RST TI Report Digest: 24 Nov 2025
ID: c846665a-eeef-513e-986c-9d846f513d1d
STIX ID: report--c846665a-eeef-513e-986c-9d846f513d1d
Feed Name: RST Cloud Blog
UNC1549, an Iran-linked APT group, targets the aerospace and defense ecosystem, using social engineering and compromised third-party accounts to gain initial access. The report describes custom backdoors (MINIBIKE, TWOSTROKE, DEEPROOT); persistence and evasion techniques (DLL search-order hijacking, use of legitimate code-signing certificates); credential theft and reconnaissance; and the use of Microsoft Azure Web Apps for command and control. It closes with a list of IP addresses, domains, and file hashes as IoCs.
