Iranian APT UNC1549 uses SSL.com certificates to sign malware
Summary
The Iranian state-sponsored cyber espionage group UNC1549 (also known as Subtle Snail, Nimbus Manticore, Smoke Sandstorm, and Tortoiseshell) has been using SSL.com digital certificates to sign malware, making it harder to detect. This activity has been observed targeting European organizations with new backdoor and infostealer binaries. The use of valid digital certificates has significantly reduced the detection rates of these malware strains by antimalware and threat detection platforms. The certificates were issued to seemingly fraudulent or impersonated companies, including Insight Digital B.V. in the Netherlands and RGC Digital AB and Sevenfeet Software AB in Sweden. These certificates have been used since at least May 2025, and some remain valid. The misuse of SSL.com certificates raises concerns about the certificate authority's verification processes and the broader risks to networks.
Timeline
- 26.09.2025 18:28 (1 article)
  UNC1549 uses SSL.com certificates to sign malware
  The Iranian APT UNC1549 has been using SSL.com certificates to sign malware, making it harder to detect. The certificates were issued to seemingly fraudulent or impersonated companies and have been used since at least May 2025. This activity has been observed targeting European organizations with new backdoor and infostealer binaries.
  Source: Iranian State Hackers Use SSL.com Certificates to Sign Malware — www.darkreading.com — 26.09.2025 18:28
Information Snippets
- UNC1549 has been using SSL.com certificates to sign malware, reducing detection rates.
- The malware targets European organizations with backdoors and infostealers.
- Certificates were issued to Insight Digital B.V., RGC Digital AB, and Sevenfeet Software AB.
- The certificates have been in use since at least May 2025, with some still valid.
- The misuse of SSL.com certificates highlights potential weaknesses in the CA's verification processes.
- The certificates were used to sign binaries for backdoors and infostealers.
- The certificates were issued to companies with suspicious or incomplete online presences.
- The misuse of certificates poses significant detection challenges and risks to networks.

All snippets first reported 26.09.2025 18:28 (1 source, 1 article). Source: Iranian State Hackers Use SSL.com Certificates to Sign Malware — www.darkreading.com — 26.09.2025 18:28