Threat Advisories:
Operation Rewrite: How BadIIS Rewired the Web for SEO Poisoning Atomic Stealer Targeting Mac Users via Malicious GitHub Page Subtle Snail’s Silent Espionage Across Europe Gamaredon Tools Revive Turla’s Kazuar Backdoor to Target Ukraine Google Races to Patch Chrome’s Sixth Zero-Day CVE-2025-10585 SilentSync RAT Hides in Plain Sight on PyPI Shai-Hulud: Massive npm Supply Chain Attack Infects Hundreds of Packages From Bookings to Breaches: RevengeHotels Latest Attacks on Hospitality BlackNevas Ransomware: A Rising Global Cyber Threat Yurei Ransomware Haunts the Digital World Like a Restless Spirit Click, Paste, Compromise: Inside the New FileFix Campaign Hive0154 Evolves with SnakeDisk and EnhancedToneshell Backdoor HybridPetya: A Bootkit-Enabled Ransomware Threat EvilAI Malware Exploits the Trust in Artificial Intelligence kkRAT Malware Campaign Targeting Chinese-Speaking Users ZynorRAT: Go-Based Malware Taking Shape on Telegram Microsoft September 2025 Patch Tuesday Roundup The Gentlemen Ransomware: A Rising Global Cyber Threat MostereRAT: A Deep Dive into an EPL-Backed Phishing Operation Stealerium Changing the Rules of Cyber Espionage
🎧 Hive Force Labs: Critical Threats Affecting You This Week - 5 Minute Audio Intelligence Report
👥 Play Count: Loading...
Partner Program
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s ComparisonSave Cost , Reduce Complexity and Increase Security by Augmenting and Replacing your existing Vulnerability Management platform
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure Platform
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s Comparison
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe

Subtle Snail’s Silent Espionage Across Europe

Amber | Attack Report
Download PDF

Subtle Snail Espionage Campaign: MINIBIKE Backdoor Targets Telecom, Aerospace, and Defense

Summary

Subtle Snail (UNC1549), an Iran-linked cyber-espionage group also tracked as TA455, Smoke Sandstorm, Bohrium, DEV-0056, and Yellow Dev 13, has been conducting a covert campaign across Canada, USA, UK, France, and UAE since 2022. Using fake LinkedIn recruiter profiles and malicious ZIP payloads, the group deploys the MINIBIKE backdoor to gain persistent access, steal credentials, monitor communications, and exfiltrate sensitive files. By abusing signed binaries, DLL sideloading, and Microsoft Azure services, Subtle Snail effectively hides malicious traffic within legitimate cloud infrastructure, making detection challenging.

Attack Details

Subtle Snail has infiltrated 34 devices across 11 organizations in telecom, aerospace, and defense sectors. The group’s tactics include:

  • Social Engineering: Posing as recruiters, they lure victims with fake job opportunities and deliver malicious ZIP files disguised as job-related documents.

  • Malware Delivery: ZIP archives contain signed binaries that exploit DLL sideloading, injecting malicious code into trusted apps.

  • Core Payload: MINIBIKE backdoor provides reconnaissance, keylogging, browser data theft, credential harvesting, and command execution.

  • Persistence & Evasion: Leverages Windows DLL search order hijacking, registry-based persistence, and Microsoft Azure-hosted VPS infrastructure for stealthy C2 communications.

  • File Exfiltration: Data is encrypted, fragmented, and exfiltrated discreetly, with logs stored in public user folders to evade detection.

There is an operational overlap with Nimbus Manticore, another Iran-linked group, which deploys different tools (MiniJunk, MiniBrowse) but shares similar infection techniques.

Recommendations

  • User Awareness: Train employees to verify recruiter identities and avoid downloading unsolicited job-related attachments.

  • File Screening: Block unsigned or suspicious executables and enforce strict attachment filtering at email gateways.

  • Endpoint Security: Deploy NGAV and EDR solutions capable of detecting DLL sideloading and abnormal process injection.

  • Cloud Traffic Monitoring: Analyze outbound traffic for suspicious use of Azure services, domain generation patterns, and unusual file fragmentation activity.

  • Credential Hygiene: Rotate credentials regularly and enable MFA for all privileged accounts to reduce post-compromise impact.

Indicators of Compromise (IoCs)

MD5 Hashes
b40533e67e70b7ff7bb53d34a4b9170e, 67e09818d1aa650896a432b1de54d376, 63080b45ca4978fb5d2d71387dbaf610, 25d3a014c332aaa3adce429d0e714e31, 424f887f651371aa3058cf7c8e908d2a, 8db7338c487143a4d43ed1a22fec49a7, 7d887893a6107d7ae902e6771f30e080, a933c623e3b047292efd55e0e424c732

SHA256 Hashes (Samples)
0e4ff052250ade1edaab87de194e87a9afeff903695799bcbc3571918b131100,
23c0b4f1733284934c071df2bf953a1a894bb77c84cff71d9bfcf80ce3dc4c16,
0b2c137ef9087cb4635e110f8e12bb0ed43b6d6e30c62d1f880db20778b73c9a

Domains (Samples)
asylimed[.]azurewebsites[.]net, arabiccountriestalent[.]com, carebytesolutions[.]azurewebsites[.]net, vitatechlink[.]azurewebsites[.]net, boeing-careers[.]com, rheinmetallcareer[.]org, airbus[.]global-careers[.]com, cloudaskquestionanswers[.]azurewebsites[.]net, patientcare-portal[.]azurewebsites[.]net, rpcconnection[.]azurewebsites[.]net

MITRE ATT&CK TTPs

  • Reconnaissance: T1589 (Gather Victim Identity), T1591 (Org Information), T1598.003 (Spearphishing Link)

  • Resource Development: T1583 (Acquire Infrastructure), T1583.003 (Virtual Private Server), T1587.001 (Malware Development), T1585 (Establish Accounts), T1588.003 (Code Signing Certificates)

  • Initial Access: T1566 (Phishing), T1566.001 (Attachment), T1566.002 (Link)

  • Execution: T1204.001 (Malicious Link), T1059.003 (Windows Command Shell)

  • Persistence: T1574.001 (DLL Search Order Hijacking), T1547.001 (Registry Run Keys)

  • Defense Evasion: T1497 (Virtualization/Sandbox Evasion), T1036.003 (Rename Utilities), T1070.004 (File Deletion)

  • Credential Access: T1056.001 (Keylogging), T1555.003 (Browser Credentials), T1539 (Steal Web Session Cookie)

  • Discovery: T1082 (System Information), T1069.002 (Domain Groups), T1083 (File Discovery)

  • Collection & Exfiltration: T1119 (Automated Collection), T1560.001 (Archive via Utility), T1041 (Exfiltration Over C2)

  • Command & Control: T1071.001 (Web Protocols), T1029 (Scheduled Transfer)

References

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox

Cybersecurity Leaders Dinner In Houston

Learn how to reduce your exposure to imminent risk & Network with Industry Peers

Hosted by former CISO, Al Lindseth and Threat Exposure Evangelist, Critt Golden.

Tuesday, October 7th, 2025
6.00 pm to 9.00 pm
Del Friscos Double Eagle Steakhouse, Houston TX
Click here to Register!