The same group. Different names. The confusion is understandable: UNC1549 is tracked as Screening Serpens by one set of researchers, Nimbus Manticore by another, and Smoke Sandstorm by Microsoft. The designations reflect independent tracking programmes identifying the same underlying Iranian IRGC-affiliated cluster from different collection angles.
What they all describe is the same sustained espionage operation: an Iranian intelligence collection programme targeting aerospace manufacturers, defence contractors, military technology developers, and telecommunications providers with a patient, technically capable approach that has been running without interruption for years. The recent expansion into European targets and adoption of novel execution techniques — particularly AppDomainManager injection and cloud-hosted C2 infrastructure on legitimate Azure and OneDrive services — marks a capability maturation that warrants a full profile.
Group Overview
| Attribute | Detail |
|---|---|
| Common names | UNC1549, Screening Serpens, Nimbus Manticore, Smoke Sandstorm |
| Attribution | Iran, assessed with high confidence as IRGC (Islamic Revolutionary Guard Corps) affiliated |
| Confidence | High. Attributed by Mandiant/Google TI, CrowdStrike, Microsoft, and corroborated by Five Eyes partners |
| Active since | Documented operations from at least 2018; continuous activity |
| Primary mission | Espionage: technology theft from aerospace and defence sectors; telecommunications access for signals intelligence |
| Primary targets | Aerospace manufacturers, defence contractors, military technology developers, telecoms providers |
| Geographic focus | Israel, Middle East, Turkey, Pakistan; expanding to US defence contractors and European targets |
| Distinguishing characteristic | Sustained targeting of defence industrial base; sophisticated AppDomainManager injection; abuse of legitimate cloud services for C2 |
UNC1549 sits within a broader cluster of Iranian IRGC-affiliated cyber groups that include elements tracked as DEV-0842 and others. The IRGC affiliation distinguishes them from MOIS-affiliated groups like MuddyWater: the targeting priorities reflect military and defence intelligence requirements — technology theft, capability assessment of adversary systems, and access to communications infrastructure — rather than civilian diplomatic intelligence.
Operational Focus: The Defence Industrial Base
UNC1549’s most consistent and high-value targeting is the global aerospace and defence industrial base. The collection priorities are direct: Iran’s military planners require intelligence on adversary weapons programmes, defence acquisition timelines, and technological capabilities — particularly those of Israel, the United States, and their defence partners.
The targeting is not limited to prime contractors. The supply chain approach is explicit in UNC1549 operations: tier-2 and tier-3 suppliers that feed into major defence programmes carry less security investment than the primes, while holding access to technical specifications, manufacturing tolerances, component designs, and programme schedules that have direct intelligence value.
Confirmed targeting sectors:
- Aerospace manufacturers (commercial and defence, with focus on military aviation programmes)
- Defence electronics and weapons systems developers
- Military training and simulation providers
- Satellite communications and space technology firms
- Telecoms infrastructure providers in target geographies, particularly those supporting military and government communications
Technical Tradecraft
Initial Access: SEO Poisoning and Spearphishing
UNC1549 combines two primary initial access techniques depending on targeting context.
SEO poisoning involves creating websites optimised to appear in search results for queries made by target sector employees — job postings, technical documentation, industry news. Employees searching for legitimate resources land on attacker-controlled pages that deliver malware through drive-by download or fake document download prompts. This technique requires no prior relationship with the target and reaches individuals who may be alert to spearphishing.
Spearphishing with job-themed lures targeting defence sector employees remains a consistent technique. UNC1549 crafts convincing impersonations of defence contractor recruitment communications, using the genuine hunger for cleared defence sector talent to lure targets into opening malicious attachments or clicking links.
AppDomainManager Injection: A Technique Worth Understanding
UNC1549’s AppDomainManager injection technique represents a meaningful capability development. The technique abuses a feature of the .NET runtime: when a .NET application loads, it can be configured through an application configuration file or environment variable to load a custom AppDomainManager class. If an attacker can place a malicious DLL alongside a legitimate .NET application and configure the loading path, their DLL executes in the context of the legitimate process when that process starts.
The defensive challenge is significant. The malicious DLL is loaded by a legitimate, signed process, so the execution chain starts with a legitimate binary. Many endpoint security products that track process execution chains will see only the legitimate parent process. Without specific detection coverage for AppDomainManager manipulation, the technique evades process-based behavioural detection.
Relevant conditions:
- Requires the ability to write files to a location accessible to a .NET application’s loading path
- Can be achieved through a prior foothold or by embedding in a malicious installer
- Particularly effective against targets using .NET-based enterprise applications
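The two loading paths the text describes are both documented .NET Framework features: the `<appDomainManagerAssembly>` and `<appDomainManagerType>` elements under `<runtime>` in an application's `.exe.config`, and the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables. The scanner below is an added example written for this article, not code from the original page or from any vendor report: it sweeps a set of config files and captured process environment blocks, extracts every AppDomainManager declaration, and grades each against an allowlist of applications known to use the feature legitimately. All file paths, config contents, process ids and the allowlist are constructed sample data.

```python
"""Find AppDomainManager declarations in .NET config files and process environments.

Added example (not from the original article). Everything in SAMPLE_CONFIGS,
SAMPLE_PROCESSES and ALLOWLIST is constructed test data, not incident artefacts.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    source: str        # config file path, or "pid:<n> <image>" for an environment hit
    assembly: str      # assembly display name, e.g. "Helper, Version=1.0.0.0, ..."
    manager_type: str  # fully qualified AppDomainManager type name
    severity: str      # "review" if the application is allowlisted, else "suspicious"


def parse_config_manager(xml_text: str) -> Optional[Tuple[str, str]]:
    """Return (assembly, type) declared under <configuration><runtime>, or None.

    A malformed file is treated as "no declaration" so one bad file cannot
    abort a sweep; log such files separately in production.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    # Either element on its own is still unusual enough to report.
    return (asm.get("value", "") if asm is not None else "",
            typ.get("value", "") if typ is not None else "")


def assembly_simple_name(display_name: str) -> str:
    """'Helper, Version=1.0.0.0, Culture=neutral' -> 'Helper'."""
    return display_name.split(",", 1)[0].strip()


def _app_name_from_config(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-len(".config")] if name.endswith(".config") else name


def scan_configs(configs: Dict[str, str], allowlist: Set[str]) -> List[Finding]:
    """configs maps config path -> file text; allowlist holds lower-cased exe names."""
    findings = []
    for path, text in configs.items():
        declared = parse_config_manager(text)
        if declared is None:
            continue
        severity = "review" if _app_name_from_config(path) in allowlist else "suspicious"
        findings.append(Finding(path, declared[0], declared[1], severity))
    return findings


def scan_processes(processes: List[dict], allowlist: Set[str]) -> List[Finding]:
    """processes: [{'pid': int, 'image': str, 'env': {...}}] as a process enumerator would capture."""
    findings = []
    for proc in processes:
        env = proc["env"]
        if "APPDOMAIN_MANAGER_ASM" not in env and "APPDOMAIN_MANAGER_TYPE" not in env:
            continue
        image = proc["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        severity = "review" if image in allowlist else "suspicious"
        findings.append(Finding(f"pid:{proc['pid']} {proc['image']}",
                                env.get("APPDOMAIN_MANAGER_ASM", ""),
                                env.get("APPDOMAIN_MANAGER_TYPE", ""), severity))
    return findings


# ---- constructed sample data -------------------------------------------------
SAMPLE_CONFIGS = {
    # Ordinary config: no AppDomainManager, should produce nothing.
    r"C:\Program Files\Vendor\Inventory.exe.config": """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" /></startup>
</configuration>""",
    # Declaration in a user-writable directory for an app not on the allowlist.
    r"C:\Users\jdoe\AppData\Local\Temp\Viewer\Viewer.exe.config": """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Helper.Manager" />
  </runtime>
</configuration>""",
    # Legitimate hosting application known to use the feature (allowlisted).
    r"C:\Program Files\Vendor\Host.exe.config": """<configuration><runtime>
    <appDomainManagerAssembly value="Vendor.Hosting, Version=2.0.0.0" />
    <appDomainManagerType value="Vendor.Hosting.DomainManager" />
  </runtime></configuration>""",
}
SAMPLE_PROCESSES = [
    {"pid": 4120, "image": r"C:\Program Files\Vendor\Inventory.exe",
     "env": {"PATH": r"C:\Windows", "APPDOMAIN_MANAGER_ASM": "Helper", "APPDOMAIN_MANAGER_TYPE": "Helper.Manager"}},
    {"pid": 4188, "image": r"C:\Program Files\Vendor\Host.exe", "env": {"PATH": r"C:\Windows"}},
]
ALLOWLIST = {"host.exe"}

if __name__ == "__main__":
    for f in scan_configs(SAMPLE_CONFIGS, ALLOWLIST) + scan_processes(SAMPLE_PROCESSES, ALLOWLIST):
        print(f"[{f.severity}] {f.source}: {assembly_simple_name(f.assembly)} / {f.manager_type}")
```

The allowlist is the important knob: very few enterprise applications declare an AppDomainManager, so a short list of known hosts keeps the "suspicious" bucket small enough to triage, and a declaration whose assembly resolves to a DLL in a user-writable directory (as in the second sample) should go to the top of the queue.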
Cloud C2: Azure and OneDrive Infrastructure
UNC1549 has increasingly hosted command and control infrastructure on legitimate Microsoft Azure services and OneDrive. C2 communication over Azure endpoints is:
- Encrypted in transit using TLS with Microsoft’s certificates
- Indistinguishable from legitimate Microsoft cloud traffic at the network perimeter
- Unlikely to be blocked by outbound filtering rules that preserve legitimate cloud productivity tool access
This is the same operational logic driving the adoption of cloud C2 across multiple advanced threat actors: the ubiquity of Microsoft cloud traffic in enterprise environments makes it the ideal cover channel.
Custom Implant Families
UNC1549 operates several custom backdoors, with names varying across vendor tracking:
MINIBIKE is a .NET backdoor providing full access to the compromised system: file operations, command execution, process injection, and screenshot capability. It communicates over HTTPS with beacon intervals designed to blend with normal enterprise web traffic.
MINIBUS is a more capable variant with extended post-compromise functionality including keylogging, clipboard capture, and browser credential theft. MINIBUS is typically deployed following MINIBIKE as a second-stage implant on higher-value targets.
MiniUpdate and MiniJunk are lighter-weight implants used for persistence in environments where deploying a full-featured backdoor increases detection risk. MiniUpdate specifically focuses on maintaining callback to C2 and receiving tasking instructions, with more sophisticated capabilities loaded on demand.
MiniFast is a reconnaissance-focused implant used in the initial post-compromise phase to gather environment information — system details, network configuration, installed software, user accounts — before operators make decisions about whether to deploy more capable tooling.
The naming consistency across these implants reflects a structured development programme rather than ad-hoc capability creation.
Recent Expansion: Operation Epic Fury and European Targeting
Intelligence reporting covering activity through 2025-2026 identifies two significant developments:
Post-Operation Epic Fury reconstitution. A disruption operation targeting UNC1549 infrastructure in 2024-2025 (referenced in threat intelligence as Operation Epic Fury) temporarily degraded the group’s operational capacity. However, the group reconstituted with new infrastructure, new backdoor variants (the MiniUpdate and MiniFast additions to the implant suite post-date the disruption), and resumed operations within months.
European targeting expansion. Traditional UNC1549 operations focused on Middle East, South Asian, and North American targets. Recent campaigns have targeted European aerospace and telecommunications companies, reflecting either an expanded collection mandate or the downstream consequence of European organisations’ growing role in defence supply chains that are primary targets.
The European expansion is consistent with a broader pattern across IRGC-affiliated APTs: as European governments increase defence cooperation with Israel and the US, European defence contractors and suppliers enter the collection priority set.
Attribution Confidence
Attribution to Iran’s IRGC rests on multiple pillars:
- Infrastructure overlaps with previously attributed IRGC campaigns
- Tooling that has been exclusively associated with IRGC-affiliated operations
- Targeting that directly reflects IRGC intelligence collection requirements (defence technology, aerospace capability, military telecommunications)
- Operational timings consistent with Iranian working patterns
- Technical artefacts in implant code containing Farsi strings and Iranian development environment indicators
The IRGC attribution distinguishes UNC1549 from MOIS-affiliated groups and shapes the likely tasking structure: collection priorities are military intelligence requirements, and operations are likely directed at or coordinated with IRGC intelligence units.
Defensive Posture
AppDomainManager injection detection. Monitor .NET applications for assemblies loaded from unexpected paths, in particular assemblies that are not in the application’s installed directory. Windows Security Event ID 4688 (process creation) and Sysmon Event ID 7 (image loaded) together supply the process-creation and module-load telemetry needed to tie a loaded DLL back to the .NET process that loaded it. Any .NET application loading an unexpected DLL from a user-writable path warrants investigation.
Cloud C2 traffic analysis. Because UNC1549 routes C2 through Azure and OneDrive, blocking these services is not viable for most organisations. Instead: implement behavioural analytics on cloud connectivity patterns. Hosts making regular, periodic short-duration requests to Azure endpoints with consistent timing intervals (beacon patterns) are worth investigating, particularly when those hosts do not run enterprise applications that would explain the connectivity.
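The beacon-pattern analytic described above can be prototyped against proxy logs before it goes into a SIEM. The script below is an added example for this article, not code from the original page or from any vendor: it parses a constructed proxy log, keeps only short transfers to a configurable set of Microsoft cloud hostname suffixes, and flags any source/destination pair whose inter-request intervals are both frequent and low-variance (coefficient of variation at or below a threshold). The log format, hostnames, workstation names, timestamps and thresholds are all constructed assumptions to be mapped onto your own proxy fields and tuned on your own baseline.

```python
"""Flag low-jitter periodic connections to cloud endpoints in proxy logs.

Added example (not from the original article). SAMPLE_LOG and CLOUD_SUFFIXES
are constructed sample data; the thresholds are starting points, not tuned values.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

Record = Tuple[datetime, str, str, int, int]  # (timestamp, src_host, dst_host, bytes_in, bytes_out)

# Constructed hostname suffixes to watch; extend with the cloud services your estate actually uses.
CLOUD_SUFFIXES = ("azurewebsites.net", "blob.core.windows.net", "onedrive.live.com", "sharepoint.com")

# Constructed proxy log, one record per line: "<ISO timestamp> <src_host> <dst_host> <bytes_in> <bytes_out>".
# WS-0417 contacts the same endpoint roughly every 60 s with tiny transfers (beacon-like);
# WS-0102 contacts OneDrive at irregular intervals the way an interactive user would.
SAMPLE_LOG = """
2025-03-04T09:00:00 WS-0417 example-store.blob.core.windows.net 412 330
2025-03-04T09:01:01 WS-0417 example-store.blob.core.windows.net 412 330
2025-03-04T09:01:59 WS-0417 example-store.blob.core.windows.net 412 330
2025-03-04T09:03:00 WS-0417 example-store.blob.core.windows.net 412 330
2025-03-04T09:04:02 WS-0417 example-store.blob.core.windows.net 412 330
2025-03-04T09:04:58 WS-0417 example-store.blob.core.windows.net 412 330
2025-03-04T09:06:00 WS-0417 example-store.blob.core.windows.net 412 330
2025-03-04T09:07:01 WS-0417 example-store.blob.core.windows.net 412 330
2025-03-04T09:00:10 WS-0102 onedrive.live.com 900 1200
2025-03-04T09:00:25 WS-0102 onedrive.live.com 700 1500
2025-03-04T09:03:40 WS-0102 onedrive.live.com 800 1100
2025-03-04T09:04:02 WS-0102 onedrive.live.com 650 1300
2025-03-04T09:12:30 WS-0102 onedrive.live.com 720 1250
2025-03-04T09:12:31 WS-0102 onedrive.live.com 710 1240
"""


def parse_log(text: str) -> List[Record]:
    """Parse the constructed five-field format; adapt this function to your proxy's schema."""
    records: List[Record] = []
    for line in text.strip().splitlines():
        ts, src, dst, b_in, b_out = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(b_in), int(b_out)))
    return records


def is_cloud_host(host: str) -> bool:
    """True if host equals or is a subdomain of one of the watched suffixes."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_SUFFIXES)


def find_beacons(records: List[Record], min_requests: int = 6,
                 max_cv: float = 0.2, max_bytes: int = 4096) -> List[Dict]:
    """Return (src, dst) pairs whose request timing is regular enough to look like a beacon.

    Regularity is measured as the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests; human-driven traffic has a CV well above 1.
    """
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, src, dst, b_in, b_out in records:
        if is_cloud_host(dst) and b_in + b_out <= max_bytes:
            by_pair[(src, dst)].append(ts)

    hits: List[Dict] = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} requests, "
              f"mean gap {hit['mean_interval_s']} s, CV {hit['cv']}")
```

The byte cap and the CV threshold are what separate a beacon from a sync client: OneDrive and Office telemetry also poll on timers, but they move more data and, on most estates, are explained by software that is present on the host. Enrich each hit with the originating process from endpoint telemetry before escalating, which is the "does an enterprise application explain the connectivity" check the text calls for.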
Defence sector employees are high-value targets. Personnel in aerospace, defence electronics, or military technology roles who interact with recruitment communications, technical specifications, or industry event information are UNC1549 targets. Specific training on job-themed lures and SEO-poisoned search results is warranted for this population.
Monitor for credential theft post-compromise. UNC1549 implants specifically target browser credential stores and may attempt to dump LSASS. Monitoring for LSASS access and browser data directory access from unexpected processes provides detection coverage for the post-initial-access phase.
Third-party supply chain assessment. If you are a defence prime contractor: your tier-2 and tier-3 suppliers are UNC1549 targets, and compromised suppliers are a pathway to you. Assess security requirements in your supply chain against the UNC1549 threat model, not just regulatory minimums.