Cyber Crime
Iranian Hackers Target Aerospace with Fake Job Lures, Deploying New SnailResin Malware
Iranian hackers linked to TA455, an Iranian state-sponsored group, are leveraging fake job offers to deploy malware aimed at the aerospace sector, according to a recent report from Israeli cybersecurity firm ClearSky.
This campaign, first noted in September 2023, follows tactics seen in North Korean operations, using enticing job opportunities to trick targets into downloading harmful software known as SnailResin.
Once active, SnailResin initiates the SlugResin backdoor, enabling hackers to infiltrate and control systems remotely.
ALSO READ: Nominations Open for ‘Women in Cyber’ Honors at FutureCrime Summit 2025
Google-owned Mandiant has also tracked TA455 under the aliases UNC1549 and Yellow Dev 13, linking it as a sub-group within APT35, a faction tied to Iran’s Islamic Revolutionary Guard Corps (IRGC).
This group, also referred to by various other names like Charming Kitten, Newscaster, and Mint Sandstorm, exhibits overlapping strategies with other Iranian threat clusters such as Smoke Sandstorm and Crimson Sandstorm.
Since early 2023, TA455 has been identified as responsible for a wave of attacks targeting the aerospace, aviation, and defense sectors in countries including Israel, Turkey, India, and the U.A.E.
The attacks employ social engineering, using job offers to deliver two specific malware strains called MINIBIKE and MINIBUS. Cybersecurity firm Proofpoint observed that TA455 often sets up legitimate-seeming front companies to engage targets professionally, sometimes using Contact Us pages or sales inquiries to initiate contact.
In one campaign documented in PwC’s “Cyber Threats 2022” report, TA455 posed as recruiters on social media to engage victims, even using AI-generated images to make its fake personas more convincing.
ClearSky identified significant similarities between TA455’s techniques and those of North Korea’s Lazarus Group, including DLL side-loading and fake job lures, suggesting potential tool-sharing or deliberate mimicry to obscure attribution.
The malware is delivered through fake recruiting websites like “careers2find[.]com” and LinkedIn profiles, which lead targets to download a ZIP archive. Among the files, the executable “SignedConnection.exe” and the malicious DLL “secur32.dll” activate SnailResin, which loads SlugResin, an updated version of the BassBreaker backdoor that enables remote access for further infiltration.
The multi-stage infection process includes spear-phishing emails with ZIP files that contain both legitimate and malicious content, designed to evade security scans and deceive victims into executing the malware.
TA455 also conceals its command-and-control infrastructure within GitHub repositories, blending malicious activities with regular network traffic.