TWOSTROKE and DEEPROOT backdoor deployment in Middle East attacks
Malware Activity
Summary
Hide ▲
Show ▼
The deployment of TWOSTROKE and DEEPROOT gave attackers persistent backdoor access for reconnaissance, command execution, and data theft against targeted organizations in the Middle East. The activity was part of a long-running espionage operation tied to UNC1549 and ran from late 2023 through 2025. Attackers reached victims through third-party relationships, VDI breakouts, and highly targeted phishing, making the intrusion set harder to detect and contain.
Related Happenings
Cisco Catalyst SD-WAN unauthorized peering and SSH access campaign
Campaign
H score38
First: 25.06.2026 17:15
Last: 25.06.2026 17:15
Sources 1
About this happening:
An active **campaign** used **unauthorized peering connections** and **SSH access** to maintain footholds inside a **service provider's Cisco Catalyst SD-WAN** environment, increa...
Cisco Catalyst SD-WAN unauthorized peering and SSH access campaign
CampaignAbout this happening: An active **campaign** used **unauthorized peering connections** and **SSH access** to maintain footholds inside a **service provider's Cisco Catalyst SD-WAN** environment, increa...
Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign
Campaign
H score82
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
About this happening:
A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...
Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign
CampaignAbout this happening: A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...
Shadow-Void-044 and Shadow-Earth-045 PeckBirdy cyber-espionage campaigns
Campaign
H score34
First: 28.01.2026 18:19
Last: 28.01.2026 18:19
Sources 1
About this happening:
Two **China-aligned** **PeckBirdy** espionage campaigns were identified, widening risk to **Chinese gambling websites**, **Asian government entities**, and a **Philippine educatio...
Shadow-Void-044 and Shadow-Earth-045 PeckBirdy cyber-espionage campaigns
CampaignAbout this happening: Two **China-aligned** **PeckBirdy** espionage campaigns were identified, widening risk to **Chinese gambling websites**, **Asian government entities**, and a **Philippine educatio...
Mustang Panda multi-country espionage campaign against government and telecom targets
Campaign
H score37
First: 28.01.2026 13:40
Last: 28.01.2026 13:40
Sources 1
About this happening:
**Mustang Panda** is running new **2026** espionage activity against the **Indian government** and **hydropower** targets, using **Zoho WorkDrive** as a command-and-control and ex...
Mustang Panda multi-country espionage campaign against government and telecom targets
CampaignAbout this happening: **Mustang Panda** is running new **2026** espionage activity against the **Indian government** and **hydropower** targets, using **Zoho WorkDrive** as a command-and-control and ex...
Warp Panda North American legal, technology and manufacturing espionage campaign
Campaign
H score32
First: 05.12.2025 16:30
Last: 05.12.2025 16:30
Sources 1
About this happening:
Warp Panda is running a **sophisticated cyber-espionage campaign** against **North American legal, technology and manufacturing firms**, maintaining **persistent covert access** t...
Warp Panda North American legal, technology and manufacturing espionage campaign
CampaignAbout this happening: Warp Panda is running a **sophisticated cyber-espionage campaign** against **North American legal, technology and manufacturing firms**, maintaining **persistent covert access** t...
Timeline
-
18.11.2025 14:54 2 articles · 7mo ago
Mandiant attributes UNC1549 to TWOSTROKE and DEEPROOT deployments
Initial DisclosureMandiant attributed a suspected Iran-linked espionage cluster tracked as UNC1549, also known as Nimbus Manticore or Subtle Snail, to continued attacks against aerospace, aviation, and defense organizations in the Middle East that involved TWOSTROKE and DEEPROOT backdoors. The activity used abuse of third-party relationships, VDI breakouts from third parties, and highly targeted role-relevant phishing for initial access, then expanded into reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft, with additional use of tools such as AD Explorer, Atelier Web Remote Commander (AWRC), and SCCMVNC.
Show sources
- Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks — thehackernews.com — 18.11.2025 14:54
- Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks — thehackernews.com — 18.11.2025 14:54