Iran-linked Subtle Snail Targets European Telecoms in LinkedIn Recruitment Scheme, 34 Devices Infected

An Iran-nexus cyber espionage group known as UNC1549, also tracked as Subtle Snail, has been attributed to a campaign targeting European telecommunications firms, with researchers reporting 34 infected devices across 11 organizations in a recruitment-themed operation conducted via LinkedIn.

Swiss cybersecurity firm PRODAFT attributes the activity to Subtle Snail and assesses the group to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). The targeted companies span Canada, France, the United Arab Emirates, the United Kingdom, and the United States.

According to PRODAFT, the operators engage potential victims by posing as HR representatives from legitimate organizations to initiate contact, then compromise them through the deployment of a MINIBIKE backdoor variant that communicates with command-and-control (C2) infrastructure proxied through Azure cloud services to bypass detection.

UNC1549 – also known as TA455 – has been active since at least June 2022 and is believed to overlap with other Iranian actors such as Smoke Sandstorm and Crimson Sandstorm. The campaign also mirrors earlier descriptions of Subtle Snail’s targeting of aerospace and defense sectors, with researchers noting a long-term interest in telecommunications environments to establish persistence and data exfiltration capabilities.

In practice, the attackers run LinkedIn reconnaissance operations to identify researchers, developers, and IT administrators with elevated access, then dispatch spear-phishing emails to validate contact details before launching the fake recruitment drive. When a target engages, they are directed to a fraudulent domain that mimics legitimate companies, and submitting the requested information triggers a ZIP archive download that contains a malicious executable. Once the executable is run, a DLL side-loading technique loads a bespoke MINIBIKE DLL, enabling data collection and staged payload delivery for broader reconnaissance and credential theft.

MINIBIKE is described by PRODAFT as a modular backdoor supporting 12 commands for C2 communication, including file enumeration, process listing and termination, chunked file uploads, and the ability to execute payloads in various forms. The malware blends C2 traffic with legitimate Azure cloud services and VPS proxies, and it modifies the Windows Registry to ensure persistence on startup. Analysts note anti-debugging and anti-sandbox features, plus techniques such as Control Flow Flattening and runtime API function resolution to hinder reverse engineering. The group also uses a Chrome-based browser data theft approach that leverages the Chrome-App-Bound-Encryption-Decryption tool from GitHub to bypass app-bound encryption protections when stealing browser data.
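The two observable stages of the chain described above, an executable run from a user-writable extraction folder that side-loads an unsigned DLL from its own directory and then sets an autorun registry value, can be correlated from endpoint telemetry. The hunt below is an added illustration, not PRODAFT's tooling or data: the Sysmon-like event records, file names and the use of the `CurrentVersion\Run` key are constructed assumptions, since the article does not name the specific DLL or registry location.

```python
"""Correlate DLL side-loading from a user-writable path with a later autorun
registry write by the same process. Event records are constructed samples."""
from collections import defaultdict

# Constructed Sysmon-style events (assumed field names, not a real log format).
EVENTS = [
    {"type": "process_create", "pid": 4711,
     "image": r"C:\Users\alice\Downloads\offer\Application.exe"},
    {"type": "image_load", "pid": 4711,
     "image": r"C:\Users\alice\Downloads\offer\Application.exe",
     "loaded": r"C:\Users\alice\Downloads\offer\helper.dll", "signed": False},
    {"type": "registry_set", "pid": 4711,
     "image": r"C:\Users\alice\Downloads\offer\Application.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # Benign control: vendor binary loading a signed system DLL.
    {"type": "process_create", "pid": 5000, "image": r"C:\Program Files\Vendor\app.exe"},
    {"type": "image_load", "pid": 5000, "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Windows\System32\helper.dll", "signed": True},
]

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def _same_dir(a, b):
    return a.lower().rsplit("\\", 1)[0] == b.lower().rsplit("\\", 1)[0]


def hunt(events):
    """Return {pid: [reasons]} only for processes showing BOTH stages:
    an unsigned same-directory DLL load from a user-writable path, and an
    autorun registry write. Either stage alone is kept quiet to limit noise."""
    stages = defaultdict(list)
    for e in events:
        if (e["type"] == "image_load" and not e.get("signed", True)
                and _user_writable(e["image"]) and _same_dir(e["image"], e["loaded"])):
            stages[e["pid"]].append("sideload:" + e["loaded"])
        elif (e["type"] == "registry_set" and _user_writable(e["image"])
                and any(k in e["key"].lower() for k in AUTORUN_KEYS)):
            stages[e["pid"]].append("autorun:" + e["key"])
    return {pid: r for pid, r in stages.items()
            if any(x.startswith("sideload:") for x in r)
            and any(x.startswith("autorun:") for x in r)}
```

Feeding real Sysmon Event ID 7 (ImageLoad) and 13 (RegistryEvent) records into `hunt` requires mapping their field names onto the assumed ones used here.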

Researchers warn that Subtle Snail’s operations aim to maximize long-term access to critical telecom networks and to harvest sensitive information, including emails, VPN configurations, and data stored in shared folders, to facilitate ongoing espionage activities. The campaign underscores the group’s preference for targeted, victim-specific DLL deployments, even for collecting routine network configuration details from devices, according to PRODAFT.

Separately, threat intelligence firm Group-IB has highlighted MuddyWater (aka APT35, among other names) as another Iranian state-sponsored actor with a diversified toolkit that has increasingly relied on bespoke backdoors and non-RMM tooling. Group-IB notes a shift toward AWS hosting and Cloudflare-driven obfuscation to hinder analysis, alongside a suite of tools including BugSleep, LiteInject, StealthCache, Fooder, Phoenix, CannonRat, and UDPGangster.

Group-IB researcher Mansour Alhmoud described MuddyWater as an enduring element of Iran’s intelligence apparatus, with a history of targeting telecom, government, energy, and defense sectors in the Middle East, and a recent uptick in activity against Europe and the United States. The report notes continued reliance on phishing with malicious macros and the use of AWS hosting to stage malicious assets, alongside Cloudflare services to mask infrastructure fingerprints.