UNC1549 TTPs: Iranian APT Targeting Aerospace and Defense

SOC Prime Team

UNC1549 TTPs: Iranian APT Targeting Aerospace and Defense

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

UNC1549 is an Iran-linked cyber-espionage group targeting the global aerospace, aviation, and defense supply chain. The group runs sophisticated phishing operations that use fake React-based career portals to deliver multi-stage custom malware. Its campaigns are centered on credential theft, data exfiltration, and maintaining long-term persistence inside high-value organizations.

Investigation

The report outlines the operational evolution of UNC1549 from 2022 through late 2025, highlighting a shift from primarily regional targets in the Middle East to a broader focus on the global aerospace supply chain. Analysts identified several custom tools, including MiniJunk, MiniBrowse, SIGHTGRAB, and TRUSTRAP. Technical analysis also revealed advanced evasion methods such as binary padding and DLL search order hijacking.

Mitigation

Organizations should deploy strong email filtering to detect spear-phishing links and verify the legitimacy of career-related portals. Improving endpoint visibility to detect DLL sideloading, unauthorized registry changes, and suspicious PowerShell activity is essential. Monitoring for unauthorized RDP sessions and reverse SSH tunnels can also help reduce the risk of lateral movement and command-and-control activity.

Response

If UNC1549 activity is detected, responders should immediately isolate affected endpoints to prevent further lateral movement through RDP. A full audit of scheduled tasks and Windows Registry Run keys should be performed to identify persistence mechanisms. Teams should also review domain controller logs for evidence of DCSync activity and monitor for unusual outbound HTTPS or SSH traffic to known command-and-control infrastructure.

"graph TB %% Class Definitions Section classDef action fill:#99ccff classDef tool fill:#cccccc classDef technique fill:#f9f,stroke:#333,stroke-width:2px classDef exfil fill:#ff9999 %% Initial Access Phase action_phishing["Action – T1566.002 Phishing: Spearphishing Link Targeted emails with fraudulent React career portals mimicking Boeing and Airbus."] class action_phishing action action_download["Action: Malicious Archive Download Victims download archives after providing credentials."] class action_download action %% Execution and Reconnaissance Phase tech_powershell["Technique – T1059.001 Command and Scripting Interpreter: PowerShell Used for network reconnaissance and AD enumeration."] class tech_powershell technique tech_cmd["Technique – T1059.003 Command and Scripting Interpreter: Windows Command Shell Used for network reconnaissance and AD enumeration."] class tech_cmd technique action_recon["Action: AD Enumeration Execution of commands like net user."] class action_recon action %% Persistence Phase tech_schtask["Technique – T1053.005 Scheduled Task/Job: Scheduled Task Execution of MigAutoPlay.exe with sideloaded userenv.dll."] class tech_schtask technique tech_registry["Technique – T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Writing to registry keys to masquerade as OneDrive."] class tech_registry technique %% Defense Evasion Phase tech_obfuscation["Technique – T1027 Obfuscated Files or Information Compiler-level obfuscation and Binary Padding (T1027.001)."] class tech_obfuscation technique tech_masquerade["Technique – T1036 Masquerading Naming files after legitimate services."] class tech_masquerade technique tech_log_clear["Technique – T1070.001 Indicator Removal: Clear Windows Event Logs Deleting RDP connection history in the registry."] class tech_log_clear technique tech_hijack["Technique – T1574.001 Hijack Execution Flow: DLL Search Order Hijacking Planting malicious DLLs near legitimate binaries."] class tech_hijack technique %% Credential Access Phase tool_mimikatz["Tool – Modified Mimikatz Used for T1003.006 DCSSync to extract NTLM hashes."] class tool_mimikatz tool tool_minibrowse["Tool – MiniBrowse Used for T1555.003 Credentials from Web Browsers to steal Chrome and Edge data."] class tool_minibrowse tool tool_trustrap["Tool – TRUSTRAP Capturing credentials through fake authentication windows."] class tool_trustrap tool %% Lateral Movement Phase tech_rdp["Technique – T1021.001 Remote Services: Remote Desktop Protocol Accessing systems via RDP."] class tech_rdp technique tech_rdp_hijack["Technique – T1563.002 Remote Service Session Hijacking: RDP Hijacking Accessing active user sessions."] class tech_rdp_hijack technique %% Collection Phase tool_sightgrab["Tool – SIGHTGRAB Used for T1113 Screen Capture via periodic screenshots."] class tool_sightgrab tool %% Command and Control and Exfiltration Phase tech_tunneling["Technique – T1572 Protocol Tunneling Using reverse SSH tunnels to bypass telemetry."] class tech_tunneling technique tech_exfil["Technique – T1041 Exfiltration Over C2 Channel Moving stolen credentials and files via HTTPS."] class tech_exfil exfil %% Connections action_phishing –>|leads_to| action_download action_download –>|triggers| tech_powershell action_download –>|triggers| tech_cmd tech_powershell –>|performs| action_recon tech_cmd –>|performs| action_recon action_recon –>|establishes| tech_schtask action_recon –>|establishes| tech_registry tech_schtask –>|utilizes| tech_hijack tech_registry –>|utilizes| tech_masquerade tech_powershell –>|employs| tech_obfuscation tech_cmd –>|employs| tech_obfuscation tech_obfuscation –>|includes| tech_masquerade tech_masquerade –>|hides_via| tech_log_clear action_recon –>|leads_to| tool_mimikatz action_recon –>|leads_to| tool_minibrowse action_recon –>|leads_to| tool_trustrap tool_mimikatz –>|enables| tech_rdp tool_minibrowse –>|enables| tech_rdp tool_trustrap –>|enables| tech_rdp tech_rdp –>|leads_to| tech_rdp_hijack tech_rdp_hijack –>|leads_to| tool_sightgrab tool_sightgrab –>|requires| tech_tunneling tech_tunneling –>|facilitates| tech_exfil "

Attack Flow

Attack Narrative & Commands: An adversary, mimicking the UNC1549 actor, aims to establish persistence on a compromised workstation. They choose to hide their payload by creating a registry entry under a key that appears to belong to a legitimate OneDrive update process (OneDriveCoUpdate). To evade simple command-line detection, they wrap their execution in a PowerShell script block that contains the string FileCoAuth.exe, simulating a poorly obfuscated command that matches the detection rule’s signature.

Regression Test Script:

# Simulation Script: UNC1549 Persistence and Obfuscation
# This script mimics the specific registry path and PowerShell string patterns defined in the rule.

$registryPath = "HKCU:SoftwareMicrosoftWindowsCurrentVersionRun"
$regName = "OneDriveCoUpdate"
$payload = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$cmd = 'FileCoAuth.exe'; Start-Process $cmd""

Write-Host "[+] Attempting to create malicious registry run key..."
New-ItemProperty -Path $registryPath -Name $regName -Value $payload -PropertyType String -Force

Write-Host "[+] Executing obfuscated PowerShell command to trigger detection..."
# The inclusion of 'FileCoAuth.exe' is required to trigger the 'selection_obfuscation' part of the rule
powershell.exe -Command "& { $encoded = 'FileCoAuth.exe'; Write-Host 'Executing' $encoded }"

Cleanup Commands:

# Cleanup Script
$registryPath = "HKCU:SoftwareMicrosoftWindowsCurrentVersionRun"
$regName = "OneDriveCoUpdate"

Write-Host "[-] Removing malicious registry entry..."
Remove-ItemProperty -Path $registryPath -Name $regName -ErrorAction SilentlyContinue
Write-Host "[+] Cleanup complete."

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free