Iranian State APT Blitzes Telcos & Satellite Companies
Summary
Researchers report that an Iran-linked APT cluster — Subtle Snail (aka UNC1549), associated with Charming Kitten — has recently stolen sensitive data from 11 global telecommunications firms, satellite operators and aerospace suppliers. The group has been active for several years across the Middle East, Europe and North America and has escalated its focus on satellite communications and aerospace-related targets.
The attackers conduct detailed reconnaissance on selected personnel, approach them with convincing LinkedIn recruiter lures and bespoke phishing domains, then deploy a modular backdoor called “MiniBike”. MiniBike is loaded via DLL sideloading and pulls down a purpose-built DLL component for each capability, so every deployment yields a slightly different set of binaries and hash-based detection keeps missing them. The stolen haul ranges from system and network configurations and credentials to PII, proprietary documents and call-detail records (CDRs), which appear to serve state-level espionage needs.
Key Points
- Subtle Snail (UNC1549) linked to Charming Kitten has targeted 11 telcos, satellite operators and aerospace firms.
- Attacks are highly customised: attackers research individuals, impersonate recruiters on LinkedIn and craft realistic job lures.
- The MiniBike backdoor is modular and relies on DLL sideloading; each capability is delivered as a slightly altered DLL, so file hashes and static signatures rarely match across victims.
- Data stolen includes system/network info, VPN configs, credentials, PII (photos/passports), proprietary documents and CDRs.
- Researchers (Prodaft and others) observed campaigns across the Middle East, Europe and North America, with past focus on aerospace and defence.
- Attribution ties the cluster to Iranian state interests, likely serving government customers such as the IRGC; the researchers note a division of labour between operators who obtain access and developers who build the malware.
- Hash- and signature-based AV struggles with the many minor variants; behavioural analysis helps, but detection rules remain incomplete.
Why should I read this?
Short version: these folks are picking off telcos and satellite firms with bespoke, patient attacks — and they aren’t sloppy about it. If you work in comms, aerospace or security, this is the sort of campaign that can quietly harvest credentials, CDRs and IP. Read the full details so you know what to lock down and who to warn.
Context and Relevance
This story matters because telcos and satellite operators are high-value targets for state espionage: they hold subscriber and routing data, network configurations and communications records with direct strategic use. The campaign shows two important trends. First, threat actors are investing real time in human-targeted social engineering (LinkedIn recruiter ruses aimed at named individuals). Second, modular malware delivered via DLL sideloading produces a stream of near-identical variants that defeat hash- and signature-based defences, so detection has to key on behaviour rather than on file contents.
Organisations should review privileged access controls, enforce multi-factor authentication, harden endpoint detection for DLL sideloading (for example, alert when a signed executable running from a user-writable directory loads an unsigned DLL carrying a Windows system DLL name from that same directory), monitor for suspicious recruiter and social-networking approaches to staff, and treat CDRs, VPN configurations and network configuration files as highly sensitive. The campaign also underlines the value of threat-intel sharing across the telecom and satellite sectors.
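To make the DLL sideloading point concrete, here is an added example (not code from the report, Prodaft or any tooling mentioned on this page) that triages constructed Sysmon-style image-load records. It applies three heuristics that do not depend on file hashes: a Windows system DLL name resolved from outside System32, an executable and DLL sitting side by side in a user-writable directory, and a signed host process mapping an unsigned module. The DLL name list, the sample paths and the two “variant” payloads are all assumptions made up for the demonstration; the point it shows is that a hash denylist built from one variant misses the next recompile, while the behavioural checks fire on both.

```python
"""Heuristic triage of DLL sideloading from Sysmon-style image-load events.

Added example with constructed records mimicking Sysmon Event ID 7 fields
(Image, ImageLoaded, Signed). Paths, DLL names and hashes are made up for
illustration and are not taken from the MiniBike report.
"""
import hashlib
import ntpath
from dataclasses import dataclass

# Assumption: a curated list of Windows DLL names that are popular sideloading
# targets. A real deployment would load this from a maintained catalogue.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class ImageLoad:
    image: str          # host process executable (Sysmon "Image")
    image_loaded: str   # DLL mapped into it (Sysmon "ImageLoaded")
    image_signed: bool  # Authenticode status of the host process
    dll_signed: bool    # Authenticode status of the DLL
    dll_sha256: str     # hash of the DLL file as logged


def under_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Return the sideloading heuristics an event trips (empty list = nothing odd)."""
    reasons = []
    dll_name = ntpath.basename(ev.image_loaded).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    exe_dir = ntpath.dirname(ev.image).lower()
    # 1. A DLL carrying a Windows system name resolved from outside System32/SysWOW64.
    if dll_name in KNOWN_SYSTEM_DLLS and not under_system_dir(ev.image_loaded):
        reasons.append(f"{dll_name} loaded from outside the system directories")
    # 2. The classic layout: executable and DLL side by side in a user-writable path.
    if dll_dir == exe_dir and in_user_writable(ev.image):
        reasons.append("DLL loaded from the executable's own user-writable directory")
    # 3. A signed host process mapping an unsigned module.
    if ev.image_signed and not ev.dll_signed:
        reasons.append("signed host process loaded an unsigned DLL")
    return reasons


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(events, hash_denylist):
    """For each event, report whether a hash IOC hit and which heuristics fired."""
    return [
        {"dll": ev.image_loaded,
         "hash_hit": ev.dll_sha256 in hash_denylist,
         "reasons": sideload_indicators(ev)}
        for ev in events
    ]


# Constructed sample: two near-identical payload variants, differing in one byte.
VARIANT_A = b"MZ" + b"\x00" * 64 + b"module-v1"
VARIANT_B = b"MZ" + b"\x00" * 64 + b"module-v2"
DENYLIST = {sha256_hex(VARIANT_A)}   # an IOC feed that only ever saw variant A

LURE_DIR = r"C:\Users\alice\AppData\Local\Temp\JobOffer"
SAMPLE_EVENTS = [
    # Legitimate system activity: nothing should fire.
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll",
              True, True, sha256_hex(b"real-version")),
    # Legitimate vendor app loading its own signed DLL from Program Files.
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\app.dll",
              True, True, sha256_hex(b"vendor-dll")),
    # Sideload, variant A: signed host dropped beside a rogue version.dll.
    ImageLoad(LURE_DIR + r"\viewer.exe", LURE_DIR + r"\version.dll",
              True, False, sha256_hex(VARIANT_A)),
    # Sideload, variant B: identical layout, recompiled payload, new hash.
    ImageLoad(LURE_DIR + r"\viewer.exe", LURE_DIR + r"\version.dll",
              True, False, sha256_hex(VARIANT_B)),
]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, DENYLIST):
        print(row["dll"], "hash_hit=%s" % row["hash_hit"], row["reasons"])
```

Run as a script, the two benign records produce no findings, variant A is caught by both the hash IOC and all three heuristics, and variant B is caught only by the heuristics. In production the same logic would read real Sysmon Event ID 7 records, but the heuristics need tuning: rule 2 in particular fires on legitimate portable applications run from Downloads, so pair it with rule 1 or rule 3 before paging anyone.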