Mallory
Malware, used by 3 actors

TWOSTROKE

TWOSTROKE is a custom C++ backdoor associated with the Iran-linked espionage cluster UNC1549, also known as Nimbus Manticore and Subtle Snail, which has targeted aerospace, aviation, defense and, in some reporting, telecommunications organizations across the Middle East, Europe, and other regions from at least late 2023 through 2025. It has been used in Dream Job-style and recruitment-themed campaigns, including operations abusing spear-phishing, stolen credentials, third-party relationships, and virtual desktop/collaboration platforms such as Azure Virtual Desktop, Citrix, and VMware. Mandiant reported TWOSTROKE was deployed alongside other UNC1549 malware families including MINIBIKE, DEEPROOT, CRASHPAD, DCSYNCER.SLICK, GHOSTLINE, POLLBLEND, SIGHTGRAB, LIGHTRAIL, and TRUSTTRAP.

High-confidence capabilities attributed to TWOSTROKE include system information collection, remote access/system control, DLL loading (including in-memory DLL loading), file manipulation and transfer, execution, host and user discovery, and persistence. It communicates with command-and-control infrastructure over SSL-encrypted TCP on port 443. Mandiant reported that TWOSTROKE generates a victim bot ID from the fully qualified DNS computer name by XOR-encrypting it with a static key, converting the result to lowercase hexadecimal, taking the first eight characters, and reversing them. It also receives hex-encoded C2 payloads whose values are separated by the delimiter "@##@".
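As an added example (not code from the original page or from Mandiant's reporting), the following Python reproduces the bot-ID derivation described above and splits a "@##@"-delimited hex payload, so a defender can map bot IDs seen in captured C2 traffic back to hostnames in an inventory. The static XOR key is not public and is a placeholder here; ASCII encoding of the FQDN and cyclic repetition of the key are assumptions.

```python
"""Added example: TWOSTROKE bot-ID derivation and C2 payload splitting
for triage. Not the malware's code; key and encoding are assumptions."""

# Assumption: the real static key is not on the page; placeholder only.
PLACEHOLDER_XOR_KEY = b"PLACEHOLDER-KEY"
DELIMITER = "@##@"  # delimiter reported for hex-encoded C2 payloads


def twostroke_bot_id(fqdn: str, key: bytes = PLACEHOLDER_XOR_KEY) -> str:
    """XOR the FQDN with the static key, hex-encode in lowercase,
    keep the first eight characters, and reverse them.
    Assumptions: FQDN is ASCII, key repeats cyclically over the input."""
    data = fqdn.encode("ascii")
    xored = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return xored.hex()[:8][::-1]


def expected_bot_ids(fqdns, key: bytes = PLACEHOLDER_XOR_KEY) -> dict:
    """Map bot ID -> FQDN for a host inventory, for lookups against
    IDs observed in captured C2 sessions."""
    return {twostroke_bot_id(h, key): h for h in fqdns}


def parse_c2_payload(raw: str) -> list:
    """Split a '@##@'-delimited payload and hex-decode each field.
    Fields that are not valid hex are kept as raw bytes so a malformed
    or truncated capture does not abort triage."""
    fields = []
    for field in raw.split(DELIMITER):
        try:
            fields.append(bytes.fromhex(field))
        except ValueError:
            fields.append(field.encode())
    return fields


# Constructed sample: a fake inventory and a fake captured payload.
SAMPLE_HOSTS = ["ws01.corp.example", "fs02.corp.example"]
SAMPLE_PAYLOAD = "48656c6c6f@##@776f726c64@##@zz"

if __name__ == "__main__":
    lookup = expected_bot_ids(SAMPLE_HOSTS, key=b"\xff")
    for bot_id, host in lookup.items():
        print(f"{bot_id} -> {host}")
    print(parse_c2_payload(SAMPLE_PAYLOAD))
```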

UNC1549 commonly deployed TWOSTROKE through DLL search order hijacking, often by planting malicious DLLs alongside legitimate software or binaries from vendors such as FortiGate, Microsoft, NVIDIA, Citrix, and VMware; in some cases the actor reportedly installed legitimate software specifically to facilitate hijacking. Reporting also describes UNC1549 using uniquely hashed post-exploitation payloads, stealthy long-term persistence, and dormant backdoors that can beacon silently for months before reactivation. No specific standalone IoCs for TWOSTROKE were provided beyond its SSL/TCP 443 C2 channel and the "@##@" payload delimiter.


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.

Magic Hound

The group is also linked to attacks on aviation and defense organizations across the Middle East between 2023 and 2025, deploying backdoors such as MINIBIKE, TWOSTROKE and DEEPROOT.

via scworld (scworld.com)
Subtle Snail

"TWOSTROKE, a C++ backdoor that allows for system information collection, DLL loading, file manipulation, and persistence"

via The Hacker News (thehackernews.com)
UNC6446

Iranian groups deploy MINIBIKE, TWOSTROKE, DEEPROOT, and CRASHPAD in Dream Job-style campaigns...

via Rescana blog (rescana.com)
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (evidence: 1)

Common TTPs across these campaigns include spearphishing, supply chain compromise, drive-by downloads, malicious RDP and LNK files, credential dumping, obfuscated payloads, and encrypted command and control (C2) channels.

Execution

1 technique
T1574.001 DLL (evidence: 1)

"UNC1549 abused DLL search order hijacking to execute CRASHPAD, DCSYNCER.SLICK, GHOSTLINE, LIGHTRAIL, MINIBIKE, POLLBLEND, SIGHTGRAB, and TWOSTROKE payloads... installed the legitimate software after initial access in order to abuse SOH... replaced or added the malicious DLLs within the legitimate installation directory, typically with SYSTEM privileges."

Stealth

1 technique
T1574.001 DLL (evidence: 1)

Same evidence as quoted under Execution above.
