
Introduction
Iran-aligned Charming Kitten has launched a focused campaign against telecommunications providers, satellite operators, aerospace firms and defense organizations. Security researchers track the cluster as Subtle Snail or UNC1549 and report that the attackers used LinkedIn-style job lures to deliver custom loaders such as MINIBIKE and MINIBUS while hiding command-and-control (C2) traffic behind popular cloud services.
Key takeaways
- Targets: telecommunications, satellite operators, aerospace and defense across multiple regions.
- Initial access: Social engineering via fake recruitment approaches (LinkedIn and email) delivering lightweight downloaders and credential prompts.
- Tooling: Malware families named MINIBIKE, MINIBUS and Karkadann, plus Azure-hosted infrastructure used to blend C2 into ordinary enterprise traffic.
- Ecosystem: Related clusters (Nimbus and Manticore) show Iranian investment in modular loaders and browsers like MiniJunk and MiniBrowse.
ATT&CK mapping
- Initial Access: Spearphishing/social media recruitment (T1566.002).
- Credential Access: Web-based prompts and infostealers (T1056, T1110).
- Defense Evasion & Command and Control: Azure-based C2 over HTTPS and living off the land (T1071.001, T1027).
Defensive guidance
- Recruiting controls: Train staff to route unsolicited “dream job” outreach to security.
- Cloud egress controls: Monitor unusual Azure endpoints and apply SSL inspection with privacy guardrails.
- Identity protection: Use Conditional Access, phishing-resistant MFA and token protection for identity providers.
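The cloud egress guidance above in working form, as an added example that is not part of the original article or the cited reports: a pass over proxy logs that flags Azure-hosted HTTPS destinations contacted by very few internal hosts and checks whether those contacts recur at regular intervals, which is how C2 parked on a trusted cloud suffix tends to stand out. The suffix list, log format, hostnames, addresses and timings are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not from the article. Azure app-hosting suffixes (assumed list):
# C2 parked here inherits a trusted parent domain, so the signal is how few
# internal hosts contact a name and how regularly, not the name itself.
AZURE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com",
                  ".blob.core.windows.net", ".trafficmanager.net")

# Constructed proxy log: "<iso-timestamp> <src_ip> <dst_host>:<port> <bytes>"
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z 10.0.1.15 login.microsoftonline.com:443 1200
2024-05-01T08:01:10Z 10.0.1.15 corp-hr-portal.azurewebsites.net:443 4500
2024-05-01T08:02:00Z 10.0.1.22 corp-hr-portal.azurewebsites.net:443 4100
2024-05-01T08:02:30Z 10.0.1.31 corp-hr-portal.azurewebsites.net:443 3900
2024-05-01T08:03:12Z 10.0.1.47 billing-sync-7f2a.azurewebsites.net:443 2800
2024-05-01T08:08:12Z 10.0.1.47 billing-sync-7f2a.azurewebsites.net:443 2810
2024-05-01T08:13:12Z 10.0.1.47 billing-sync-7f2a.azurewebsites.net:443 2795
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\d+)$")

def parse(log_text):
    """Yield (timestamp, src_ip, host, port); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3).lower(), int(m.group(4))

def regular_intervals(timestamps, tolerance=5.0):
    """True when 3+ contacts are spaced at near-constant gaps (beacon-like)."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return max(gaps) - min(gaps) <= tolerance

def review_azure_destinations(log_text, min_clients=2, known_good=frozenset()):
    """Azure-hosted HTTPS names seen from fewer than min_clients internal
    sources, with hit count and whether the timing looks like a beacon."""
    clients, times = defaultdict(set), defaultdict(list)
    for ts, src, host, port in parse(log_text):
        if port != 443 or host in known_good or not host.endswith(AZURE_SUFFIXES):
            continue
        clients[host].add(src)
        times[host].append(ts)
    return {h: {"clients": len(c), "hits": len(times[h]),
                "beacon_like": regular_intervals(times[h])}
            for h, c in clients.items() if len(c) < min_clients}
```

On the sample, the widely used HR portal drops out and the single-client name contacted every five minutes is returned; in practice the known-good set and the rarity threshold are tuned against a baseline window before alerting.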
Sources
This article is based on investigative reports from The Hacker News (source), Dark Reading (source), and Check Point Research (source).