MiniBike
MINIBIKE is a custom modular C++ backdoor, also referred to as SlugResin, associated with the Iran-linked espionage cluster UNC1549, also known as Nimbus Manticore, Subtle Snail, and overlapping with reporting on Tortoiseshell/Smoke Sandstorm. It has been used since at least June 2022 in campaigns targeting aerospace, aviation, defense, telecommunications, and related supply-chain organizations, primarily in the Middle East and also in Europe and the United States. Reported targeting includes aviation and defense organizations across the Middle East between 2023 and 2025, European telecom firms via LinkedIn recruitment lures, and broader Dream Job-style operations against defense-sector personnel.
Observed initial access and delivery methods include spear-phishing with job-themed or recruitment-themed lures, fake career and interview websites, fraudulent resume/personality-test applications, and abuse of stolen credentials and third-party relationships. MINIBIKE has been delivered via DLL side-loading/search-order hijacking using legitimate executables, including in fake recruitment workflows where a ZIP archive contains an executable that side-loads a malicious MINIBIKE DLL. Reporting also notes use through cloud-backed infrastructure, especially Azure, for command and control.
High-confidence capabilities described across the source material include system reconnaissance and information gathering; file upload and exfiltration; command execution; directory and file enumeration; fetching and deploying additional payloads; credential theft including Microsoft Outlook credentials and browser data from Chrome, Brave, and Edge; keystroke and clipboard logging; screenshot capture; process listing and termination; and execution of EXE, DLL, BAT, and CMD payloads. Some reporting specifically describes MINIBIKE as supporting 12 commands and being used for Microsoft Outlook credential theft, persistence, and broader post-compromise reconnaissance. It has also been described as maintaining persistence via Windows Registry changes and as being built/deployed in victim-specific DLL variants to hinder detection and forensics.
Operationally, MINIBIKE communications have been observed through Azure cloud infrastructure and Azure-proxied C2, with operators using cloud-hosted subdomains and infrastructure intended to blend with legitimate traffic. Mandiant reported MINIBIKE variants evolving over time in lures, persistence methods, obfuscation, export DLL names, and Azure C2 usage. Associated activity frequently co-deploys other UNC1549 malware and tooling including TWOSTROKE, DEEPROOT, LIGHTRAIL, GHOSTLINE, POLLBLEND, CRASHPAD, DCSYNCER.SLICK, SIGHTGRAB, and TRUSTTRAP.
The malware is tied to long-term espionage objectives, including theft of technical data, emails, credentials, and other sensitive information, with reporting noting long dwell time, stealth, and persistence in compromised environments. One report states UNC1549 maintained access to a victim environment for more than two years using stolen VPN credentials and MiniBike malware and stole nearly one terabyte of proprietary data.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Mandiant observed the following custom malware families used in the suspected UNC1549 activity. MINIBIKE — A custom backdoor written in C++ capable of file exfiltration and upload, command execution, and more. Communicates using Azure cloud infrastructure.
"MINIBIKE (aka SlugResin), a known C++ backdoor that gathers system information and fetches additional payloads..."
Iranian groups deploy MINIBIKE, TWOSTROKE, DEEPROOT, and CRASHPAD in Dream Job-style campaigns...
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
5 techniques
Both state-sponsored actors and financially-motivated hackers mostly leveraged compromised identities
The websites would eventually lead to downloading a malicious payload.
Tortoiseshell is described as “targeting supply chains”; Curious Serpens attacked “through phishing and supply chain compromises.”
"Each potential victim receives unique login credentials in advance through spear-phishing communications."
This suspected UNC1549 campaign uses two primary methods to achieve initial access to the targets: spear-phishing and credential harvesting. A typical chain of attack consists of several stages: Spear-phishing emails or social media correspondence, disseminating links to fake websites containing Israel-Hamas related content or fake job offers.
Execution
5 techniques
actors linked to Iran and China, who maintained access to the victim environment well over a year and a half
MINIBIKE ... provides a full backdoor functionality, including ... running additional processes. MINIBUS provides a more flexible code-execution and command interface, including the ability to run an executable.
Persistence
3 techniques
actors linked to Iran and China, who maintained access to the victim environment well over a year and a half
Both state-sponsored actors and financially-motivated hackers mostly leveraged compromised identities
The loader/installer sets persistence for the MINIBIKE payload by moving it to its staging directory and setting the following Run registry key... HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveFileCoAuth.exe ... MINIBUS ... sets persistence for the backdoor using the following registry run key.
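The excerpt above describes the one concrete persistence artifact the page documents: a Run value named OneDriveFileCoAuth.exe under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, pointing at a payload staged in a user directory. The following detection script is an added example, not code from the page, from Mandiant, or from the Mallory product. It scans Sysmon-style registry "value set" events for Run-key writes and flags the two traits that excerpt exhibits (a value name that looks like an executable filename, and a target path inside a user-writable directory) while suppressing the obvious false positive of the real OneDrive client, which also lives under AppData. The `key=value|key=value` event format, the sample events, the user SID, the file paths and the OneDrive allowlist entry are all constructed assumptions; only the registry key and the value name come from the page.

```python
"""Flag Run-key persistence in Sysmon-style registry events (added example)."""
import re
from dataclasses import dataclass, field

# Autorun locations to watch: HKCU and HKLM Run / RunOnce; the value name is captured.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# Directories a standard user can write to; a Run value pointing here deserves a look.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Users\\Public\\|\\Temp\\",
    re.IGNORECASE,
)

# Constructed allowlist: the genuine OneDrive client installs per-user under AppData,
# so its install directory is exempted from the user-writable rule. (Assumption.)
ALLOWED_USER_DIRS = ["\\appdata\\local\\microsoft\\onedrive\\"]


@dataclass
class Finding:
    value_name: str
    target: str
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse a constructed 'key=value|key=value' log line into a dict."""
    return dict(part.split("=", 1) for part in line.split("|"))


def check_run_key_event(event: dict):
    """Return a Finding if the event sets a suspicious Run value, else None."""
    if event.get("EventType") != "SetValue":
        return None
    match = RUN_KEY_RE.search(event.get("TargetObject", ""))
    if not match:
        return None
    name = match.group("name")
    details = event.get("Details", "")
    reasons = []
    # Trait 1 (from the page): the value name is disguised as a filename.
    if name.lower().endswith((".exe", ".dll")):
        reasons.append("value name looks like a filename")
    # Trait 2 (from the page): payload staged in a user-writable directory,
    # unless it sits in an allowlisted per-user install path.
    allowed = any(d in details.lower() for d in ALLOWED_USER_DIRS)
    if USER_WRITABLE_RE.search(details) and not allowed:
        reasons.append("points into a user-writable directory")
    # Product-themed lure name that does not resolve to the product's own directory.
    if "onedrive" in name.lower() and not allowed:
        reasons.append("OneDrive-themed name outside the OneDrive install path")
    return Finding(name, details, reasons) if reasons else None


def scan(lines):
    """Run the check over an iterable of log lines and return the findings."""
    return [f for f in (check_run_key_event(parse_event(l)) for l in lines) if f]


# Constructed sample events (not real telemetry); the SID and paths are made up.
SAMPLE_EVENTS = [
    # Mirrors the page's artifact: value name OneDriveFileCoAuth.exe under HKCU\...\Run.
    "EventType=SetValue|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDriveFileCoAuth.exe|Details=C:\\Users\\alice\\AppData\\Local\\OneDriveUpdate\\OneDriveFileCoAuth.exe",
    # Legitimate OneDrive autorun: also under AppData, must not be flagged.
    "EventType=SetValue|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive|Details=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
    # System-wide autorun from a protected directory: benign.
    "EventType=SetValue|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth|Details=C:\\Windows\\system32\\SecurityHealthSystray.exe",
    # Unrelated registry write: not a Run key at all.
    "EventType=SetValue|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden|Details=DWORD (0x00000001)",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the first sample event produces a finding; the genuine OneDrive entry is allowlisted by its install directory, which is the false positive a naive "anything under AppData" rule would raise. In a real deployment the allowlist would be built from the environment's own software inventory rather than a single hard-coded path.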
Privilege Escalation
3 techniques
actors linked to Iran and China, who maintained access to the victim environment well over a year and a half
Both state-sponsored actors and financially-motivated hackers mostly leveraged compromised identities
The loader/installer sets persistence for the MINIBIKE payload by moving it to its staging directory and setting the following Run registry key... HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveFileCoAuth.exe ... MINIBUS ... sets persistence for the backdoor using the following registry run key.
Stealth
4 techniques
The tools continuously evolve to remain covert, leveraging valid digital signatures, inflating binary sizes, and using multi-stage sideloading and heavy, compiler-level obfuscation.
A benign lure in the form of an application like OneDrive (MINIBIKE) or, in the case of MINIBUS, a custom application presenting content related to Israelis kidnapped by Hamas... Using domain naming schemes that include strings that would likely seem legitimate to network defenders.
Discovery
2 techniques
Lateral Movement
2 techniques
Command and Control
3 techniques
IOCs tracked for this family
38 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Backdoor previously deployed by Nimbus Manticore in attacks against aviation and defense organizations across the Middle East.
Backdoor malware used to maintain long-term access in a victim environment and facilitate theft of nearly one terabyte of proprietary data.
Backdoor family delivered via spear-phishing (including job-themed lures) and leveraging cloud infrastructure (e.g., Azure) for C2; used in supply-chain-oriented espionage.
Tortoiseshell custom backdoor family used for initial footholds and persistent espionage access.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.