UNC1549

Also known as: Nimbus Manticore · UNC1549

Origin: IR
Known aliases: 2

Profile

UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially the IRGC. They have been active since at least June 2022, targeting entities worldwide with a focus on the Middle East. UNC1549 uses spear-phishing and credential harvesting for initial access, deploying custom malware like MINIBIKE and MINIBUS backdoors. They have also been observed using evasion techniques and a tunneler named LIGHTRAIL in their operations.

Aliases · 2

Nimbus Manticore · UNC1549

References

  1. https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
  2. https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe
  3. https://blog.checkpoint.com/research/iranian-threat-actor-nimbus-manticore-expands-campaigns-into-europe-with-advanced-malware-and-fake-job-lures/

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. Actor: UNC215
  2. Actor: UNC4841
  3. Actor: UNC1860
  4. Actor: UNC4990
  5. Actor: UNC3890
  6. Actor: UNC3524

Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.