TWOSTROKE and DEEPROOT backdoor deployment in Middle East attacks
Malware Activity
Summary
The deployment of TWOSTROKE and DEEPROOT gave attackers persistent backdoor access for reconnaissance, command execution, and data theft against targeted organizations in the Middle East. The activity was part of a long-running espionage operation tied to UNC1549 and ran from late 2023 through 2025. Attackers reached victims through third-party relationships, VDI breakouts, and highly targeted phishing, making the intrusion set harder to detect and contain.
Related Happenings
Shadow-Void-044 and Shadow-Earth-045 PeckBirdy cyber-espionage campaigns
Campaign
First: 28.01.2026 18:19
Last: 28.01.2026 18:19
Sources 1
About this happening:
Two **China-aligned** **PeckBirdy** espionage campaigns were identified, widening risk to **Chinese gambling websites**, **Asian government entities**, and a **Philippine educatio...
Mustang Panda multi-country espionage campaign against government and telecom targets
Campaign
First: 28.01.2026 13:40
Last: 28.01.2026 13:40
Sources 1
About this happening:
A **Mustang Panda** espionage campaign targeted **government entities** across **Myanmar, Mongolia, Malaysia, and Russia**, showing sustained multi-country activity from **2021-20...
Warp Panda North American legal, technology and manufacturing espionage campaign
Campaign
First: 05.12.2025 16:30
Last: 05.12.2025 16:30
Sources 1
About this happening:
Warp Panda is running a **sophisticated cyber-espionage campaign** against **North American legal, technology and manufacturing firms**, maintaining **persistent covert access** t...
APT24 BadAudio multi-delivery espionage campaign
Campaign
First: 21.11.2025 00:12
Last: 21.11.2025 00:12
Sources 1
About this happening:
**APT24** is running a **three-year espionage campaign** with **BadAudio** that has expanded into multiple delivery methods, increasing the operation's reach and stealth. Since **...
UNC1549 Middle East aerospace and defense intrusion campaign
Campaign
First: 18.11.2025 14:54
Last: 18.11.2025 14:54
Sources 1
How related:
"Operating in late 2023 through 2025, UNC1549 employed sophisticated initial access vectors, including abuse of third-party relationships to gain entry (pivoting from service providers to their customers), VDI breakouts from third-parties, and highly targeted, role-relevant phishing," researchers Mohamed El-Banna, Daniel Lee, Mike Stokkel, and Josh Goddard said.
About this happening:
UNC1549 is running a **late 2023 through 2025** intrusion campaign against **aerospace, aviation, and defense** organizations in the **Middle East**, using **third-party relations...
Timeline
- 18.11.2025 14:54 · 2 articles
Mandiant attributes UNC1549 to TWOSTROKE and DEEPROOT deployments
Initial Disclosure: Mandiant attributed a suspected Iran-linked espionage cluster tracked as UNC1549, also known as Nimbus Manticore or Subtle Snail, to continued attacks against aerospace, aviation, and defense organizations in the Middle East that involved the TWOSTROKE and DEEPROOT backdoors. The activity used abuse of third-party relationships, VDI breakouts from third parties, and highly targeted, role-relevant phishing for initial access, then expanded into reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft, with additional use of tools such as AD Explorer, Atelier Web Remote Commander (AWRC), and SCCMVNC.
Sources:
- Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks — thehackernews.com — 18.11.2025 14:54