Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates. This activity is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operations.
Peach Sandstorm also continued conducting password spray attacks against the educational sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence collection. In addition, Microsoft observed intelligence gathering and possible social engineering targeting organizations within the higher education, satellite, and defense sectors via the professional networking platform LinkedIn.
Microsoft assesses that Peach Sandstorm operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) based on the group’s victimology and operational focus. Microsoft further assesses that Peach Sandstorm’s operations are designed to facilitate intelligence collection in support of Iranian state interests.
Microsoft tracks Peach Sandstorm campaigns and directly notifies customers who we observe have been targeted or compromised, providing them with the necessary information to help secure their environment.
In a blog post, Microsoft said “As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our research on Peach Sandstorm’s use of Tickler to raise awareness of this threat actor’s evolving tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity.”