
Items tagged with: peachsandstorm


Microsoft: Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor dubbed "Tickler." Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates. This activity is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operations.
Microsoft observed new tactics, techniques, and procedures (TTPs) following initial access via password spray attacks or social engineering (intelligence gathering on LinkedIn). They described the Tickler malware, Azure resource abuse, and post-compromise activity:

  • Lateral movement via Server Message Block (SMB)
  • Downloading and installing a remote monitoring and management (RMM) tool
  • Taking an Active Directory (AD) snapshot

IOCs and hunting queries are provided.

cc: @briankrebs @mttaggart @serghei @campuscodi @AAKL

#iran #peachsandstorm #cyberespionage #threatintel #IOC #tickler #backdoor #malwareanalysis #linkedin
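As an added hunting example (not code from Microsoft's blog or from the poster above), the Python below runs two simple rules over constructed process-creation events of the kind Sysmon Event ID 1 produces: one for an Active Directory snapshot or IFM export via ntdsutil, one for access to remote administrative shares (ADMIN$, C$, IPC$) as a sign of SMB lateral movement. The post only states that an AD snapshot was taken and that SMB was used for lateral movement; ntdsutil as the snapshot tool, the field names `host`, `user`, `image`, `cmdline`, the regexes and the sample events are all assumptions made here for illustration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "DC01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "activate instance ntds" ifm "create full C:\Temp\ad" quit quit'},
    {"host": "DC01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe snapshot "activate instance ntds" create quit quit'},
    {"host": "WS07", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c copy C:\Users\jdoe\AppData\Local\Temp\agent.exe \\WS08\ADMIN$\agent.exe'},
    {"host": "WS07", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": r'net use \\FS01\C$ /user:CORP\jdoe'},
    # Benign use of a normal file share: must not fire.
    {"host": "WS07", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c copy \\FS01\Public\report.docx C:\Users\jdoe\Desktop'},
    # Benign domain-controller admin activity: must not fire.
    {"host": "DC01", "user": "CORP\\admin",
     "image": r"C:\Windows\System32\dcdiag.exe",
     "cmdline": r'dcdiag.exe /v'},
]

# Assumed detection rules (hypothetical, not Microsoft's published queries):
#  - ntdsutil invoked with the "snapshot" or "ifm" subcommand, i.e. an offline copy of the
#    AD database that can later be parsed for credential material;
#  - a UNC path to an administrative share (ADMIN$, a drive letter$, IPC$) in a command line,
#    the usual staging step for copying a payload or RMM tool to another host over SMB.
RULES: List[Tuple[str, re.Pattern]] = [
    ("ad_snapshot_ntdsutil", re.compile(r"ntdsutil(\.exe)?\b.*\b(snapshot|ifm)\b", re.IGNORECASE)),
    ("smb_admin_share_access", re.compile(r"\\\\[^\\\s]+\\(ADMIN|[A-Z]|IPC)\$", re.IGNORECASE)),
]


def hunt(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return one (rule_name, host, cmdline) tuple per event that matches a rule."""
    findings: List[Tuple[str, str, str]] = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append((name, ev["host"], cmd))
    return findings


def hosts_by_rule(findings: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group hit hosts per rule so an analyst sees which machines need triage first."""
    grouped: Dict[str, List[str]] = {}
    for name, host, _ in findings:
        grouped.setdefault(name, [])
        if host not in grouped[name]:
            grouped[name].append(host)
    return grouped


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for name, host, cmd in hits:
        print(f"[{name}] {host}: {cmd}")
    print(hosts_by_rule(hits))
```

The admin-share rule will also fire on legitimate administration (software deployment, backup jobs), so in practice it is scoped by source host, account and time of day; the ntdsutil rule is far higher signal on a domain controller and deserves an alert on its own.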
