TL;DR
Mandiant's follow-up analysis details UNC1549 campaigns from late 2023 through 2025 targeting aerospace, aviation and defense sectors using supplier compromise, VDI breakouts and tailored phishing. The group deploys custom backdoors and tunnellers, abuses DLL search order hijacking, and emphasizes long-term stealth and reentry after remediation attempts.
What happened
Beginning in mid-2024, Mandiant responded to targeted incidents attributed to UNC1549; the underlying campaigns ran from late 2023 into 2025 and focused on organizations in the aerospace, aviation and defense ecosystem. The group combined carefully crafted spear-phishing (often role-relevant lures such as job or recruitment messages) with compromises of third-party suppliers and partners to obtain legitimate credentials and access. Attackers exploited virtual desktop infrastructure (Citrix, VMware, Azure Virtual Desktop/Application) to escape constrained sessions and reach host systems or adjacent network segments. After gaining footholds, UNC1549 used DLL search order hijacking to load malicious payloads and deployed multiple custom backdoors and tunnelers (including TWOSTROKE, LIGHTRAIL, DEEPROOT and variants such as DCSYNCER.SLICK). Post-compromise behavior emphasized stealth: unique hashes for post-exploitation binaries, extended silent beaconing, reverse SSH shells to reduce forensic traces, and planted mechanisms designed to reactivate access after apparent cleanup.
Why it matters
- Supply-chain and third-party access can bypass strong perimeter defenses at primary targets.
- VDI breakout and credential theft methods enable lateral movement into high-value environments like defense contractors.
- Use of search-order hijacking and unique per-deployment binaries complicates detection and forensic analysis.
- Long-dormant backdoors and stealthy C2 techniques increase the risk of re-compromise even after incident response.
Key facts
- Mandiant published this follow-up on campaigns it observed from UNC1549 targeting aerospace, aviation and defense.
- Initial access methods combined targeted spear-phishing and abuse of compromised third-party/vendor credentials.
- Attackers exploited Citrix, VMware and Azure Virtual Desktop/Application instances to break out of VDI sessions.
- UNC1549 abused DLL search order hijacking to execute payloads against legitimate Fortigate, VMware, Citrix, Microsoft and NVIDIA executables.
- Custom tooling observed includes TWOSTROKE, LIGHTRAIL, DEEPROOT, MINIBIKE and a DCSync variant called DCSYNCER.SLICK.
- Post-exploitation payloads were uniquely hashed per deployment, including multiple distinct samples of the same backdoor within single networks.
- TWOSTROKE communicates over SSL/TCP port 443 and supports commands for file transfer, execution, DLL injection, and information gathering; it generates a unique bot ID via an XOR/hex routine on the host FQDN.
- LIGHTRAIL is a tunneler based on LastenZug with modifications (hardcoded port/path, increased connection limits, altered XOR key) and uses Azure infrastructure and a WebSocket-based connection pattern.
- UNC1549 favored persistence and stealth, using backdoors that may beacon quietly for months and reverse SSH shells to limit forensic artifacts.
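The DLL search order hijacking observed against legitimate vendor executables (key fact above) leaves a recognizable footprint on disk: a DLL that a vendor never shipped sitting next to a signed binary. The Python audit below is an added example (not code from the Mandiant report or from any of the vendors named) that flags DLLs in an application directory which shadow common Windows system DLLs, are unsigned or signed by someone other than the application's publisher, or were written long after the application's own binaries. The file inventory, vendor name and paths are constructed sample data; a real inventory would come from a file listing plus Authenticode signature checks.

```python
"""Heuristic audit of an application directory for DLL search-order
hijacking candidates. Added example; not from the Mandiant report."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Windows DLLs that applications rarely ship themselves but frequently
# load by name; a copy dropped into the application directory is found
# first in the search order. (Partial list of well-known examples.)
COMMONLY_SHADOWED = {
    "version.dll", "cryptbase.dll", "dbghelp.dll", "wtsapi32.dll",
    "profapi.dll", "userenv.dll", "dwmapi.dll", "uxtheme.dll",
    "winmm.dll", "msimg32.dll", "secur32.dll", "propsys.dll",
}

# A DLL modified this long after the newest executable in the directory
# did not arrive with the application's installer or updater.
LATE_WRITE_SECONDS = 7 * 86400


@dataclass(frozen=True)
class FileRecord:
    path: str               # full Windows path of the file
    signed: bool            # Authenticode signature present and valid
    signer: Optional[str]   # signing certificate subject, None if unsigned
    mtime: int              # last-modified time, epoch seconds


def audit_app_dir(records):
    """Return (path, reason) pairs for DLLs that look like hijack candidates."""
    exes = [r for r in records if r.path.lower().endswith(".exe")]
    publishers = {r.signer for r in exes if r.signed and r.signer}
    newest_exe = max((r.mtime for r in exes), default=0)
    findings = []
    for r in records:
        name = PureWindowsPath(r.path).name.lower()
        if not name.endswith(".dll"):
            continue
        if name in COMMONLY_SHADOWED:
            findings.append((r.path, f"{name} shadows a Windows system DLL"))
        if not r.signed:
            findings.append((r.path, "unsigned DLL in an application directory"))
        elif publishers and r.signer not in publishers:
            findings.append((r.path, f"signed by {r.signer!r}, not by the application's publisher"))
        if exes and r.mtime > newest_exe + LATE_WRITE_SECONDS:
            findings.append((r.path, "written more than a week after the application's own binaries"))
    return findings


def findings_by_file(records):
    """Group audit findings by path so each suspicious DLL is reported once."""
    grouped = {}
    for path, reason in audit_app_dir(records):
        grouped.setdefault(path, []).append(reason)
    return grouped


# Constructed sample inventory: a vendor-signed client plus a rogue, unsigned
# version.dll planted much later. The vendor name and paths are invented.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Program Files\ExampleVendor\Client\client.exe", True, "Example Vendor Inc.", 1_700_000_000),
    FileRecord(r"C:\Program Files\ExampleVendor\Client\client_core.dll", True, "Example Vendor Inc.", 1_700_000_000),
    FileRecord(r"C:\Program Files\ExampleVendor\Client\version.dll", False, None, 1_720_000_000),
]

if __name__ == "__main__":
    for path, reasons in findings_by_file(SAMPLE_INVENTORY).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample inventory only the planted version.dll is reported, with all three reasons; the vendor's own client_core.dll passes because it is signed by the same publisher as the executable and carries the same timestamp. Because UNC1549's payloads were uniquely hashed per deployment, hash-based blocklists miss them, which is why a structural check like this (what sits beside which signed binary, and who signed it) is worth running across the vendor products named in the report.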
What to watch next
- Continued exploitation of third-party supplier access and VDI breakout techniques against high-security organizations
- Further customization of tooling with unique hashes and expanded use of DLL search order hijacking
Quick glossary
- DLL search order hijacking: A technique where attackers place a malicious DLL in a location where a legitimate application will load it instead of the intended library, allowing arbitrary code execution.
- VDI breakout: A method for escaping virtual desktop infrastructure sessions to interact with the underlying host or neighboring network resources.
- C2 (Command and Control): Infrastructure and channels used by attackers to issue commands to and receive data from compromised systems.
- DCSync: An attack technique that abuses Active Directory replication APIs to request password hash data from domain controllers without needing direct compromise of those controllers.
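DCSync, as defined above, is visible on the domain controller as a directory service access event (Security event 4662) in which the requesting principal holds the replication extended rights on the domain naming context. The script below is an added example (not from the Mandiant report) that parses 4662 events in Windows event XML, looks for the well-known replication rights GUIDs in the Properties field, and raises an alert when the requester is not an expected replicator such as a domain controller computer account. The event XML is constructed and trimmed to the fields used; the account names, domain and allowlist are invented.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.
Added example; not from the Mandiant report."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Extended-rights GUIDs a replication client requests on the domain naming
# context. Get-Changes-All is the right that returns password secrets.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def parse_4662(xml_text):
    """Return the EventData fields of a 4662 event as a dict, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4662":
        return None
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def dcsync_alerts(events, expected_replicators):
    """Return (account, rights) for replication requests from unexpected principals.

    expected_replicators: lower-cased account names allowed to replicate,
    normally domain controller computer accounts and directory sync services.
    """
    alerts = []
    for xml_text in events:
        data = parse_4662(xml_text)
        if data is None:
            continue
        props = data.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if not rights:
            continue
        user = data.get("SubjectUserName", "")
        if user.lower() in expected_replicators:
            continue
        alerts.append((f"{data.get('SubjectDomainName', '')}\\{user}", rights))
    return alerts


def _event(event_id, user, domain, properties):
    """Build a minimal event XML string (constructed; real events carry more fields)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">{domain}</Data>
    <Data Name="ObjectType">%{{19195a5b-6da0-11d0-afd3-00c04fd930c9}}</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">{properties}</Data>
  </EventData>
</Event>"""


# Constructed sample: a legitimate DC replicating, a user account requesting
# replication rights, an unrelated 4662 on a user object, and a logon event.
SAMPLE_EVENTS = [
    _event(4662, "DC02$", "EXAMPLE",
           "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    _event(4662, "j.doe", "EXAMPLE",
           "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    _event(4662, "j.doe", "EXAMPLE", "%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}"),
    _event(4624, "j.doe", "EXAMPLE", ""),
]
EXPECTED_REPLICATORS = {"dc01$", "dc02$"}  # constructed allowlist

if __name__ == "__main__":
    for account, rights in dcsync_alerts(SAMPLE_EVENTS, EXPECTED_REPLICATORS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

Only the j.doe request carrying both replication GUIDs is reported; the DC02$ request is allowlisted and the other two events lack the replication rights or are not 4662 at all. Auditing of directory service access must be enabled on the domain controllers for 4662 to be logged, and the allowlist needs to include any directory synchronization service accounts in the environment, otherwise those produce recurring false positives.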
Reader FAQ
Is UNC1549 attributed to a nation-state in this report?
Not confirmed in the source.
How did UNC1549 commonly gain initial access?
Through a dual approach of targeted spear-phishing and compromising third-party/vendor accounts to leverage legitimate access pathways.
What types of custom malware did Mandiant observe?
Mandiant identified custom backdoors and tools including TWOSTROKE, LIGHTRAIL, DEEPROOT, MINIBIKE and a DCSync variant called DCSYNCER.SLICK.
Why are these intrusions hard to eradicate?
The group used stealthy persistence (silent beaconing for months), unique per-deployment binaries, reverse SSH shells to limit forensic traces, and mechanisms designed to regain access after remediation.

Written by: Mohamed El-Banna, Daniel Lee, Mike Stokkel, Josh Goddard
Overview
Last year, Mandiant published a blog post highlighting suspected Iran-nexus espionage activity targeting the aerospace, aviation, and defense industries…
Sources
- Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem
- Mandiant tracks surge in UNC1549 campaigns, hitting …
- UNC1549 Critical Infrastructure Espionage Attack
- Iran-linked hackers hit Mideast defense, space firms with …