
Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem

ID: 4b8ba2af-8364-5342-8882-16f18e403bb2

STIX ID: report--4b8ba2af-8364-5342-8882-16f18e403bb2

Feed Name: Threat Intelligence

Threat Score
88/100

Date Published: 2025-11-17

Date Updated: 2026-04-27

Author: Mandiant


Mandiant observed UNC1549 conducting targeted campaigns that used reconnaissance-driven spear-phishing of IT staff and administrators to obtain elevated credentials, deployed multiple custom backdoors (MINIBIKE, TWOSTROKE, DEEPROOT), abused DLL search-order hijacking in legitimate applications for stealth and persistence, and operated a custom tunneler (LIGHTRAIL) that leverages cloud infrastructure. The report includes technical breakdowns of TWOSTROKE's C2 protocol and victim ID generation, as well as the differences between LIGHTRAIL and its LastenZug source.