Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem

    Date: 11/18/2025

    Severity: High

    Summary

    UNC1549 often gained initial access by combining targeted social engineering with compromised third-party accounts. Using credentials stolen from vendors or partners, the group exploited legitimate trust relationships to enter victim environments; spear-phishing emails themed around job offers or recruitment were the other key entry tactic, enticing targets to run malware-laced files. The group regularly abused Citrix, VMware, and Azure Virtual Desktop infrastructure that organizations shared with external partners: with compromised third-party credentials it authenticated into supplier-managed systems to establish an initial foothold, then broke out of the restricted, virtualized Citrix sessions to reach the underlying environment. For persistence across breached networks, UNC1549 relied on a range of proprietary backdoors, operating the custom malware families TWOSTROKE and DEEPROOT alongside MINIBIKE.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    politicalanorak.com

    ac-connection-status105.azurewebsites.net

    acc-cloud-connection.azurewebsites.net

    active-az-check-status45.azurewebsites.net

    active-az-check-status675.azurewebsites.net

    active-az-status45.azurewebsites.net

    active-az-status795.azurewebsites.net

    active-internal-log65.azurewebsites.net

    active-internal-logs.azurewebsites.net

    active-intranet-logs.azurewebsites.net

    airbus.usa-careers.com

    airlinecontrolsite.uaenorth.cloudapp.azure.com

    airlinecontrolsite.westus3.cloudapp.azure.com

    airplaneserviceticketings.com

    airseatregister.eastus.cloudapp.azure.com

    airseatsregister.qatarcentral.cloudapp.azure.com

    airseatsregistering.qatarcentral.cloudapp.azure.com

    airtravellog.com

    automationagencybusiness.azurewebsites.net

    automationagencybusiness.com

    browsercheckap.azurewebsites.net

    codesparkle.eastus.cloudapp.azure.com

    connect-acc-492.azurewebsites.net

    connect-acl-492.azurewebsites.net

    customerlistchange.eastus.cloudapp.azure.com

    developercodepro.azurewebsites.net

    developercodevista.azurewebsites.net

    dreamtiniventures.azurewebsites.net

    fdtsprobusinesssolutions.azurewebsites.net

    fdtsprobusinesssolutions.com

    fdtsprobusinesssolutions.eastus.cloudapp.azure.com

    fdtsprobusinesssolutions.northeurope.cloudapp.azure.com

    forcecodestore.com

    hserbhh43.westus3.cloudapp.azure.com

    infrasync-ac372.azurewebsites.net

    intra-az-check-status45.azurewebsites.net

    intra-az-check-status675.azurewebsites.net

    intra-az-status45.azurewebsites.net

    intra-az-status795.azurewebsites.net

    masterflexiblecloud.azurewebsites.net

    mso-internal-log65.azurewebsites.net

    mso-internal-logs.azurewebsites.net

    mso-intranet-logs.azurewebsites.net

    mydocs.qatarcentral.cloudapp.azure.com

    nx425-win4945.azurewebsites.net

    nx4542-win4957.azurewebsites.net

    nxlog-crash-1567.azurewebsites.net

    nxlog-win-1567.azurewebsites.net

    nxversion-win-1567.azurewebsites.net

    nxversion-win32-1127.azurewebsites.net

    overqatfa.northeurope.cloudapp.azure.com

    queuetestapplication.azurewebsites.net

    skychain13424.azurewebsites.net

    skychain41334.northeurope.cloudapp.azure.com

    skychains42745.eastus.cloudapp.azure.com

    skyticketgrant.azurewebsites.net

    snare-core.azurewebsites.net

    storageboxcloud.northeurope.cloudapp.azure.com

    storagewiz.co.azurewebsites.net

    swiftcode.eastus.cloudapp.azure.com

    swifttiniventures.azurewebsites.net

    terratechworld.eastus.cloudapp.azure.com

    thecloudappbox.azurewebsites.net

    thestorageboxcloud.northeurope.cloudapp.azure.com

    thetacticstore.com

    thevaultapp.westus3.cloudapp.azure.com

    thevaultspace.eastus.cloudapp.azure.com

    tini-ventures.com

    vcphone-ms.azurewebsites.net

    vcs-news.com

    vm-ticket-svc.azurewebsites.net

    vm-tools-svc.azurewebsites.net

    vmware-health-ms.azurewebsites.net

    IP Addresses:

    104.194.215.88

    13.60.50.172

    167.172.137.208

    34.18.42.26

    4.188.75.206

    4.240.113.27

    40.119.176.233

    46.31.115.92

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    dstipaddress IN ("167.172.137.208","104.194.215.88","13.60.50.172","34.18.42.26","4.188.75.206","4.240.113.27","40.119.176.233","46.31.115.92") or srcipaddress IN ("167.172.137.208","104.194.215.88","13.60.50.172","34.18.42.26","4.188.75.206","4.240.113.27","40.119.176.233","46.31.115.92")

    Detection Query 2 :

    domainname like "airtravellog.com" or url like "airtravellog.com" or siteurl like "airtravellog.com" or domainname like "browsercheckap.azurewebsites.net" or url like "browsercheckap.azurewebsites.net" or siteurl like "browsercheckap.azurewebsites.net" or domainname like "thetacticstore.com" or url like "thetacticstore.com" or siteurl like "thetacticstore.com" or domainname like "thecloudappbox.azurewebsites.net" or url like "thecloudappbox.azurewebsites.net" or siteurl like "thecloudappbox.azurewebsites.net" or domainname like "masterflexiblecloud.azurewebsites.net" or url like "masterflexiblecloud.azurewebsites.net" or siteurl like "masterflexiblecloud.azurewebsites.net" or domainname like "airbus.usa-careers.com" or url like "airbus.usa-careers.com" or siteurl like "airbus.usa-careers.com" or domainname like "politicalanorak.com" or url like "politicalanorak.com" or siteurl like "politicalanorak.com" or domainname like "ac-connection-status105.azurewebsites.net" or url like "ac-connection-status105.azurewebsites.net" or siteurl like "ac-connection-status105.azurewebsites.net" or domainname like "acc-cloud-connection.azurewebsites.net" or url like "acc-cloud-connection.azurewebsites.net" or siteurl like "acc-cloud-connection.azurewebsites.net" or domainname like "active-az-check-status45.azurewebsites.net" or url like "active-az-check-status45.azurewebsites.net" or siteurl like "active-az-check-status45.azurewebsites.net" or domainname like "active-az-check-status675.azurewebsites.net" or url like "active-az-check-status675.azurewebsites.net" or siteurl like "active-az-check-status675.azurewebsites.net" or domainname like "active-az-status45.azurewebsites.net" or url like "active-az-status45.azurewebsites.net" or siteurl like "active-az-status45.azurewebsites.net" or domainname like "active-az-status795.azurewebsites.net" or url like "active-az-status795.azurewebsites.net" or siteurl like "active-az-status795.azurewebsites.net" or domainname like "active-internal-log65.azurewebsites.net" or url like "active-internal-log65.azurewebsites.net" or siteurl like "active-internal-log65.azurewebsites.net" or domainname like "active-internal-logs.azurewebsites.net" or url like "active-internal-logs.azurewebsites.net" or siteurl like "active-internal-logs.azurewebsites.net" or domainname like "airlinecontrolsite.uaenorth.cloudapp.azure.com" or url like "airlinecontrolsite.uaenorth.cloudapp.azure.com" or siteurl like "airlinecontrolsite.uaenorth.cloudapp.azure.com" or domainname like "active-intranet-logs.azurewebsites.net" or url like "active-intranet-logs.azurewebsites.net" or siteurl like "active-intranet-logs.azurewebsites.net" or domainname like "airlinecontrolsite.westus3.cloudapp.azure.com" or url like "airlinecontrolsite.westus3.cloudapp.azure.com" or siteurl like "airlinecontrolsite.westus3.cloudapp.azure.com" or domainname like "airplaneserviceticketings.com" or url like "airplaneserviceticketings.com" or siteurl like "airplaneserviceticketings.com" or domainname like "airseatregister.eastus.cloudapp.azure.com" or url like "airseatregister.eastus.cloudapp.azure.com" or siteurl like "airseatregister.eastus.cloudapp.azure.com" or domainname like "airseatsregister.qatarcentral.cloudapp.azure.com" or url like "airseatsregister.qatarcentral.cloudapp.azure.com" or siteurl like "airseatsregister.qatarcentral.cloudapp.azure.com" or domainname like "airseatsregistering.qatarcentral.cloudapp.azure.com" or url like "airseatsregistering.qatarcentral.cloudapp.azure.com" or siteurl like "airseatsregistering.qatarcentral.cloudapp.azure.com" or domainname like "automationagencybusiness.azurewebsites.net" or url like "automationagencybusiness.azurewebsites.net" or siteurl like "automationagencybusiness.azurewebsites.net" or domainname like "automationagencybusiness.com" or url like "automationagencybusiness.com" or siteurl like "automationagencybusiness.com" or domainname like "codesparkle.eastus.cloudapp.azure.com" or url like "codesparkle.eastus.cloudapp.azure.com" or siteurl like "codesparkle.eastus.cloudapp.azure.com" or domainname like "connect-acc-492.azurewebsites.net" or url like "connect-acc-492.azurewebsites.net" or siteurl like "connect-acc-492.azurewebsites.net" or domainname like "customerlistchange.eastus.cloudapp.azure.com" or url like "customerlistchange.eastus.cloudapp.azure.com" or siteurl like "customerlistchange.eastus.cloudapp.azure.com" or domainname like "developercodepro.azurewebsites.net" or url like "developercodepro.azurewebsites.net" or siteurl like "developercodepro.azurewebsites.net" or domainname like "developercodevista.azurewebsites.net" or url like "developercodevista.azurewebsites.net" or siteurl like "developercodevista.azurewebsites.net" or domainname like "dreamtiniventures.azurewebsites.net" or url like "dreamtiniventures.azurewebsites.net" or siteurl like "dreamtiniventures.azurewebsites.net" or domainname like "fdtsprobusinesssolutions.com" or url like "fdtsprobusinesssolutions.com" or siteurl like "fdtsprobusinesssolutions.com" or domainname like "fdtsprobusinesssolutions.eastus.cloudapp.azure.com" or url like "fdtsprobusinesssolutions.eastus.cloudapp.azure.com" or siteurl like "fdtsprobusinesssolutions.eastus.cloudapp.azure.com" or domainname like "fdtsprobusinesssolutions.northeurope.cloudapp.azure.com" or url like "fdtsprobusinesssolutions.northeurope.cloudapp.azure.com" or siteurl like "fdtsprobusinesssolutions.northeurope.cloudapp.azure.com" or domainname like "forcecodestore.com" or url like "forcecodestore.com" or siteurl like "forcecodestore.com"

    Detection Query 3 :

    domainname like "hserbhh43.westus3.cloudapp.azure.com" or siteurl like "hserbhh43.westus3.cloudapp.azure.com" or url like "hserbhh43.westus3.cloudapp.azure.com" or domainname like "infrasync-ac372.azurewebsites.net" or siteurl like "infrasync-ac372.azurewebsites.net" or url like "infrasync-ac372.azurewebsites.net" or domainname like "intra-az-check-status45.azurewebsites.net" or siteurl like "intra-az-check-status45.azurewebsites.net" or url like "intra-az-check-status45.azurewebsites.net" or domainname like "intra-az-check-status675.azurewebsites.net" or siteurl like "intra-az-check-status675.azurewebsites.net" or url like "intra-az-check-status675.azurewebsites.net" or domainname like "intra-az-status45.azurewebsites.net" or siteurl like "intra-az-status45.azurewebsites.net" or url like "intra-az-status45.azurewebsites.net" or domainname like "intra-az-status795.azurewebsites.net" or siteurl like "intra-az-status795.azurewebsites.net" or url like "intra-az-status795.azurewebsites.net" or domainname like "mso-internal-log65.azurewebsites.net" or siteurl like "mso-internal-log65.azurewebsites.net" or url like "mso-internal-log65.azurewebsites.net" or domainname like "mso-internal-logs.azurewebsites.net" or siteurl like "mso-internal-logs.azurewebsites.net" or url like "mso-internal-logs.azurewebsites.net" or domainname like "mso-intranet-logs.azurewebsites.net" or siteurl like "mso-intranet-logs.azurewebsites.net" or url like "mso-intranet-logs.azurewebsites.net" or domainname like "mydocs.qatarcentral.cloudapp.azure.com" or siteurl like "mydocs.qatarcentral.cloudapp.azure.com" or url like "mydocs.qatarcentral.cloudapp.azure.com" or domainname like "nx425-win4945.azurewebsites.net" or siteurl like "nx425-win4945.azurewebsites.net" or url like "nx425-win4945.azurewebsites.net" or domainname like "nx4542-win4957.azurewebsites.net" or siteurl like "nx4542-win4957.azurewebsites.net" or url like "nx4542-win4957.azurewebsites.net" or domainname like "nxlog-crash-1567.azurewebsites.net" or siteurl like "nxlog-crash-1567.azurewebsites.net" or url like "nxlog-crash-1567.azurewebsites.net" or domainname like "nxlog-win-1567.azurewebsites.net" or siteurl like "nxlog-win-1567.azurewebsites.net" or url like "nxlog-win-1567.azurewebsites.net" or domainname like "nxversion-win-1567.azurewebsites.net" or siteurl like "nxversion-win-1567.azurewebsites.net" or url like "nxversion-win-1567.azurewebsites.net" or domainname like "nxversion-win32-1127.azurewebsites.net" or siteurl like "nxversion-win32-1127.azurewebsites.net" or url like "nxversion-win32-1127.azurewebsites.net" or domainname like "overqatfa.northeurope.cloudapp.azure.com" or siteurl like "overqatfa.northeurope.cloudapp.azure.com" or url like "overqatfa.northeurope.cloudapp.azure.com" or domainname like "queuetestapplication.azurewebsites.net" or siteurl like "queuetestapplication.azurewebsites.net" or url like "queuetestapplication.azurewebsites.net" or domainname like "skychain13424.azurewebsites.net" or siteurl like "skychain13424.azurewebsites.net" or url like "skychain13424.azurewebsites.net" or domainname like "skychain41334.northeurope.cloudapp.azure.com" or siteurl like "skychain41334.northeurope.cloudapp.azure.com" or url like "skychain41334.northeurope.cloudapp.azure.com" or domainname like "skychains42745.eastus.cloudapp.azure.com" or siteurl like "skychains42745.eastus.cloudapp.azure.com" or url like "skychains42745.eastus.cloudapp.azure.com" or domainname like "skyticketgrant.azurewebsites.net" or siteurl like "skyticketgrant.azurewebsites.net" or url like "skyticketgrant.azurewebsites.net" or domainname like "terratechworld.eastus.cloudapp.azure.com" or siteurl like "terratechworld.eastus.cloudapp.azure.com" or url like "terratechworld.eastus.cloudapp.azure.com" or domainname like "thestorageboxcloud.northeurope.cloudapp.azure.com" or siteurl like "thestorageboxcloud.northeurope.cloudapp.azure.com" or url like "thestorageboxcloud.northeurope.cloudapp.azure.com" or domainname like "thevaultapp.westus3.cloudapp.azure.com" or siteurl like "thevaultapp.westus3.cloudapp.azure.com" or url like "thevaultapp.westus3.cloudapp.azure.com" or domainname like "thevaultspace.eastus.cloudapp.azure.com" or siteurl like "thevaultspace.eastus.cloudapp.azure.com" or url like "thevaultspace.eastus.cloudapp.azure.com" or domainname like "tini-ventures.com" or siteurl like "tini-ventures.com" or url like "tini-ventures.com" or domainname like "vcphone-ms.azurewebsites.net" or siteurl like "vcphone-ms.azurewebsites.net" or url like "vcphone-ms.azurewebsites.net" or domainname like "vcs-news.com" or siteurl like "vcs-news.com" or url like "vcs-news.com" or domainname like "vm-ticket-svc.azurewebsites.net" or siteurl like "vm-ticket-svc.azurewebsites.net" or url like "vm-ticket-svc.azurewebsites.net" or domainname like "vm-tools-svc.azurewebsites.net" or siteurl like "vm-tools-svc.azurewebsites.net" or url like "vm-tools-svc.azurewebsites.net" or domainname like "vmware-health-ms.azurewebsites.net" or siteurl like "vmware-health-ms.azurewebsites.net" or url like "vmware-health-ms.azurewebsites.net" or domainname like "connect-acl-492.azurewebsites.net" or siteurl like "connect-acl-492.azurewebsites.net" or url like "connect-acl-492.azurewebsites.net" or domainname like "fdtsprobusinesssolutions.azurewebsites.net" or siteurl like "fdtsprobusinesssolutions.azurewebsites.net" or url like "fdtsprobusinesssolutions.azurewebsites.net" or domainname like "snare-core.azurewebsites.net" or siteurl like "snare-core.azurewebsites.net" or url like "snare-core.azurewebsites.net" or domainname like "storageboxcloud.northeurope.cloudapp.azure.com" or siteurl like "storageboxcloud.northeurope.cloudapp.azure.com" or url like "storageboxcloud.northeurope.cloudapp.azure.com" or domainname like "storagewiz.co.azurewebsites.net" or siteurl like "storagewiz.co.azurewebsites.net" or url like "storagewiz.co.azurewebsites.net" or domainname like "swiftcode.eastus.cloudapp.azure.com" or siteurl like "swiftcode.eastus.cloudapp.azure.com" or url like "swiftcode.eastus.cloudapp.azure.com" or domainname like "swifttiniventures.azurewebsites.net" or siteurl like "swifttiniventures.azurewebsites.net" or url like "swifttiniventures.azurewebsites.net"

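    The queries above match exact indicator strings in three URL/host fields. Two things a practitioner will want to check before relying on them: whether the platform's `like` without wildcards behaves as an equality test (in which case a subdomain such as a Kudu `scm.` host of a listed App Service name is missed), and that every domain and IP in the IOC list actually appears in a query. The following is an added worked example, written for this page and not taken from the Gurucul advisory or the Google/Mandiant report it cites. It loads the page's domain and IP indicators, matches them against proxy-log lines with a label-anchored suffix check (so `scm.snare-core.azurewebsites.net` is caught but a lookalike such as `notairtravellog.com` is not), and regenerates a query in the `field like "value"` form used above from the complete domain set so the detection stays in sync with the list. The log format and the sample lines are constructed for the demonstration; the indicator values are the page's.

```python
# Added example (editor's code, not from the Gurucul page or the Google/Mandiant
# report it cites): match this page's UNC1549 network IOCs against proxy logs offline.
# The log format and the sample lines are constructed; the IOC values are the page's.
import ipaddress
from urllib.parse import urlsplit

UNC1549_DOMAINS = frozenset("""
politicalanorak.com ac-connection-status105.azurewebsites.net acc-cloud-connection.azurewebsites.net
active-az-check-status45.azurewebsites.net active-az-check-status675.azurewebsites.net
active-az-status45.azurewebsites.net active-az-status795.azurewebsites.net active-internal-log65.azurewebsites.net
active-internal-logs.azurewebsites.net active-intranet-logs.azurewebsites.net airbus.usa-careers.com
airlinecontrolsite.uaenorth.cloudapp.azure.com airlinecontrolsite.westus3.cloudapp.azure.com
airplaneserviceticketings.com airseatregister.eastus.cloudapp.azure.com airtravellog.com
airseatsregister.qatarcentral.cloudapp.azure.com airseatsregistering.qatarcentral.cloudapp.azure.com
automationagencybusiness.azurewebsites.net automationagencybusiness.com browsercheckap.azurewebsites.net
codesparkle.eastus.cloudapp.azure.com connect-acc-492.azurewebsites.net connect-acl-492.azurewebsites.net
customerlistchange.eastus.cloudapp.azure.com developercodepro.azurewebsites.net
developercodevista.azurewebsites.net dreamtiniventures.azurewebsites.net fdtsprobusinesssolutions.com
fdtsprobusinesssolutions.azurewebsites.net fdtsprobusinesssolutions.eastus.cloudapp.azure.com
fdtsprobusinesssolutions.northeurope.cloudapp.azure.com forcecodestore.com hserbhh43.westus3.cloudapp.azure.com
infrasync-ac372.azurewebsites.net intra-az-check-status45.azurewebsites.net intra-az-check-status675.azurewebsites.net
intra-az-status45.azurewebsites.net intra-az-status795.azurewebsites.net masterflexiblecloud.azurewebsites.net
mso-internal-log65.azurewebsites.net mso-internal-logs.azurewebsites.net mso-intranet-logs.azurewebsites.net
mydocs.qatarcentral.cloudapp.azure.com nx425-win4945.azurewebsites.net nx4542-win4957.azurewebsites.net
nxlog-crash-1567.azurewebsites.net nxlog-win-1567.azurewebsites.net nxversion-win-1567.azurewebsites.net
nxversion-win32-1127.azurewebsites.net overqatfa.northeurope.cloudapp.azure.com queuetestapplication.azurewebsites.net
skychain13424.azurewebsites.net skychain41334.northeurope.cloudapp.azure.com skychains42745.eastus.cloudapp.azure.com
skyticketgrant.azurewebsites.net snare-core.azurewebsites.net storageboxcloud.northeurope.cloudapp.azure.com
storagewiz.co.azurewebsites.net swiftcode.eastus.cloudapp.azure.com swifttiniventures.azurewebsites.net
terratechworld.eastus.cloudapp.azure.com thecloudappbox.azurewebsites.net thetacticstore.com
thestorageboxcloud.northeurope.cloudapp.azure.com thevaultapp.westus3.cloudapp.azure.com
thevaultspace.eastus.cloudapp.azure.com tini-ventures.com vcphone-ms.azurewebsites.net vcs-news.com
vm-ticket-svc.azurewebsites.net vm-tools-svc.azurewebsites.net vmware-health-ms.azurewebsites.net
""".split())  # the 73 domains from the IOC list above

UNC1549_IPS = frozenset({"104.194.215.88", "13.60.50.172", "167.172.137.208", "34.18.42.26",
                         "4.188.75.206", "4.240.113.27", "40.119.176.233", "46.31.115.92"})

def normalize_host(value):
    """Reduce a URL, host:port or bare hostname to a lower-case hostname (no trailing dot)."""
    value = value.strip().lower()
    if "://" in value:
        return (urlsplit(value).hostname or "").rstrip(".")
    host, sep, port = value.rpartition(":")
    return (host if sep and port.isdigit() else value).rstrip(".")

def match_domain(value):
    """Return the IOC that `value` equals or is a subdomain of, else None.
    The suffix check walks label boundaries, so 'notairtravellog.com' does not
    match 'airtravellog.com' the way a substring LIKE '%...%' would."""
    labels = normalize_host(value).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in UNC1549_DOMAINS:
            return candidate
    return None

def match_ip(value):
    """Return the canonical IOC address if `value` is a listed IP, else None."""
    try:
        addr = str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None
    return addr if addr in UNC1549_IPS else None

# Constructed log format: "<timestamp> <src_ip> <dst_ip> <host> <url>", "-" when absent.
SAMPLE_PROXY_LOG = [
    "2025-11-18T09:14:02Z 10.20.30.41 40.119.176.233 airbus.usa-careers.com https://airbus.usa-careers.com/apply",
    "2025-11-18T09:15:10Z 10.20.30.41 203.0.113.10 portal.example.com https://portal.example.com/login",
    "2025-11-18T09:16:33Z 10.20.30.55 203.0.113.20 scm.snare-core.azurewebsites.net https://scm.snare-core.azurewebsites.net/api",
    "2025-11-18T09:17:01Z 10.20.30.55 46.31.115.92 - -",
    "2025-11-18T09:18:44Z 10.20.30.60 203.0.113.30 notairtravellog.com https://notairtravellog.com/",
]

def scan_proxy_log(lines):
    """Return (timestamp, src_ip, field, ioc) for each line that touches an IOC."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed; a production pipeline should count and alert on these
        ts, src, dst, host, url = parts
        for field, value, matcher in (("dst_ip", dst, match_ip), ("host", host, match_domain),
                                      ("url", url, match_domain)):
            ioc = matcher(value) if value != "-" else None
            if ioc:
                hits.append((ts, src, field, ioc))
                break  # one hit per line is enough to raise the alert
    return hits

def build_domain_query(domains=UNC1549_DOMAINS, fields=("domainname", "url", "siteurl")):
    """Regenerate a query in the `field like "value"` form used on this page from the
    full domain set, so the detection stays in sync with the IOC list as it changes."""
    return " or ".join(f'{f} like "{d}"' for d in sorted(domains) for f in fields)

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("HIT %s src=%s %s=%s" % hit)
    print(len(build_domain_query().split(" or ")), "query clauses generated")
```

    Run stand-alone it reports three hits on the five constructed lines (the destination IP on the first, the `scm.` subdomain of a listed App Service host on the third, and the bare destination IP on the fourth) and no hit on the lookalike domain. Feed `build_domain_query()` to the platform in place of hand-maintained clause lists, and keep the subdomain behaviour in mind if the query language's `like` needs explicit wildcards.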
    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense


    Tags

    Malware, Threat Actor, UNC1549, TWOSTROKE, DEEPROOT, Backdoor, MINIBIKE, Social Engineering, Defense Industrial Base, Phishing, Spear Phishing
