APT / THREAT GROUP

UNC1549

🇮🇷 Iran-attributed
Campaigns: 1
Aliases: 2
Last seen: Mar 17, 2026

Intelligence Profile

UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially the IRGC. They have been active since at least June 2022, targeting entities worldwide with a focus on the Middle East. UNC1549 uses spear-phishing and credential harvesting for initial access, then deploys custom malware such as the MINIBIKE and MINIBUS backdoors. They have also been observed using evasion techniques and a tunneler named LIGHTRAIL in their operations.

Threat Analysis

UNC1549 is a threat actor attributed to Iran and engaged in cyber operations; its primary motivation is unknown.

Known Campaigns

UNC1549 — Active Operations March 2026

UNC1549 is an unknown-motivation threat actor attributed to Iran. UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially the IRGC. They have been active since at least June 2022, targeting entities worldwide with a focus on the Middle East. UNC1549 uses spear-phishing and credential harvesting for initial access, deploying c...

ACTIVE | MEDIUM | 2026

Quick Facts

Type: APT / Threat Group
Origin: 🇮🇷 Iran
Aliases: 2
Source: Malpedia

Also Known As

UNC1549, Nimbus Manticore

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.