Security news that informs and inspires

New Backdoor Used By Iranian State-Sponsored Group


Over the last few months, an Iranian state-sponsored threat actor has been deploying a new custom backdoor in attacks against various entities in the U.S. and United Arab Emirates, including organizations in the government, communications equipment, oil and gas and satellite sectors.

The threat actor, which is called Peach Sandstorm and was first uncovered last year, targets victims in many countries in order to collect intelligence, using password spraying as an initial access vector. Now, researchers with Microsoft said that between April and July, the group has been leveraging the novel backdoor that they call “Tickler” in attacks against several unnamed organizations.

“This activity is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operations,” said researchers on Wednesday. “Microsoft assesses that Peach Sandstorm operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) based on the group’s victimology and operational focus. Microsoft further assesses that Peach Sandstorm’s operations are designed to facilitate intelligence collection in support of Iranian state interests.”

Though it was discovered last year, the threat group's activities go back for years. In 2024, it has continued to target victims with password spraying, in which a list of passwords is tried against a large number of targeted accounts (rather than many passwords against a single account).
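As an added illustration (not code from the article or from Microsoft), the detection logic a defender would run over sign-in logs to separate spraying from single-account brute force: a source that fails against many distinct accounts inside a short window is flagged, and any account that then signs in successfully from that source is surfaced first. The log format and events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample sign-in events (not from the article): time, result, account, source IP.
SAMPLE_LOG = """\
2024-06-03T08:00:01Z FAIL alice@example.test 203.0.113.10
2024-06-03T08:00:04Z FAIL bob@example.test 203.0.113.10
2024-06-03T08:00:07Z FAIL carol@example.test 203.0.113.10
2024-06-03T08:00:10Z FAIL dave@example.test 203.0.113.10
2024-06-03T08:00:13Z FAIL erin@example.test 203.0.113.10
2024-06-03T08:00:16Z OK frank@example.test 203.0.113.10
2024-06-03T08:01:00Z FAIL alice@example.test 198.51.100.7
2024-06-03T08:01:02Z FAIL alice@example.test 198.51.100.7
2024-06-03T08:01:04Z FAIL alice@example.test 198.51.100.7
2024-06-03T09:30:00Z FAIL bob@example.test 192.0.2.55
2024-06-03T09:30:30Z OK bob@example.test 192.0.2.55
"""
def parse_events(text):
    """Parse one event per line into (time, result, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, result, account, ip = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, account.lower(), ip))
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Map source IP -> distinct accounts for sources whose failed sign-ins hit at least
    min_accounts different accounts inside one sliding window (brute force on one
    account never crosses this threshold, which is what separates the two patterns)."""
    failures = defaultdict(list)
    for ts, result, account, ip in events:
        if result == "FAIL":
            failures[ip].append((ts, account))
    hits = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window start forward
                start += 1
            accounts = {acct for _, acct in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[ip] = hits.get(ip, set()) | accounts
    return hits

def successes_from_spray_sources(events, hits):
    """Accounts that signed in successfully from a flagged source: the likely
    compromised accounts to reset and investigate first."""
    return sorted({acct for _, result, acct, ip in events if ip in hits and result == "OK"})
```

On the sample data only 203.0.113.10 is flagged (five accounts in fifteen seconds), the repeated failures against one account from 198.51.100.7 are not, and frank@example.test is the account to triage first.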

Researchers also observed attackers in the group pretending to be students, developers or talent acquisition managers on LinkedIn, sending targets messages with the goal of gathering intelligence to then use for social engineering attacks against the higher education or satellite sectors. These LinkedIn profiles have since been taken down from the platform.

After gaining initial access, the threat group was seen signing in to compromised accounts from commercial VPN infrastructure, moving laterally via SMB and, in some cases, taking Active Directory snapshots, a legitimate feature that produces a read-only copy of the AD database but which can be abused for malicious purposes.

Researchers found two samples of the backdoor used in attacks as recently as July, indicating that it is under active development. The malware enables attackers to download additional payloads from the command-and-control (C2) server and set up persistence.

For its command-and-control (C2) server, the threat actor uses attacker-controlled Azure subscriptions, which are sometimes created using compromised accounts. Researchers said that they observed multiple other Iranian groups using similar tactics in recent months.

“Microsoft continuously monitors Azure, along with all Microsoft products and services, to ensure compliance with our terms of service,” according to Microsoft. “Microsoft has notified affected organizations and disrupted the fraudulent Azure infrastructure and accounts associated with this activity.”

Iranian threat groups have recently been linked to both espionage and ransomware attacks. In a separate advisory released this week, several U.S. government agencies warned of recent activity by UNC757, an Iran-based group that has been linked to ransomware activity and separately associated with the government of Iran.