Find notable cyber news and cases, enriched with sources, timelines, and signals.

TWOSTROKE and DEEPROOT backdoor deployment in Middle East attacks

Malware Activity
First reported
Last updated
Happening score
H score 17
1 unique sources, 1 articles

Summary

Hide ▲

The deployment of TWOSTROKE and DEEPROOT gave attackers persistent backdoor access for reconnaissance, command execution, and data theft against targeted organizations in the Middle East. The activity was part of a long-running espionage operation tied to UNC1549 and ran from late 2023 through 2025. Attackers reached victims through third-party relationships, VDI breakouts, and highly targeted phishing, making the intrusion set harder to detect and contain.

Related Happenings

Cisco Catalyst SD-WAN unauthorized peering and SSH access campaign

Campaign
H score38 First: 25.06.2026 17:15 Last: 25.06.2026 17:15 Sources 1

About this happening: An active **campaign** used **unauthorized peering connections** and **SSH access** to maintain footholds inside a **service provider's Cisco Catalyst SD-WAN** environment, increa...

Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign

Campaign
H score82 First: 17.06.2026 18:12 Last: 17.06.2026 18:12 Sources 1

About this happening: A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...

Shadow-Void-044 and Shadow-Earth-045 PeckBirdy cyber-espionage campaigns

Campaign
H score34 First: 28.01.2026 18:19 Last: 28.01.2026 18:19 Sources 1

About this happening: Two **China-aligned** **PeckBirdy** espionage campaigns were identified, widening risk to **Chinese gambling websites**, **Asian government entities**, and a **Philippine educatio...

Mustang Panda multi-country espionage campaign against government and telecom targets

Campaign
H score37 First: 28.01.2026 13:40 Last: 28.01.2026 13:40 Sources 1

About this happening: **Mustang Panda** is running new **2026** espionage activity against the **Indian government** and **hydropower** targets, using **Zoho WorkDrive** as a command-and-control and ex...

Warp Panda North American legal, technology and manufacturing espionage campaign

Campaign
H score32 First: 05.12.2025 16:30 Last: 05.12.2025 16:30 Sources 1

About this happening: Warp Panda is running a **sophisticated cyber-espionage campaign** against **North American legal, technology and manufacturing firms**, maintaining **persistent covert access** t...

Timeline

  1. 18.11.2025 14:54 2 articles · 7mo ago

    Mandiant attributes UNC1549 to TWOSTROKE and DEEPROOT deployments

    Initial Disclosure

    Mandiant attributed a suspected Iran-linked espionage cluster tracked as UNC1549, also known as Nimbus Manticore or Subtle Snail, to continued attacks against aerospace, aviation, and defense organizations in the Middle East that involved TWOSTROKE and DEEPROOT backdoors. The activity used abuse of third-party relationships, VDI breakouts from third parties, and highly targeted role-relevant phishing for initial access, then expanded into reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft, with additional use of tools such as AD Explorer, Atelier Web Remote Commander (AWRC), and SCCMVNC.

    Show sources