{
  "type": "Domain",
  "indicator": "thetacticstore.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/thetacticstore.com",
    "alexa": "http://www.alexa.com/siteinfo/thetacticstore.com",
    "indicator": "thetacticstore.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4133734188,
      "indicator": "thetacticstore.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 11,
      "pulses": [
        {
          "id": "691bd5c16cda885503b01c6a",
          "name": "Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem",
          "description": "UNC1549, an Iranian-linked threat group, has been targeting aerospace, aviation, and defense industries since mid-2024. They employ sophisticated initial access techniques, including exploiting third-party relationships and targeted phishing. The group uses custom malware like TWOSTROKE, LIGHTRAIL, and DEEPROOT for persistence, and tools like DCSYNCER.SLICK and CRASHPAD for privilege escalation. UNC1549 demonstrates advanced lateral movement, reconnaissance, and defense evasion tactics. They extensively use SSH reverse tunnels and Azure infrastructure for command and control. The group's primary objective appears to be espionage, focusing on data collection and leveraging compromised organizations to target others in the same sector.",
          "modified": "2025-12-18T02:03:21.499000",
          "created": "2025-11-18T02:11:13.651000",
          "tags": [
            "dcsyncer.slick",
            "third-party compromise",
            "sightgrab",
            "aerospace",
            "trusttrap",
            "lateral movement",
            "minibike",
            "defense",
            "espionage",
            "lightrail",
            "deeproot",
            "crashpad",
            "twostroke",
            "pollblend",
            "custom malware",
            "phishing",
            "privilege escalation",
            "ghostline"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense"
          ],
          "public": 1,
          "adversary": "UNC1549",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1213.002",
              "name": "Sharepoint",
              "display_name": "T1213.002 - Sharepoint"
            },
            {
              "id": "T1598.003",
              "name": "Spearphishing Link",
              "display_name": "T1598.003 - Spearphishing Link"
            },
            {
              "id": "T1574.001",
              "name": "DLL Search Order Hijacking",
              "display_name": "T1574.001 - DLL Search Order Hijacking"
            },
            {
              "id": "T1110.003",
              "name": "Password Spraying",
              "display_name": "T1110.003 - Password Spraying"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1003.006",
              "name": "DCSync",
              "display_name": "T1003.006 - DCSync"
            }
          ],
          "industries": [
            "Aerospace",
            "Defense"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "domain": 9,
            "hostname": 2,
            "YARA": 2
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386976,
          "modified_text": "166 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d1c1ecdb0b4acf0cc29af1",
          "name": "Nimbus Manticore Deploys New Malware Targeting Europe",
          "description": "The Iranian threat actor Nimbus Manticore has expanded its operations, targeting defense, telecommunications, and aviation sectors in Western Europe. The group uses sophisticated spear-phishing techniques, impersonating HR recruiters to lure victims to fake career portals. Their toolset includes the MiniJunk backdoor and MiniBrowse stealer, which have evolved to employ advanced evasion techniques like multi-stage DLL sideloading, heavy obfuscation, and code signing. The malware infrastructure leverages Azure App Services for resilient command and control. Nimbus Manticore's recent activities demonstrate increased focus on stealth, operational security, and expanding their targeting to align with Iranian strategic priorities.",
          "modified": "2025-09-22T21:45:35.034000",
          "created": "2025-09-22T21:38:52.052000",
          "tags": [
            "APT",
            "telecommunications",
            "spear-phishing",
            "DLL sideloading",
            "obfuscation"
          ],
          "references": [
            "https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Denmark",
            "Sweden",
            "Portugal",
            "Israel"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 44,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 13,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 36,
            "domain": 28,
            "hostname": 17
          },
          "indicator_count": 107,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386974,
          "modified_text": "253 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6916aa77dacfe4a69f394336",
          "name": "EbeeNov2025 Pt3",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2025-12-20T21:02:55.026000",
          "created": "2025-11-14T04:05:11.738000",
          "tags": [
            "filehashmd5",
            "filehashsha1",
            "filehashsha256"
          ],
          "references": [
            "Nov.Week2.csv"
          ],
          "public": 1,
          "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phantom Raven, TA4428",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 157,
            "FileHash-SHA1": 100,
            "FileHash-SHA256": 131,
            "URL": 117,
            "domain": 263,
            "hostname": 18,
            "email": 1
          },
          "indicator_count": 791,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "164 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691db7e6f9b3774b1c9280e3",
          "name": "UNC1549 Threat Group Hijacking Trusted DLLs and Executing VDI Breakouts",
          "description": "UNC1549, a threat group suspected to be linked to Iran has sharply expanded its cyber-espionage operations across the aerospace, aviation, and defence sectors.",
          "modified": "2025-12-19T12:00:56.285000",
          "created": "2025-11-19T12:28:22.797000",
          "tags": [
            "iocs",
            "keep antivirus",
            "domain",
            "update",
            "siem",
            "strategies",
            "update siem"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1,
            "domain": 10
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "165 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691d271d2b93ffe288b9cc6f",
          "name": "IOC - Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem | Google Cloud Blog",
          "description": "A new report from security firm Mandiant outlines the tactics and tools used by a group targeting the aerospace, aviation and defense industries in the Middle East in late 2023 to mid-2024.",
          "modified": "2025-12-19T02:00:55.846000",
          "created": "2025-11-19T02:10:37.809000",
          "tags": [
            "unc1549",
            "twostroke",
            "mandiant",
            "minibike",
            "dll search",
            "lightrail",
            "dlls",
            "c2 server",
            "zip file",
            "lastenzug",
            "february",
            "compiler",
            "virustotal",
            "c++",
            "deeproot",
            "linux",
            "azure ad",
            "trusttrap",
            "dcsyncer.slick"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TWOSTROKE",
              "display_name": "TWOSTROKE",
              "target": null
            },
            {
              "id": "C++",
              "display_name": "C++",
              "target": null
            },
            {
              "id": "DEEPROOT",
              "display_name": "DEEPROOT",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "Azure AD",
              "display_name": "Azure AD",
              "target": null
            },
            {
              "id": "TRUSTTRAP",
              "display_name": "TRUSTTRAP",
              "target": null
            },
            {
              "id": "DCSYNCER.SLICK",
              "display_name": "DCSYNCER.SLICK",
              "target": null
            },
            {
              "id": "LIGHTRAIL",
              "display_name": "LIGHTRAIL",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1213",
              "name": "Data from Information Repositories",
              "display_name": "T1213 - Data from Information Repositories"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [
            "Aerospace",
            "Defense",
            "Aviation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "URL": 1,
            "domain": 9,
            "hostname": 2
          },
          "indicator_count": 14,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "165 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d520941e7d25721aa23329",
          "name": "EbeeSep2025 Pt5",
          "description": "",
          "modified": "2025-12-04T06:43:22.018000",
          "created": "2025-09-25T10:59:32.609000",
          "tags": [],
          "references": [
            "week3.pdf"
          ],
          "public": 1,
          "adversary": "RaccoonO365, Storm-2246, GentleMen, EggStreme Malware, Shai-Hulud Campaign, AI-Driven Phishing Attac",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 169,
            "FileHash-MD5": 136,
            "FileHash-SHA1": 151,
            "FileHash-SHA256": 196,
            "domain": 90,
            "hostname": 176,
            "email": 2
          },
          "indicator_count": 920,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "180 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d4fb941dcf34b04c6769e4",
          "name": "Nimbus Manticore Deploys New Malware Targeting Europe - Check Point Research",
          "description": "",
          "modified": "2025-09-25T08:21:40.204000",
          "created": "2025-09-25T08:21:40.204000",
          "tags": [
            "minijunk",
            "minibrowse",
            "minibike",
            "command",
            "israel",
            "europe",
            "june",
            "ttps",
            "prodaft",
            "unc1549",
            "service",
            "virustotal",
            "cluster",
            "first"
          ],
          "references": [
            "https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 36,
            "FileHash-SHA1": 36,
            "FileHash-SHA256": 36,
            "domain": 27,
            "hostname": 17
          },
          "indicator_count": 152,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "250 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d35a1965f5431ca22c402a",
          "name": "New Malware Campaign by Nimbus Manticore Hits Defense and Telecom Industries",
          "description": "Since early 2025, the Iranian threat actor Nimbus Manticore, also known as UNC1549 or Smoke Sandstorm, has intensified its cyber campaigns targeting defense, telecommunications, and aviation sectors in Western Europe, particularly Denmark, Sweden, and Portugal. Aligned with IRGC priorities, the group employs sophisticated spearphishing, impersonating firms like Boeing and Airbus to lure victims to fake career portals with unique URLs and credentials for tracking. These portals, built on React templates and hidden behind Cloudflare, deliver malicious ZIP archives like \"Survey.zip,\" initiating a multistage DLL sideloading chain. This chain exploits undocumented NT APIs to sideload malicious DLLs (\"userenv.dll\" and \"xmllite.dll\") via legitimate executables, ensuring persistence through scheduled tasks and registry keys.",
          "modified": "2025-09-24T02:40:25.291000",
          "created": "2025-09-24T02:40:25.291000",
          "tags": [
            "minijunk",
            "minibrowse",
            "minibike",
            "command",
            "israel",
            "europe",
            "june",
            "ttps",
            "prodaft",
            "unc1549",
            "service",
            "virustotal",
            "cluster",
            "first"
          ],
          "references": [
            "https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 36,
            "FileHash-SHA1": 36,
            "FileHash-SHA256": 36,
            "domain": 27,
            "hostname": 17
          },
          "indicator_count": 152,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 60,
          "modified_text": "251 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d30086e8e03e7f3e17174b",
          "name": "Nimbus Manticore Expands Malware Campaigns",
          "description": "",
          "modified": "2025-09-23T20:18:14.908000",
          "created": "2025-09-23T20:18:14.908000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 36,
            "FileHash-SHA1": 36,
            "FileHash-SHA256": 36,
            "domain": 26,
            "hostname": 103
          },
          "indicator_count": 237,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "252 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d241d5aa9ba180c83e82c0",
          "name": "Nimbus Manticore Deploys New Malware Targeting Europe",
          "description": "",
          "modified": "2025-09-23T06:44:37.851000",
          "created": "2025-09-23T06:44:37.851000",
          "tags": [
            "APT",
            "telecommunications",
            "spear-phishing",
            "DLL sideloading",
            "obfuscation"
          ],
          "references": [
            "https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Denmark",
            "Sweden",
            "Portugal",
            "Israel"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68d1c1ecdb0b4acf0cc29af1",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 13,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 36,
            "domain": 28,
            "hostname": 17
          },
          "indicator_count": 107,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "252 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d23bd257129a4d6b2f91bf",
          "name": "IOC - Nimbus Manticore Deploys New Malware Targeting Europe",
          "description": "",
          "modified": "2025-09-23T06:18:58.756000",
          "created": "2025-09-23T06:18:58.756000",
          "tags": [
            "APT",
            "telecommunications",
            "spear-phishing",
            "DLL sideloading",
            "obfuscation"
          ],
          "references": [
            "https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Denmark",
            "Sweden",
            "Portugal",
            "Israel"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68d1c1ecdb0b4acf0cc29af1",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 13,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 36,
            "domain": 28,
            "hostname": 17
          },
          "indicator_count": 107,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "252 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "week3.pdf",
        "https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/",
        "https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense/",
        "https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe",
        "https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense",
        "Nov.Week2.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "UNC1549"
          ],
          "malware_families": [],
          "industries": [
            "Aerospace",
            "Defense"
          ]
        },
        "other": {
          "adversary": [
            "RaccoonO365, Storm-2246, GentleMen, EggStreme Malware, Shai-Hulud Campaign, AI-Driven Phishing Attac",
            "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428"
          ],
          "malware_families": [
            "C++",
            "Azure ad",
            "Deeproot",
            "Twostroke",
            "Trusttrap",
            "Lightrail",
            "Dcsyncer.slick",
            "Linux"
          ],
          "industries": [
            "Aerospace",
            "Defense",
            "Aviation"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 11,
  "pulses": [
    {
      "id": "691bd5c16cda885503b01c6a",
      "name": "Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem",
      "description": "UNC1549, an Iranian-linked threat group, has been targeting aerospace, aviation, and defense industries since mid-2024. They employ sophisticated initial access techniques, including exploiting third-party relationships and targeted phishing. The group uses custom malware like TWOSTROKE, LIGHTRAIL, and DEEPROOT for persistence, and tools like DCSYNCER.SLICK and CRASHPAD for privilege escalation. UNC1549 demonstrates advanced lateral movement, reconnaissance, and defense evasion tactics. They extensively use SSH reverse tunnels and Azure infrastructure for command and control. The group's primary objective appears to be espionage, focusing on data collection and leveraging compromised organizations to target others in the same sector.",
      "modified": "2025-12-18T02:03:21.499000",
      "created": "2025-11-18T02:11:13.651000",
      "tags": [
        "dcsyncer.slick",
        "third-party compromise",
        "sightgrab",
        "aerospace",
        "trusttrap",
        "lateral movement",
        "minibike",
        "defense",
        "espionage",
        "lightrail",
        "deeproot",
        "crashpad",
        "twostroke",
        "pollblend",
        "custom malware",
        "phishing",
        "privilege escalation",
        "ghostline"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense"
      ],
      "public": 1,
      "adversary": "UNC1549",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1213.002",
          "name": "Sharepoint",
          "display_name": "T1213.002 - Sharepoint"
        },
        {
          "id": "T1598.003",
          "name": "Spearphishing Link",
          "display_name": "T1598.003 - Spearphishing Link"
        },
        {
          "id": "T1574.001",
          "name": "DLL Search Order Hijacking",
          "display_name": "T1574.001 - DLL Search Order Hijacking"
        },
        {
          "id": "T1110.003",
          "name": "Password Spraying",
          "display_name": "T1110.003 - Password Spraying"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1003.006",
          "name": "DCSync",
          "display_name": "T1003.006 - DCSync"
        }
      ],
      "industries": [
        "Aerospace",
        "Defense"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 36,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "domain": 9,
        "hostname": 2,
        "YARA": 2
      },
      "indicator_count": 17,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386976,
      "modified_text": "166 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d1c1ecdb0b4acf0cc29af1",
      "name": "Nimbus Manticore Deploys New Malware Targeting Europe",
      "description": "The Iranian threat actor Nimbus Manticore has expanded its operations, targeting defense, telecommunications, and aviation sectors in Western Europe. The group uses sophisticated spear-phishing techniques, impersonating HR recruiters to lure victims to fake career portals. Their toolset includes the MiniJunk backdoor and MiniBrowse stealer, which have evolved to employ advanced evasion techniques like multi-stage DLL sideloading, heavy obfuscation, and code signing. The malware infrastructure leverages Azure App Services for resilient command and control. Nimbus Manticore's recent activities demonstrate increased focus on stealth, operational security, and expanding their targeting to align with Iranian strategic priorities.",
      "modified": "2025-09-22T21:45:35.034000",
      "created": "2025-09-22T21:38:52.052000",
      "tags": [
        "APT",
        "telecommunications",
        "spear-phishing",
        "DLL sideloading",
        "obfuscation"
      ],
      "references": [
        "https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Denmark",
        "Sweden",
        "Portugal",
        "Israel"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 44,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 13,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 36,
        "domain": 28,
        "hostname": 17
      },
      "indicator_count": 107,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386974,
      "modified_text": "253 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6916aa77dacfe4a69f394336",
      "name": "EbeeNov2025 Pt3",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2025-12-20T21:02:55.026000",
      "created": "2025-11-14T04:05:11.738000",
      "tags": [
        "filehashmd5",
        "filehashsha1",
        "filehashsha256"
      ],
      "references": [
        "Nov.Week2.csv"
      ],
      "public": 1,
      "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 4,
        "FileHash-MD5": 157,
        "FileHash-SHA1": 100,
        "FileHash-SHA256": 131,
        "URL": 117,
        "domain": 263,
        "hostname": 18,
        "email": 1
      },
      "indicator_count": 791,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "164 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691db7e6f9b3774b1c9280e3",
      "name": "UNC1549 Threat Group Hijacking Trusted DLLs and Executing VDI Breakouts",
      "description": "UNC1549, a threat group suspected to be linked to Iran, has sharply expanded its cyber-espionage operations across the aerospace, aviation, and defence sectors.",
      "modified": "2025-12-19T12:00:56.285000",
      "created": "2025-11-19T12:28:22.797000",
      "tags": [
        "iocs",
        "keep antivirus",
        "domain",
        "update",
        "siem",
        "strategies",
        "update siem"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1,
        "domain": 10
      },
      "indicator_count": 11,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "165 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691d271d2b93ffe288b9cc6f",
      "name": "IOC - Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem | Google Cloud Blog",
      "description": "A new report from security firm Mandiant outlines the tactics and tools used by a group targeting the aerospace, aviation and defense industries in the Middle East in late 2023 to mid-2024.",
      "modified": "2025-12-19T02:00:55.846000",
      "created": "2025-11-19T02:10:37.809000",
      "tags": [
        "unc1549",
        "twostroke",
        "mandiant",
        "minibike",
        "dll search",
        "lightrail",
        "dlls",
        "c2 server",
        "zip file",
        "lastenzug",
        "february",
        "compiler",
        "virustotal",
        "c++",
        "deeproot",
        "linux",
        "azure ad",
        "trusttrap",
        "dcsyncer.slick"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TWOSTROKE",
          "display_name": "TWOSTROKE",
          "target": null
        },
        {
          "id": "C++",
          "display_name": "C++",
          "target": null
        },
        {
          "id": "DEEPROOT",
          "display_name": "DEEPROOT",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "Azure AD",
          "display_name": "Azure AD",
          "target": null
        },
        {
          "id": "TRUSTTRAP",
          "display_name": "TRUSTTRAP",
          "target": null
        },
        {
          "id": "DCSYNCER.SLICK",
          "display_name": "DCSYNCER.SLICK",
          "target": null
        },
        {
          "id": "LIGHTRAIL",
          "display_name": "LIGHTRAIL",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1213",
          "name": "Data from Information Repositories",
          "display_name": "T1213 - Data from Information Repositories"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [
        "Aerospace",
        "Defense",
        "Aviation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "URL": 1,
        "domain": 9,
        "hostname": 2
      },
      "indicator_count": 14,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "165 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d520941e7d25721aa23329",
      "name": "EbeeSep2025 Pt5",
      "description": "",
      "modified": "2025-12-04T06:43:22.018000",
      "created": "2025-09-25T10:59:32.609000",
      "tags": [],
      "references": [
        "week3.pdf"
      ],
      "public": 1,
      "adversary": "RaccoonO365, Storm-2246, GentleMen, EggStreme Malware, Shai-Hulud Campaign, AI-Driven Phishing Attac",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 169,
        "FileHash-MD5": 136,
        "FileHash-SHA1": 151,
        "FileHash-SHA256": 196,
        "domain": 90,
        "hostname": 176,
        "email": 2
      },
      "indicator_count": 920,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "180 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d4fb941dcf34b04c6769e4",
      "name": "Nimbus Manticore Deploys New Malware Targeting Europe - Check Point Research",
      "description": "",
      "modified": "2025-09-25T08:21:40.204000",
      "created": "2025-09-25T08:21:40.204000",
      "tags": [
        "minijunk",
        "minibrowse",
        "minibike",
        "command",
        "israel",
        "europe",
        "june",
        "ttps",
        "prodaft",
        "unc1549",
        "service",
        "virustotal",
        "cluster",
        "first"
      ],
      "references": [
        "https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 36,
        "FileHash-SHA1": 36,
        "FileHash-SHA256": 36,
        "domain": 27,
        "hostname": 17
      },
      "indicator_count": 152,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "250 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d35a1965f5431ca22c402a",
      "name": "New Malware Campaign by Nimbus Manticore Hits Defense and Telecom Industries",
      "description": "Since early 2025, the Iranian threat actor Nimbus Manticore, also known as UNC1549 or Smoke Sandstorm, has intensified its cyber campaigns targeting defense, telecommunications, and aviation sectors in Western Europe, particularly Denmark, Sweden, and Portugal. Aligned with IRGC priorities, the group employs sophisticated spearphishing, impersonating firms like Boeing and Airbus to lure victims to fake career portals with unique URLs and credentials for tracking. These portals, built on React templates and hidden behind Cloudflare, deliver malicious ZIP archives like \"Survey.zip,\" initiating a multistage DLL sideloading chain. This chain exploits undocumented NT APIs to sideload malicious DLLs (\"userenv.dll\" and \"xmllite.dll\") via legitimate executables, ensuring persistence through scheduled tasks and registry keys.",
      "modified": "2025-09-24T02:40:25.291000",
      "created": "2025-09-24T02:40:25.291000",
      "tags": [
        "minijunk",
        "minibrowse",
        "minibike",
        "command",
        "israel",
        "europe",
        "june",
        "ttps",
        "prodaft",
        "unc1549",
        "service",
        "virustotal",
        "cluster",
        "first"
      ],
      "references": [
        "https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 36,
        "FileHash-SHA1": 36,
        "FileHash-SHA256": 36,
        "domain": 27,
        "hostname": 17
      },
      "indicator_count": 152,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 60,
      "modified_text": "251 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d30086e8e03e7f3e17174b",
      "name": "Nimbus Manticore Expands Malware Campaigns",
      "description": "",
      "modified": "2025-09-23T20:18:14.908000",
      "created": "2025-09-23T20:18:14.908000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 36,
        "FileHash-SHA1": 36,
        "FileHash-SHA256": 36,
        "domain": 26,
        "hostname": 103
      },
      "indicator_count": 237,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "252 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d241d5aa9ba180c83e82c0",
      "name": "Nimbus Manticore Deploys New Malware Targeting Europe",
      "description": "",
      "modified": "2025-09-23T06:44:37.851000",
      "created": "2025-09-23T06:44:37.851000",
      "tags": [
        "APT",
        "telecommunications",
        "spear-phishing",
        "DLL sideloading",
        "obfuscation"
      ],
      "references": [
        "https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Denmark",
        "Sweden",
        "Portugal",
        "Israel"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "68d1c1ecdb0b4acf0cc29af1",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 13,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 36,
        "domain": 28,
        "hostname": 17
      },
      "indicator_count": 107,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "252 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "thetacticstore.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "thetacticstore.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780441475.6097348
}