPAD, LIGHTRAIL, GHOSTLINE, POLLBLEND, DCSYNCER.SLICK, SIGHTGRAB, and TRUSTTRAP. The broader intrusion set used spear-phishing, stolen credentials, abuse of third-party relationships, and access to remote platforms such as Azure Virtual Desktop, Citrix, and VMware; however, reporting attributes DEEPROOT itself to post-compromise backdoor functionality rather than initial access. High-confidence behavior directly attributed to DEEPROOT is limited to shell execution, host/system enumeration, and file management on Linux systems.
Groups observed using it
3 distinct threat actors attributed by public researchers.
The group is also linked to attacks on aviation and defense organizations across the Middle East between 2023 and 2025, deploying backdoors such as MINIBIKE, TWOSTROKE and DEEPROOT.
"DEEPROOT, a Golang-based Linux backdoor that supports shell command execution, system information enumeration, and file operations"
Iranian groups deploy MINIBIKE, TWOSTROKE, DEEPROOT, and CRASHPAD in Dream Job-style campaigns...
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Common TTPs across these campaigns include spearphishing, supply chain compromise, drive-by downloads, malicious RDP and LNK files, credential dumping, obfuscated payloads, and encrypted command and control (C2) channels.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Backdoor previously deployed by Nimbus Manticore in attacks against aviation and defense organizations across the Middle East.
Component of Tortoiseshell’s modular intrusion framework supporting persistent espionage access.
Malware used in Dream Job-style social-engineering campaigns via resume/personality-test apps (as described).
Malware family used by UNC1549/Nimbus Manticore in Middle East aerospace/aviation/defense targeting.