UNC1549 MINIBUS Backdoor Technical Analysis

This blog post comes from the UNC1549 MINIBUS Backdoor Technical Analysis report. If you want to download it as a PDFclick here


In the evolving cyber espionage landscape, state-sponsored threat actors’ activities targeting critical sectors have become increasingly sophisticated and widespread. A notable example of such activities is the campaign orchestrated by the Iranian threat actor known as UNC1549. This group, which has been active since at least June 2022 and continues its operations as of February 2024, has been implicated in espionage efforts primarily targeting the aerospace, aviation, and defense industries across the Middle East, including Israel, the United Arab Emirates (UAE), and potentially extending to Turkey, India, and Albania.

According to a blog post, Mandiant [1], a leading cybersecurity firm, attributes these activities with moderate confidence to UNC1549 and notes that the group overlaps with Tortoiseshell, a threat actor affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). The current situation seems consistent, given the strategic importance of the targeted sectors and the background of regional tensions such as the Israel-Hamas conflict. In one of its campaigns, UNC1549 exploited themes related to the Israel-Hamas war by disguising itself as the Bring Them Home Now movement advocating the release of Israelis held captive by Hamas.

This detailed technical analysis report aims to dissect the architecture, functionalities, and implications of the MINIBUS Backdoor, shedding light on its role within the broader context of regional cyber espionage activities. The deployment of MINIBUS through deceptive means, such as spear-phishing campaigns and fake job recruitment websites, underscores the threat actor’s emphasis on stealth and evasion. By masquerading as legitimate entities and exploiting trusted cloud infrastructure for command and control (C2) communications, UNC1549 has demonstrated high sophistication and an ability to circumvent traditional security measures. This report will delve into the technical specifics of the MINIBUS malware, including its payload delivery mechanisms, C2 infrastructure, and the unique features that distinguish it from previous tools used by the group.


Written LanguageN/A
First Seen / Detection Date2024-01-03
Initial Infection VectorPhishing Attachment
Table 1: Archive File Fingerprints
FiletypeWin32 DLL
Written LanguageC/C++
First Seen / Detection Date2024-01-04
Initial Infection VectorZIP Archive
Table 2: Minibus Installer Fingerprints
FiletypeWin32 DLL
Written LanguageC/C++
First Seen / Detection Date2024-01-04
Initial Infection VectorZIP Archive
Table 3: Minibus Backdoor Fingerprints
Figure 1: Fake extracting dialog message window

Mitigation Strategies

  • Implement strict access control policies. Ensure that users have only the access they need to perform their jobs.
  • Use email scanning solutions to detect malicious attachments and links within emails.
  • Conduct regular training to educate users about the latest phishing tactics and how to recognize suspicious emails and links.
  • You can search the FileCoAuth.exe data for the malware we found to use Registry Run Keys to ensure persistence.
  • Detecting suspicious traffic can be challenging because UNC1549 often uses legitimate services to hide network traffic and avoid detection in its campaigns. However, you can catch suspicious traffic by monitoring the HTTP header information that we found to be generated in web requests.
  • You can check the existence of the %LOCALAPPDATA%\Microsoft\OneDrive\cache\logger directory and the files copied to the directory, if any.


The malware’s ability to masquerade as legitimate applications and utilize cloud infrastructure for command and control (C2) communications complicates detection efforts and necessitates a multi-layered approach to security. The operational context in which MINIBUS has been deployed—targeting critical sectors with significant geopolitical implications—emphasizes the importance of sector-specific threat intelligence and collaboration. Sharing insights and indicators of compromise (IoCs) across organizations and industries can enhance collective defense mechanisms and prevent the successful execution of espionage campaigns. It is also a stark reminder of organizations’ need to foster a culture of security awareness, training employees to recognize and respond to social engineering tactics that are often the first step in such sophisticated attacks.

This blog post comes from the UNC1549 MINIBUS Backdoor Technical Analysis report. If you want to download it as a PDFclick here


[1] Mandiant. Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors.

url: https://www.mandiant.com/resources/blog/suspectediranian-unc1549-targets-israel-middle-east. (Accessed: 28.02.2024).

Share This: