Iranian Hackers Using Multi-Stage Malware To Attack Govt And Defense Sectors Via LinkedIn

Microsoft has identified a new Iranian state-sponsored threat actor, Peach Sandstorm, deploying a custom multi-stage backdoor named Tickler. 

This backdoor has been used to target various sectors, including satellite, communications equipment, oil and gas, and government, in the United States and the United Arab Emirates. Peach Sandstorm has also engaged in password spray attacks and intelligence gathering activities on LinkedIn

Microsoft assesses that this threat actor operates on behalf of the Iranian Islamic Revolutionary Guard Corps and is designed to support Iranian state interests by sharing this information to raise awareness and help organizations strengthen their defenses against such threats.

Peach Sandstorm attack chain

Peach Sandstorm, a threat actor known for password spray attacks and LinkedIn-based intelligence gathering, has recently evolved its tactics by deploying a new custom backdoor, Tickler, and utilizing fraudulent Azure subscriptions for command and control. 

It was observed between April and July 2024, which highlights the group’s adaptability and ongoing efforts to evade detection by identifying and disrupting the malicious Azure infrastructure involved in these operations, protecting affected organizations.

Peach Sandstorm is conducting intelligence gathering on LinkedIn using fake profiles and password spray attacks targeting various sectors. 

The group leveraged compromised accounts to gain access to Azure infrastructure and conduct further attacks, while Microsoft has implemented security measures like multi-factor authentication to mitigate such threats.

Network information collected by Tickler after deployment on target host

It deployed Tickler, a custom multi-stage backdoor, in compromised environments, which is a 64-bit PE file that collects network information and sends it to a C2 server. 

The second Tickler sample, sold.dll, is a Trojan dropper that downloads additional payloads, including a backdoor and legitimate files for DLL sideloading, which can run commands like systeminfo, dir, run, delete, interval, upload, and download.

Registry Run key added to set up persistence

Peach Sandstorm, a cyber threat group, abused Azure resources to create a command-and-control (C2) infrastructure by using compromised accounts to create Azure tenants and subscriptions, then deployed Azure Web Apps as C2 nodes. 

These nodes, identified by domain names like subreviews.azurewebsites[.]net and satellite2.azurewebsites[.]net, were used to facilitate malicious activities, which are similar to those employed by other Iranian threat groups like Smoke Sandstorm.

The threat actors have been successfully compromising organizations in various sectors using customized tools.

After gaining initial access, they employ lateral movement techniques, such as SMB, to spread within the network. 

They also download and install remote monitoring and management tools, like AnyDesk, to maintain persistence and control.

In certain cases, they capture Active Directory snapshots to gather sensitive information and plan further attacks.

To mitigate Peach Sandstorm attacks, prioritize securing identity infrastructure by implementing conditional access policies, blocking legacy authentication, and enabling MFA. 

Strengthen password hygiene with least privilege practices, password protection, and identity protection.

Protect endpoints with cloud-delivered protection, real-time protection, and EDR in block mode. 

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

15 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

19 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

19 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

22 hours ago