Subtle Snail LinkedIn phishing espionage campaign against telecom and aerospace targets
Campaign
Summary
Hide ▲
Show ▼
The Subtle Snail (UNC1549) campaign expanded across the Middle East, Europe, and North America, using LinkedIn recruiter lures and impersonated job openings to target telecommunications, satellite, and aerospace organizations. The burst matters because the operators stole highly sensitive data from 11 global companies and customized each intrusion to the victim. The activity points to a sustained espionage effort focused on privileged staff and sensitive business systems.
Related Happenings
Bitter Middle East spear-phishing campaign targeting civil society figures
Campaign
H score28
First: 09.04.2026 13:45
Last: 09.04.2026 13:45
Sources 1
About this happening:
A **spear-phishing campaign** targeted **civil society figures in Middle Eastern countries**, including **three journalists in Egypt and Lebanon**, creating account-compromise ris...
Bitter Middle East spear-phishing campaign targeting civil society figures
CampaignAbout this happening: A **spear-phishing campaign** targeted **civil society figures in Middle Eastern countries**, including **three journalists in Egypt and Lebanon**, creating account-compromise ris...
Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
Campaign
H score37
First: 23.03.2026 20:09
Last: 23.03.2026 20:09
Sources 1
About this happening:
A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...
Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
CampaignAbout this happening: A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...
OFAC sanctions DPRK IT worker scheme network
Regulatory/Legal Action
H score32
First: 18.03.2026 19:26
Last: 18.03.2026 19:26
Sources 1
About this happening:
**OFAC** sanctioned **Ryujong Credit Bank**, **KMCTC**, and **eight individuals** tied to **North Korean cryptocurrency laundering** and **fraudulent IT worker schemes**. The **U....
OFAC sanctions DPRK IT worker scheme network
Regulatory/Legal ActionAbout this happening: **OFAC** sanctioned **Ryujong Credit Bank**, **KMCTC**, and **eight individuals** tied to **North Korean cryptocurrency laundering** and **fraudulent IT worker schemes**. The **U....
Russian state-sponsored hackers' ongoing Signal and WhatsApp phishing campaign
Campaign
H score38
First: 09.03.2026 23:24
Last: 09.03.2026 23:24
Sources 1
About this happening:
An **ongoing Russian intelligence-linked** phishing **campaign** is targeting **Signal** and **WhatsApp** users and has evolved from stealing verification codes and account PINs t...
Russian state-sponsored hackers' ongoing Signal and WhatsApp phishing campaign
CampaignAbout this happening: An **ongoing Russian intelligence-linked** phishing **campaign** is targeting **Signal** and **WhatsApp** users and has evolved from stealing verification codes and account PINs t...
Latest development: 27.06.2026 01:06
FBI and CISA warn that the Russian intelligence services-linked Signal phishing campaign has evolved from stealing verification codes, account PINs, and linked-device access to eliciting victims' Backup Recovery Keys through impersonated Signal support messages. If a target provides the key, attackers can restore Signal's Secure Backups on their own devices and read historical messages, including private and group conversations, while the campaign continues to target high-intelligence-value individuals.
Global Profit / MC Profit Always exposed phishing repository leak
Data Leak
H score27
First: 25.02.2026 01:57
Last: 25.02.2026 01:57
Sources 1
About this happening:
An exposed repository tied to **Global Profit / MC Profit Always** leaked an **SQL database** and **Telegram webhook logs**, exposing phishing-operator communications and infrastr...
Global Profit / MC Profit Always exposed phishing repository leak
Data LeakAbout this happening: An exposed repository tied to **Global Profit / MC Profit Always** leaked an **SQL database** and **Telegram webhook logs**, exposing phishing-operator communications and infrastr...
Timeline
-
19.09.2025 16:59 3 articles · 9mo ago
Subtle Snail campaign disclosure across telecom and aerospace targets
Initial DisclosureSubtle Snail (UNC1549) has stolen highly sensitive data from 11 global telecommunications companies, satellite operators, and aerospace equipment manufacturers while expanding operations across the Middle East, Europe, and North America. The group uses LinkedIn recruiter lures, fake job openings, and phishing domains impersonating Telespazio or Safran Group to deliver the MiniBike backdoor and load DLL components for espionage-oriented data theft.
Show sources
- Iranian State APT Blitzes Telcos & Satellite Companies — www.darkreading.com — 19.09.2025 16:59
- Iranian State APT Blitzes Telcos & Satellite Companies — www.darkreading.com — 19.09.2025 16:59
- UNC1549 Hacks 34 Devices in 11 Telecom Firms via LinkedIn Job Lures and MINIBIKE Malware — thehackernews.com — 19.09.2025 19:06