Iranian state-backed hackers are targeting US defense organizations with all-new malware


Microsoft has released new threat intelligence reporting that the Iranian state-sponsored actor Peach Sandstorm is pairing password spraying attacks with a custom-built backdoor in an intelligence-gathering campaign focused on satellite communications.

The backdoor, named ‘Tickler’ by Microsoft Threat Intelligence, is a multi-stage malware used to gain a foothold in target organizations; the operators then move laterally and gather intelligence using Server Message Block (SMB), remote monitoring and management (RMM) tools, and Active Directory (AD) snapshots.

Tickler has also been used against oil and gas organizations, and against state and federal government bodies, in the US and UAE.

Satellite Tickler

Microsoft's Threat Intelligence team says Peach Sandstorm has been observed using password spraying attacks to compromise accounts belonging to target organizations in the education, defense, space, and government sectors. Password spraying tries a small number of common passwords against many accounts, so each account sees only a handful of failed sign-ins and stays below per-account lockout thresholds.

Once it had compromised accounts in the education sector, Peach Sandstorm used newly created or existing Azure student subscriptions to host command-and-control (C2) infrastructure. From that C2 infrastructure, the group then targeted organizations in the government, defense and space sectors to gather intelligence on satellite communications equipment.
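Because a spray spreads a few failures across many accounts, per-account lockout counters never fire; the signal lives in the source, not the victim. The detector below, an added example rather than anything from Microsoft's report, groups failed sign-ins by source IP and flags a source whose failures inside a time window touch many distinct accounts with few attempts each, while ignoring a classic brute force (many failures against one account). The CSV layout, field names, addresses and accounts are constructed for illustration and are not a real product's schema or real telemetry.

```python
"""Password-spray detector over sign-in logs (added example, not Microsoft's code).

Log layout is a constructed, simplified CSV: timestamp,user,source_ip,result.
Field names and every address/account below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. 203.0.113.7 sprays six accounts (one try each,
# one success); 198.51.100.20 brute-forces a single account; 192.0.2.44 is a
# user who mistyped once. None of this is real data.
SAMPLE_LOG = """\
2024-08-20T09:00:01Z,alice@example.edu,203.0.113.7,FAILURE
2024-08-20T09:00:09Z,bob@example.edu,203.0.113.7,FAILURE
2024-08-20T09:00:17Z,carol@example.edu,203.0.113.7,FAILURE
2024-08-20T09:00:25Z,dave@example.edu,203.0.113.7,FAILURE
2024-08-20T09:00:33Z,erin@example.edu,203.0.113.7,FAILURE
2024-08-20T09:00:41Z,frank@example.edu,203.0.113.7,SUCCESS
2024-08-20T09:01:00Z,alice@example.edu,198.51.100.20,FAILURE
2024-08-20T09:01:05Z,alice@example.edu,198.51.100.20,FAILURE
2024-08-20T09:01:10Z,alice@example.edu,198.51.100.20,FAILURE
2024-08-20T09:01:15Z,alice@example.edu,198.51.100.20,FAILURE
2024-08-20T09:01:20Z,alice@example.edu,198.51.100.20,FAILURE
2024-08-20T09:01:25Z,alice@example.edu,198.51.100.20,SUCCESS
2024-08-20T09:05:00Z,grace@example.edu,192.0.2.44,FAILURE
2024-08-20T09:05:30Z,grace@example.edu,192.0.2.44,SUCCESS
"""


def parse_log(text):
    """Parse the constructed CSV into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user.strip().lower(), ip.strip(), result.strip()))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Return {ip: finding} for every source whose failures within `window`
    hit at least `min_users` distinct accounts with at most `max_per_user`
    failures each. A brute force against one account (many failures, one user)
    fails the distinct-user test and is deliberately not reported here.
    Each finding also lists accounts that signed in successfully from that
    source, which is the triage question: which spray attempts landed?"""
    fails = defaultdict(list)
    successes = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAILURE":
            fails[ip].append((ts, user))
        elif result == "SUCCESS":
            successes[ip].append(user)

    findings = {}
    for ip, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window forward so attempts[start:end+1] spans <= window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[ip] = {
                    "distinct_users": len(per_user),
                    "max_per_user": max(per_user.values()),
                    "window_start": attempts[start][0],
                    "successes": sorted(set(successes[ip])),
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, f)
```

Thresholds are deliberately conservative; tune `min_users` and `window` to the tenant's size, and key on ASN or user-agent as well as IP when an actor rotates source addresses, which IP-only grouping will miss.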

Two versions of Tickler have been identified by Microsoft. The first was found within a file named ‘Network Security.zip’ alongside a pair of decoy PDF documents. The malicious file carried the same name as one of the benign PDFs but was an executable with the double extension ‘.pdf.exe’; because Windows Explorer hides known file extensions by default, such a file is displayed to the user as an ordinary ‘.pdf’. When launched, the executable collects network information from the host device by decrypting kernel32.dll, and sends this information to the C2 infrastructure.
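The double-extension trick is cheap to catch at a mail gateway or on an archive before it reaches a user. The script below is an added example, not code from Microsoft or from the malware, and it builds a constructed in-memory ZIP that mimics the layout the report describes: two decoy PDFs and an executable named like one of them with ‘.pdf.exe’. The member names and file bytes are invented for illustration; the real archive's contents are not reproduced here. It flags a document extension sitting in front of an executable one, shows the name Explorer would display with extensions hidden, and separately flags any member that starts with the PE ‘MZ’ header regardless of what its name claims.

```python
"""Archive triage for double-extension lures (added example, not Microsoft's code).

Sample archive is constructed to resemble the layout described for
'Network Security.zip'; names and bytes are invented, not the real files.
"""
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".vbs", ".hta", ".msi", ".dll", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
PE_MAGIC = b"MZ"


def build_sample_archive():
    """Constructed lookalike of the reported archive: two decoy PDFs plus an
    executable whose name matches one decoy with '.exe' appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Network Security Guide.pdf", b"%PDF-1.7\n%decoy document\n")
        zf.writestr("Satellite Uplink Overview.pdf", b"%PDF-1.7\n%second decoy\n")
        zf.writestr("Network Security Guide.pdf.exe", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


def split_exts(name):
    """All extensions of the basename, lowercased: 'a/b.PDF.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def displayed_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on:
    only the final, registered extension is hidden."""
    exts = split_exts(name)
    if exts and exts[-1] in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return name[:-len(exts[-1])]
    return name


def inspect_archive(data):
    """Return [(member_name, [reasons])] for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = split_exts(info.filename)
            with zf.open(info) as fh:
                head = fh.read(8)
            reasons = []
            # 1. A document-looking extension hidden in front of an executable one.
            if exts and exts[-1] in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
                reasons.append("double extension; displayed as '%s' with extensions hidden"
                               % displayed_name(info.filename))
            # 2. PE content, whatever the name says.
            if head.startswith(PE_MAGIC):
                reasons.append("PE executable (MZ header) inside archive")
            # 3. Claims to be a PDF but does not start like one.
            if exts and exts[-1] == ".pdf" and not head.startswith(b"%PDF-"):
                reasons.append("'.pdf' name without PDF header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in inspect_archive(build_sample_archive()):
        print(name)
        for r in reasons:
            print("  -", r)
```

The name check and the content check are independent on purpose: renaming the payload to ‘.pdf’ alone would defeat the first but not the second, and a PE whose extension really is ‘.exe’ still deserves a look when it arrives in an archive of "documents".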

The second version functions in the same way as the first, but can also download additional payloads from the C2 infrastructure and deploy them on the host, using DLL sideloading to establish a persistent backdoor. Through that backdoor the attackers can execute arbitrary commands, delete files, and both download files from and upload files to the C2 infrastructure.

As an Iranian state-sponsored threat actor, Peach Sandstorm is likely operating on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC), gathering intelligence in line with Iranian state interests.

To mitigate the abuse of Azure infrastructure by threat actors holding compromised accounts, Microsoft began enforcing multi-factor authentication by default for all Azure administrators from July 2024, before rolling out MFA to all Azure accounts from October 2024.


Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
