Subtle Snail LinkedIn phishing espionage campaign against telecom and aerospace targets
Campaign
Summary
The Subtle Snail (UNC1549) campaign expanded across the Middle East, Europe, and North America, using LinkedIn recruiter lures and impersonated job openings to target telecommunications, satellite, and aerospace organizations. The campaign matters because the operators stole highly sensitive data from 11 global companies and customized each intrusion to the victim. The activity points to a sustained espionage effort focused on privileged staff and sensitive business systems.
Related Happenings
Bitter Middle East spear-phishing campaign targeting civil society figures
Campaign
First: 09.04.2026 13:45
Last: 09.04.2026 13:45
Sources 1
About this happening:
A **spear-phishing campaign** targeted **civil society figures in Middle Eastern countries**, including **three journalists in Egypt and Lebanon**, creating account-compromise ris...
Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
Campaign
First: 23.03.2026 20:09
Last: 23.03.2026 20:09
Sources 1
About this happening:
A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...
OFAC sanctions DPRK IT worker scheme network
Regulatory/Legal Action
First: 18.03.2026 19:26
Last: 18.03.2026 19:26
Sources 1
About this happening:
**OFAC** sanctioned **Ryujong Credit Bank**, **KMCTC**, and **eight individuals** tied to **North Korean cryptocurrency laundering** and **fraudulent IT worker schemes**. The **U....
Russian state-sponsored hackers' ongoing Signal and WhatsApp phishing campaign
Campaign
First: 09.03.2026 23:24
Last: 09.03.2026 23:24
Sources 1
About this happening:
An **ongoing Russian state-sponsored phishing campaign** is targeting **Signal** and **WhatsApp** users, with the **UK NCSC** warning on **March 31** that **Russia-based actors**...
Global Profit / MC Profit Always exposed phishing repository leak
Data Leak
First: 25.02.2026 01:57
Last: 25.02.2026 01:57
Sources 1
About this happening:
An exposed repository tied to **Global Profit / MC Profit Always** leaked an **SQL database** and **Telegram webhook logs**, exposing phishing-operator communications and infrastr...
Timeline
- 19.09.2025 16:59 · 3 articles · 8mo ago
Subtle Snail campaign disclosure across telecom and aerospace targets
Initial Disclosure: Subtle Snail (UNC1549) has stolen highly sensitive data from 11 global telecommunications companies, satellite operators, and aerospace equipment manufacturers while expanding operations across the Middle East, Europe, and North America. The group uses LinkedIn recruiter lures, fake job openings, and phishing domains impersonating Telespazio or Safran Group to deliver the MiniBike backdoor and load DLL components for espionage-oriented data theft.
Sources:
- Iranian State APT Blitzes Telcos & Satellite Companies — www.darkreading.com — 19.09.2025 16:59
- Iranian State APT Blitzes Telcos & Satellite Companies — www.darkreading.com — 19.09.2025 16:59
- UNC1549 Hacks 34 Devices in 11 Telecom Firms via LinkedIn Job Lures and MINIBIKE Malware — thehackernews.com — 19.09.2025 19:06