Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem
Mandiant
Written by: Mohamed El-Banna, Daniel Lee, Mike Stokkel, Josh Goddard

Overview
• Last year, Mandiant published a blog post highlighting suspected Iran-nexus espionage activity targeting the aerospace, aviation, and defense industries in the Middle East.
• In this follow-up post, Mandiant discusses additional tactics, techniques, and procedures (TTPs) observed in incidents Mandiant has responded to.
• Since mid-2024, Mandiant has responded to targeted campaigns by the threat group UNC1549 against the aerospace, aviation, and defense industries.
• To gain initial access into these environments, UNC1549 employed a dual approach: deploying well-crafted phishing campaigns designed to steal credentials or deliver malware, and exploiting trusted connections with third-party suppliers and partners.
• The latter technique is particularly strategic when targeting organizations with high security maturity, such as defense contractors.
• While these primary targets often invest heavily in robust defenses, their third-party partners may possess less stringent security postures.
Article Summaries:
- Mandiant's latest report details the tactics of threat group UNC1549, which has targeted aerospace, aviation, and defense firms from late 2023 through 2025. The group gains initial access through a dual strategy: sophisticated, role-specific phishing campaigns and exploitation of trusted third-party suppliers. By compromising vendor credentials, UNC1549 pivots from partner-facing remote-access environments (such as Citrix, VMware, and Azure Virtual Desktop) into the target's network, then breaks out of the virtual desktop sessions to move laterally. Inside, the attackers use custom tools (e.g., DCSYNCER.SLICK for DCSync attacks against Active Directory), steal source code to build look-alike domains for phishing, and abuse internal ticketing systems to harvest credentials. They establish long-term persistence with stealthy backdoors that remain dormant until eradication attempts, and they use reverse SSH shells and industry-mimicking domains to limit the forensic evidence left behind.
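The summary above names DCSync as the credential-theft technique behind the group's custom tooling. A DCSync client impersonates a domain controller and asks a real DC for directory replication, which the DC records as Security Event ID 4662 carrying the replication extended-right GUIDs (when "Audit Directory Service Access" is enabled and the domain object's SACL covers control-access operations). The detection below is an added example written for this page, not code from Mandiant or from the report; the replication GUIDs are the well-known Active Directory schema values, while the flattened `Key=Value|Key=Value` record format, the sample events, the account names (`DC01$`, `svc-vendor-support`, `MSOL_1a2b3c4d`) and the `find_dcsync` helper are constructed for illustration.

```python
import re

# Extended rights that authorise directory replication. These GUIDs are the
# standard Active Directory schema values; any account that holds them on the
# domain naming context can pull password hashes via DCSync.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Constructed sample records (assumption: events were flattened by a log
# forwarder into 'Key=Value|Key=Value' lines; a real pipeline would parse the
# event XML or JSON). 19195a5b-... is the domainDNS class, bf967aba-... the
# user class, so the third record is an ordinary object read, not replication.
SAMPLE_EVENTS = [
    "EventID=4662|TimeCreated=2025-06-01T02:14:07Z|SubjectUserName=DC01$|SubjectDomainName=CORP"
    "|ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9}|Properties=%%7688 "
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
    "{19195a5b-6da0-11d0-afd3-00c04fd930c9}|AccessMask=0x100",
    "EventID=4662|TimeCreated=2025-06-01T02:15:33Z|SubjectUserName=svc-vendor-support|SubjectDomainName=CORP"
    "|ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9}|Properties=%%7688 "
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
    "{19195a5b-6da0-11d0-afd3-00c04fd930c9}|AccessMask=0x100",
    "EventID=4662|TimeCreated=2025-06-01T02:16:02Z|SubjectUserName=jdoe|SubjectDomainName=CORP"
    "|ObjectType=%{bf967aba-0de6-11d0-a285-00aa003049e2}|Properties=%%7688 "
    "{bf967aba-0de6-11d0-a285-00aa003049e2}|AccessMask=0x100",
    "EventID=4624|TimeCreated=2025-06-01T02:16:10Z|SubjectUserName=jdoe|SubjectDomainName=CORP|LogonType=3",
    "EventID=4662|TimeCreated=2025-06-01T02:20:00Z|SubjectUserName=MSOL_1a2b3c4d|SubjectDomainName=CORP"
    "|ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9}|Properties=%%7688 "
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}|AccessMask=0x100",
]


def parse_event(line: str) -> dict:
    """Split one flattened record into a field dict (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def replication_rights(evt: dict) -> list:
    """Return the names of any replication rights listed in Properties."""
    props = evt.get("Properties", "").lower()
    found = {g for g in GUID_RE.findall(props) if g in REPLICATION_RIGHTS}
    return sorted(REPLICATION_RIGHTS[g] for g in found)


def find_dcsync(lines, dc_accounts, allowlist):
    """Flag 4662 replication requests from anything that is not a DC computer
    account or an explicitly allowlisted replication service account.

    Domain controllers replicate with each other using their own computer
    accounts (DC01$), and directory-sync services such as Entra Connect hold
    the same rights legitimately, so both must be excluded or every run
    produces noise. Anything else asking for these rights is a DCSync until
    proven otherwise."""
    expected = {a.upper() for a in dc_accounts} | {a.upper() for a in allowlist}
    alerts = []
    for line in lines:
        evt = parse_event(line)
        if evt.get("EventID") != "4662":
            continue
        rights = replication_rights(evt)
        if not rights:
            continue
        subject = evt.get("SubjectUserName", "")
        if subject.upper() in expected:
            continue
        alerts.append({
            "time": evt.get("TimeCreated"),
            "subject": f"{evt.get('SubjectDomainName', '')}\\{subject}",
            "rights": rights,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}, {"MSOL_1a2b3c4d"}):
        print(f"{alert['time']} DCSync-style replication by {alert['subject']}: "
              f"{', '.join(alert['rights'])}")
```

Run against the constructed sample, only the request from `svc-vendor-support` is reported, which matches the vendor-credential pivot the summary describes: the account is not a DC and not a known sync service, yet it is asking the DC for the two rights that together allow full secret replication. The allowlist is the part that needs maintaining; keep it short and review any addition, since an attacker who lands on an allowlisted sync account inherits its silence.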
Sources: