Malware

Iranian Hackers Using Multi-Stage Malware To Attack Govt And Defense Sectors Via LinkedIn

Microsoft has identified a new Iranian state-sponsored threat actor, Peach Sandstorm, deploying a custom multi-stage backdoor named Tickler. 

This backdoor has been used to target various sectors, including satellite, communications equipment, oil and gas, and government, in the United States and the United Arab Emirates. Peach Sandstorm has also engaged in password spray attacks and intelligence gathering activities on LinkedIn

Microsoft assesses that this threat actor operates on behalf of the Iranian Islamic Revolutionary Guard Corps and is designed to support Iranian state interests by sharing this information to raise awareness and help organizations strengthen their defenses against such threats.

Peach Sandstorm attack chain

Peach Sandstorm, a threat actor known for password spray attacks and LinkedIn-based intelligence gathering, has recently evolved its tactics by deploying a new custom backdoor, Tickler, and utilizing fraudulent Azure subscriptions for command and control. 

It was observed between April and July 2024, which highlights the group’s adaptability and ongoing efforts to evade detection by identifying and disrupting the malicious Azure infrastructure involved in these operations, protecting affected organizations.

Peach Sandstorm is conducting intelligence gathering on LinkedIn using fake profiles and password spray attacks targeting various sectors. 

The group leveraged compromised accounts to gain access to Azure infrastructure and conduct further attacks, while Microsoft has implemented security measures like multi-factor authentication to mitigate such threats.

Network information collected by Tickler after deployment on target host

It deployed Tickler, a custom multi-stage backdoor, in compromised environments, which is a 64-bit PE file that collects network information and sends it to a C2 server. 

The second Tickler sample, sold.dll, is a Trojan dropper that downloads additional payloads, including a backdoor and legitimate files for DLL sideloading, which can run commands like systeminfo, dir, run, delete, interval, upload, and download.

Registry Run key added to set up persistence

Peach Sandstorm, a cyber threat group, abused Azure resources to create a command-and-control (C2) infrastructure by using compromised accounts to create Azure tenants and subscriptions, then deployed Azure Web Apps as C2 nodes. 

These nodes, identified by domain names like subreviews.azurewebsites[.]net and satellite2.azurewebsites[.]net, were used to facilitate malicious activities, which are similar to those employed by other Iranian threat groups like Smoke Sandstorm.

The threat actors have been successfully compromising organizations in various sectors using customized tools.

After gaining initial access, they employ lateral movement techniques, such as SMB, to spread within the network. 

They also download and install remote monitoring and management tools, like AnyDesk, to maintain persistence and control.

In certain cases, they capture Active Directory snapshots to gather sensitive information and plan further attacks.

To mitigate Peach Sandstorm attacks, prioritize securing identity infrastructure by implementing conditional access policies, blocking legacy authentication, and enabling MFA. 

Strengthen password hygiene with least privilege practices, password protection, and identity protection.

Protect endpoints with cloud-delivered protection, real-time protection, and EDR in block mode. 

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems across…

6 hours ago

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21 popular…

6 hours ago

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its focus…

6 hours ago

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu, has…

7 hours ago

Hackers Use Pahalgam Attack-Themed Decoys to Target Indian Government Officials

The Seqrite Labs APT team has uncovered a sophisticated cyber campaign by the Pakistan-linked Transparent…

7 hours ago

LUMMAC.V2 Stealer Uses ClickFix Technique to Deceive Users into Executing Malicious Commands

The LUMMAC.V2 infostealer malware, also known as Lumma or Lummastealer, has emerged as a significant…

7 hours ago