From cc68b22fe2b160d48b86e4ed5c9f4ff11da61954 Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Thu, 29 Feb 2024 10:38:27 -0800
Subject: [PATCH] [threat-actors] Add UNC1549

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2ce319c..af032c6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15290,6 +15290,17 @@
       },
       "uuid": "0e3224a0-3544-47d7-b1ce-fb3eb21286ad",
       "value": "UAC-0184"
+    },
+    {
+      "description": "UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially the IRGC. They have been active since at least June 2022, targeting entities worldwide with a focus on the Middle East. UNC1549 uses spear-phishing and credential harvesting for initial access, deploying custom malware like MINIBIKE and MINIBUS backdoors. They have also been observed using evasion techniques and a tunneler named LIGHTRAIL in their operations.",
+      "meta": {
+        "country": "IR",
+        "refs": [
+          "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east"
+        ]
+      },
+      "uuid": "a2a7d49f-f517-4eeb-9ec8-b9b74e3fe756",
+      "value": "UNC1549"
     }
   ],
   "version": 302