UNC1549 Critical Infrastructure Espionage Attack

Released: Nov 28, 2025

Updated: Dec 02, 2025


Critical Severity


Targeted espionage against high-value aerospace/defense and telecom organizations with long-term persistence and custom tooling.

A suspected Iran-linked espionage group tracked as UNC1549 is actively targeting aerospace, defense, and telecommunications organizations across Europe and other regions. The threat actor combines highly tailored spear-phishing, credential theft from third-party services, and the abuse of virtual desktop infrastructure such as Citrix, VMware, and Azure VDI to gain initial access and move laterally within target networks.


Background

Since mid-2024, UNC1549 has been executing highly targeted espionage campaigns against organizations in the aerospace, aviation, and defense sectors. The group gains initial access through tailored spear-phishing aimed at credential theft and malware delivery, as well as by compromising trusted third-party access and supply-chain relationships to pivot into downstream environments.
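The advisory describes stolen third-party credentials being replayed against VDI and remote-access gateways. One defensive control for that path is to watch gateway authentication logs for an account that succeeds from two countries within a short window, or from a country the account has never used before. The script below is an added illustration, not FortiGuard's or the campaign's code; the log format, the sample lines and the per-account baseline are constructed assumptions, and the thresholds are placeholders to be tuned to the environment.

```python
"""Added example: credential-abuse heuristics for VDI/remote-access gateway logs.
Log format, sample data and baseline are constructed for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log lines:
# "<ISO timestamp> <user> <src_ip> <country> <result>"
SAMPLE_LOG = """\
2025-11-20T08:02:11Z j.doe 203.0.113.5 DE SUCCESS
2025-11-20T08:15:40Z j.doe 203.0.113.5 DE SUCCESS
2025-11-20T08:21:03Z j.doe 198.51.100.77 US SUCCESS
2025-11-20T09:00:00Z a.smith 192.0.2.10 FR SUCCESS
2025-11-20T21:30:00Z a.smith 192.0.2.11 FR SUCCESS
2025-11-21T03:10:00Z j.doe 198.51.100.77 US FAILURE
"""

# Constructed baseline: countries each account normally authenticates from.
BASELINE = {"j.doe": {"DE"}, "a.smith": {"FR"}}


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, ip, country, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "country": country,
        "result": result,
    }


def _successful_events(lines):
    """Yield parsed events for non-empty lines whose result is SUCCESS."""
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            if ev["result"] == "SUCCESS":
                yield ev


def impossible_travel(lines, window=timedelta(hours=1)):
    """Return (user, earlier_country, later_country, later_ts) for successful
    logons by the same account from two different countries within `window`.
    Each later event is reported at most once."""
    by_user = defaultdict(list)
    for ev in _successful_events(lines):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, later in enumerate(events):
            for earlier in events[:i]:
                close_in_time = later["ts"] - earlier["ts"] <= window
                if close_in_time and earlier["country"] != later["country"]:
                    alerts.append((user, earlier["country"], later["country"],
                                   later["ts"].isoformat()))
                    break
    return alerts


def new_country_logons(lines, baseline):
    """Return (user, country, ip) for successful logons from a country that is
    not in the account's baseline (unknown accounts have an empty baseline)."""
    alerts = []
    for ev in _successful_events(lines):
        if ev["country"] not in baseline.get(ev["user"], set()):
            alerts.append((ev["user"], ev["country"], ev["ip"]))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for alert in impossible_travel(lines):
        print("impossible travel:", alert)
    for alert in new_country_logons(lines, BASELINE):
        print("new source country:", alert)
```

Both checks deliberately ignore failed attempts so that a password-spray noise source does not drown the signal; failures are better handled by a separate threshold rule. In a real deployment the country field would come from a GeoIP lookup on the source address, and the baseline from a rolling history of each account's successful logons.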

In earlier campaigns the threat actor exploited CVE-2021-26855 and CVE-2020-0688 to gain initial access and enable follow-on exploitation.

UNC1549 employs multiple custom malware families and covert operational techniques to establish persistence and evade detection:
- MINIBIKE: Modular backdoor enabling credential theft, keylogging, screenshot capture, and deployment of additional payloads.
- TWOSTROKE: Remote access tool designed for persistence and full host control.
- DEEPROOT: Linux-focused variant providing similar capabilities across non-Windows platforms.
- LIGHTRAIL & GHOSTLINE: Covert C2 and tunneling tools that disguise malicious traffic within legitimate cloud services to support resilient communications and data exfiltration.
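Tunneling C2 through legitimate cloud services, as the advisory attributes to LIGHTRAIL and GHOSTLINE, defeats simple reputation blocking, so defenders often fall back on behavioural signals such as beaconing regularity. The script below is an added example, not FortiGuard's or the campaign's code: it groups proxy-log connections by source and destination, computes the inter-connection intervals, and flags flows whose intervals are unusually regular. The log format, the destination hostnames and the thresholds are constructed assumptions.

```python
"""Added example: beaconing heuristic over proxy logs.
Log format, sample lines, hostnames and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines: "<ISO timestamp> <src_ip> <dest_host> <bytes_out>"
# 10.0.0.5 connects every ~5 minutes (beacon-like); 10.0.0.7 is irregular user traffic.
SAMPLE_PROXY_LOG = """\
2025-11-20T10:00:00Z 10.0.0.5 files.example-cloud.test 4096
2025-11-20T10:05:01Z 10.0.0.5 files.example-cloud.test 4100
2025-11-20T10:09:59Z 10.0.0.5 files.example-cloud.test 4080
2025-11-20T10:15:00Z 10.0.0.5 files.example-cloud.test 4096
2025-11-20T10:20:02Z 10.0.0.5 files.example-cloud.test 4090
2025-11-20T10:00:10Z 10.0.0.7 docs.example-cloud.test 120000
2025-11-20T10:33:00Z 10.0.0.7 docs.example-cloud.test 2300
2025-11-20T10:41:00Z 10.0.0.7 docs.example-cloud.test 98000
2025-11-20T11:55:00Z 10.0.0.7 docs.example-cloud.test 500
"""


def parse_proxy_line(line):
    """Parse one constructed proxy log line into (timestamp, src, dst, bytes_out)."""
    ts, src, dst, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)


def beacon_candidates(lines, min_connections=4, max_cv=0.1):
    """Return (src, dst, mean_interval_s, cv) for flows with at least
    `min_connections` connections whose inter-connection intervals have a
    coefficient of variation (stdev / mean) at or below `max_cv`.
    Low variation means the client talks to the destination on a near-fixed
    schedule, which is how many C2 implants behave regardless of the host."""
    flows = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst, _ = parse_proxy_line(line)
            flows[(src, dst)].append(ts)
    results = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            results.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(results)


if __name__ == "__main__":
    for flow in beacon_candidates(SAMPLE_PROXY_LOG.splitlines()):
        print("beacon candidate:", flow)
```

Implants that add random jitter push the coefficient of variation up, so a production rule would pair this check with others the same logs support, such as a destination that is new for the whole estate or an outbound byte count far above that host's norm. The threshold values here are starting points, not vendor-recommended settings.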

These operations are consistent with state-sponsored intelligence requirements, emphasizing the theft of sensitive technical data, monitoring of high-value communications, and maintaining long-term strategic footholds inside targeted environments.

Latest Development



Fortinet customers are protected through the FortiGuard Intrusion Prevention System (IPS) Security Service, which detects and blocks exploit attempts targeting known vulnerabilities associated with this activity. In addition, FortiGuard provides coverage against malware leveraged throughout the campaign. For the complete list of available protections, please refer to the Solution tab.

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV

  • Vulnerability

  • AV (Pre-filter)

  • IPS

  • Web App Security

  • Web & DNS Filter

  • Botnet C&C

DETECT
  • IOC

  • Outbreak Detection

RESPOND
  • Automated Response

  • Assisted Response Services

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Vulnerability Management

  • Attack Surface Monitoring (Inside & Outside)

  • Attack Surface Hardening
