An Iran-nexus cyber espionage group known as UNC1549 has been attributed to a new campaign targeting European telecommunications companies, successfully infiltrating 34 devices across 11 organizations as part of a recruitment-themed activity on LinkedIn.
Swiss cybersecurity company PRODAFT is tracking the cluster under the name Subtle Snail. It’s assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). The targeted 11 companies are located in Canada, France, the United Arab Emirates, the United Kingdom, and the United States.
“The group operates by posing as HR representatives from legitimate entities to engage employees, then compromises them through deployment of a MINIBIKE backdoor variant that communicates with command-and-control (C2) infrastructure proxied through Azure cloud services to bypass detection,” the company said in a report shared with The Hacker News.
UNC1549 (aka TA455), believed to be active since at least June 2022, shares overlaps with two other Iranian hacking groups known as Smoke Sandstorm and Crimson Sandstorm (aka Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc). The threat actor was first documented by Google-owned Mandiant in February 2024.
The use of job-themed lures by UNC1549 was subsequently detailed by Israeli cybersecurity company ClearSky, which highlighted the adversary’s targeting of the aerospace industry as far back as September 2023 to deliver malware families such as SnailResin and SlugResin.
“The group’s primary motivation involves infiltrating telecommunications entities while maintaining interest in aerospace and defense organizations to establish long-term persistence and exfiltrate sensitive data for strategic espionage purposes,” PRODAFT said.
Attacks chains involve extensive reconnaissance on platforms like LinkedIn to identify key personnel within target organizations, specifically focusing on researchers, developers, and IT administrators with elevated access to critical systems and developer environments.
In the next phase, the threat actors have been observed sending spear-phishing emails to validate the email addresses and collect additional information before enacting the crucial part of the operation – the fake recruitment drive.
To accomplish this, the attackers set up convincing HR account profiles on LinkedIn and reach out to prospective targets with non-existent job opportunities, gradually building trust and credibility to increase the likelihood of success of the scheme. The campaign is characterized by the meticulous efforts of Subtle Snail operators to tailor the attack for each victim.
Should the victim express interest in the offer, they are subsequently contacted via email to schedule a time for an interview by clicking on a fraudulent domain that mimics companies like Telespazio or Safran Group. Entering the necessary information automatically triggers the download of a ZIP archive.
Present within the ZIP file is an executable that, once launched, uses DLL side-loading to launch a malicious DLL named MINIBIKE (aka SlugResin), which then gathers system information and awaits additional payloads in the form of Microsoft Visual C/C++ DLLs to conduct reconnaissance, log keystrokes and clipboard content, steal Microsoft Outlook credentials, collect web browser data from Google Chrome, Brave, and Microsoft Edge, and take screenshots.
The web browser stealer, in particular, incorporates a publicly available tool called Chrome-App-Bound-Encryption-Decryption to bypass app-bound encryption protections rolled out by Google in order to decrypt and steal passwords stored in the browser.
“The Subtle Snail team builds and deploys a victim-specific and unique DLL to the machine each time, even for collecting network configuration information from devices,” PRODAFT noted. “The malicious DLL files used by the threat actor exhibit similar characteristics in the export section.”
“Legitimate DLL files are modified to facilitate a seamless execution of a DLL side-loading attack, where function names are substituted with direct string variables. This tactic allows the attacker to bypass typical detection mechanisms by manipulating the DLL’s export table, making it appear as a legitimate file while carrying out malicious activities.”
MINIBIKE is a fully-featured, modular backdoor with support for 12 distinct commands to facilitate C2 communication, allowing it to enumerate files and directories, list running processes and terminate specific ones, upload files in chunks, as well as run exe, DLL, BAT, or CMD payloads.
Besides blending its C2 traffic with regular cloud communications by using legitimate Azure cloud services and Virtual Private Servers (VPSes) as proxy infrastructure, the malware makes Windows Registry modifications such that it’s automatically loaded after system startup.
It also features anti-debugging and anti-sandbox techniques to hinder analysis, and uses methods like Control Flow Flattening and custom hashing algorithms to resolve Windows API functions at runtime in an effort to resist reverse engineering and make it difficult to understand its overall functionality.
“Subtle Snail’s operations cause serious damage by combining intelligence gathering with long-term access to critical telecommunications networks,” PRODAFT said. “They do not just infect devices; they actively search for sensitive data and ways to keep their access alive.”
“They use predefined paths to guide their searches and focus on stealing emails, VPN configurations, and other information that helps them maintain control. They also hunt for confidential files stored in shared folders, which can expose business secrets and personal data.”
MuddyWater’s Diversified Toolkit Exposed
The disclosure comes as Group-IB shed light on the infrastructure and malware toolset of another Iranian state-sponsored hacking group known as MuddyWater, which has “significantly” reduced its reliance on Remote Monitoring and Management (RMM) tools in favor of bespoke backdoors and tools like –
- BugSleep (First seen in May 2024), a Python-based backdoor designed to execute commands and facilitate file transfers
- LiteInject (First seen in February 2025), a portable executable injector
- StealthCache (First seen in March 2025), a feature-rich backdoor with capabilities to read/write files, terminate or restart itself, scan for security processes, and steal credential and files
- Fooder (First seen in March 2025), a loader capable of loading, decrypting, and running an encrypted payload in memory
- Phoenix (First seen in April 2025), a malware that’s used to deploy a stripped-down variant of BugSleep
- CannonRat, a malicious tool designed for remote control of compromised systems
- UDPGangster, a basic backdoor that communicates with its C2 server over the UDP protocol
MuddyWater, active since 2017, is assessed to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS). Also tracked as Boggy Serpens, Mango Sandstorm, and TA450, the threat actor has a history of targeting telecom, government, energy, defense, and critical infrastructure entities in the Middle East, with a newfound spike in attacks targeting Europe and the United States.
“Recent activity shows that they still rely on phishing for delivery, leveraging maldocs with malicious macros for infection. Infrastructure analysis has revealed active use of Amazon Web Services (AWS) for hosting malicious assets, and Cloudflare services have been leveraged to hide infrastructure fingerprints and impede analysis,” Group-IB researcher Mansour Alhmoud said.
“MuddyWater’s persistent campaigns underscore its role in supporting Iranian intelligence requirements while maintaining plausible deniability for state-directed cyber operations against both regional competitors and Western targets.”
Subtle Snail and Nimbus Manticore Share Tactical Overlaps
In a follow-up analysis published on September 22, 2025, Check Point said the threat actor it tracks as Nimbus Manticore – which overlaps with Smoke Sandstorm, UNC1549, and the Iranian version of the Dream Job operations – has targeted defense manufacturing, telecommunications, and aviation sectors, with a heightened focus on Denmark, Sweden, and Portugal.
The attacks, which employ the same infection mechanism as detailed above by PRODAFT, lead to the deployment of an updated version of MINIBIKE called MiniJunk and a stealer codenamed MiniBrowse. MiniJunk supports capabilities to collect system information, perform file operations, load DLLs, and enumerate files in a folder.
MiniBrowse is the name assigned to a lightweight information stealer that comes in two flavors, each of which targets Google Chrome and Microsoft Edge to steal credentials. What’s notable here is that the MINIBIKE version used by Subtle Snail not only implements a different set of commands but also lacks evasion or obfuscation techniques associated with MiniJunk.
“The tools continuously evolve to remain covert, leveraging valid digital signatures, inflate binary sizes, and use multi-stage sideloading and heavy, compiler‑level obfuscation that renders samples ‘irreversible’ for regular advanced static analysis,” Check Point said.
The cybersecurity company also said it’s tracking Subtle Snail as a “separate cluster of activity” that, while broadly aligning with those detected in Nimbus Manticore operations, is distinguished by its unique malware capabilities, C2 infrastructure, and targeting preferences.
When reached for comment, PRODAFT told The Hacker News that conclusive attribution tying these two activities to a single cluster or a unified group, or determining whether they should be treated as a sub-group, is “difficult.” But it emphasized the overlaps, suggesting that these campaigns share very similar objectives.
“From our perspective, there appears to be a malware development team (or a company) supporting multiple Iran-linked threat clusters by providing the necessary tooling and infrastructure,” the company said.
(The story was updated after publication on September 22, 2025, with insights from Check Point.)
