Iranian hackers have increased cyber operations against Middle East defense and aerospace organizations. Recently, investigators revealed that UNC1549 ran attacks from late 2023 to October 2025. Iranian hackers primarily aimed to steal sensitive data and support strategic intelligence goals.
Moreover, the group deployed two advanced malware tools during this campaign. First, TWOSTROKE, a lightweight Windows implant built in C++, allows attackers to execute commands, manipulate files, capture screenshots, and maintain persistent access. Second, DEEPROOT, a cross-platform backdoor developed in Go, enables attackers to run shell commands and transfer files on both Windows and Linux systems.
Iranian hackers gained access mainly through spear-phishing emails. These emails used job recruitment lures aimed at defense and aviation professionals. The group also exploited weaknesses at third-party software vendors and virtual desktop infrastructure providers to reach their customers. Once inside, the attackers deployed additional tools such as SIGHTGRAB for screenshot capture and CRASHPAD for credential harvesting and data staging.
Furthermore, Iranian hackers disguised command-and-control traffic by routing it through compromised Microsoft Azure accounts. Because the implants talked to legitimate cloud infrastructure, the malicious traffic blended in with normal cloud operations and was harder to distinguish from ordinary use, helping the attackers evade detection. This approach demonstrates the group's growing operational sophistication.
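Hiding command-and-control inside traffic to a widely used cloud provider defeats simple destination blocklists, so defenders typically fall back on behavioural signals. The script below is an added example, not code from the original article or from any of the investigators: it parses a small set of constructed proxy log lines and flags host/destination pairs that connect on a near-fixed schedule, which is the beaconing pattern most implants produce regardless of where the server is hosted. The hostnames, the destination name `example-tenant.blob.core.windows.net`, the timestamps, the log format and the thresholds (`min_events`, `max_cv`) are all assumptions made for this example and are not indicators from the UNC1549 reporting.

```python
"""Beacon-regularity heuristic over proxy log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed log format: "<date> <time> <source host> -> <destination name>".
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) -> (\S+)$")

# Constructed sample log. ws-17 connects every ~300 s with only a few seconds
# of jitter (beacon-like); ws-03 connects at irregular, human-like intervals;
# ws-22 is regular but has too few events to judge.
SAMPLE_LOG = """\
2025-10-01 09:00:00 ws-17 -> example-tenant.blob.core.windows.net
2025-10-01 09:00:00 ws-03 -> example-tenant.blob.core.windows.net
2025-10-01 09:00:45 ws-03 -> example-tenant.blob.core.windows.net
2025-10-01 09:05:01 ws-17 -> example-tenant.blob.core.windows.net
2025-10-01 09:09:59 ws-17 -> example-tenant.blob.core.windows.net
2025-10-01 09:12:10 ws-03 -> example-tenant.blob.core.windows.net
2025-10-01 09:13:00 ws-03 -> example-tenant.blob.core.windows.net
2025-10-01 09:15:02 ws-17 -> example-tenant.blob.core.windows.net
2025-10-01 09:20:00 ws-17 -> example-tenant.blob.core.windows.net
2025-10-01 09:25:01 ws-17 -> example-tenant.blob.core.windows.net
2025-10-01 09:30:00 ws-22 -> example-tenant.blob.core.windows.net
2025-10-01 09:35:00 ws-22 -> example-tenant.blob.core.windows.net
2025-10-01 09:40:00 ws-03 -> example-tenant.blob.core.windows.net
2025-10-01 09:40:00 ws-22 -> example-tenant.blob.core.windows.net
"""


def parse_log(text):
    """Return a list of (timestamp, host, destination); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def beacon_candidates(events, min_events=5, max_cv=0.1):
    """Flag (host, destination) pairs whose inter-connection intervals are nearly constant.

    The coefficient of variation (stdev / mean) of the intervals is low for
    scheduled beacons and high for interactive, human-driven traffic. Both
    thresholds are assumed values to be tuned per environment.
    """
    groups = defaultdict(list)
    for ts, host, dest in events:
        groups[(host, dest)].append(ts)

    hits = []
    for (host, dest), stamps in sorted(groups.items()):
        if len(stamps) < min_events:
            continue  # too few observations to call it periodic
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # all connections at the same instant: not a schedule
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            hits.append({
                "host": host,
                "dest": dest,
                "count": len(stamps),
                "mean_interval": round(avg, 1),
                "cv": round(cv, 4),
            })
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{hit['host']} -> {hit['dest']}: {hit['count']} connections, "
              f"~{hit['mean_interval']} s apart, cv={hit['cv']}")
```

On the sample data only `ws-17` is reported: six connections about 300 seconds apart with a coefficient of variation below 0.01. `ws-03` is seen as often but with wildly varying gaps, and `ws-22` is dropped by the `min_events` floor. In practice the same heuristic is run over hours of real proxy or firewall logs with known schedulers (update agents, monitoring probes) allow-listed, since legitimate automation is also periodic.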
As a result, attackers extracted sensitive information from multiple networks, though authorities have not disclosed the exact content. Analysts believe these operations support Iranian state interests, particularly in strategic intelligence collection. These events highlight the continuing threat Iranian hackers pose to critical industries in the Middle East.
To defend against these attacks, organizations in aerospace, aviation, and defense must strengthen email security, monitor the access granted to third-party vendors, and improve monitoring of their cloud environments, since command-and-control traffic hidden inside trusted cloud services will not be caught by destination-based blocking alone. Additionally, companies should train staff to recognize phishing emails, including unsolicited recruitment offers, and to report suspicious activity.
Finally, Iranian hackers continue evolving their tools and tactics. Organizations adopting proactive cybersecurity measures can better protect sensitive data and reduce the risk of future attacks. By acting now, companies can stay ahead of these persistent, state-linked threats.
