Tickler
Tickler is a custom multi-stage backdoor used by the Iranian state-sponsored threat actor Peach Sandstorm, which Microsoft assesses operates on behalf of the IRGC. Microsoft observed Tickler deployed between April and July 2024 in campaigns targeting organizations in the satellite, communications equipment, oil and gas, and U.S. federal and state government sectors, with victims in the United States and the United Arab Emirates. Reporting also describes targeting of defense, space, education, government, energy, telecommunications, and satellite-related entities in overlapping Peach Sandstorm activity.
Tickler uses attacker-controlled Azure infrastructure for command and control, including fraudulent or compromised Azure subscriptions and Azure App Service resources. Microsoft observed the malware communicating with attacker-controlled Azure resources, and Peach Sandstorm used compromised education-sector accounts to access existing Azure subscriptions or create new Azure for Students subscriptions to host operational infrastructure.
Observed delivery included a decoy-laden ZIP archive such as "Network Security.zip" containing benign PDF documents and a malicious executable named "YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe," a double extension that reads as a PDF when Windows hides known extensions. Microsoft identified at least two Tickler samples. An initial 64-bit C/C++ PE sample walked the PEB to resolve kernel32 functionality without a static import table, launched a benign PDF decoy, collected host and network information, and sent it to a C2 URI via HTTP POST. A later sample, "sold.dll," acted as a Trojan dropper that downloaded additional payloads from C2, including legitimate signed binaries such as msvcp140.dll, LoggingPlatform.dll, vcruntime140.dll, and Microsoft.SharePoint.NativeMessaging.exe, likely to support DLL sideloading.
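The double-extension lure described above is the kind of thing an archive-inspection step at the mail gateway or on the endpoint can catch before the executable ever runs. The following Python is an added example, not Microsoft's or Mallory's code: it builds a constructed ZIP laid out like the reported "Network Security.zip" (a benign PDF decoy beside a ".pdf.exe" whose bytes start with the PE "MZ" magic) and flags members whose final extension is executable behind a document extension, or whose leading bytes are a PE despite a document-only extension. The member contents and the extension lists are constructed for illustration and are not taken from the report.

```python
import io
import zipfile

# Extension lists are assumptions for this example, not taken from the report.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".js", ".vbs",
                   ".bat", ".cmd", ".hta", ".msi", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".rtf", ".txt"}
MZ_MAGIC = b"MZ"  # first two bytes of every PE file


def extensions(member_name):
    """Lower-cased extensions of an archive member, innermost first.
    'dir/GUIDE_20240421.pdf.exe' -> ['.pdf', '.exe']"""
    base = member_name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def classify_member(member_name, head):
    """Return the list of findings for one member given its name and leading bytes."""
    exts = extensions(member_name)
    findings = []
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        findings.append("double_extension")            # e.g. *.pdf.exe
    if exts and exts[-1] in DOCUMENT_EXTS and head.startswith(MZ_MAGIC):
        findings.append("pe_with_document_extension")  # bytes say PE, name says document
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append("executable_in_archive")
    return findings


def scan_archive(zip_bytes):
    """Map each suspicious member name to its findings; clean members are omitted."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic is needed, so never inflate the whole member
            findings = classify_member(info.filename, head)
            if findings:
                results[info.filename] = findings
    return results


def build_sample_archive():
    """Constructed archive laid out like the reported 'Network Security.zip':
    a benign PDF decoy beside a double-extension executable. Contents are fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Network Security/Satellite Overview.pdf",
                    b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("Network Security/YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe",
                    MZ_MAGIC + b"\x00" * 62)  # fake DOS header, not a real PE
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_archive(build_sample_archive()).items():
        print(f"{name}: {', '.join(findings)}")
```

Reading only the first two bytes of each member keeps the scan cheap and avoids inflating a large or hostile member; the magic check catches the inverse trick as well, a true PE renamed to a bare ".pdf".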
Tickler establishes persistence via a batch script that adds a registry Run key for "SharePoint.exe" and uses legitimate Windows-signed binaries to evade detection. Reported backdoor capabilities include beaconing to Azure App Service, downloading additional payloads, host and network discovery, directory listing, command execution, file deletion, configurable beacon interval, and file upload/download. Explicitly observed commands include systeminfo, dir, run, delete, interval, upload, and download.
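Two of the artifacts reported above are cheap to hunt for on the endpoint: a Run value that launches SharePoint.exe from a user-writable path, and a staging directory where an EXE sits beside the runtime DLLs the dropper fetched (msvcp140.dll, vcruntime140.dll, LoggingPlatform.dll). The Python below is an added example, not code from the report or from Mallory. It triages constructed Sysmon-style registry-set records (the TargetObject and Details field names Sysmon Event ID 13 emits) and a constructed directory listing. The trusted-directory prefixes, severity tiers, SIDs and sample paths are assumptions chosen for illustration, and legitimate software (OneDrive under AppData, for one) also autostarts from user-writable paths, so the "low" tier is a review queue, not a verdict.

```python
import ntpath

RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Coarse allow-list for this example; real deployments should key on code signing
# and install inventory rather than on path prefixes alone.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
WRITABLE_UNDER_WINDOWS = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\", "c:\\windows\\tracing\\")
ENV_VARS = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows",
            "%programfiles%": "c:\\program files"}
# Runtime DLLs the report lists as fetched alongside Microsoft.SharePoint.NativeMessaging.exe.
SIDELOAD_DLLS = {"msvcp140.dll", "vcruntime140.dll", "loggingplatform.dll"}


def image_from_run_value(data):
    """Extract the executable path from Run value data, lower-cased with env vars expanded.
    Handles both '"C:\\path with spaces\\x.exe" /arg' and 'C:\\path\\x.exe /arg'."""
    s = data.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        path = s[1:end] if end != -1 else s[1:]
    else:
        low = s.lower()
        i = low.find(".exe")
        path = s[:i + 4] if i != -1 else s.split(" ", 1)[0]
    path = path.lower()
    for var, value in ENV_VARS.items():
        path = path.replace(var, value)
    return path


def is_trusted_location(image):
    return image.startswith(TRUSTED_PREFIXES) and not image.startswith(WRITABLE_UNDER_WINDOWS)


def triage_run_event(event):
    """Return (value_name, image_path, severity) for a Run/RunOnce write worth review, else None."""
    target = event["TargetObject"].lower()
    if not any(key in target for key in RUN_KEYS):
        return None
    image = image_from_run_value(event["Details"])
    value_name = target.rsplit("\\", 1)[-1]
    if is_trusted_location(image):
        return None
    # The reported persistence: a Run value for SharePoint.exe outside any install directory.
    if ntpath.basename(image) == "sharepoint.exe":
        return (value_name, image, "high")
    return (value_name, image, "low")  # any autorun from a user-writable path earns a look


def triage_run_events(events):
    return [hit for hit in map(triage_run_event, events) if hit]


def sideload_staging(directory, filenames):
    """Return the reported runtime DLLs found beside an EXE in a non-install directory."""
    d = directory.lower().rstrip("\\") + "\\"
    if is_trusted_location(d):
        return set()
    names = {f.lower() for f in filenames}
    has_exe = any(n.endswith(".exe") for n in names)
    return names & SIDELOAD_DLLS if has_exe else set()


# Constructed Sysmon Event ID 13 (RegistryEvent value set) records; SIDs and paths are fake.
SAMPLE_RUN_EVENTS = [
    {"TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SharePoint",
     "Details": "\"C:\\Users\\jdoe\\AppData\\Roaming\\SharePoint\\SharePoint.exe\""},
    {"TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "%windir%\\system32\\SecurityHealthSystray.exe"},
    {"TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
]

# Constructed listing of the directory the first Run value points at.
SAMPLE_DIR = "C:\\Users\\jdoe\\AppData\\Roaming\\SharePoint"
SAMPLE_FILES = ["SharePoint.exe", "Microsoft.SharePoint.NativeMessaging.exe",
                "msvcp140.dll", "vcruntime140.dll", "LoggingPlatform.dll"]

if __name__ == "__main__":
    for value_name, image, severity in triage_run_events(SAMPLE_RUN_EVENTS):
        print(f"[{severity}] Run\\{value_name} -> {image}")
    print("sideload staging DLLs:", sorted(sideload_staging(SAMPLE_DIR, SAMPLE_FILES)))
```

On the constructed input the SharePoint.exe entry is the only "high" result; the OneDrive entry lands in the "low" tier, which is exactly the noise an analyst should expect and should resolve with signature and install-inventory checks rather than by trusting path alone.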
Associated tradecraft in the same campaigns included password spraying against thousands of organizations, use of the user agent "go-http-client" (the default User-Agent string of Go's net/http client), sign-ins from commercial VPN infrastructure once a password had been validated, and LinkedIn-based reconnaissance and possible social engineering by Peach Sandstorm. High-confidence malware-related indicators named in the underlying reporting are the archive "Network Security.zip," the executable "YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe," the DLL "sold.dll," and persistence via a Run key for "SharePoint.exe."
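The spray-then-VPN pattern described above translates directly into a two-stage detection: first find source IPs whose failed sign-ins span many distinct accounts inside a short window (noting the go-http-client user agent as a corroborating signal, not a requirement), then look for a later success against one of those accounts from a different IP. This Python is an added example, not a vendor detection and not part of the report. The sign-in records are constructed and flattened to Entra sign-in log field names (createdDateTime, userPrincipalName, ipAddress, userAgent, and the status errorCode, with 50126 as the invalid-credential code and 0 as success); the thresholds, account names and IP addresses (from the RFC 5737 documentation ranges) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune to tenant size and baseline noise.
SPRAY_MIN_USERS = 5                   # distinct accounts one IP must fail against...
SPRAY_WINDOW = timedelta(minutes=30)  # ...inside this sliding window
FOLLOW_ON_WINDOW = timedelta(hours=24)
INVALID_CREDENTIALS = 50126           # Entra status.errorCode for bad username/password
SUCCESS = 0
SPRAY_UA_MARKER = "go-http-client"    # the user agent reported in these campaigns


def parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_spray(events, min_users=SPRAY_MIN_USERS, window=SPRAY_WINDOW):
    """Return {ip: {"users": set, "go_http_client": bool}} for IPs whose failed sign-ins
    hit at least min_users distinct accounts within any sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["errorCode"] != SUCCESS:
            failures[e["ipAddress"]].append(
                (parse_time(e["createdDateTime"]), e["userPrincipalName"].lower(), e["userAgent"]))
    hits = {}
    for ip, recs in failures.items():
        recs.sort()
        lo = 0
        for hi in range(len(recs)):
            while recs[hi][0] - recs[lo][0] > window:
                lo += 1
            if len({u for _, u, _ in recs[lo:hi + 1]}) >= min_users:
                hits[ip] = {
                    "users": {u for _, u, _ in recs},
                    "go_http_client": any(SPRAY_UA_MARKER in ua.lower() for _, _, ua in recs),
                }
                break
    return hits


def follow_on_successes(events, spray_hits, window=FOLLOW_ON_WINDOW):
    """Successful sign-ins to a sprayed account, from an IP other than the spraying one,
    within window after that account's last failure from the spray IP.
    Returned as (user, ip, createdDateTime) tuples."""
    last_fail = {}  # user -> (spray_ip, time of last failure from it)
    for e in events:
        if e["ipAddress"] in spray_hits and e["errorCode"] != SUCCESS:
            u = e["userPrincipalName"].lower()
            t = parse_time(e["createdDateTime"])
            if u not in last_fail or t > last_fail[u][1]:
                last_fail[u] = (e["ipAddress"], t)
    out = []
    for e in events:
        u = e["userPrincipalName"].lower()
        if e["errorCode"] == SUCCESS and u in last_fail:
            spray_ip, t_fail = last_fail[u]
            delta = parse_time(e["createdDateTime"]) - t_fail
            if e["ipAddress"] != spray_ip and timedelta(0) <= delta <= window:
                out.append((u, e["ipAddress"], e["createdDateTime"]))
    return out


def ev(ts, upn, ip, code, ua):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "errorCode": code, "userAgent": ua}


# Constructed sign-in records. IPs are from the RFC 5737 documentation ranges.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
SAMPLE_EVENTS = [
    ev(f"2024-05-02T08:0{i}:00Z", f"user{i}@example.edu", "203.0.113.10",
       INVALID_CREDENTIALS, "Go-http-client/1.1")
    for i in range(6)
] + [
    ev("2024-05-02T08:02:30Z", "jdoe@example.edu", "192.0.2.5", INVALID_CREDENTIALS, BROWSER_UA),  # one typo
    ev("2024-05-02T08:03:10Z", "jdoe@example.edu", "192.0.2.5", SUCCESS, BROWSER_UA),
    ev("2024-05-02T10:30:00Z", "user3@example.edu", "198.51.100.7", SUCCESS, BROWSER_UA),  # sprayed account, new IP
]

if __name__ == "__main__":
    hits = detect_spray(SAMPLE_EVENTS)
    for ip, info in hits.items():
        print(f"spray from {ip}: {len(info['users'])} accounts, go-http-client={info['go_http_client']}")
    for user, ip, when in follow_on_successes(SAMPLE_EVENTS, hits):
        print(f"follow-on success: {user} from {ip} at {when}")
```

The second stage is what separates a nuisance spray from a compromise: a success against a sprayed account from an address the spray never used is the sign-in you want paged, and it is the one that a rule keyed only on failure counts misses.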
Groups observed using it
Two actor names are attributed by public researchers, Peach Sandstorm and APT33. These are vendor aliases for the same Iranian group (Palo Alto Networks tracks it as Curious Serpens), not two separate actors.
Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler.
In 2024, they... deployed Tickler malware against US and UAE satellite, government, and energy sectors.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
APT33 uses Azure Active Directory (AAD) and Azure subscriptions as C2 infrastructure. Their custom malware, Tickler, was observed communicating with attacker-controlled Azure resources.
Initial Access
2 techniques
Multiple Iran-nexus APT groups are described as using spear-phishing: e.g., Charming Kitten uses “spear-phishing with fake personas and compromised emails… phishing via benign PDFs for credential harvesting”; several others use “spear-phishing with malicious documents/attachments/links.”
The first sample was contained in an archive file named Network Security.zip alongside benign PDF files used as decoy documents.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
1 technique
The archive file contained: YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe – the Tickler malware
Discovery
1 technique
The sample collects the network information from the host and sends it to the C2 URI via HTTP POST request
Command and Control
3 techniques
Peach Sandstorm deployed a new custom multi-stage backdoor, Tickler, and leveraged Azure infrastructure hosted in fraudulent, attacker-controlled Azure subscriptions for command-and-control (C2).
The sample collects the network information from the host and sends it to the C2 URI via HTTP POST request
The malware downloads additional payloads from the C2 server, including a backdoor, a batch script to set persistence for this backdoor
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Malware deployed in targeted intrusions affecting satellite, government, and energy-related targets (as described in the report).
Malware used by Peach Sandstorm (APT33) for targeting satellite, government, and energy sectors.
Custom backdoor malware used by Curious Serpens (Peach Sandstorm) for espionage and data collection.
Custom malware attributed to APT33 that communicates with attacker-controlled Azure resources used as command-and-control infrastructure.