Mandiant, the Google-owned security unit, attributed a sustained campaign against aerospace, aviation and defence organisations in the Middle East to a cluster it tracks as UNC1549. The investigators said suspected espionage-driven actors deployed backdoors including TWOSTROKE and DEEPROOT as part of operations observed between late 2023 and 2025.
According to Mandiant researchers Mohamed El-Banna, Daniel Lee, Mike Stokkel and Josh Goddard, the group used sophisticated initial access methods such as abusing third-party supplier relationships to pivot to target organisations, breaking out of virtual desktop infrastructure sessions, and highly targeted, role-relevant spear-phishing to steal credentials or distribute malware.
The intrusions often began with credentials harvested from external entities that provide services such as Citrix, VMware and Azure Virtual Desktop and Application environments; the attackers used those credentials to establish footholds and escape virtualised sessions to reach the underlying hosts. The campaign also relied on recruitment-themed phishing and on IT and administrator accounts to obtain elevated privileges.
Once inside, the actors carried out reconnaissance, credential harvesting, lateral movement, defence evasion and information theft, collecting network documentation, intellectual property and email. The toolkit observed included custom backdoors and tunnelers such as MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL (reported as likely based on Lastenzug), GHOSTLINE and POLLBLEND, as well as utilities for credential extraction and screenshot capture.
Mandiant further reported use of publicly available tools including AD Explorer for Active Directory queries, remote administration tools and SCCMVNC for remote control, and noted deployment of a Windows utility derived from DCSyncer techniques to conduct privilege escalation. The researchers said the group prioritises stealth and long-term persistence, often planting backdoors that remain silent for months and using reverse SSH and industry-mimicking domains to limit forensic evidence.
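The DCSync-derived privilege escalation mentioned above has a well-known detection signal: a directory replication request (Windows Security event 4662 carrying the DS-Replication-Get-Changes extended rights) issued by a principal that is not a domain controller. The following detector is an added example written for this article, not code from Mandiant or from the report it summarises. The pipe-delimited 4662 export format, the account names and the timestamps are constructed for illustration; the three extended-right GUIDs are the ones Microsoft documents for directory replication.

```python
"""Flag DCSync-style replication requests by non-DC principals in Security event 4662 records.

Added example; log lines and account names below are constructed, not taken from any report.
"""
from dataclasses import dataclass

# Extended-right GUIDs that grant directory replication (Microsoft-documented values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

CONTROL_ACCESS_MASK = 0x100  # 4662 access mask for "Control Access" (extended rights)


@dataclass
class Event4662:
    timestamp: str
    subject: str       # DOMAIN\account that performed the operation
    object_type: str
    properties: str    # raw Properties field: whitespace-separated {GUID} tokens
    access_mask: int


def parse_event(line: str) -> Event4662:
    """Parse one constructed pipe-delimited 4662 export line (format assumed for this example)."""
    ts, subject, obj_type, props, mask = [f.strip() for f in line.split("|")]
    return Event4662(ts, subject, obj_type, props, int(mask, 16))


def replication_rights_in(ev: Event4662) -> set[str]:
    """Return the names of any replication extended rights present in the event's Properties."""
    guids = {tok.strip("{}").lower() for tok in ev.properties.split()}
    return {name for guid, name in REPLICATION_RIGHTS.items() if guid in guids}


def is_expected_replicator(subject: str, allowlist: set[str]) -> bool:
    """DC machine accounts (and a dedicated directory-sync account, if any) replicate legitimately."""
    return subject.upper() in {a.upper() for a in allowlist}


def find_suspicious(lines, allowlist):
    """Return (timestamp, subject, rights) for Control Access replication requests by non-allowlisted principals."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        rights = replication_rights_in(ev)
        if rights and ev.access_mask == CONTROL_ACCESS_MASK and not is_expected_replicator(ev.subject, allowlist):
            alerts.append((ev.timestamp, ev.subject, sorted(rights)))
    return alerts


# Constructed sample export: timestamp | subject | object type | properties | access mask
SAMPLE_LINES = [
    # Legitimate: a domain controller's machine account pulling changes.
    "2024-03-04T02:11:07Z | CORP\\DC01$ | domainDNS | {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} | 0x100",
    # Suspicious: a helpdesk service account requesting full replication rights.
    "2024-03-04T02:13:52Z | CORP\\svc_helpdesk | domainDNS | {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} | 0x100",
    # Unrelated: an ordinary property read with a constructed, non-replication GUID.
    "2024-03-04T02:14:10Z | CORP\\jsmith | user | {deadbeef-0000-4000-8000-000000000001} | 0x10",
]

# Constructed allowlist: the domain's DC machine accounts.
DC_ACCOUNTS = {"CORP\\DC01$", "CORP\\DC02$"}

if __name__ == "__main__":
    for ts, who, rights in find_suspicious(SAMPLE_LINES, DC_ACCOUNTS):
        print(f"{ts} replication request by {who}: {', '.join(rights)}")
```

Auditing for 4662 must be enabled on domain controllers (Directory Service Access subcategory) for these events to exist at all, and the allowlist should be generated from the domain's actual DC and directory-sync accounts rather than maintained by hand; an attacker who has already obtained a DC machine account will not be caught by this check alone.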