
Google Finds New Malware Backdoors Linked to Iran


Hacking Group Deploys Raft of Custom Malware Variants

Akshaya Asokan (asokan_akshaya) • November 18, 2025


An Iranian state hacking group with a history of targeting aerospace, aviation and defense industries across the Middle East has improved its tooling with multiple custom malware variants, warned Google.


The group, tracked by Google-owned Mandiant as UNC1549, is suspected of having ties to the Iranian Revolutionary Guard Corps. Mandiant first identified the group's activity in the Middle East in early 2024 (see: Report Says Iranian Hackers Targeting Israeli Defense Sector).

In the roughly two years since, the group has evolved, with Mandiant uncovering multiple malware variants the group uses to establish a network foothold.

"The use of multiple custom backdoors signals a significant leap in sophistication and operational security for this group," said Austin Larsen, a Mandiant ...


Copyright of this story solely belongs to bankinfosecurity.