
UNC1549 Middle East aerospace and defense intrusion campaign

Campaign
H score 22 · 1 unique source, 1 article

Summary


UNC1549 is running a late 2023 through 2025 intrusion campaign against aerospace, aviation, and defense organizations in the Middle East, using third-party relationships and role-relevant phishing to gain access. The operation also uses VDI breakouts, credential theft, and malware delivery to move from partner environments into target networks. Its persistence and stealth posture increase the risk of long-term compromise and sensitive data theft.

Related Happenings

UNC6783 BPO compromise campaign targeting downstream companies

Campaign
H score 65 · First: 09.04.2026 00:46 · Last: 09.04.2026 00:46 · Sources 1

About this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...

APT31 Russian IT sector cloud-services and phishing campaign

Campaign
H score 31 · First: 22.11.2025 17:19 · Last: 22.11.2025 17:19 · Sources 1

About this happening: The **APT31** campaign targeted the **Russian IT sector** from **2024 to 2025**, using **cloud services** and **phishing** to evade detection and sustain espionage. The operation...

TWOSTROKE and DEEPROOT backdoor deployment in Middle East attacks

Malware Activity
H score 17 · First: 18.11.2025 14:54 · Last: 18.11.2025 14:54 · Sources 1

How related: Suspected espionage-driven threat actors from Iran have been observed deploying backdoors like TWOSTROKE and DEEPROOT as part of continued attacks aimed at aerospace, aviation, and defense industries in the Middle East.

About this happening: The deployment of **TWOSTROKE** and **DEEPROOT** gave attackers persistent backdoor access for **reconnaissance**, **command execution**, and **data theft** against targeted organ...

UNC5221 BRICKSTORM espionage campaign targeting U.S. legal, SaaS, BPO, and technology firms

Campaign
H score 44 · First: 24.09.2025 17:33 · Last: 24.09.2025 17:33 · Sources 1

About this happening: **UNC5221** is an active **BRICKSTORM** espionage campaign targeting **U.S. legal services, SaaS providers, BPOs, and technology companies**. Recent reporting says the group used...

Brickstorm long-dwell espionage activity targeting U.S. technology and legal organizations

Malware Activity
H score 27 · First: 24.09.2025 17:00 · Last: 24.09.2025 17:00 · Sources 1

About this happening: **Brickstorm** is a **Go backdoor** used in a **China-linked cyber-espionage campaign** against **U.S. organizations** across the **technology and legal sectors**. CrowdStrike say...

Timeline

  1. 18.11.2025 14:54 2 articles · 7mo ago

    UNC1549 Middle East aerospace and defense intrusion campaign

    Initial Disclosure

    The campaign begins with **third-party abuse** and **role-relevant phishing** to obtain initial access. Operators pivot from **service providers** or other external partners into customer environments and can use **Citrix**, **VMware**, or **Azure Virtual Desktop** credentials to establish a foothold.
