Executive Summary
In late 2025, an Iranian-linked threat group known as UNC1549 targeted aerospace and defense organizations in the Middle East, deploying custom backdoors named TWOSTROKE and DEEPROOT. The attackers gained access through spear-phishing and strategic web compromises, establishing persistent footholds and enabling sustained espionage operations. Google-owned Mandiant reported that advanced initial access and lateral movement techniques allowed the threat actors to blend into legitimate network activity while exfiltrating sensitive intellectual property and operational data. The campaign underscored weaknesses in internal segmentation, encrypted traffic oversight, and anomaly detection within high-value verticals.
This incident highlights an uptick in sophisticated espionage attacks on critical infrastructure using tailored malware and stealthy, post-compromise tactics. The use of novel backdoors and multi-stage intrusion campaigns demonstrates an evolving threat landscape, emphasizing the need for deeper defense in depth and zero trust approaches among organizations handling sensitive data.
Why This Matters Now
Aerospace and defense organizations remain top targets for nation-state actors leveraging custom malware and advanced evasion tactics. As similar campaigns proliferate, urgency grows for organizations to adopt robust segmentation, east-west visibility, and proactive anomaly detection to counter persistent lateral threats poised to exploit gaps in hybrid and multicloud environments.
Attack Path Analysis
The Iranian threat actor UNC1549 began by gaining initial access to aerospace and defense cloud environments, likely via spear-phishing or vulnerable remote services. They escalated privileges to establish deeper footholds and persisted by leveraging misconfigurations or hijacked credentials. Using backdoors such as DEEPROOT and TWOSTROKE, the attacker moved laterally across internal east-west cloud networks to reach sensitive workloads. Persistent command and control channels were established for remote management by the adversary. Data exfiltration likely occurred via covert outbound channels. Although the operation appeared espionage-motivated, the impact extended to unauthorized data theft and possible business risk.
Kill Chain Progression
Initial Compromise
Description
Attackers gained initial access to cloud workloads, likely via phishing emails or exploiting exposed remote access services targeting aerospace and defense users.
Related CVEs
CVE-2021-26855
CVSS 9.1
A server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
Affected Products:
Microsoft Exchange Server – 2013, 2016, 2019
Exploit Status:
Exploited in the wild
CVE-2020-0688
CVSS 8.8
A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.
Affected Products:
Microsoft Exchange Server – 2010, 2013, 2016, 2019
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Phishing: Spearphishing Attachment
Command and Scripting Interpreter
Application Layer Protocol
Ingress Tool Transfer
Event Triggered Execution: Windows Service
Data from Local System
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor and Analyze Security Events
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Technical and Organizational Measures for Risk Management
Control ID: Art. 21(2)
DORA – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Monitor and Validate User and Entity Identities
Control ID: Identity Pillar: Governance Visibility
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Aviation/Aerospace
UNC1549's Iranian espionage campaign directly targets aerospace organizations with the TWOSTROKE and DEEPROOT backdoors, compromising critical infrastructure that requires encrypted traffic protection and zero trust segmentation.
Defense/Space
Defense contractors face sophisticated Iranian state-sponsored attacks that exploit weaknesses in east-west traffic controls, demanding enhanced threat detection and multicloud visibility controls.
Government Administration
Middle East government agencies targeted by these espionage operations require egress security enforcement and anomaly response capabilities to prevent data exfiltration.
Computer/Network Security
Security professionals must implement inline IPS and cloud native security fabric solutions to counter advanced persistent threats and protect client infrastructures.
Sources
- Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks: https://thehackernews.com/2025/11/iranian-hackers-use-deeproot-and.html
- UNC1549 Critical Infrastructure Espionage Attack: https://filestore.fortinet.com/fortiguard/outbreak_alert/unc1549_critical_infrastructure_espionage_attack/report.pdf
- Iranian APT UNC1549 Infiltrates Aerospace by Hijacking Trusted DLLs and Executing VDI Breakouts: https://securityonline.info/iranian-apt-unc1549-infiltrates-aerospace-by-hijacking-trusted-dlls-and-executing-vdi-breakouts/
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying CNSF Zero Trust controls such as segmentation, microsegmentation, east-west inspection, advanced egress filtering, inline IPS, and encrypted traffic enforcement would have significantly constrained adversary movement, data theft, and command channels across the cloud estate.
Control: Multicloud Visibility & Control
Mitigation: Centralized visibility would have detected suspicious new workload activity.
Control: Zero Trust Segmentation
Mitigation: Lateral privilege escalation would be contained to the compromised segment.
Control: East-West Traffic Security
Mitigation: Suspicious internal movement and service access would be blocked or flagged.
Control: Inline IPS (Suricata)
Mitigation: C2 traffic signatures and malicious payloads would be detected or blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts to unapproved destinations would be blocked.
Anomalies in usage and access are rapidly detected and escalated for response.
Impact at a Glance
Affected Business Functions
- Research and Development
- Intellectual Property Management
- Supply Chain Operations
Estimated downtime: 14 days
Estimated loss: $5,000,000
Potential exposure of sensitive technical data, including proprietary designs and strategic plans, leading to competitive disadvantage and regulatory scrutiny.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation and east-west traffic controls to contain adversary lateral movement.
- Enforce strict egress policy with FQDN filtering and encrypted traffic inspection to block exfiltration and C2.
- Expand centralized multicloud visibility to monitor, baseline, and rapidly investigate anomalous traffic flows.
- Deploy inline IPS and continuous anomaly detection across cloud environments for real-time adversary disruption.
- Regularly audit access controls and privilege assignments for least privilege enforcement and rapid misconfiguration remediation.
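The segmentation and egress controls described above (Zero Trust Segmentation, East-West Traffic Security, Egress Security & Policy Enforcement, and the FQDN-filtering recommendation) can be illustrated with a minimal default-deny flow-policy evaluator. This is an added example, not code from the report or from any vendor product; the segment names, FQDNs, policy and flow log lines are all constructed.

```python
"""Added example: default-deny zero-trust flow policy over constructed flow logs.
Each workload segment lists its permitted east-west peer segments and its permitted
egress FQDNs; any other flow is denied, which is the containment the report says
would have constrained lateral movement and exfiltration."""
import fnmatch

# Constructed policy (hypothetical segments): segment -> allowed peers / egress FQDNs
POLICY = {
    "web-tier":  {"peers": {"app-tier"}, "egress": {"*.update.example-vendor.com"}},
    "app-tier":  {"peers": {"db-tier"},  "egress": set()},
    "db-tier":   {"peers": set(),        "egress": {"backup.example.com"}},
    "rnd-share": {"peers": set(),        "egress": set()},
}

def evaluate(flow: dict) -> tuple:
    """Return (verdict, reason) for one flow; keys: src_segment plus
    dst_segment (east-west) or dst_fqdn (egress). Unknown sources are denied."""
    src = POLICY.get(flow["src_segment"])
    if src is None:
        return "deny", "unknown source segment"
    if "dst_segment" in flow:
        if flow["dst_segment"] in src["peers"]:
            return "allow", "east-west peer permitted"
        return "deny", "east-west segment not in allowlist"
    fqdn = flow["dst_fqdn"].lower().rstrip(".")
    if any(fnmatch.fnmatch(fqdn, pat) for pat in src["egress"]):
        return "allow", "egress FQDN permitted"
    return "deny", "egress FQDN not in allowlist"

def parse_flow_line(line: str) -> dict:
    """Parse a constructed 'key=value key=value' flow log line."""
    return dict(kv.split("=", 1) for kv in line.split())

# Constructed flow log: a normal tier-to-tier call, a lateral move from the web tier
# straight into an R&D file share, and an upload to an unapproved host from the DB tier.
SAMPLE_FLOWS = [
    "src_segment=web-tier dst_segment=app-tier",
    "src_segment=web-tier dst_segment=rnd-share",
    "src_segment=db-tier dst_fqdn=files.unapproved-host.example",
    "src_segment=db-tier dst_fqdn=backup.example.com",
]

def denied_flows(lines=SAMPLE_FLOWS) -> list:
    """Return the flow lines the policy would block or flag for investigation."""
    return [l for l in lines if evaluate(parse_flow_line(l))[0] == "deny"]

if __name__ == "__main__":
    for line in SAMPLE_FLOWS:
        print(evaluate(parse_flow_line(line)), line)
```

Real enforcement points (cloud firewalls, microsegmentation policy, egress proxies) express the same allowlists in their own configuration languages; the value of the exercise is seeing that both the lateral move and the exfiltration flow fall out as denials without needing a signature for the backdoor itself.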