Iranian State APT Blitzes Telcos & Satellite Companies - Dark Reading
A Charming Kitten subgroup is performing some of the most bespoke cyberattacks ever witnessed in the wild, in order to down-select high-value targets.
Nate Nelson, Contributing Writer
September 19, 2025
4 Min Read
In the span of just a couple of weeks, Iranian hackers have stolen highly sensitive data from 11 global telecommunications companies, satellite operators, and aerospace equipment manufacturers.
Cyber defenders have been tracking or otherwise fending off Middle Eastern cyberattacks by "Subtle Snail" (aka UNC1549) for around four years now. First, in 2021, it attacked a Bahrain-based IT integrator — perhaps, researchers thought, as a window to its more valuable clients. Later, it seemed to have developed a focus on aerospace and defense firms. Google researchers observed attacks in Israel and the United Arab Emirates (UAE), and evidence of further activity in Albania, India, and Turkey.
In a burst of recent attacks observed by researchers at Prodaft, Subtle Snail spread its operations across the Middle East, Europe, and North America. Besides aerospace and defense, a lot of its focus has been in the telecommunications industry, particularly satellite communications. A few of its latest victims have been massive companies serving millions of customers — big catches they managed to pull off by customizing every single attack to the nines.
Charming Kitten Spies on Telcos
Subtle Snail's success can be attributed to the significant amount of effort it puts into customizing its attacks for each and every victim.
First, the group identifies key personnel in the organization it's interested in. IT administrators, researchers, and developers make for ideal pickings, for their having greater-than-average access to sensitive systems and business data. The attackers do background research on these folks, reviewing their online profiles — particularly LinkedIn — and whatever other useful information they might have published on the Web. They also, of course, gather what they can about the target's employer.
Next the attackers don the disguise of a recruiter on LinkedIn and reach out to their targets with fake job openings. These fake profiles, openings, and the phishing domains they connect to are all designed to impersonate either Telespazio or Safran Group, European companies in the outer space and aerospace technology sectors. Targets are attracted to the job openings that seem perfect for their career trajectories — What a coincidence! — so they follow the phishing links and start divulging their personal information.
The backdoor they end up contracting, "MiniBike," is even more customized than the phishing lure they fell for. On its own, it's a fairly standard piece of badware: gathering basic system data, establishing persistence, connecting to a command-and-control (C2) server, and supporting a dozen more standard fare malicious functions.
MiniBike's primary purpose is to load additional components in the form of dynamic link libraries (DLLs). In a kind of comical exaggeration of a modular backdoor, each potential function it can carry out must be downloaded in the form of its own DLL, slightly changed so as to constitute its own variant. So if MiniBike deploys a keylogger on two different systems, they won't look exactly the same.
"Operationally, the malware is modular and it's functionally the same," explains Halit Alptekin, chief intelligence officer at Prodaft. Still, in effect, "even a single-bit change produces a different hash, and many AV products struggle to detect those variants. Some vendors perform behavior analysis, but their detection rules are still not comprehensive enough to catch every variant."
He adds, "We observe similar patterns across other Iran-nexus threat clusters. Initial access methods vary, but most campaigns still rely on DLL sideloading combined with custom malware that looks nearly identical."
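Alptekin's point is that per-deployment tweaks defeat exact-hash matching even though the modules are functionally identical. The following added example (not Prodaft's code and not derived from any MiniBike sample) makes that concrete with two constructed byte blobs that differ in a single byte: their SHA-256 digests diverge, while a piecewise similarity score over rolling 8-byte windows still reports them as near-duplicates. The window-set Jaccard index is a stand-in for the fuzzy hashes (ssdeep, TLSH) a real pipeline would use; the blob contents, sizes and the 0.9 threshold are assumptions.

```python
"""Exact hashes vs. piecewise similarity on single-byte module variants.

Added example, not Prodaft's tooling. The "DLL" contents are constructed
pseudo-random bytes; the technique (window-set Jaccard) is a simplified
stand-in for fuzzy hashing.
"""
import hashlib
import random

WINDOW = 8          # bytes per rolling window
THRESHOLD = 0.9     # assumed similarity needed to call something a variant


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def window_set(data: bytes, size: int = WINDOW) -> set:
    """All overlapping `size`-byte slices; a single changed byte alters at most `size` of them."""
    return {data[i:i + size] for i in range(0, len(data) - size + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard index over the two window sets, in [0, 1]."""
    sa, sb = window_set(a), window_set(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def is_variant_of(sample: bytes, known: bytes, threshold: float = THRESHOLD) -> bool:
    return similarity(sample, known) >= threshold


def make_samples():
    """Constructed inputs: a base blob, the same blob with one bit flipped, and an unrelated blob."""
    rng = random.Random(1337)                 # deterministic so results are reproducible
    base = bytes(rng.getrandbits(8) for _ in range(4096))
    variant = bytearray(base)
    variant[2048] ^= 0x01                     # the "single-bit change" from the article
    unrelated = bytes(rng.getrandbits(8) for _ in range(4096))
    return base, bytes(variant), unrelated


def compare() -> dict:
    base, variant, unrelated = make_samples()
    return {
        "hash_matches": sha256_hex(base) == sha256_hex(variant),
        "variant_similarity": similarity(base, variant),
        "unrelated_similarity": similarity(base, unrelated),
        "variant_detected": is_variant_of(variant, base),
        "unrelated_detected": is_variant_of(unrelated, base),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:22} {v}")
```

A hash-only rule misses the variant outright (hash_matches is False), whereas the similarity score stays above 0.99 because the flip touches only eight of roughly four thousand windows. The same property is why behavioural and structural signatures (import tables, section layout, sideloading parent/child process pairs) age better than file hashes against this kind of tooling.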
Subtle Snail: A Slime Trail of International Espionage
At the conclusion of its attack chain, Subtle Snail aims to steal a variety of data, including but not limited to:
- System and network information, including insights into installed security programs, virtual private network (VPN) configuration files, and data pertaining to the user's browser usage patterns
- Credentials stored in password managers, files, Chromium browsers, and more
- Personally identifying information (PII) in the form of photographs, passport scans, or wherever else such sensitive data might be found on a targeted system
- Proprietary business data, in whatever form it might come in — confidential documents, customer databases, and source code repositories
The goal, overall, appears to be twofold: gathering information useful for research and development, and snatching call data records (CDR) for use in international espionage.
This tracks with what we know of Subtle Snail in general. The group is linked to Tortoiseshell (aka Unyielding Wasp), which in turn is believed to be part of Charming Kitten — one of those umbrella advanced persistent threats (APTs), like North Korea's Kimsuky, that seems to catch blame for any and all attacks from its host country. Charming Kitten is associated with Iran's Revolutionary Guard Corps (IRGC).
Attribution is always a challenge, Alptekin warns. What he can say with relative certainty is that Iran's hackers are split into distinct roles — malware developers and initial access operators — and that "many of those individuals are employed by security companies while also working for government customers."
And Subtle Snail, by all accounts, is operating on behalf of state interests. He points out that "if documents are stolen from a telecom, the government is often the only available buyer for that type of data."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.