Mallory
Iran

Smoke Sandstorm

UNC1549 is an Iranian state-backed cyber-espionage group, with high-confidence links to the Islamic Revolutionary Guard Corps (IRGC) and significant overlap with the Tortoiseshell group. The group is also tracked as Imperial Kitten (CrowdStrike), GalaxyGato (ESET), Subtle Snail, Nimbus Manticore, and Smoke Sandstorm. Active since at least early 2024, UNC1549 primarily targets the aerospace, aviation, and defense sectors across the Middle East, Israel, the US, UAE, Qatar, Spain, and Saudi Arabia, but has also expanded into the technology, hospitality, finance, and transportation sectors.

For initial access, UNC1549 employs spear-phishing (often with job-themed lures), supply chain attacks, and credential theft, frequently leveraging compromised third-party suppliers to bypass otherwise robust defenses. The group uses a sophisticated malware arsenal, including custom tools such as Twostroke (C++ backdoor), Deeproot, Crashpad, Dcsyncer.slick (Active Directory hash extraction), Ghostline, Pollblend (tunneling), Sightgrab (screenshots), Trusttrap (credential theft via pop-ups), and Lightrail. It also abuses code-signing certificates (notably from SSL.com) to sign malware, drastically reducing detection rates. UNC1549 mimics legitimate software from vendors such as FortiGate, Microsoft, Nvidia, Citrix, and VMware, and sometimes installs legitimate software solely to load malicious binaries through it.

To evade detection and maintain long-term persistence, the group uses DLL search order hijacking and SSH reverse tunnels and deletes forensic artifacts; its backdoors can remain dormant for months. UNC1549's operations are characterized by strategic intelligence gathering, theft of sensitive data (emails, intellectual property, network documentation), and support for Iran's military and geopolitical objectives, including missile and drone program advancements and sanctions circumvention. The group is highly adaptive, anticipating incident response and ensuring persistence even after remediation attempts.

Their activities are part of a broader Iranian cyber campaign targeting critical infrastructure and supporting covert procurement networks. Known sub-groups and aliases include Tortoiseshell, Subtle Snail, Nimbus Manticore, and Smoke Sandstorm.
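Two of the evasion patterns described above, DLL search order hijacking (a DLL dropped beside a vendor-look-alike executable in a user-writable directory) and malware carrying a valid but non-Microsoft code signature, leave a recognisable shape in endpoint telemetry. The following detection logic is an added example written for this profile; it is not Mallory's code nor a rule from any vendor cited here. It runs over constructed, Sysmon-style image-load records (Event ID 7 fields: Image, ImageLoaded, Signed, Signature); the file paths, signer names and the short list of commonly hijacked system DLL names are assumptions for illustration, not indicators from this page.

```python
import ntpath

# Constructed Sysmon-style Event ID 7 (image load) records, not real telemetry.
# Event 2 mimics a vendor updater sideloading an unsigned DLL from %TEMP%;
# event 4 mimics a system DLL name carrying a non-Microsoft signature.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\FortiClientUpdate.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll",
     "Signed": "false", "Signature": ""},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\app.dll",
     "Signed": "true", "Signature": "Vendor Inc"},
    {"Image": "C:\\Users\\alice\\Downloads\\NvidiaSetup.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\dbghelp.dll",
     "Signed": "true", "Signature": "Example Shell Co"},
]

# Assumed watch-list of DLL names that legitimately live in System32 and are
# frequently planted next to an executable to hijack its search order.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll",
               "userenv.dll", "dwmapi.dll", "uxtheme.dll", "winhttp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _dirname(path: str) -> str:
    # Normalised, lower-cased directory with a trailing backslash.
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def in_system_dir(path: str) -> bool:
    return _dirname(path).startswith(SYSTEM_DIRS)


def in_user_writable_dir(path: str) -> bool:
    return any(marker in _dirname(path) for marker in USER_WRITABLE_MARKERS)


def classify_image_load(event: dict) -> list:
    """Return the list of reasons this image-load record looks like sideloading."""
    reasons = []
    loaded = event["ImageLoaded"]
    dll = _basename(loaded)
    signed = event.get("Signed", "false").lower() == "true"
    signer = event.get("Signature", "")

    # Search-order hijack pattern: a System32 DLL name resolved outside System32.
    if dll in SYSTEM_DLLS and not in_system_dir(loaded):
        reasons.append("known system DLL loaded outside System32/SysWOW64")
    # Unsigned code loaded from a location a standard user can write to.
    if in_user_writable_dir(loaded) and not signed:
        reasons.append("unsigned DLL loaded from user-writable directory")
    # Code-signing abuse pattern: a system DLL name with a valid third-party signature.
    if dll in SYSTEM_DLLS and signed and signer != "Microsoft Windows":
        reasons.append("system DLL name signed by non-Microsoft signer: %s" % signer)
    return reasons


def find_sideload_candidates(events: list) -> list:
    """Return one finding per suspicious record: loader image, DLL name, reasons."""
    findings = []
    for event in events:
        reasons = classify_image_load(event)
        if reasons:
            findings.append({"image": event["Image"],
                             "dll": _basename(event["ImageLoaded"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_EVENTS):
        print(finding["image"], "->", finding["dll"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The rules deliberately key on location and signer rather than on file hashes, since the profile notes that this actor rotates tooling and obtains fresh certificates; a hash-based rule would age out while the sideloading shape persists. Tune SYSTEM_DLLS and USER_WRITABLE_MARKERS to the estate, and expect to add an allow-list for installers that legitimately unpack into %TEMP%.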

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

Risky Biz RSS (News)
Nov 19, 2025
Risky Bulletin: Microsoft will integrate Sysmon into Windows

UNC1549 (Nimbus Manticore) is an Iranian cyber-espionage group targeting aerospace, aviation, and defense sectors.

Bank Info Security (News)
Nov 18, 2025
Google Finds New Malware Backdoors Linked to Iran

UNC1549 is an Iranian state-sponsored threat actor known for targeting aerospace, aviation, and defense industries in the Middle East. The group has evolved its operations by deploying multiple custom malware variants and advanced post-exploitation techniques to maintain persistence and evade detection.

Dark Reading (News)
Nov 18, 2025
Iran-Nexus Threat Actor UNC1549 Takes Aim at Aerospace

UNC1549 is conducting espionage campaigns targeting aerospace, aviation, and defense organizations, as well as expanding to technology, hospitality, finance, and transportation sectors. The group uses spear-phishing, supply chain attacks, and custom malware to steal sensitive information, intellectual property, and credentials, primarily for strategic intelligence gathering aligned with Iranian interests.

Dark Reading (News)
Sep 26, 2025
Iranian State Hackers Use SSL.com Certificates to Sign Malware

UNC1549 is an Iranian cyber espionage group linked to Charming Kitten APT, known for using code-signing certificates from SSL.com to sign malware, making it harder to detect. They have targeted European organizations with backdoors and infostealers, leveraging fraudulent or impersonated companies to acquire valid certificates.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.