Iranian hackers impersonate Boeing and DJI, post fake job offers

Iranian cyberespionage hackers, posing as recruiters from Boeing or drone manufacturer DJI among other phishing efforts, are targeting the aerospace, aviation, and defense industries, the latest Mandiant report warns.

The main targets are organizations in Israel, the United Arab Emirates (UAE), potentially Turkey, India, Albania, and other Middle East countries.

The new cyberespionage campaign is attributed “with moderate confidence” to the Iranian hacking group UNC1549, which overlaps with threat actor Tortoiseshell. Both are linked to the Islamic Revolutionary Guard Corps. Iranian hackers have previously attempted to compromise defense contractors and IT providers.

Mandiant has observed an Israel-Hamas war-themed campaign that masquerades as the “Bring Them Home Now” movement, which calls for the return of the Israelis kidnapped and held hostage by Hamas.


Iranian hackers also deployed multiple fake recruiting websites, such as 1stemployer[.]com or careers-finder[.]com, with similar templates. Fake job offers purporting to come from major international companies lure victims and are then used to deliver malware. The fake job offers were for tech and defense-related positions, specifically in the aviation, aerospace, or thermal imaging sectors.

Researchers shared screenshots of fake login pages masquerading as the aerospace company Boeing or as Teledyne FLIR, a manufacturer of thermal imaging devices. There are also fake job offers from drone manufacturing company DJI.


“Mandiant observed this campaign deploy multiple evasion techniques to mask their activity, most prominently the extensive use of Microsoft Azure cloud infrastructure as well as social engineering schemes to disseminate two unique backdoors: MINIBIKE and MINIBUS.”

The intelligence collected is of relevance to strategic Iranian interests and may be leveraged for espionage as well as kinetic operations.

The gang lures victims via spearphishing

Hackers use spearphishing and credential harvesting as primary methods to gain access. A typical chain of attack consists of several stages.

First, spearphishing emails or social media correspondence lead victims to fake websites containing Israel-Hamas-related content or fake job offers. The websites would eventually lead to downloading a malicious payload.

The payload is a compressed archive of two main bundles, providing full backdoor functionality (MINIBIKE and MINIBUS).

Second, after payload installation and device compromise, the hackers leverage that access both to collect intelligence and as a stepping stone for further access into the targeted network.

To evade detection, Iranian hackers abuse Microsoft Azure infrastructure for command and control or hosting. That makes it hard to discern malicious activity from legitimate network traffic. They choose domain names and job titles that would seem legitimate to network defenders.
