Cyber threat intelligence firm Prodaft provided details on Subtle Snail (UNC1549) is an Iran-nexus espionage group linked to Unyielding Wasp (Tortoiseshell), which is part of the Eclipsed Wasp (Charming Kitten) network.
The group has been active since at least June 2022 and recently shifted focus to European telecom, aerospace, and defense organizations. The group’s primary motivation involves infiltrating telecommunications entities while maintaining an interest in aerospace and defense organizations to establish long-term persistence and exfiltrate sensitive data .
An Iran-nexus cyber espionage group known as UNC1549 has been attributed to a new campaign targeting European telecommunications companies, successfully infiltrating 34 devices across 11 organizations as part of a recruitment-themed activity on LinkedIn.
Swiss cybersecurity company PRODAFT is tracking the cluster under the name Subtle Snail. It’s assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). The targeted 11 companies are located in Canada, France, the United Arab Emirates, the United Kingdom, and the United States.
“The group operates by posing as HR representatives from legitimate entities to engage employees, then compromises them through deployment of a MINIBIKE backdoor variant that communicates with command-and-control (C2) infrastructure proxied through Azure cloud services to bypass detection,” the company said in a report shared with The Hacker News.
UNC1549 (aka TA455), believed to be active since at least June 2022, shares overlaps with two other Iranian hacking groups known as Smoke Sandstorm and Crimson Sandstorm (aka Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc). The threat actor was first documented by Google-owned Mandiant in February 2024.
The use of job-themed lures by UNC1549 was subsequently detailed by Israeli cybersecurity company ClearSky, which highlighted the adversary’s targeting of the aerospace industry as far back as September 2023 to deliver malware families such as SnailResin and SlugResin.
(Courtesy: hackersnews)
