When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets
Israeli and Middle East Aerospace and Defense Sectors
By Mandiant
Published: 2024-02-27 · Archived: 2026-04-02 10:41:00 UTC
Written by: Ofir Rozmann, Chen Evgi, Jonathan Leathery
Today Mandiant is releasing a blog post about suspected Iran-nexus espionage activity targeting the
aerospace, aviation and defense industries in Middle East countries, including Israel and the United Arab
Emirates (UAE) and potentially Turkey, India, and Albania. 
Mandiant attributes this activity with moderate confidence to the Iranian actor UNC1549, which overlaps
with Tortoiseshell—a threat actor that has been publicly linked to Iran’s Islamic Revolutionary Guard Corps
(IRGC). Tortoiseshell has previously attempted to compromise supply chains by targeting defense contractors and
IT providers.  
The potential link between this activity and the Iranian IRGC is noteworthy given the focus on defense-related entities and the recent tensions with Iran in light of the Israel-Hamas war. Notably, Mandiant observed
an Israel-Hamas war-themed campaign that masquerades as the “Bring Them Home Now” movement,
which calls for the return of the Israelis kidnapped and held hostage by Hamas.
This suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February
2024. While regional in nature and focused mostly in the Middle East, the targeting includes entities operating
worldwide.
Mandiant observed this campaign deploy multiple evasion techniques to mask their activity, most prominently
the extensive use of Microsoft Azure cloud infrastructure as well as social engineering schemes to
disseminate two unique backdoors: MINIBIKE and MINIBUS.
This blog post details the suspected UNC1549 operations since June 2022, the ongoing development of their
proprietary malware, their network of over 125 Azure command-and-control (C2) subdomains, and their attack
lifecycle, which includes tactics, techniques, and procedures (TTPs) Mandiant has not previously seen deployed
by Iran.
Attribution
Mandiant assesses with moderate confidence that this activity has ties to UNC1549, an Iran-based espionage
group, which overlaps with activities publicly known as Tortoiseshell and Smoke Sandstorm/BOHRIUM. 
Namely, a fake recruiting website (1stemployer[.]com) was observed hosting a MINIBUS payload in November
2023. The template used for the fake recruiting website had been used previously in another fake recruiting
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 1 of 26

website, careers-finder[.]com, which was used by UNC1549. 
In this campaign, the MINIBUS backdoor was hosted on a fake job website (1stemployer[.]com) using the
exact same written contents as careers-finder[.]com used by UNC1549 in early 2022, for example, “After
considering the career and education background we introduce you to the employer companies which are
looking for the indicated skills and expertise.”
Figure 1: Fake job website 1stemployer[.]com deploying a template similar to a previous UNC1549 website
In addition, like in previous UNC1549 activities, this campaign leveraged .NET applications to deliver the
malware—this time the attackers implemented it by using a fake Hamas-affiliated application to deliver the
MINIBUS backdoor.
According to public reporting, Tortoiseshell, which is tied to UNC1549, is potentially linked to the IRGC.
In addition, the focused targeting of Middle East entities affiliated with the aerospace and defense sectors is
consistent with other Iran-nexus clusters of activity, some of which are affiliated with the IRGC as well.
Outlook and Implications
Mandiant research indicates this campaign remains active as of February 2024, and targeted entities are related to
defense, aerospace, and aviation in the Middle East, particularly in Israel and the UAE and potentially in Turkey,
India, and Albania. 
The intelligence collected on these entities is of relevance to strategic Iranian interests and may be leveraged for
espionage as well as kinetic operations. This is further supported by the potential ties between UNC1549 and the
IRGC.
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 2 of 26

The evasion methods deployed in this campaign, namely the tailored job-themed lures combined with the use of
cloud infrastructure for C2, may make it challenging for network defenders to prevent, detect, and mitigate this
activity. The intelligence and indicators provided in this report may support these efforts and enhance them.
Attack Lifecycle
This suspected UNC1549 campaign uses two primary methods to achieve initial access to the targets: spear-phishing and credential harvesting. A typical chain of attack consists of several stages:
Spear-phishing emails or social media correspondence, disseminating links to fake websites containing
Israel-Hamas related content or fake job offers. The websites would eventually lead to downloading a
malicious payload.
Figure 2: Fake website posing as the “Bring Them Home Now” movement, calling for the return of Israelis
kidnapped by Hamas
The fake job offers were for tech and defense-related positions, specifically in the aviation,
aerospace, or thermal imaging sectors. 
Mandiant also observed some of the fake job websites that hosted malicious payloads were also
used during 2023 to harvest credentials.
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 3 of 26

Figure 3: Fake login page masquerading as the aerospace company Boeing
Payload delivery, downloaded from the previously mentioned websites to the target’s computer. The
payload is a compressed archive that typically includes two main bundles:
MINIBIKE or MINIBUS—two unique backdoors deployed at least since 2022 (MINIBIKE) and
2023 (MINIBUS), providing full backdoor functionality (see the Technical Appendix for more
information).
A benign lure in the form of an application like OneDrive (MINIBIKE) or, in the case of MINIBUS,
a custom application presenting content related to Israelis kidnapped by Hamas hosted on the fake
website birngthemhomenow[.]co[.]il mentioned previously.
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 4 of 26

Figure 4: Decoy content used by MINIBUS, related to the “Bring Them Home Now” movement
Payload installation and device compromise, achieved after the MINIBIKE or MINIBUS backdoors
establish C2 communication, in most cases via Microsoft Azure cloud infrastructure. 
The access to the device can be leveraged for multiple purposes, including intelligence collection
and as a stepping stone for further access into the targeted network.
This stage may be supported by the use of LIGHTRAIL, a unique tunneler used in the campaign
(see the following details).
This suspected UNC1549 campaign deployed several evasion techniques to mask their activity:
Abusing Microsoft Azure infrastructure for C2 and hosting, making it difficult to discern the activity from
legitimate network traffic. In some cases, servers geolocated in the targeted countries (Israel and the UAE)
were used, further masking the activity.
Using domain naming schemes that include strings that would likely seem legitimate to network defenders,
like countries, organizations names, languages or descriptions related to the targeted sector. Following are
several examples of indicative Azure domains: 
ilengineeringrssfeed[.]azurewebsites[.]net (“IL Engineering RSS Feed”)
hiringarabicregion[.]azurewebsites[.]net (“Hiring Arabic Region”)
turkairline[.]azurewebsites[.]net (“Turk Airline”)
Using job-themed lures, offering various IT and tech-related positions, which are likely to be disseminated
legitimately. One of these fake job offers is presented in Figure 5.
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 5 of 26

Figure 5: Fake job offer on behalf of DJI, a drone manufacturing company (MD5:
4a223bc9c6096ac6bae3e7452ed6a1cd)
Malware Families
Mandiant observed the following custom malware families used in the suspected UNC1549 activity.
Malware
Family
Description First Seen
Last
Seen
MINIBIKE
A custom backdoor written in C++ capable of file exfiltration
and upload, command execution, and more. Communicates
using Azure cloud infrastructure.
June 2022
October
2023
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 6 of 26

MINIBUS
A custom backdoor that provides a more flexible code-execution interface and enhanced reconnaissance features
compared to MINIBIKE
August
2023
January
2024
LIGHTRAIL
A tunneler, likely based on an open-source Socks4a proxy,
that communicates using Azure cloud infrastructure
November
2022
August
2023
MINIBIKE is a custom malware written in C++, used since at least June 2022. Once MINIBIKE is installed, it
provides a full backdoor functionality, including directory and file enumeration, collection of system files and
information, uploading files, and running additional processes. 
The MINIBIKE platform usually consists of three utilities bundled in an archive, delivered via spear phishing:
1. The MINIBIKE backdoor, usually in the form of a .dll or a .dat file
2. A launcher, executed via search-order-hijacking (SoH), deploying MINIBIKE and setting its persistence
using registry keys
3. A legitimate/fake executable, used to mask the malicious MINIBIKE deployment. Mandiant observed
different MINIBIKE versions use three applications for this purpose: Microsoft SharePoint, Microsoft
OneDrive, and a fake Hamas-related .NET application.
The MINIBIKE platform has been in use since at least June 2022, gradually being developed to several versions
distinct from each other in lures, features, and functionality. While Mandiant did not observe any embedded
version numbers, the MINIBIKE instances can be divided to the following versions.
Ver. Date Changes (Compared to Earlier Version) Geographies Example MD5
1.0 June 2022
- First version
- C2 server geolocated in Iran (not Azure)
- Submitted to a public malware
repository from Iran
- Legitimate SharePoint installation as a
lure
- Bundled in an IMG drive
(“Screenshot.img”)
- Export DLL name: “update.dll”
Iran
adef679c6aa6860a
a89b775dceb6958b
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 7 of 26

1.1
October–
November
2022
- First use of Azure subdomains for C2 -
Three embedded, only one used
- First use of OneDrive installation as a
lure and as a registry key for persistence
- Export DLL name: “Mini.dll”
UAE, Turkey
409c2ac789015e76
f9886f1203a73bc0
2.0 August 2023
- Three to five Azure C2 domains used
subsequently in a loop
- Bundled in a ZIP file (“Survey.zip”)
- Additional obfuscation
- Additional functionality and commands
- Export DLL name: “Mini-Junked.dll”
Israel, UAE
691d0143c0642ff7
83909f983ccb8ffd
2.1 August 2023
- Uses “Image Photo Viewer“ registry key
for persistence
- Additional obfuscation
- Three Azure C2 domains
Israel, India
e3dc8810da71812b
860fc59aeadcc350
2.2
August–
October 2023
- Four Azure C2 domains
- Reverts back to OneDrive registry key
for persistence
- Additional functionality and commands
- Additional obfuscation
- Beacon communication looping over
three “files”: index.html, favicon.ico,
icon.svg
- Export DLL name: “Micro.dll”
Israel, UAE
054c67236a86d9ab
5ec80e16b884f733
MINIBUS: A RoBUSt Successor?
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 8 of 26

Mandiant observed a second backdoor deployed in this campaign, which bears multiple similarities to MINIBIKE
and was therefore named MINIBUS. The MINIBUS platform has been used since at least August 2023, likely
during the same time as the latest MINIBIKE versions, though not necessarily to target the same victims. 
MINIBUS is a more advanced, updated platform when compared to MINIBIKE. While similar in
functionality and code base, MINIBUS contains fewer built-in features and a more flexible code-execution
and command interface in addition to more advanced reconnaissance features. 
This might make the MINIBUS platform a more suitable option for an experienced operator, which instead of
using ready-to-use features may require a more flexible platform. Such an operator may be concerned with
operational security (OpSec), possibly as an early stage in a more elaborate  operation.
The following is a more detailed list of the key differences between the MINIBIKE and MINIBUS platforms.
Functionality
MINIBUS has fewer built-in commands and features when compared with MINIBIKE. Instead, MINIBUS
provides a more flexible code-execution and command interface, including the ability to run an executable
(for example, a possible next-stage implant) using a single command, unlike MINIBIKE.
MINIBUS has a process enumeration feature. A process list generated by MINIBUS may be useful to
avoid detection, for example, by identifying processes related to Virtual Machine (VM) utilities or security
applications (such as an EDR). 
Export DLL Names
The MINIBUS bundle contains DLLs with the names “torvaldinitial.dll” for its launcher/installer and
“torvaldspersist.dll” for its payload, unlike MINIBIKE, which utilizes export DLL names like “Dr2.dll” or
“MspUpdate.dll”  (for its launchers) and “Mini-Junked.dll” or “Micro.dll” (for its payloads).
C2 Communication
MINIBUS uses a combination of an Azure subdomain and unique *.com domains for C2 communications, unlike
MINIBIKE, which relies only on Azure infrastructure.
Lures and Themes
MINIBUS deployed lures related to the Israel-Hamas war, including a fake .NET application with themes and
contents abusing the “Bring Them Home Now” movement, which calls for the return of the Israeli hostages
kidnapped by Hamas. In another MINIBUS instance, Mandiant observed a lure related to Quizora, possibly
referring to a quiz application.
Targeting and Geography
Like MINIBIKE, Mandiant observed MINIBUS targeting Israel and possibly India and the UAE. In addition, a
MINIBUS C2 domain (cashcloudservices[.]com) had a subdomain with the prefix nsalbaniahack[.]*,
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 9 of 26

suggesting an interest in Albania as well, which is consistent with Iran interests but not yet observed in a
MINIBIKE-related activity.
LIGHTRAIL: Highway to Where?
In addition to the MINIBIKE and MINIBUS backdoors, Mandiant observed a tunneler named LIGHTRAIL likely
affiliated with UNC1549 as well.
LIGHTRAIL has several connections to MINIBIKE and MINIBUS in the form of (1) a shared code base, (2)
Azure C2 infrastructure with similar patterns and naming, and (3) overlapping targets and victimology.
LIGHTRAIL communicates with an Azure C2 subdomain of the form *[.]*[.]cloudapp[.]azure[.]com. Mandiant
assesses with medium confidence that both LIGHTRAIL and MINIBIKE were used to target the same victim
environment at least once.
LIGHTRAIL likely leverages the open-source utility “Lastenzug” (“freight train” in German), a Socks4a proxy
based on websockets with a “static obfuscation on [the] assembly level.” LIGHTRAIL’s export DLL is named
“lastenzug.dll,” and it shares the same hard-coded User Agent as Lastenzug.
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135
Safari/537.36 Edge/12.10136
Mandiant observed two LIGHTRAIL versions used at least since November 2022. Similarly to MINIBIKE, no
“official” versions were embedded in LIGHTRAIL’s code, but the instances can be divided to two versions.
Ver. Date Changes (Compared to Earlier Version) Geographies Example MD5
1.0
November
2022
- C2 domains:
tnlsowki[.]westus3[.]cloudapp[.]azure[.]com
tnlsowkis[.]westus3[.]cloudapp[.]azure[.]com
- Export DLL named “lastenzug.dll”, likely
referring to the open-source Socks4a proxy
Turkey
36e2d9ce19ed045a
9840313439d6f18d
2.0
August
2023
- C2 domain:
iaidevrssfeed[.]centralus[.]cloudapp[.]azure[.]com
- Export DLL named “Lastenzug.dll” (capital ‘L’)
- String obfuscation, similar to MINIBIKE
Israel
a5fdf55c1c50be47
1946de937f1e46dd
Credential Harvesting and Fake Job Offers
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 10 of 26

Mandiant observed that several websites hosting MINIBIKE payloads also hosted fake login pages in mid-2023
posing as job offers on behalf of legitimate defense and technology-related companies. More specifically, the
companies were affiliated with the  aerospace, aviation, and thermal imaging industries.
Figure 6: Fake login page masquerading as the aerospace company Boeing
Figure 7: Fake login page masquerading as Teledyne FLIR, a manufacturer of thermal imaging devices
In addition, Mandiant observed suspected UNC1549 infrastructure hosting job description documents for
positions in DJI,  a drone manufacturing company, in parallel to a MINIBIKE .zip file. 
The documents were likely used as lures in social engineering efforts, either for running malicious files or
harvesting credentials.
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 11 of 26

Figure 8: Fake DJI job offer (MD5: 4a223bc9c6096ac6bae3e7452ed6a1cd)
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 12 of 26

Figure 9: Fake DJI job offer (MD5: ec6a0434b94f51aa1df76a066aa05413)
Technical Appendix
MINIBIKE Technical Analysis
Mandiant observed the following versions of MINIBIKE deployed since 2022.
Version 1.x, June–November 2022
Payload: IMG archive named Screenshot.img (example MD5: 409c2ac789015e76f9886f1203a73bc0),
containing the following files:
Screenshots.lnk - a launcher LNK file (MD5: cb565b1bb128dfc20c8392974ff73e3f)
Setup.exe - a legitimate OneDrive/SharePoint executable (MD5:
400d7190012517677dd5ef2e471f2cd1)
secur32.dll - the MINIBIKE launcher, executed via search-order-hijacking (SoH) (MD5:
54848d17aa76d807e2fd6d196a01ce84)
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 13 of 26

configur.dll - the MINIBIKE backdoor (MD5: e9ed595b24a7eeb34ac52f57eeec6e2b)
Note: Most of the following analysis refers to version 1.0, but version 1.1 behaves in a similar manner.
Execution: once the IMG archive is mounted, the malicious launcher is executed via SoH and copies the
legitimate executable and the MINIBIKE backdoor to the following paths:
Legitimate executable: %LOCALAPPDATA%\Microsoft\OneDrive\configs\FileCoAuth.exe
MINIBIKE backdoor: %LOCALAPPDATA%\Microsoft\OneDrive\configs\secur32.dll
Persistence: The loader/installer sets persistence for the MINIBIKE payload by moving it to its staging
directory and setting the following Run registry key:
Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveFileCoAuth.exe
Value: %LOCALAPPDATA%\Microsoft\OneDrive\configs\FileCoAuth.exe
Export DLL name:
Version 1.0: “update.dll”
Version 1.1: “Mini.dll”
User Agent:
Version 1.0: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/99.0.4844.82 Mobile Safari/537.36
Version 1.1: Mozilla/5.0
C2 infrastructure: 
Version 1.0: 158.255.74[.]25
Version 1.1: homefurniture[.]azurewebsites[.]net
C2 URIs:
Version 1.0:
/api/blogs/96752 - initial beacon and request command
/api/blogs/result/96752 - command/request response
/api/blogs/download/ - download file
/api/blogs/result/file/ - upload file
Version 1.1:
/news/notifications/235722 - initial beacon and request command
/news/update/ - command/request response
/news/image/ - download file
Affected geographies: UAE, Turkey, Iran
Version 2.x, August–October 2023
Payload: ZIP archive, usually named Survey.zip (example MD5: 691d0143c0642ff783909f983ccb8ffd),
containing the following files:
Setup.exe - a legitimate executable used to sideload the installer (MD5:
ce1054d542dbd999401236f2ce20f826)
secur32.dll - The MINIBIKE backdoor - (MD5: 1e7cf4c172bdabe48714b402d2255707)
lang.dat - a MINIBIKE installer (MD5: 909a235ac0349041b38d84e9aab3f3a1)
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 14 of 26

Execution: once the legitimate executable is run, the MINIBIKE installer is sideloaded and the files are
copied to the following paths:
Legitimate executable: %LOCALAPPDATA%\Microsoft\Internet Explorer\FileCoAuth.exe
MINIBIKE backdoor: %LOCALAPPDATA%\Microsoft\Internet Explorer\secur32.dll
Persistence: The loader/installer sets persistence for the MINIBIKE payload by moving it to its staging
directory and setting the following Run registry key:
Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive FileCoAuth
Value: %LOCALAPPDATA%\Microsoft\Internet Explorer\secur32.dll
Note: Version 2.1 uses ‘Image Photo Viewer’ as a registry key
Export DLL name:
Versions 2.0 and 2.1: “Mini-Junked.dll”
Version 2.2: “Micro.dll”
Note: In a single instance Mandiant observed the use of “devobj.dll”
User Agent:
Version 2.0: 
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/539.180 (KHTML, like Gecko)
Chrome/110.0.0.2 Safari/538.36 
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/539.181 (KHTML, like Gecko)
Chrome/111.0.0.2 Safari/538.46
Version 2.1: 
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/539.181 (KHTML, like Gecko)
Chrome/111.0.0.2 Safari/538.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/539.181 (KHTML, like Gecko)
Chrome/111.0.0.2 Safari/538.46
Version 2.2: 
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/115.0.0.0 Safari/537.36
Note: In a single instance Mandiant observed the use of “Mozilla/5.0” user agent.
C2 infrastructure: This version of MINIBIKE communicates with three to five Azure subdomains. After
every communication it uses the next C2 in a loop, for example:
blogvolleyballstatus[.]azurewebsites[.]net
blogvolleyballstatusapi[.]azurewebsites[.]net
marineblogapi[.]azurewebsites[.]net
C2 URIs: 
Versions 2.0 and 2.1:
/news/notifications/<six_digits> - initial beacon and request command
/news/update/ - command/request response
/news/image/ - download file
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 15 of 26

Version 2.2:
/assets/<six_or_eight_digits>/ {index.html / favicon.ico / icon.svg} - initial beacon and
request command
/assets/<six_or_eight_digits>/ - command/request response
/assets/<six_or_eight_digits>/ - download file
/assets/<six_or_eight_digits>/ - upload file
Note: In a single instance Mandiant observed the use of URIs of the form: blogs/<keywords>
Affected geographies: Israel, UAE, and potentially India
MINIBUS Analysis
Payload: ZIP archive named bringthemhomenow.zip (MD5: ef262f571cd429d88f629789616365e4),
containing the following files:
BringThemeHome.exe - a benign executable (MD5: ce1054d542dbd999401236f2ce20f826)
A MINIBUS installer - secur32.dll (MD5: c5dc2c75459dc99a42400f6d8b455250)
CoreUIComponent.dll - the MINIBUS backdoor (MD5: 816af741c3d6be1397d306841d12e206)
essential.dat - an additional archive containing decoy content: a “Bring Them Home” fake .NET
application created by  the threat actor (MD5: 251894b3af0ece374ed6df223ab09cab)
Execution: Once the legitimate executable is run, the MINIBUS installer is installed via search-order-hijacking (SoH). 
The installer DLL displays a message indicating the files are being extracted:
Figure 10: MINIBUS installer DLL installation message
The decoy contents are moved to their intended location on the targeted system:
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 16 of 26

Figure 11: Installer DLL message box
Two main decoy files are contained within the ZIP archive along with some dependency files, essential.dat (MD5:
251894b3af0ece374ed6df223ab09cab):
Decoy .NET application masquerading as an application related to Israeli hostages kidnapped by Hamas
during the Oct. 7 attack on
Israel: <extraction_directory>\BringThemeHomeNow\BringThemeHomeNow.exe [sic] (MD5:
dfed4468dd78ad2f5d762741df4c1755)
Figure 12: Fake “Bring Them Home Now”.NET application “BringThemeHomeNow.exe” [sic]
Decoy image: <extraction_directory>\BringThemeHomeNow\petition.jpg (MD5:
c0060a0c26df9fed7fdcdb7d26ff921f)
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 17 of 26

Figure 13: Decoy content "petition.jpg"
Upon execution, the .NET application initially checks of the existence of a flag file that indicates if the decoy has
previously run on the device: %LOCALAPPDATA%\Commons\lg
If the file does not exist, a splash screen is displayed prior to entering the application. If the file already exists, the
application presents the main screen (seen in Figure 12).
In addition to displaying decoy content to the victim, the installer DLL copies the backdoor and dependency files
to their staging directory, and it also sets persistence for the backdoor using the following registry run key:
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveCoUpdate
Value: %LOCALAPPDATA%\Microsoft\OneDrive\cache\logger\FileCoAuth.exe
C2 infrastructure: This version of MINIBIKE communicates with one Azure subdomain and two
dedicated domains:
vscodeupdater[.]azurewebsites[.]net
cashcloudservices[.]com
xboxplayservice[.]com
Affected geographies: Israel and India, as well as possibly UAE and Albania, based on the following
subdomains of cashcloudservices[.]com:
dubai-ae0043[.]cashcloudservices[.]com
nsalbaniahack[.]cashcloudservices[.]com
Detection and Mitigation
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 18 of 26

If you are a Google Chronicle Enterprise+ customer, Chronicle rules were released to your Emerging Threats rule
pack, and IOCs listed in this blog post are available for prioritization with Applied Threat Intelligence.  
Indicators of Compromise (IOCs)
MINIBIKE
01cbaddd7a269521bf7b80f4a9a1982f
054c67236a86d9ab5ec80e16b884f733
1d8a1756b882a19d98632bc6c1f1f8cd
2c4cdc0e78ef57b44f11f7ec2f6164cd
3b658afa91ce3327dbfa1cf665529a6d
409c2ac789015e76f9886f1203a73bc0
601eb396c339a69e7d8c2a3de3b0296d
664cfda4ada6f8b7bb25a5f50cccf984
68f6810f248d032bbb65b391cdb1d5e0
691d0143c0642ff783909f983ccb8ffd
710d1a8b2fc17c381a7f20da5d2d70fc
75d2c686d410ec1f880a6fd7a9800055
909a235ac0349041b38d84e9aab3f3a1
a5e64f196175c5f068e1352aa04bc5fa
adef679c6aa6860aa89b775dceb6958b
bfd024e64867e6ca44738dd03d4f87b5
c12ff86d32bd10c6c764b71728a51bce
cf32d73c501d5924b3c98383f53fda51
d94ffe668751935b19eaeb93fed1cdbe
e3dc8810da71812b860fc59aeadcc350
e9ed595b24a7eeb34ac52f57eeec6e2b
eadbaabe3b8133426bcf09f7102088d4
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 19 of 26

MINIBUS
ef262f571cd429d88f629789616365e4
816af741c3d6be1397d306841d12e206
c5dc2c75459dc99a42400f6d8b455250
05fcace605b525f1bece1813bb18a56c
4ed5d74a746461d3faa9f96995a1eec8
f58e0dfb8f915fa5ce1b7ca50c46b51b
LIGHTRAIL
0a739dbdbcf9a5d8389511732371ecb4
36e2d9ce19ed045a9840313439d6f18d
aaef98be8e58be6b96566268c163b6aa
c3830b1381d95aa6f97a58fd8ff3524e
c51bc86beb9e16d1c905160e96d9fa29
a5fdf55c1c50be471946de937f1e46dd
Fake Job Offers
ec6a0434b94f51aa1df76a066aa05413
89107ce5e27d52b9fa6ae6387138dd3e
4a223bc9c6096ac6bae3e7452ed6a1cd
C2 and Hosting Infrastructure
1stemployer[.]com
birngthemhomenow[.]co[.]il
cashcloudservices[.]com
jupyternotebookcollections[.]com
notebooktextcheckings[.]com
teledyneflir[.]com[.]de
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 20 of 26

vsliveagent[.]com
xboxplayservice[.]com
Azure Subdomains
airconnectionapi[.]azurewebsites[.]net
airconnectionsapi[.]azurewebsites[.]net
airconnectionsapijson[.]azurewebsites[.]net
airgadgetsolution[.]azurewebsites[.]net
airgadgetsolutions[.]azurewebsites[.]net
altnametestapi[.]azurewebsites[.]net
answerssurveytest[.]azurewebsites[.]net
apphrquestion[.]azurewebsites[.]net
apphrquestions[.]azurewebsites[.]net
apphrquizapi[.]azurewebsites[.]net
arquestionsapi[.]azurewebsites[.]net
arquestions[.]azurewebsites[.]net
audiomanagerapi[.]azurewebsites[.]net
audioservicetestapi[.]azurewebsites[.]net
blognewsalphaapijson[.]azurewebsites[.]net
blogvolleyballstatusapi[.]azurewebsites[.]net
blogvolleyballstatus[.]azurewebsites[.]net
boeisurveyapplications[.]azurewebsites[.]net
browsercheckap[.]azurewebsites[.]net
browsercheckingapi[.]azurewebsites[.]net
browsercheckjson[.]azurewebsites[.]net
changequestionstypeapi[.]azurewebsites[.]net
changequestionstypejsonapi[.]azurewebsites[.]net
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 21 of 26

changequestiontypesapi[.]azurewebsites[.]net
changequestiontypes[.]azurewebsites[.]net
checkapicountryquestions[.]azurewebsites[.]net
checkapicountryquestionsjson[.]azurewebsites[.]net
checkservicecustomerapi[.]azurewebsites[.]net
coffeeonlineshop[.]azurewebsites[.]net
coffeeonlineshoping[.]azurewebsites[.]net
connectairapijson[.]azurewebsites[.]net
connectionhandlerapi[.]azurewebsites[.]net
countrybasedquestions[.]azurewebsites[.]net
customercareserviceapi[.]azurewebsites[.]net
customercareservice[.]azurewebsites[.]net
emiratescheckapi[.]azurewebsites[.]net
emiratescheckapijson[.]azurewebsites[.]net
engineeringrssfeed[.]azurewebsites[.]net
engineeringssfeed[.]azurewebsites[.]net
exchtestcheckingapi[.]azurewebsites[.]net
exchtestcheckingapihealth[.]azurewebsites[.]net
flighthelicopterahtest[.]azurewebsites[.]net
helicopterahtest[.]azurewebsites[.]net
helicopterahtests[.]azurewebsites[.]net
helicoptersahtests[.]azurewebsites[.]net
hiringarabicregion[.]azurewebsites[.]net
homefurniture[.]azurewebsites[.]net
hrapplicationtest[.]azurewebsites[.]net
humanresourcesapi[.]azurewebsites[.]net
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 22 of 26

humanresourcesapijson[.]azurewebsites[.]net
humanresourcesapiquiz[.]azurewebsites[.]net
iaidevrssfeed[.]centralus[.]cloudapp[.]azure[.]com
iaidevrssfeed[.]centrualus[.]cloudapp[.]azure[.]com
iaidevrssfeed[.]cloudapp[.]azure[.]com
iaidevrssfeedp[.]cloudapp[.]azure[.]com
identifycheckapplication[.]azurewebsites[.]net
identifycheckapplications[.]azurewebsites[.]net
identifycheckingapplications[.]azurewebsites[.]net
ilengineeringrssfeed[.]azurewebsites[.]net
integratedblognewfeed[.]azurewebsites[.]net
integratedblognewsapi[.]azurewebsites[.]com
integratedblognewsapi[.]azurewebsites[.]net
integratedblognews[.]azurewebsites[.]net
intengineeringrssfeed[.]azurewebsites[.]net
intergratedblognewsapi[.]azurewebsites[.]net
javaruntime[.]azurewebsites[.]net
javaruntimestestapi[.]azurewebsites[.]net
javaruntimetestapi[.]azurewebsites[.]net
javaruntimeversioncheckingapi[.]azurewebsites[.]net
javaruntimeversionchecking[.]azurewebsites[.]net
jupyternotebookcollection[.]azurewebsites[.]net
jupyternotebookcollections[.]azurewebsites[.]net
jupyternotebookscollection[.]azurewebsites[.]net
logsapimanagement[.]azurewebsites[.]net
logsapimanagements[.]azurewebsites[.]net
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 23 of 26

logupdatemanagementapi[.]azurewebsites[.]net
logupdatemanagementapijson[.]azurewebsites[.]net
manpowerfeedapi[.]azurewebsites[.]net
manpowerfeedapijson[.]azurewebsites[.]net
marineblogapi[.]azurewebsites[.]net
notebooktextchecking[.]azurewebsites[.]net
notebooktextcheckings[.]azurewebsites[.]net
notebooktexts[.]azurewebsites[.]net
onequestionsapi[.]azurewebsites[.]net
onequestionsapicheck[.]azurewebsites[.]net
onequestions[.]azurewebsites[.]net
openapplicationcheck[.]azurewebsites[.]net
optionalapplication[.]azurewebsites[.]net
personalitytestquestionapi[.]azurewebsites[.]net
personalizationsurvey[.]azurewebsites[.]net
qaquestionapi[.]azurewebsites[.]net
qaquestionsapi[.]azurewebsites[.]net
qaquestionsapijson[.]azurewebsites[.]net
qaquestions[.]azurewebsites[.]net
queryfindquestions[.]azurewebsites[.]net
queryquestions[.]azurewebsites[.]net
questionsapplicationapi[.]azurewebsites[.]net
questionsapplicationapijson[.]azurewebsites[.]net
questionsapplicationbackup[.]azurewebsites[.]net
questionsdatabases[.]azurewebsites[.]net
questionsurveyapp[.]azurewebsites[.]net
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 24 of 26

questionsurveyappserver[.]azurewebsites[.]net
quiztestapplication[.]azurewebsites[.]net
refaeldevrssfeed[.]centralus[.]cloudapp[.]azure[.]com
regionuaequestions[.]azurewebsites[.]net
registerinsurance[.]azurewebsites[.]net
roadmapselectorapi[.]azurewebsites[.]net
roadmapselector[.]azurewebsites[.]net
sportblogs[.]azurewebsites[.]net
surveyappquery[.]azurewebsites[.]net
surveyonlinetestapi[.]azurewebsites[.]net
surveyonlinetest[.]azurewebsites[.]net
technewsblogapi[.]azurewebsites[.]net
testmanagementapi1[.]azurewebsites[.]net
testmanagementapis[.]azurewebsites[.]net
testmanagementapisjson[.]azurewebsites[.]net
testquestionapplicationapi[.]azurewebsites[.]net
testtesttes[.]azurewebsites[.]net
tiappschecktest[.]azurewebsites[.]net
tnlsowkis[.]westus3[.]cloudapp[.]azure[.]com
tnlsowki[.]westus3[.]cloudapp[.]azure[.]com
turkairline[.]azurewebsites[.]net
uaeaircheckon[.]azurewebsites[.]net
uaeairchecks[.]azurewebsites[.]net
vscodeupdater[.]azurewebsites[.]net
workersquestionsapi[.]azurewebsites[.]net
workersquestions[.]azurewebsites[.]net
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 25 of 26

workersquestionsjson[.]azurewebsites[.]net
Posted in
Threat Intelligence
Source: https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
Page 26 of 26