Malware

Iranian Hackers Using Multi-Stage Malware To Attack Govt And Defense Sectors Via LinkedIn

Microsoft has identified a new Iranian state-sponsored threat actor, Peach Sandstorm, deploying a custom multi-stage backdoor named Tickler. 

This backdoor has been used to target various sectors, including satellite, communications equipment, oil and gas, and government, in the United States and the United Arab Emirates. Peach Sandstorm has also engaged in password spray attacks and intelligence gathering activities on LinkedIn

Microsoft assesses that this threat actor operates on behalf of the Iranian Islamic Revolutionary Guard Corps and is designed to support Iranian state interests by sharing this information to raise awareness and help organizations strengthen their defenses against such threats.

Peach Sandstorm attack chain

Peach Sandstorm, a threat actor known for password spray attacks and LinkedIn-based intelligence gathering, has recently evolved its tactics by deploying a new custom backdoor, Tickler, and utilizing fraudulent Azure subscriptions for command and control. 

It was observed between April and July 2024, which highlights the group’s adaptability and ongoing efforts to evade detection by identifying and disrupting the malicious Azure infrastructure involved in these operations, protecting affected organizations.

Peach Sandstorm is conducting intelligence gathering on LinkedIn using fake profiles and password spray attacks targeting various sectors. 

The group leveraged compromised accounts to gain access to Azure infrastructure and conduct further attacks, while Microsoft has implemented security measures like multi-factor authentication to mitigate such threats.

Network information collected by Tickler after deployment on target host

It deployed Tickler, a custom multi-stage backdoor, in compromised environments, which is a 64-bit PE file that collects network information and sends it to a C2 server. 

The second Tickler sample, sold.dll, is a Trojan dropper that downloads additional payloads, including a backdoor and legitimate files for DLL sideloading, which can run commands like systeminfo, dir, run, delete, interval, upload, and download.

Registry Run key added to set up persistence

Peach Sandstorm, a cyber threat group, abused Azure resources to create a command-and-control (C2) infrastructure by using compromised accounts to create Azure tenants and subscriptions, then deployed Azure Web Apps as C2 nodes. 

These nodes, identified by domain names like subreviews.azurewebsites[.]net and satellite2.azurewebsites[.]net, were used to facilitate malicious activities, which are similar to those employed by other Iranian threat groups like Smoke Sandstorm.

The threat actors have been successfully compromising organizations in various sectors using customized tools.

After gaining initial access, they employ lateral movement techniques, such as SMB, to spread within the network. 

They also download and install remote monitoring and management tools, like AnyDesk, to maintain persistence and control.

In certain cases, they capture Active Directory snapshots to gather sensitive information and plan further attacks.

To mitigate Peach Sandstorm attacks, prioritize securing identity infrastructure by implementing conditional access policies, blocking legacy authentication, and enabling MFA. 

Strengthen password hygiene with least privilege practices, password protection, and identity protection.

Protect endpoints with cloud-delivered protection, real-time protection, and EDR in block mode. 

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

LockBit Ransomware Group Breached: Internal Chats and Data Leaked Online

The notorious LockBit ransomware group, once considered one of the world’s most prolific cyber extortion…

19 minutes ago

Cisco IOS XE Wireless Controllers Vulnerability Lets Attackers Seize Full Control

A critical security flaw has been discovered in Cisco IOS XE Wireless LAN Controllers (WLCs),…

49 minutes ago

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector emerged…

15 hours ago

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its attacks…

16 hours ago

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6 million…

16 hours ago

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect servers…

18 hours ago