TWOSTROKE
Mandiant ties UNC1549 to long-running campaign using TWOSTROKE and DEEPROOT against aerospace and defence
Google-owned Mandiant linked a cluster it tracks as UNC1549 to a campaign running from late 2023 through 2025. In that campaign, suspected Iranian espionage actors used backdoors including TWOSTROKE and DEEPROOT to target aerospace, aviation and defence organisations by exploiting third-party credentials, VDI breakouts and targeted phishing.

