
UNC1549 Hackers Abuse Microsoft Azure Cloud To Attack Defense Sectors

New threat activity has been discovered that relates to Iran-nexus espionage targeting the aerospace, aviation, and defense industries in multiple countries, including Israel, the UAE, Turkey, India, and Albania.

The activity is also suspected to be linked to the UNC1549 threat actor, which has similarities with the Tortoiseshell threat group.

The threat actor used several evasion techniques to hide its activity and has been using Microsoft Azure cloud infrastructure, together with social engineering, to deliver two unique backdoors named MINIBIKE and MINIBUS.

Over 125 Azure command-and-control (C2) subdomains have been discovered as part of this attack campaign's TTPs.


Hackers Abuse Microsoft Azure

According to Mandiant's report, the threat actor's campaigns were tied to a fake recruiting website that hosts the MINIBUS payload.

Additionally, the campaign's evasion method relied on cloud infrastructure for C2, which makes this activity harder for network defenders to prevent, detect, and mitigate, since the traffic blends in with legitimate Azure usage.

The Tortoiseshell threat actor previously used this job-lure campaign.

Fake Job Offer (Source: Mandiant)

In terms of the attack lifecycle, the attack chain went through several stages: spear-phishing with fake job offers for tech and defense-related positions, payload delivery, and installation of the payloads on the device to compromise it.

The fake job-offer website was spread via social media and emails, and it contained malicious payloads as well as pages for harvesting credentials.

These payloads were either MINIBIKE or MINIBUS, which have been used since at least 2022.

Once these payloads are installed on the victim's device, C2 communication is established through Microsoft Azure cloud infrastructure, which collects information from the device and provides the operators with access to it.

Moreover, this stage was also found to use the LIGHTRAIL tunneler. Some of the Azure C2 domains used were:

  • ilengineeringrssfeed[.]azurewebsites[.]net (“IL Engineering RSS Feed”)
  • hiringarabicregion[.]azurewebsites[.]net (“Hiring Arabic Region”)
  • turkairline[.]azurewebsites[.]net (“Turk Airline”)

Fake Airline company website (Source: Mandiant)

MINIBIKE

This is a custom C++-based backdoor capable of exfiltrating files, executing commands, uploading files, and establishing communication with the Azure cloud infrastructure.

Once installed, this malware provides full backdoor functionality on the compromised device. The malware consists of three components:

  • The backdoor (a .dll or .dat file)
  • A launcher (executed via DLL search order hijacking (SoH))
  • A legitimate or fake executable that masks MINIBIKE

MINIBUS

Compared with the functionality offered by MINIBIKE, this malware provides a more flexible code-execution interface and enhanced information-gathering features.

This malware has very few built-in features compared to MINIBIKE, relying on its command interface instead. The functionality of this malware includes:

  • A command interface for code execution
  • A process enumeration feature
  • Exporting DLL names
  • C2 communications
  • Lure themes
  • Targeting and geography

LIGHTRAIL Tunneler

This tunneler shares multiple links with the MINIBIKE and MINIBUS malware, such as the code base, the Azure C2 infrastructure, and the same targets and victimology. The tunneler is based on the open-source utility Lastenzug, a SOCKS4a proxy.

Indicators Of Compromise (IOCs)


  • 01cbaddd7a269521bf7b80f4a9a1982f
  • 054c67236a86d9ab5ec80e16b884f733
  • 1d8a1756b882a19d98632bc6c1f1f8cd
  • 2c4cdc0e78ef57b44f11f7ec2f6164cd
  • 3b658afa91ce3327dbfa1cf665529a6d
  • 409c2ac789015e76f9886f1203a73bc0
  • 601eb396c339a69e7d8c2a3de3b0296d
  • 664cfda4ada6f8b7bb25a5f50cccf984
  • 68f6810f248d032bbb65b391cdb1d5e0
  • 691d0143c0642ff783909f983ccb8ffd
  • 710d1a8b2fc17c381a7f20da5d2d70fc
  • 75d2c686d410ec1f880a6fd7a9800055
  • 909a235ac0349041b38d84e9aab3f3a1
  • a5e64f196175c5f068e1352aa04bc5fa
  • adef679c6aa6860aa89b775dceb6958b
  • bfd024e64867e6ca44738dd03d4f87b5
  • c12ff86d32bd10c6c764b71728a51bce
  • cf32d73c501d5924b3c98383f53fda51
  • d94ffe668751935b19eaeb93fed1cdbe
  • e3dc8810da71812b860fc59aeadcc350
  • e9ed595b24a7eeb34ac52f57eeec6e2b
  • eadbaabe3b8133426bcf09f7102088d4


  • ef262f571cd429d88f629789616365e4
  • 816af741c3d6be1397d306841d12e206
  • c5dc2c75459dc99a42400f6d8b455250
  • 05fcace605b525f1bece1813bb18a56c
  • 4ed5d74a746461d3faa9f96995a1eec8
  • f58e0dfb8f915fa5ce1b7ca50c46b51b


  • 0a739dbdbcf9a5d8389511732371ecb4
  • 36e2d9ce19ed045a9840313439d6f18d
  • aaef98be8e58be6b96566268c163b6aa
  • c3830b1381d95aa6f97a58fd8ff3524e
  • c51bc86beb9e16d1c905160e96d9fa29
  • a5fdf55c1c50be471946de937f1e46dd

Fake Job Offers

  • ec6a0434b94f51aa1df76a066aa05413
  • 89107ce5e27d52b9fa6ae6387138dd3e
  • 4a223bc9c6096ac6bae3e7452ed6a1cd

C2 And Hosting Infrastructure

  • 1stemployer[.]com
  • birngthemhomenow[.]co[.]il
  • cashcloudservices[.]com
  • jupyternotebookcollections[.]com
  • notebooktextcheckings[.]com
  • teledyneflir[.]com[.]de
  • vsliveagent[.]com
  • xboxplayservice[.]com
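Because the article lists its C2 indicators in defanged form (`[.]` in place of `.`), a defender needs to refang them before they can be matched against DNS or proxy logs. The following script is an added example written for this article; it is not Mandiant's code or part of the original report. It refangs the Azure C2 subdomains and hosting domains listed above, checks constructed sample log lines for exact and subdomain matches, and, as an extra review signal (an assumption of this example, not something the article prescribes), flags any other `azurewebsites.net` destination that is not on a hypothetical allowlist, since the campaign used well over a hundred such subdomains. The log line format, the allowlist entry `corp-intranet.azurewebsites.net`, and the sample bytes for the hash check are all constructed for illustration.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Defanged C2 and hosting indicators exactly as listed in the article (Mandiant reporting).
DEFANGED_IOCS = [
    "ilengineeringrssfeed[.]azurewebsites[.]net",
    "hiringarabicregion[.]azurewebsites[.]net",
    "turkairline[.]azurewebsites[.]net",
    "1stemployer[.]com",
    "birngthemhomenow[.]co[.]il",
    "cashcloudservices[.]com",
    "jupyternotebookcollections[.]com",
    "notebooktextcheckings[.]com",
    "teledyneflir[.]com[.]de",
    "vsliveagent[.]com",
    "xboxplayservice[.]com",
]

# A few of the MD5 hashes from the article's IOC list (subset, for the hash check below).
IOC_MD5 = {
    "01cbaddd7a269521bf7b80f4a9a1982f",
    "ec6a0434b94f51aa1df76a066aa05413",
    "89107ce5e27d52b9fa6ae6387138dd3e",
}

# Hypothetical allowlist of Azure-hosted sites the organisation legitimately uses (constructed).
KNOWN_GOOD_AZURE_SITES = {"corp-intranet.azurewebsites.net"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://...') back into a matchable form."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def matches_ioc(hostname: str, ioc_domains=IOC_DOMAINS) -> Optional[str]:
    """Return the indicator that hostname equals or is a subdomain of, else None."""
    host = hostname.strip().lower().rstrip(".")
    for ioc in ioc_domains:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Extracts the destination host from key=value style log lines (constructed format).
HOST_RE = re.compile(r"(?:query|dst|host)=([A-Za-z0-9.-]+)")


def scan_logs(lines: List[str], ioc_domains=IOC_DOMAINS) -> List[Tuple[int, str, Optional[str], str]]:
    """Return (line_no, host, matched_ioc_or_None, reason) for every line worth a look."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower().rstrip(".")
        ioc = matches_ioc(host, ioc_domains)
        if ioc:
            hits.append((n, host, ioc, "known C2/hosting indicator"))
        elif host.endswith(".azurewebsites.net") and host not in KNOWN_GOOD_AZURE_SITES:
            # Weaker signal: the campaign used 125+ Azure subdomains, so unlisted ones merit review.
            hits.append((n, host, None, "unlisted azurewebsites.net destination (review)"))
    return hits


def md5_in_iocs(data: bytes, hashes=IOC_MD5) -> bool:
    """True if the MD5 of the given file bytes is in the IOC hash set."""
    return hashlib.md5(data).hexdigest() in hashes


# Constructed sample log lines (not from the article or any real environment).
SAMPLE_LOGS = [
    "2024-02-27T10:01:02Z dns query=turkairline.azurewebsites.net src=10.0.0.5",
    "2024-02-27T10:01:05Z proxy dst=www.1stemployer.com status=200",
    "2024-02-27T10:02:11Z dns query=corp-intranet.azurewebsites.net src=10.0.0.9",
    "2024-02-27T10:03:40Z dns query=payroll-app-7f3a.azurewebsites.net src=10.0.0.5",
    "2024-02-27T10:04:00Z proxy dst=example.com status=200",
    "2024-02-27T10:05:00Z dns query=notazurewebsites.net src=10.0.0.1",
]

if __name__ == "__main__":
    for line_no, host, ioc, reason in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {host} -> {ioc or '-'} ({reason})")
    print("sample bytes match IOC hash:", md5_in_iocs(b"constructed sample, not malware"))
```

The subdomain check uses `host.endswith("." + ioc)` rather than a substring test, so a lookalike such as `notazurewebsites.net` or a domain that merely contains an indicator as a prefix is not reported as a match; the same care applies to the `azurewebsites.net` review heuristic, which is a tuning knob rather than a detection and will need the allowlist populated from the organisation's own traffic baseline.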




Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy, and APT threats.
