From cc68b22fe2b160d48b86e4ed5c9f4ff11da61954 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 29 Feb 2024 10:38:27 -0800
Subject: [PATCH] [threat-actors] Add UNC1549
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2ce319c..af032c6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15290,6 +15290,17 @@
 },
 "uuid": "0e3224a0-3544-47d7-b1ce-fb3eb21286ad",
 "value": "UAC-0184"
+ },
+ {
+ "description": "UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially the IRGC. They have been active since at least June 2022, targeting entities worldwide with a focus on the Middle East. UNC1549 uses spear-phishing and credential harvesting for initial access, deploying custom malware like MINIBIKE and MINIBUS backdoors. They have also been observed using evasion techniques and a tunneler named LIGHTRAIL in their operations.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east"
+ ]
+ },
+ "uuid": "a2a7d49f-f517-4eeb-9ec8-b9b74e3fe756",
+ "value": "UNC1549"
 }
 ],
 "version": 302
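Review bot: The new UNC1549 object records its link to Tortoiseshell only in the free-text `description`, so tooling that pivots on cluster relationships will not connect the two actors. A sibling of `"uuid"` such as `"related": [{"dest-uuid": "<uuid of the existing Tortoiseshell cluster>", "type": "similar"}]` would make the overlap machine-readable. `"country": "IR"` is also stated flatly while the description hedges the IRGC tie ("potentially"), so an `"attribution-confidence"` value in `meta` would let consumers weight the attribution. `"version": 302` appears as unchanged context, so unless another commit in the series bumps it, consumers that sync on the version number may not pick up the new entry. The enclosing array and root object begin outside the hunk, so a duplicate or synonym collision with an existing entry cannot be ruled out from here.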