{
	"id": "af41da5e-fb1e-4050-863e-74cd7de3a079",
	"created_at": "2026-04-06T00:15:21.888264Z",
	"updated_at": "2026-04-10T03:33:28.994448Z",
	"deleted_at": null,
	"sha1_hash": "97e82cf39609df840da241a077ef7a50879cf45d",
	"title": "When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5681483,
	"plain_text": "When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets\r\nIsraeli and Middle East Aerospace and Defense Sectors\r\nBy Mandiant\r\nPublished: 2024-02-27 · Archived: 2026-04-02 10:41:00 UTC\r\nWritten by: Ofir Rozmann, Chen Evgi, Jonathan Leathery\r\nToday Mandiant is releasing a blog post about suspected Iran-nexus espionage activity targeting the\r\naerospace, aviation and defense industries in Middle East countries, including Israel and the United Arab\r\nEmirates (UAE) and potentially Turkey, India, and Albania. \r\nMandiant attributes this activity with moderate confidence to the Iranian actor UNC1549, which overlaps\r\nwith Tortoiseshell—a threat actor that has been publicly linked to Iran’s Islamic Revolutionary Guard Corps\r\n(IRGC). Tortoiseshell has previously attempted to compromise supply chains by targeting defense contractors and\r\nIT providers.  \r\nThe potential link between this activity and the Iranian IRGC is noteworthy given the focus on defense-related entities and the recent tensions with Iran in light of the Israel-Hamas war. Notably, Mandiant observed\r\nan Israel-Hamas war-themed campaign that masquerades as the “Bring Them Home Now” movement,\r\nwhich calls for the return of the Israelis kidnapped and held hostage by Hamas.\r\nThis suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February\r\n2024. 
While regional in nature and focused mostly in the Middle East, the targeting includes entities operating\r\nworldwide.\r\nMandiant observed this campaign deploy multiple evasion techniques to mask their activity, most prominently\r\nthe extensive use of Microsoft Azure cloud infrastructure as well as social engineering schemes to\r\ndisseminate two unique backdoors: MINIBIKE and MINIBUS.\r\nThis blog post details the suspected UNC1549 operations since June 2022, the ongoing development of their\r\nproprietary malware, their network of over 125 Azure command-and-control (C2) subdomains, and their attack\r\nlifecycle, which includes tactics, techniques, and procedures (TTPs) Mandiant has not previously seen deployed\r\nby Iran.\r\nAttribution\r\nMandiant assesses with moderate confidence that this activity has ties to UNC1549, an Iran-based espionage\r\ngroup, which overlaps with activities publicly known as Tortoiseshell and Smoke Sandstorm/BOHRIUM. \r\nNamely, a fake recruiting website (1stemployer[.]com) was observed hosting a MINIBUS payload in November\r\n2023. The template used for the fake recruiting website had been used previously in another fake recruiting\r\nhttps://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east\r\nPage 1 of 26\n\nwebsite, careers-finder[.]com, which was used by UNC1549. 
\r\nIn this campaign, the MINIBUS backdoor was hosted on a fake job website (1stemployer[.]com) using the\r\nexact same written contents as careers-finder[.]com used by UNC1549 in early 2022, for example, “After\r\nconsidering the career and education background we introduce you to the employer companies which are\r\nlooking for the indicated skills and expertise.”\r\nFigure 1: Fake job website 1stemployer[.]com deploying a template similar to a previous UNC1549 website\r\nIn addition, like in previous UNC1549 activities, this campaign leveraged .NET applications to deliver the\r\nmalware—this time the attackers implemented it by using a fake Hamas-affiliated application to deliver the\r\nMINIBUS backdoor.\r\nAccording to public reporting, Tortoiseshell, which is tied to UNC1549, is potentially linked to the IRGC.\r\nIn addition, the focused targeting of Middle East entities affiliated with the aerospace and defense sectors is\r\nconsistent with other Iran-nexus clusters of activity, some of which are affiliated with the IRGC as well.\r\nOutlook and Implications\r\nMandiant research indicates this campaign remains active as of February 2024, and targeted entities are related to\r\ndefense, aerospace, and aviation in the Middle East, particularly in Israel and the UAE and potentially in Turkey,\r\nIndia, and Albania. \r\nThe intelligence collected on these entities is of relevance to strategic Iranian interests and may be leveraged for\r\nespionage as well as kinetic operations. This is further supported by the potential ties between UNC1549 and the\r\nIRGC.\r\nThe evasion methods deployed in this campaign, namely the tailored job-themed lures combined with the use of\r\ncloud infrastructure for C2, may make it challenging for network defenders to prevent, detect, and mitigate this\r\nactivity. The intelligence and indicators provided in this report may support these efforts and enhance them.\r\nAttack Lifecycle\r\nThis suspected UNC1549 campaign uses two primary methods to achieve initial access to the targets: spear-phishing and credential harvesting. A typical chain of attack consists of several stages:\r\n1. Spear-phishing emails or social media correspondence, disseminating links to fake websites containing\r\nIsrael-Hamas related content or fake job offers. The websites would eventually lead to downloading a\r\nmalicious payload.\r\nFigure 2: Fake website posing as the “Bring Them Home Now” movement, calling for the return of Israelis\r\nkidnapped by Hamas\r\nThe fake job offers were for tech and defense-related positions, specifically in the aviation,\r\naerospace, or thermal imaging sectors. \r\nMandiant also observed that some of the fake job websites that hosted malicious payloads were also\r\nused during 2023 to harvest credentials.\r\nFigure 3: Fake login page masquerading as the aerospace company Boeing\r\n2. Payload delivery, downloaded from the previously mentioned websites to the target’s computer. The\r\npayload is a compressed archive that typically includes two main bundles:\r\n- MINIBIKE or MINIBUS—two unique backdoors deployed at least since 2022 (MINIBIKE) and\r\n2023 (MINIBUS), providing full backdoor functionality (see the Technical Appendix for more\r\ninformation).\r\n- A benign lure in the form of an application like OneDrive (MINIBIKE) or, in the case of MINIBUS,\r\na custom application presenting content related to Israelis kidnapped by Hamas hosted on the fake\r\nwebsite birngthemhomenow[.]co[.]il mentioned previously.\r\nFigure 4: Decoy content used by MINIBUS, related to the “Bring Them Home Now” movement\r\n3. Payload installation and device compromise, achieved after the MINIBIKE or MINIBUS backdoors\r\nestablish C2 communication, in most cases via Microsoft Azure cloud infrastructure. \r\nThe access to the device can be leveraged for multiple purposes, including intelligence collection\r\nand as a stepping stone for further access into the targeted network.\r\nThis stage may be supported by the use of LIGHTRAIL, a unique tunneler used in the campaign\r\n(see the following details).\r\nThis suspected UNC1549 campaign deployed several evasion techniques to mask their activity:\r\n- Abusing Microsoft Azure infrastructure for C2 and hosting, making it difficult to discern the activity from\r\nlegitimate network traffic. In some cases, servers geolocated in the targeted countries (Israel and the UAE)\r\nwere used, further masking the activity.\r\n- Using domain naming schemes that include strings that would likely seem legitimate to network defenders,\r\nlike countries, organization names, languages or descriptions related to the targeted sector. Following are\r\nseveral examples of indicative Azure domains: \r\n  ilengineeringrssfeed[.]azurewebsites[.]net (“IL Engineering RSS Feed”)\r\n  hiringarabicregion[.]azurewebsites[.]net (“Hiring Arabic Region”)\r\n  turkairline[.]azurewebsites[.]net (“Turk Airline”)\r\n- Using job-themed lures, offering various IT and tech-related positions, which are likely to be disseminated\r\nlegitimately. One of these fake job offers is presented in Figure 5.\r\nFigure 5: Fake job offer on behalf of DJI, a drone manufacturing company (MD5:\r\n4a223bc9c6096ac6bae3e7452ed6a1cd)\r\nMalware Families\r\nMandiant observed the following custom malware families used in the suspected UNC1549 activity.\r\nMalware Family: MINIBIKE\r\nDescription: A custom backdoor written in C++ capable of file exfiltration and upload, command execution, and more. Communicates using Azure cloud infrastructure.\r\nFirst Seen: June 2022\r\nLast Seen: October 2023\r\nMalware Family: MINIBUS\r\nDescription: A custom backdoor that provides a more flexible code-execution interface and enhanced reconnaissance features compared to MINIBIKE.\r\nFirst Seen: August 2023\r\nLast Seen: January 2024\r\nMalware Family: LIGHTRAIL\r\nDescription: A tunneler, likely based on an open-source Socks4a proxy, that communicates using Azure cloud infrastructure.\r\nFirst Seen: November 2022\r\nLast Seen: August 2023\r\nMINIBIKE is a custom malware written in C++, used since at least June 2022. Once MINIBIKE is installed, it\r\nprovides full backdoor functionality, including directory and file enumeration, collection of system files and\r\ninformation, uploading files, and running additional processes. \r\nThe MINIBIKE platform usually consists of three utilities bundled in an archive, delivered via spear phishing:\r\n1. The MINIBIKE backdoor, usually in the form of a .dll or a .dat file\r\n2. A launcher, executed via search-order-hijacking (SoH), deploying MINIBIKE and setting its persistence\r\nusing registry keys\r\n3. A legitimate/fake executable, used to mask the malicious MINIBIKE deployment. Mandiant observed\r\ndifferent MINIBIKE versions use three applications for this purpose: Microsoft SharePoint, Microsoft\r\nOneDrive, and a fake Hamas-related .NET application.\r\nThe MINIBIKE platform has been in use since at least June 2022, gradually being developed into several versions\r\ndistinct from each other in lures, features, and functionality. While Mandiant did not observe any embedded\r\nversion numbers, the MINIBIKE instances can be divided into the following versions.\r\nVersion 1.0 (June 2022)\r\nChanges (compared to earlier version):\r\n- First version\r\n- C2 server geolocated in Iran (not Azure)\r\n- Submitted to a public malware repository from Iran\r\n- Legitimate SharePoint installation as a lure\r\n- Bundled in an IMG drive (“Screenshot.img”)\r\n- Export DLL name: “update.dll”\r\nGeographies: Iran\r\nExample MD5: adef679c6aa6860aa89b775dceb6958b\r\nVersion 1.1 (October–November 2022)\r\nChanges (compared to earlier version):\r\n- First use of Azure subdomains for C2: three embedded, only one used\r\n- First use of OneDrive installation as a lure and as a registry key for persistence\r\n- Export DLL name: “Mini.dll”\r\nGeographies: UAE, Turkey\r\nExample MD5: 409c2ac789015e76f9886f1203a73bc0\r\nVersion 2.0 (August 2023)\r\nChanges (compared to earlier version):\r\n- Three to five Azure C2 domains used successively in a loop\r\n- Bundled in a ZIP file (“Survey.zip”)\r\n- Additional obfuscation\r\n- Additional functionality and commands\r\n- Export DLL name: “Mini-Junked.dll”\r\nGeographies: Israel, UAE\r\nExample MD5: 691d0143c0642ff783909f983ccb8ffd\r\nVersion 2.1 (August 2023)\r\nChanges (compared to earlier version):\r\n- Uses “Image Photo Viewer” registry key for persistence\r\n- Additional obfuscation\r\n- Three Azure C2 domains\r\nGeographies: Israel, India\r\nExample MD5: e3dc8810da71812b860fc59aeadcc350\r\nVersion 2.2 (August–October 2023)\r\nChanges (compared to earlier version):\r\n- Four Azure C2 domains\r\n- Reverts back to OneDrive registry key for persistence\r\n- Additional functionality and commands\r\n- Additional obfuscation\r\n- Beacon communication looping over three “files”: index.html, favicon.ico, icon.svg\r\n- Export DLL name: “Micro.dll”\r\nGeographies: Israel, UAE\r\nExample MD5: 054c67236a86d9ab5ec80e16b884f733\r\nMINIBUS: A RoBUSt Successor?\r\nMandiant observed a second backdoor deployed in this campaign, which bears multiple similarities to MINIBIKE\r\nand was therefore named MINIBUS. The MINIBUS platform has been used since at least August 2023, likely\r\nduring the same time as the latest MINIBIKE versions, though not necessarily to target the same victims. \r\nMINIBUS is a more advanced, updated platform when compared to MINIBIKE. While similar in\r\nfunctionality and code base, MINIBUS contains fewer built-in features and a more flexible code-execution\r\nand command interface in addition to more advanced reconnaissance features. \r\nThis might make the MINIBUS platform a more suitable option for an experienced operator who, instead of\r\nusing ready-to-use features, may require a more flexible platform. Such an operator may be concerned with\r\noperational security (OpSec), possibly as an early stage in a more elaborate operation.\r\nThe following is a more detailed list of the key differences between the MINIBIKE and MINIBUS platforms.\r\nFunctionality\r\nMINIBUS has fewer built-in commands and features when compared with MINIBIKE. Instead, MINIBUS\r\nprovides a more flexible code-execution and command interface, including the ability to run an executable\r\n(for example, a possible next-stage implant) using a single command, unlike MINIBIKE.\r\nMINIBUS has a process enumeration feature. A process list generated by MINIBUS may be useful to\r\navoid detection, for example, by identifying processes related to Virtual Machine (VM) utilities or security\r\napplications (such as an EDR). \r\nExport DLL Names\r\nThe MINIBUS bundle contains DLLs with the names “torvaldinitial.dll” for its launcher/installer and\r\n“torvaldspersist.dll” for its payload, unlike MINIBIKE, which utilizes export DLL names like “Dr2.dll” or\r\n“MspUpdate.dll” (for its launchers) and “Mini-Junked.dll” or “Micro.dll” (for its payloads).\r\nC2 Communication\r\nMINIBUS uses a combination of an Azure subdomain and unique *.com domains for C2 communications, unlike\r\nMINIBIKE, which relies only on Azure infrastructure.\r\nLures and Themes\r\nMINIBUS deployed lures related to the Israel-Hamas war, including a fake .NET application with themes and\r\ncontents abusing the “Bring Them Home Now” movement, which calls for the return of the Israeli hostages\r\nkidnapped by Hamas. In another MINIBUS instance, Mandiant observed a lure related to Quizora, possibly\r\nreferring to a quiz application.\r\nTargeting and Geography\r\nLike MINIBIKE, Mandiant observed MINIBUS targeting Israel and possibly India and the UAE. In addition, a\r\nMINIBUS C2 domain (cashcloudservices[.]com) had a subdomain with the prefix nsalbaniahack[.]*,\r\nsuggesting an interest in Albania as well, which is consistent with Iranian interests but not yet observed in\r\nMINIBIKE-related activity.\r\nLIGHTRAIL: Highway to Where?\r\nIn addition to the MINIBIKE and MINIBUS backdoors, Mandiant observed a tunneler named LIGHTRAIL likely\r\naffiliated with UNC1549 as well.\r\nLIGHTRAIL has several connections to MINIBIKE and MINIBUS in the form of (1) a shared code base, (2)\r\nAzure C2 infrastructure with similar patterns and naming, and (3) overlapping targets and victimology.\r\nLIGHTRAIL communicates with an Azure C2 subdomain of the form *[.]*[.]cloudapp[.]azure[.]com. Mandiant\r\nassesses with medium confidence that both LIGHTRAIL and MINIBIKE were used to target the same victim\r\nenvironment at least once.\r\nLIGHTRAIL likely leverages the open-source utility “Lastenzug” (“freight train” in German), a Socks4a proxy\r\nbased on websockets with a “static obfuscation on [the] assembly level.” LIGHTRAIL’s export DLL is named\r\n“lastenzug.dll,” and it shares the same hard-coded User Agent as Lastenzug.\r\nMozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135\r\nSafari/537.36 Edge/12.10136\r\nMandiant observed two LIGHTRAIL versions used at least since November 2022. Similarly to MINIBIKE, no\r\n“official” versions were embedded in LIGHTRAIL’s code, but the instances can be divided into two versions.\r\nVersion 1.0 (November 2022)\r\nChanges (compared to earlier version):\r\n- C2 domains: tnlsowki[.]westus3[.]cloudapp[.]azure[.]com, tnlsowkis[.]westus3[.]cloudapp[.]azure[.]com\r\n- Export DLL named “lastenzug.dll”, likely referring to the open-source Socks4a proxy\r\nGeographies: Turkey\r\nExample MD5: 36e2d9ce19ed045a9840313439d6f18d\r\nVersion 2.0 (August 2023)\r\nChanges (compared to earlier version):\r\n- C2 domain: iaidevrssfeed[.]centralus[.]cloudapp[.]azure[.]com\r\n- Export DLL named “Lastenzug.dll” (capital ‘L’)\r\n- String obfuscation, similar to MINIBIKE\r\nGeographies: Israel\r\nExample MD5: a5fdf55c1c50be471946de937f1e46dd\r\nCredential Harvesting and Fake Job Offers\r\nMandiant observed that several websites hosting MINIBIKE payloads also hosted fake login pages in mid-2023\r\nposing as job offers on behalf of legitimate defense and technology-related companies. More specifically, the\r\ncompanies were affiliated with the aerospace, aviation, and thermal imaging industries.\r\nFigure 6: Fake login page masquerading as the aerospace company Boeing\r\nFigure 7: Fake login page masquerading as Teledyne FLIR, a manufacturer of thermal imaging devices\r\nIn addition, Mandiant observed suspected UNC1549 infrastructure hosting job description documents for\r\npositions in DJI, a drone manufacturing company, in parallel to a MINIBIKE .zip file. 
\r\nThe documents were likely used as lures in social engineering efforts, either for running malicious files or\r\nharvesting credentials.\r\nFigure 8: Fake DJI job offer (MD5: 4a223bc9c6096ac6bae3e7452ed6a1cd)\r\nFigure 9: Fake DJI job offer (MD5: ec6a0434b94f51aa1df76a066aa05413)\r\nTechnical Appendix\r\nMINIBIKE Technical Analysis\r\nMandiant observed the following versions of MINIBIKE deployed since 2022.\r\nVersion 1.x, June–November 2022\r\nPayload: IMG archive named Screenshot.img (example MD5: 409c2ac789015e76f9886f1203a73bc0),\r\ncontaining the following files:\r\nScreenshots.lnk - a launcher LNK file (MD5: cb565b1bb128dfc20c8392974ff73e3f)\r\nSetup.exe - a legitimate OneDrive/SharePoint executable (MD5:\r\n400d7190012517677dd5ef2e471f2cd1)\r\nsecur32.dll - the MINIBIKE launcher, executed via search-order-hijacking (SoH) (MD5:\r\n54848d17aa76d807e2fd6d196a01ce84)\r\nconfigur.dll - the MINIBIKE backdoor (MD5: e9ed595b24a7eeb34ac52f57eeec6e2b)\r\nNote: Most of the following analysis refers to version 1.0, but version 1.1 behaves in a similar manner.\r\nExecution: once the IMG archive is mounted, the malicious launcher is executed via SoH and copies the\r\nlegitimate executable and the MINIBIKE backdoor to the following paths:\r\nLegitimate executable: %LOCALAPPDATA%\\Microsoft\\OneDrive\\configs\\FileCoAuth.exe\r\nMINIBIKE backdoor: %LOCALAPPDATA%\\Microsoft\\OneDrive\\configs\\secur32.dll\r\nPersistence: The loader/installer sets persistence for the MINIBIKE payload by moving it to its staging\r\ndirectory and setting the following Run registry key:\r\nKey: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDriveFileCoAuth.exe\r\nValue: %LOCALAPPDATA%\\Microsoft\\OneDrive\\configs\\FileCoAuth.exe\r\nExport DLL name:\r\nVersion 1.0: “update.dll”\r\nVersion 1.1: “Mini.dll”\r\nUser Agent:\r\nVersion 1.0: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36\r\n(KHTML, like Gecko) Chrome/99.0.4844.82 Mobile Safari/537.36\r\nVersion 1.1: Mozilla/5.0\r\nC2 infrastructure: \r\nVersion 1.0: 158.255.74[.]25\r\nVersion 1.1: homefurniture[.]azurewebsites[.]net\r\nC2 URIs:\r\nVersion 1.0:\r\n/api/blogs/96752 - initial beacon and request command\r\n/api/blogs/result/96752 - command/request response\r\n/api/blogs/download/ - download file\r\n/api/blogs/result/file/ - upload file\r\nVersion 1.1:\r\n/news/notifications/235722 - initial beacon and request command\r\n/news/update/ - command/request response\r\n/news/image/ - download file\r\nAffected geographies: UAE, Turkey, Iran\r\nVersion 2.x, August–October 2023\r\nPayload: ZIP archive, usually named Survey.zip (example MD5: 691d0143c0642ff783909f983ccb8ffd),\r\ncontaining the following files:\r\nSetup.exe - a legitimate executable used to sideload the installer (MD5:\r\nce1054d542dbd999401236f2ce20f826)\r\nsecur32.dll - the MINIBIKE backdoor (MD5: 1e7cf4c172bdabe48714b402d2255707)\r\nlang.dat - a MINIBIKE installer (MD5: 909a235ac0349041b38d84e9aab3f3a1)\r\nExecution: once the legitimate executable is run, the MINIBIKE installer is sideloaded and the files are\r\ncopied to the following paths:\r\nLegitimate executable: %LOCALAPPDATA%\\Microsoft\\Internet Explorer\\FileCoAuth.exe\r\nMINIBIKE backdoor: %LOCALAPPDATA%\\Microsoft\\Internet Explorer\\secur32.dll\r\nPersistence: The loader/installer sets persistence for the MINIBIKE payload by moving it to its staging\r\ndirectory and setting the following Run registry key:\r\nKey: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive FileCoAuth\r\nValue: %LOCALAPPDATA%\\Microsoft\\Internet Explorer\\secur32.dll\r\nNote: Version 2.1 uses ‘Image Photo Viewer’ as a registry key\r\nExport DLL name:\r\nVersions 2.0 and 2.1: “Mini-Junked.dll”\r\nVersion 2.2: “Micro.dll”\r\nNote: In a single instance Mandiant observed the use of “devobj.dll”\r\nUser Agent:\r\nVersion 2.0: \r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/539.180 (KHTML, like Gecko)\r\nChrome/110.0.0.2 Safari/538.36 \r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/539.181 (KHTML, like Gecko)\r\nChrome/111.0.0.2 Safari/538.46\r\nVersion 2.1: \r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/539.181 (KHTML, like Gecko)\r\nChrome/111.0.0.2 Safari/538.36\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/539.181 (KHTML, like Gecko)\r\nChrome/111.0.0.2 Safari/538.46\r\nVersion 2.2: \r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/115.0.0.0 Safari/537.36\r\nNote: In a single instance Mandiant observed the use of “Mozilla/5.0” user agent.\r\nNote: The version 2.0 and 2.1 strings report AppleWebKit/539.x and Safari/538.x builds, which no genuine Chromium-based browser sends (real Chrome user agents carry 537.36 for both); the mismatch is a usable network detection hook.\r\nC2 infrastructure: This version of MINIBIKE communicates with three to five Azure subdomains. After\r\nevery communication it uses the next C2 in a loop, for example:\r\nblogvolleyballstatus[.]azurewebsites[.]net\r\nblogvolleyballstatusapi[.]azurewebsites[.]net\r\nmarineblogapi[.]azurewebsites[.]net\r\nC2 URIs: \r\nVersions 2.0 and 2.1:\r\n/news/notifications/\u003csix_digits\u003e - initial beacon and request command\r\n/news/update/ - command/request response\r\n/news/image/ - download file\r\nVersion 2.2:\r\n/assets/\u003csix_or_eight_digits\u003e/ {index.html / favicon.ico / icon.svg} - initial beacon and\r\nrequest command\r\n/assets/\u003csix_or_eight_digits\u003e/ - command/request response\r\n/assets/\u003csix_or_eight_digits\u003e/ - download file\r\n/assets/\u003csix_or_eight_digits\u003e/ - upload file\r\nNote: In a single instance Mandiant observed the use of URIs of the form: blogs/\u003ckeywords\u003e\r\nAffected geographies: Israel, UAE, and potentially India\r\nMINIBUS Analysis\r\nPayload: ZIP archive named bringthemhomenow.zip (MD5: ef262f571cd429d88f629789616365e4),\r\ncontaining the following files:\r\nBringThemeHome.exe - a benign executable (MD5: ce1054d542dbd999401236f2ce20f826)\r\nsecur32.dll - a MINIBUS installer (MD5: c5dc2c75459dc99a42400f6d8b455250)\r\nCoreUIComponent.dll - the MINIBUS backdoor (MD5: 816af741c3d6be1397d306841d12e206)\r\nessential.dat - an additional archive containing decoy content: a “Bring Them Home” fake .NET\r\napplication created by the threat actor (MD5: 251894b3af0ece374ed6df223ab09cab)\r\nExecution: Once the legitimate executable is run, the MINIBUS installer is loaded via search-order-hijacking (SoH). 
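\r\n\r\nThe delivery layout just described (a legitimate executable beside a secur32.dll, plus an installer hidden behind a .dat extension) can be checked before anything is executed. The following Python is an added example, not code from the original post or from Mandiant: it scans a ZIP in memory for the two bundle traits this campaign relies on, a System32-named DLL sitting next to an executable (a search-order-hijacking candidate) and an entry whose extension is not a PE extension but whose content starts with the MZ signature, and it also reports a .lnk launcher of the kind the 1.x IMG bundles used. The sample archives are constructed placeholders, not the real samples, and the System32 DLL list is a short illustrative assumption to be extended from your own inventory.

```python
import io
import ntpath
import zipfile

# DLLs a well-behaved program resolves from System32. A copy of one of these next
# to an .exe inside a downloaded archive is the search-order-hijacking (sideloading)
# layout the page describes. Short illustrative set (assumption): extend it from
# your own System32 inventory.
SYSTEM_DLL_NAMES = {'secur32.dll', 'devobj.dll', 'version.dll', 'dbghelp.dll',
                    'wininet.dll', 'cryptbase.dll', 'userenv.dll'}

PE_EXTENSIONS = {'.exe', '.dll', '.sys', '.scr', '.ocx'}


def is_pe(head):
    # Every PE image starts with the DOS header signature 'MZ'.
    return head[:2] == b'MZ'


def scan_archive(zip_bytes):
    '''Return (rule, detail) findings for an in-memory ZIP delivery bundle.'''
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        by_dir = {}
        for info in zf.infolist():
            if info.is_dir():
                continue
            folder, base = ntpath.split(info.filename)
            by_dir.setdefault(folder, []).append(base)
            ext = ntpath.splitext(base.lower())[1]
            with zf.open(info) as fh:
                head = fh.read(2)
            # lang.dat in Survey.zip is a PE file hiding behind a data extension.
            if is_pe(head) and ext not in PE_EXTENSIONS:
                findings.append(('pe-masquerading-as-data', info.filename))
            # Version 1.x shipped a .lnk launcher beside the executable.
            if ext == '.lnk':
                findings.append(('lnk-launcher', info.filename))
        # Pair every executable with a System32-named DLL in the same folder.
        for folder, names in by_dir.items():
            exes = [n for n in names if n.lower().endswith('.exe')]
            dlls = [n for n in names if n.lower() in SYSTEM_DLL_NAMES]
            for exe in exes:
                for dll in dlls:
                    findings.append(('sideload-candidate',
                                     ntpath.join(folder, exe) + ' <- ' + ntpath.join(folder, dll)))
    return findings


def build_sample(files):
    '''Build a ZIP in memory from {name: bytes}. Constructed test data, not real samples.'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Same file layout as the Survey.zip the page documents; contents are placeholders.
SURVEY_ZIP = build_sample({
    'Setup.exe': b'MZ placeholder for the legitimate sideload host',
    'secur32.dll': b'MZ placeholder for the backdoor DLL',
    'lang.dat': b'MZ placeholder for the installer hidden as a data file',
})

# A bundle with nothing to sideload, to show the scanner stays quiet.
BENIGN_ZIP = build_sample({
    'report.pdf': b'%PDF-1.7 placeholder',
    'notes/readme.txt': b'nothing executable here',
})

if __name__ == '__main__':
    for label, blob in (('Survey.zip', SURVEY_ZIP), ('benign.zip', BENIGN_ZIP)):
        print(label, scan_archive(blob) or 'no findings')
```

The scanner reads only the first two bytes of each entry, so it can run on an untrusted archive without extracting it. IMG images from the 1.x bundles are not ZIPs and would have to be mounted or converted before the same checks apply.\r\n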
\r\nThe installer DLL displays a message indicating the files are being extracted:\r\nFigure 10: MINIBUS installer DLL installation message\r\nThe decoy contents are moved to their intended location on the targeted system:\r\nFigure 11: Installer DLL message box\r\nTwo main decoy files, along with some dependency files, are contained within the archive essential.dat (MD5:\r\n251894b3af0ece374ed6df223ab09cab):\r\nDecoy .NET application masquerading as an application related to Israeli hostages kidnapped by Hamas\r\nduring the Oct. 7 attack on\r\nIsrael: \u003cextraction_directory\u003e\\BringThemeHomeNow\\BringThemeHomeNow.exe [sic] (MD5:\r\ndfed4468dd78ad2f5d762741df4c1755)\r\nFigure 12: Fake “Bring Them Home Now” .NET application “BringThemeHomeNow.exe” [sic]\r\nDecoy image: \u003cextraction_directory\u003e\\BringThemeHomeNow\\petition.jpg (MD5:\r\nc0060a0c26df9fed7fdcdb7d26ff921f)\r\nFigure 13: Decoy content \"petition.jpg\"\r\nUpon execution, the .NET application initially checks for the existence of a flag file that indicates if the decoy has\r\npreviously run on the device: %LOCALAPPDATA%\\Commons\\lg\r\nIf the file does not exist, a splash screen is displayed prior to entering the application. If the file already exists, the\r\napplication presents the main screen (seen in Figure 12).\r\nIn addition to displaying decoy content to the victim, the installer DLL copies the backdoor and dependency files\r\nto their staging directory, and it also sets persistence for the backdoor using the following registry run key:\r\nKey: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDriveCoUpdate\r\nValue: %LOCALAPPDATA%\\Microsoft\\OneDrive\\cache\\logger\\FileCoAuth.exe\r\nC2 infrastructure: MINIBUS communicates with one Azure subdomain and two\r\ndedicated domains:\r\nvscodeupdater[.]azurewebsites[.]net\r\ncashcloudservices[.]com\r\nxboxplayservice[.]com\r\nAffected geographies: Israel and India, as well as possibly UAE and Albania, based on the following\r\nsubdomains of cashcloudservices[.]com:\r\ndubai-ae0043[.]cashcloudservices[.]com\r\nnsalbaniahack[.]cashcloudservices[.]com\r\nDetection and Mitigation\r\nIf you are a Google Chronicle Enterprise+ customer, Chronicle rules were released to your Emerging Threats rule\r\npack, and IOCs listed in this blog post are available for prioritization with Applied Threat Intelligence.  
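\r\n\r\nThe Run values, beacon URIs and user-agent strings listed in the appendix translate directly into host and proxy checks. The following Python is an added example, not code from the original post or from Mandiant: it scores proxy-log lines against the MINIBIKE 1.x/2.x URI shapes, the C2 hosts named on this page and the AppleWebKit/539.x and Safari/538.x builds that appear in the 2.0/2.1 user agents but in no genuine browser, and it evaluates HKCU Run values against the value names and staging folders documented for MINIBIKE and MINIBUS. The pipe-delimited log format (ts|src|host|method|uri|user-agent), the hostnames not taken from this page, the clean OneDrive Run value and the severity thresholds are assumptions made for the example.

```python
import re

# C2 hosts named on this page (MINIBIKE 1.1 and 2.x, MINIBUS, LIGHTRAIL). In production,
# load the full IOC list from the report instead of this excerpt (assumption).
KNOWN_C2_HOSTS = {
    'homefurniture.azurewebsites.net',
    'blogvolleyballstatus.azurewebsites.net',
    'blogvolleyballstatusapi.azurewebsites.net',
    'marineblogapi.azurewebsites.net',
    'vscodeupdater.azurewebsites.net',
    'cashcloudservices.com',
    'xboxplayservice.com',
    'iaidevrssfeed.centralus.cloudapp.azure.com',
}
AZURE_SUFFIXES = ('.azurewebsites.net', '.cloudapp.azure.com')

# Beacon URI shapes documented for each MINIBIKE version.
URI_PATTERNS = [
    ('minibike-1.0-uri', re.compile('^/api/blogs/(result/)?(\\d{5}$|download/|file/)')),
    ('minibike-1.1-2.1-uri', re.compile('^/news/(notifications/\\d{6}$|update/|image/)')),
    ('minibike-2.2-uri', re.compile('^/assets/(\\d{6}|\\d{8})/(index\\.html|favicon\\.ico|icon\\.svg)?$')),
]
# Genuine Chromium user agents report AppleWebKit/537.36 and Safari/537.36; the 2.0/2.1
# samples report 539.x / 538.x, the 1.1 sample sends a bare Mozilla/5.0, and LIGHTRAIL
# reuses the fixed Lastenzug string.
UA_PATTERNS = [
    ('bogus-webkit-build', re.compile('AppleWebKit/53[89]\\.|Safari/53[89]\\.')),
    ('bare-mozilla-ua', re.compile('^Mozilla/5\\.0$')),
    ('lightrail-lastenzug-ua', re.compile('Chrome/42\\.0\\.2311\\.135 Safari/537\\.36 Edge/12\\.10136$')),
]


def score_request(host, uri, user_agent):
    '''Return (severity, reasons) for one proxied request; severity is none, medium or high.'''
    host = host.lower()
    reasons = []
    if host in KNOWN_C2_HOSTS:
        reasons.append('known-c2-host')
    uri_hit = next((label for label, rx in URI_PATTERNS if rx.search(uri)), None)
    if uri_hit:
        reasons.append(uri_hit)
        # The page counts over 125 attacker-controlled Azure app names; an unlisted one
        # combined with a documented beacon shape is worth escalating on its own.
        if host.endswith(AZURE_SUFFIXES) and host not in KNOWN_C2_HOSTS:
            reasons.append('unlisted-azure-host-with-beacon-uri')
    reasons.extend(label for label, rx in UA_PATTERNS if rx.search(user_agent))
    if 'known-c2-host' in reasons or (uri_hit and len(reasons) >= 2):
        return 'high', reasons
    return ('medium', reasons) if reasons else ('none', reasons)


def scan_proxy_log(lines):
    '''Parse pipe-delimited lines (ts|src|host|method|uri|user-agent) and return alerts.'''
    alerts = []
    for line in lines:
        ts, src, host, _method, uri, ua = line.split('|', 5)
        severity, reasons = score_request(host, uri, ua)
        if severity != 'none':
            alerts.append((ts, src, host, severity, reasons))
    return alerts


RUN_KEY = 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
# Run value names and staging folders documented for MINIBIKE 1.x/2.x and MINIBUS.
SUSPECT_RUN_NAMES = {'onedrivefilecoauth.exe', 'onedrive filecoauth', 'onedrivecoupdate', 'image photo viewer'}
SUSPECT_STAGING = ('\\microsoft\\onedrive\\configs', '\\microsoft\\internet explorer',
                   '\\microsoft\\onedrive\\cache\\logger')
SUSPECT_BINARIES = ('filecoauth.exe', 'secur32.dll')


def check_run_value(name, value):
    '''Return the reasons a Run value matches the documented persistence, or [] if none.'''
    low_name, low_value = name.lower(), value.lower()
    reasons = []
    if low_name in SUSPECT_RUN_NAMES:
        reasons.append('run-value-name:' + name)
    if low_value.endswith(SUSPECT_BINARIES) and any(folder in low_value for folder in SUSPECT_STAGING):
        reasons.append('staging-path:' + value)
    return reasons


# Constructed proxy export: line 1 mirrors the documented 2.1 beacon, line 2 a 2.2 beacon to an
# Azure app name not on this page, lines 3 and 4 are ordinary traffic that must not alert.
SAMPLE_LOG = [
    '2024-02-01T10:00:00Z|10.0.0.5|blogvolleyballstatus.azurewebsites.net|GET|/news/notifications/235722|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/539.181 (KHTML, like Gecko) Chrome/111.0.0.2 Safari/538.36',
    '2024-02-01T10:05:00Z|10.0.0.5|surveyquizapitest.azurewebsites.net|GET|/assets/48213977/favicon.ico|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36',
    '2024-02-01T10:06:00Z|10.0.0.7|login.microsoftonline.com|POST|/common/oauth2/v2.0/token|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36',
    '2024-02-01T10:07:00Z|10.0.0.9|intranet.example.com|GET|/assets/2024/index.html|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36',
]
# Constructed Run values: the first is what a normal OneDrive install writes, the others mirror the page.
SAMPLE_RUN_VALUES = [
    ('OneDrive', '%LOCALAPPDATA%\\Microsoft\\OneDrive\\OneDrive.exe /background'),
    ('OneDrive FileCoAuth', '%LOCALAPPDATA%\\Microsoft\\Internet Explorer\\secur32.dll'),
    ('OneDriveCoUpdate', '%LOCALAPPDATA%\\Microsoft\\OneDrive\\cache\\logger\\FileCoAuth.exe'),
]

if __name__ == '__main__':
    for alert in scan_proxy_log(SAMPLE_LOG):
        print('proxy', alert)
    for name, value in SAMPLE_RUN_VALUES:
        print('run', RUN_KEY, name, check_run_value(name, value) or 'clean')
```

A URI hit on its own only scores medium, because /news/update/ or an /assets/ path with a six-digit folder can occur on a legitimate site; what raises it to high is a second documented signal on the same request: a listed C2 host, a documented beacon path on an Azure app name nobody in the organization owns, or one of the fabricated WebKit builds. The host check takes (name, value) pairs so it can be fed from a registry export or an EDR telemetry query rather than read live (assumption).\r\n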
\r\nIndicators of Compromise (IOCs)\r\nMINIBIKE\r\n01cbaddd7a269521bf7b80f4a9a1982f\r\n054c67236a86d9ab5ec80e16b884f733\r\n1d8a1756b882a19d98632bc6c1f1f8cd\r\n2c4cdc0e78ef57b44f11f7ec2f6164cd\r\n3b658afa91ce3327dbfa1cf665529a6d\r\n409c2ac789015e76f9886f1203a73bc0\r\n601eb396c339a69e7d8c2a3de3b0296d\r\n664cfda4ada6f8b7bb25a5f50cccf984\r\n68f6810f248d032bbb65b391cdb1d5e0\r\n691d0143c0642ff783909f983ccb8ffd\r\n710d1a8b2fc17c381a7f20da5d2d70fc\r\n75d2c686d410ec1f880a6fd7a9800055\r\n909a235ac0349041b38d84e9aab3f3a1\r\na5e64f196175c5f068e1352aa04bc5fa\r\nadef679c6aa6860aa89b775dceb6958b\r\nbfd024e64867e6ca44738dd03d4f87b5\r\nc12ff86d32bd10c6c764b71728a51bce\r\ncf32d73c501d5924b3c98383f53fda51\r\nd94ffe668751935b19eaeb93fed1cdbe\r\ne3dc8810da71812b860fc59aeadcc350\r\ne9ed595b24a7eeb34ac52f57eeec6e2b\r\neadbaabe3b8133426bcf09f7102088d4\r\nMINIBUS\r\nef262f571cd429d88f629789616365e4\r\n816af741c3d6be1397d306841d12e206\r\nc5dc2c75459dc99a42400f6d8b455250\r\n05fcace605b525f1bece1813bb18a56c\r\n4ed5d74a746461d3faa9f96995a1eec8\r\nf58e0dfb8f915fa5ce1b7ca50c46b51b\r\nLIGHTRAIL\r\n0a739dbdbcf9a5d8389511732371ecb4\r\n36e2d9ce19ed045a9840313439d6f18d\r\naaef98be8e58be6b96566268c163b6aa\r\nc3830b1381d95aa6f97a58fd8ff3524e\r\nc51bc86beb9e16d1c905160e96d9fa29\r\na5fdf55c1c50be471946de937f1e46dd\r\nFake Job Offers\r\nec6a0434b94f51aa1df76a066aa05413\r\n89107ce5e27d52b9fa6ae6387138dd3e\r\n4a223bc9c6096ac6bae3e7452ed6a1cd\r\nC2 and Hosting Infrastructure\r\n1stemployer[.]com\r\nbirngthemhomenow[.]co[.]il\r\ncashcloudservices[.]com\r\njupyternotebookcollections[.]com\r\nnotebooktextcheckings[.]com\r\nteledyneflir[.]com[.]de\r\nvsliveagent[.]com\r\nxboxplayservice[.]com\r\nAzure Subdomains\r\nairconnectionapi[.]azurewebsites[.]net\r\nairconnectionsapi[.]azurewebsites[.]net\r\nairconnectionsapijson[.]azurewebsites[.]net\r\nairgadgetsolution[.]azurewebsites[.]net\r\nairgadgetsolutions[.]azurewebsites[.]net\r\naltnametestapi[.]azurewebsites[.]net\r\nanswerssurveytest[.]azurewebsites[.]net\r\napphrquestion[.]azurewebsites[.]net\r\napphrquestions[.]azurewebsites[.]net\r\napphrquizapi[.]azurewebsites[.]net\r\narquestionsapi[.]azurewebsites[.]net\r\narquestions[.]azurewebsites[.]net\r\naudiomanagerapi[.]azurewebsites[.]net\r\naudioservicetestapi[.]azurewebsites[.]net\r\nblognewsalphaapijson[.]azurewebsites[.]net\r\nblogvolleyballstatusapi[.]azurewebsites[.]net\r\nblogvolleyballstatus[.]azurewebsites[.]net\r\nboeisurveyapplications[.]azurewebsites[.]net\r\nbrowsercheckap[.]azurewebsites[.]net\r\nbrowsercheckingapi[.]azurewebsites[.]net\r\nbrowsercheckjson[.]azurewebsites[.]net\r\nchangequestionstypeapi[.]azurewebsites[.]net\r\nchangequestionstypejsonapi[.]azurewebsites[.]net\r\nchangequestiontypesapi[.]azurewebsites[.]net\r\nchangequestiontypes[.]azurewebsites[.]net\r\ncheckapicountryquestions[.]azurewebsites[.]net\r\ncheckapicountryquestionsjson[.]azurewebsites[.]net\r\ncheckservicecustomerapi[.]azurewebsites[.]net\r\ncoffeeonlineshop[.]azurewebsites[.]net\r\ncoffeeonlineshoping[.]azurewebsites[.]net\r\nconnectairapijson[.]azurewebsites[.]net\r\nconnectionhandlerapi[.]azurewebsites[.]net\r\ncountrybasedquestions[.]azurewebsites[.]net\r\ncustomercareserviceapi[.]azurewebsites[.]net\r\ncustomercareservice[.]azurewebsites[.]net\r\nemiratescheckapi[.]azurewebsites[.]net\r\nemiratescheckapijson[.]azurewebsites[.]net\r\nengineeringrssfeed[.]azurewebsites[.]net\r\nengineeringssfeed[.]azurewebsites[.]net\r\nexchtestcheckingapi[.]azurewebsites[.]net\r\nexchtestcheckingapihealth[.]azurewebsites[.]net\r\nflighthelicopterahtest[.]azurewebsites[.]net\r\nhelicopterahtest[.]azurewebsites[.]net\r\nhelicopterahtests[.]azurewebsites[.]net\r\nhelicoptersahtests[.]azurewebsites[.]net\r\nhiringarabicregion[.]azurewebsites[.]net\r\nhomefurniture[.]azurewebsites[.]net\r\nhrapplicationtest[.]azurewebsites[.]net\r\nhumanresourcesapi[.]azurewebsites[.]net\r\nhumanresourcesapijson[.]azurewebsites[.]net\r\nhumanresourcesapiquiz[.]azurewebsites[.]net\r\niaidevrssfeed[.]centralus[.]cloudapp[.]azure[.]com\r\niaidevrssfeed[.]centrualus[.]cloudapp[.]azure[.]com\r\niaidevrssfeed[.]cloudapp[.]azure[.]com\r\niaidevrssfeedp[.]cloudapp[.]azure[.]com\r\nidentifycheckapplication[.]azurewebsites[.]net\r\nidentifycheckapplications[.]azurewebsites[.]net\r\nidentifycheckingapplications[.]azurewebsites[.]net\r\nilengineeringrssfeed[.]azurewebsites[.]net\r\nintegratedblognewfeed[.]azurewebsites[.]net\r\nintegratedblognewsapi[.]azurewebsites[.]com\r\nintegratedblognewsapi[.]azurewebsites[.]net\r\nintegratedblognews[.]azurewebsites[.]net\r\nintengineeringrssfeed[.]azurewebsites[.]net\r\nintergratedblognewsapi[.]azurewebsites[.]net\r\njavaruntime[.]azurewebsites[.]net\r\njavaruntimestestapi[.]azurewebsites[.]net\r\njavaruntimetestapi[.]azurewebsites[.]net\r\njavaruntimeversioncheckingapi[.]azurewebsites[.]net\r\njavaruntimeversionchecking[.]azurewebsites[.]net\r\njupyternotebookcollection[.]azurewebsites[.]net\r\njupyternotebookcollections[.]azurewebsites[.]net\r\njupyternotebookscollection[.]azurewebsites[.]net\r\nlogsapimanagement[.]azurewebsites[.]net\r\nlogsapimanagements[.]azurewebsites[.]net\r\nlogupdatemanagementapi[.]azurewebsites[.]net\r\nlogupdatemanagementapijson[.]azurewebsites[.]net\r\nmanpowerfeedapi[.]azurewebsites[.]net\r\nmanpowerfeedapijson[.]azurewebsites[.]net\r\nmarineblogapi[.]azurewebsites[.]net\r\nnotebooktextchecking[.]azurewebsites[.]net\r\nnotebooktextcheckings[.]azurewebsites[.]net\r\nnotebooktexts[.]azurewebsites[.]net\r\nonequestionsapi[.]azurewebsites[.]net\r\nonequestionsapicheck[.]azurewebsites[.]net\r\nonequestions[.]azurewebsites[.]net\r\nopenapplicationcheck[.]azurewebsites[.]net\r\noptionalapplication[.]azurewebsites[.]net\r\npersonalitytestquestionapi[.]azurewebsites[.]net\r\npersonalizationsurvey[.]azurewebsites[.]net\r\nqaquestionapi[.]azurewebsites[.]net\r\nqaquestionsapi[.]azurewebsites[.]net\r\nqaquestionsapijson[.]azurewebsites[.]net\r\nqaquestions[.]azurewebsites[.]net\r\nqueryfindquestions[.]azurewebsites[.]net\r\nqueryquestions[.]azurewebsites[.]net\r\nquestionsapplicationapi[.]azurewebsites[.]net\r\nquestionsapplicationapijson[.]azurewebsites[.]net\r\nquestionsapplicationbackup[.]azurewebsites[.]net\r\nquestionsdatabases[.]azurewebsites[.]net\r\nquestionsurveyapp[.]azurewebsites[.]net\r\nhttps://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east\r\nPage 24 of 
26\n\nquestionsurveyappserver[.]azurewebsites[.]net\r\nquiztestapplication[.]azurewebsites[.]net\r\nrefaeldevrssfeed[.]centralus[.]cloudapp[.]azure[.]com\r\nregionuaequestions[.]azurewebsites[.]net\r\nregisterinsurance[.]azurewebsites[.]net\r\nroadmapselectorapi[.]azurewebsites[.]net\r\nroadmapselector[.]azurewebsites[.]net\r\nsportblogs[.]azurewebsites[.]net\r\nsurveyappquery[.]azurewebsites[.]net\r\nsurveyonlinetestapi[.]azurewebsites[.]net\r\nsurveyonlinetest[.]azurewebsites[.]net\r\ntechnewsblogapi[.]azurewebsites[.]net\r\ntestmanagementapi1[.]azurewebsites[.]net\r\ntestmanagementapis[.]azurewebsites[.]net\r\ntestmanagementapisjson[.]azurewebsites[.]net\r\ntestquestionapplicationapi[.]azurewebsites[.]net\r\ntesttesttes[.]azurewebsites[.]net\r\ntiappschecktest[.]azurewebsites[.]net\r\ntnlsowkis[.]westus3[.]cloudapp[.]azure[.]com\r\ntnlsowki[.]westus3[.]cloudapp[.]azure[.]com\r\nturkairline[.]azurewebsites[.]net\r\nuaeaircheckon[.]azurewebsites[.]net\r\nuaeairchecks[.]azurewebsites[.]net\r\nvscodeupdater[.]azurewebsites[.]net\r\nworkersquestionsapi[.]azurewebsites[.]net\r\nworkersquestions[.]azurewebsites[.]net\r\nhttps://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east\r\nPage 25 of 26\n\nworkersquestionsjson[.]azurewebsites[.]net\r\nPosted in\r\nThreat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east\r\nhttps://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east\r\nPage 26 of 26",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east"
	],
	"report_names": [
		"suspected-iranian-unc1549-targets-israel-middle-east"
	],
	"threat_actors": [
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0f91a2f-ae05-4658-a6df-14938355eecb",
			"created_at": "2024-03-02T02:00:03.833721Z",
			"updated_at": "2026-04-10T02:00:03.598612Z",
			"deleted_at": null,
			"main_name": "UNC1549",
			"aliases": [
				"Nimbus Manticore"
			],
			"source_name": "MISPGALAXY:UNC1549",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "786139da-4139-49d0-9685-e249c5f89f25",
			"created_at": "2024-12-30T02:01:48.731055Z",
			"updated_at": "2026-04-10T02:00:04.763086Z",
			"deleted_at": null,
			"main_name": "TA455",
			"aliases": [
				"Bohrium",
				"DEV-0056",
				"Operation Iranian Dream Job",
				"Smoke Sandstorm",
				"TA455",
				"UNC1549",
				"Yellow Dev 13"
			],
			"source_name": "ETDA:TA455",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"SlugResin",
				"SnailResin"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0dc20eeb-81e3-48ef-9a12-7b38fdcf07b1",
			"created_at": "2025-09-20T02:04:46.693616Z",
			"updated_at": "2026-04-10T02:00:03.735806Z",
			"deleted_at": null,
			"main_name": "COBALT SMOKEY",
			"aliases": [
				"Nimbus Manticore ",
				"Smoke Sandstorm ",
				"Subtle Snail ",
				"TA455 ",
				"UNC1549 "
			],
			"source_name": "Secureworks:COBALT SMOKEY",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"MINIBUS"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434521,
	"ts_updated_at": 1775792008,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97e82cf39609df840da241a077ef7a50879cf45d.pdf",
		"text": "https://archive.orkl.eu/97e82cf39609df840da241a077ef7a50879cf45d.txt",
		"img": "https://archive.orkl.eu/97e82cf39609df840da241a077ef7a50879cf45d.jpg"
	}
}