Skip to main content
Mallory
Back to malware
MalwareUsed by 2 actors

DCSyncer.Slick

DCSyncer.Slick is a Windows post-exploitation utility used by the Iran-linked espionage actor UNC1549, also tracked as Nimbus Manticore and Subtle Snail, and described in broader reporting as part of the Tortoiseshell toolset. It is used to conduct DCSync-style attacks against Active Directory in order to extract NTLM password hashes directly from domain controllers, supporting privilege escalation and credential access objectives. Reporting describes it as a Windows utility based on DCSyncer that mimics the legitimate Active Directory replication feature. DCSyncer.Slick has been observed in intrusions targeting aerospace, aviation, and defense organizations across the Middle East, and related reporting also links the broader actor to telecommunications targeting. UNC1549 commonly gains initial access through spear-phishing, stolen credentials, abuse of third-party relationships, and access to remote platforms such as Azure Virtual Desktop, Citrix, and VMware. After compromise, the actor deploys DCSyncer.Slick alongside other custom malware and utilities including MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, GHOSTLINE, POLLBLEND, CRASHPAD, SIGHTGRAB, and TRUSTTRAP. Mandiant reported that UNC1549 abused DLL search order hijacking to execute DCSyncer.Slick and other payloads, often by masquerading malicious components as legitimate software from vendors such as FortiGate, Microsoft, NVIDIA, Citrix, and VMware, and in some cases installing legitimate software to facilitate the hijack. High-confidence capability information directly stated in the source is that DCSyncer.Slick extracts NTLM password hashes from domain controllers and is used for DCSync attacks for privilege escalation.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Magic Hound

Over subsequent years, the group layered in additional tooling — MiniJunk, MiniBrowse, DCSyncer.Slick, DeepRoot, GhostLine, LightRail, and others...

via trellix blogtrellix.com
Subtle Snail

"DCSYNCER.SLICK, a Windows utility based on DCSyncer to conduct DCSync attacks for privilege escalation"

via the hacker newsthehackernews.com
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1574.001DLLEvidence1
TacticsExecutionStealth

"UNC1549 abused DLL search order hijacking to execute CRASHPAD, DCSYNCER.SLICK, GHOSTLINE, LIGHTRAIL, MINIBIKE, POLLBLEND, SIGHTGRAB, and TWOSTROKE payloads... installed the legitimate software after initial access in order to abuse SOH... replaced or added the malicious DLLs within the legitimate installation directory, typically with SYSTEM privileges."

Stealth

1 technique
T1574.001DLLEvidence1
TacticsExecutionStealth

"UNC1549 abused DLL search order hijacking to execute CRASHPAD, DCSYNCER.SLICK, GHOSTLINE, LIGHTRAIL, MINIBIKE, POLLBLEND, SIGHTGRAB, and TWOSTROKE payloads... installed the legitimate software after initial access in order to abuse SOH... replaced or added the malicious DLLs within the legitimate installation directory, typically with SYSTEM privileges."

Credential Access

2 techniques
T1003.006DCSyncEvidence1
TacticCredential Access

including Kerberoasting, DCSync operations, RDP hijacking, and internal spear phishing

T1558.003KerberoastingEvidence1
TacticCredential Access

including Kerberoasting, DCSync operations, RDP hijacking, and internal spear phishing

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
trellix blogNews
Mar 2, 2026
The Iranian Cyber Capability 2026

Tool in Tortoiseshell’s framework associated with credential theft and long-term persistent access.

Read more
scworldNews
Nov 19, 2025
Multiple tools harnessed in Iranian cyberespionage attacks against Middle East

Windows utility used during intrusions (specific function not described in the provided content).

Read more
the hacker newsNews
Nov 18, 2025
Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks

Windows utility derived from DCSyncer used to perform DCSync-style credential replication attacks to obtain elevated access.

Read more
dark readingNews
Nov 18, 2025
Iran-Nexus Threat Actor UNC1549 Takes Aim at Aerospace

Credential-dumping tool that abuses/mimics Active Directory DCSync replication behavior to extract NTLM password hashes from domain controllers.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.