Tickler (Backdoor) – Malware

February 16, 2025

Tickler

Type of Malware

Backdoor

Country of Origin

Iran

Targeted Countries

United States
United Arab Emirates

Date of Initial Activity

2024

Associated Groups

Peach Sandstorm

Motivation

Cyberwarfare

Attack Vectors

Software Vulnerabilities
Phishing

Targeted Systems

Windows

Overview

Tickler malware, identified by Microsoft Threat Intelligence, represents a new phase in the ongoing cyber operations of the Iranian state-sponsored threat actor Peach Sandstorm. This custom, multi-stage backdoor was actively deployed between April and July 2024, with the primary objective of gathering intelligence from high-value targets in critical sectors such as satellite communications, defense, oil and gas, and government entities in the United States and the United Arab Emirates. Tickler’s introduction marks an evolution in Peach Sandstorm’s tactics, showcasing a blend of sophisticated tradecraft and strategic innovation designed to support long-term intelligence operations.

Tickler malware is designed to provide attackers with deep access to compromised systems, enabling them to gather network information and deploy additional payloads with stealth and persistence. The malware is delivered through seemingly benign documents, including decoy PDFs, which, once executed, unleash a series of complex actions. These actions include encrypting and exfiltrating system data to the attacker’s command-and-control (C2) infrastructure. The malware’s ability to blend with legitimate network processes and its multi-stage infection mechanism make it particularly difficult to detect, enhancing the effectiveness of Peach Sandstorm’s espionage activities.

Targets

  • Public Administration
  • Mining, Quarrying, and Oil and Gas Extraction
  • Information

How they operate

Upon initial infection, Tickler malware typically enters a target system through phishing emails, which contain malicious attachments disguised as benign documents. These attachments are often PDF files that, when opened, trigger a series of malicious actions. The malware payload is hidden within these documents, leveraging embedded scripts or macros to exploit vulnerabilities in the system. Once executed, the malware establishes communication with a command-and-control (C2) server, which is often hosted on compromised cloud services, such as Microsoft Azure. This enables the attackers to control the infected system remotely and issue commands without the need for direct interaction with the compromised machine.

Tickler’s core functionality revolves around persistence, privilege escalation, and data exfiltration. After the initial execution, the malware ensures its continued presence on the system by adding registry keys or creating scheduled tasks. These methods enable Tickler to re-execute upon system reboot, preventing removal and allowing persistent access. Additionally, Tickler employs techniques to escalate its privileges, potentially exploiting vulnerabilities to gain higher levels of access within the network. This ability is critical for the attackers, as it allows them to move laterally across the compromised network and access more sensitive systems.

One of Tickler’s most concerning capabilities is its data exfiltration technique. The malware collects critical information from the compromised system, including network configurations, user credentials, and other sensitive data. It then sends this information back to the C2 server using encrypted HTTP POST requests. This exfiltration process is designed to be stealthy, making it difficult for security tools to detect the outgoing data. By leveraging legitimate communication channels, Tickler can avoid triggering traditional network defense mechanisms, allowing attackers to gather intelligence over extended periods without raising suspicion.

In addition to data exfiltration, Tickler malware can also facilitate further compromise by enabling lateral movement within the target network. By communicating with other systems on the network, it spreads to other devices, often using remote services or file-sharing protocols. This expansion of control is crucial for the attackers, as it allows them to infiltrate additional systems and steal more sensitive data or deploy other malicious tools.

The modular design of Tickler malware contributes to its adaptability and effectiveness. It can deliver additional payloads to the compromised systems, depending on the attacker’s goals. These payloads may include more advanced malware or tools designed to collect specific types of data, further enhance the attackers’ access, or disrupt network operations. This flexibility makes Tickler a versatile tool in the arsenal of cybercriminals and nation-state actors, capable of evolving in response to changing network environments.
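As an added defender-side example (not code from the page or from Microsoft's report), the following Python triage script turns three behaviours described above into hunting heuristics over Sysmon-style events: Run-key writes, scheduled-task creation, and web egress from a binary living in a user-writable directory. Every event value, path and hostname below is a constructed placeholder, and the field names follow the Sysmon schema as an assumption about the log source.

```python
import re

# Constructed Sysmon-style events for illustration only; none of these
# values come from the page, from Microsoft's report, or from a real sample.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": 'schtasks /create /tn "Updater" /sc onlogon /tr "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"'},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "DestinationPort": 443, "DestinationHostname": "placeholder-c2.example"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationPort": 443, "DestinationHostname": "www.example.org"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

# Registry autostart locations (Sysmon Event ID 13 = registry value set).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories an unprivileged user can write to; a binary launched from
# here that talks to the web is worth a look even when the destination is
# a reputable cloud host, which is exactly what Azure-hosted C2 abuses.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.I)
# Scheduled-task creation via schtasks.exe or the PowerShell cmdlet.
TASK_CREATE = re.compile(r"schtasks(\.exe)?\s.*?/create|Register-ScheduledTask", re.I)


def triage(events):
    """Return (rule, image) pairs for events that match a heuristic."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            findings.append(("run_key_persistence", ev["Image"]))
        elif eid == 1 and TASK_CREATE.search(ev.get("CommandLine", "")):
            # Attribute the task to the process that spawned schtasks.exe.
            findings.append(("scheduled_task_persistence", ev.get("ParentImage", ev["Image"])))
        elif (eid == 3 and USER_WRITABLE.search(ev.get("Image", ""))
              and ev.get("DestinationPort") in (80, 443)):
            findings.append(("web_egress_from_user_writable_path", ev["Image"]))
    return findings


if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule:38s} {image}")
```

Each heuristic fires on its own; correlating all three on the same image, as they do here, is the stronger signal for a backdoor that persists and then beacons over HTTPS.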

MITRE Tactics and Techniques

1. Initial Access (T1071)
Phishing: Tickler malware is often delivered through decoy documents, such as PDFs that appear to be legitimate but contain embedded malicious payloads. These documents may be distributed via email or social engineering, leading to the first stage of compromise.
2. Execution (T1059)
Command and Scripting Interpreter (PowerShell, CMD): The malware executes commands within the system once the malicious payload is triggered. Tickler uses various techniques to run its code, potentially leveraging legitimate system processes to avoid detection.
3. Persistence (T1547)
Registry Run Keys / Startup Folder: Once executed, Tickler malware establishes persistence on the system by adding registry keys or creating scheduled tasks to ensure it re-executes upon reboot, facilitating continuous access for the attackers.
4. Privilege Escalation (T1088)
Exploitation of Vulnerability: While the reporting on Tickler does not describe this step specifically, privilege escalation often follows once initial access is established. Attackers may seek to gain higher levels of access to the compromised system.
5. Credential Access (T1071)
Input Capture: As part of its functionality, Tickler malware collects information from the compromised network and sends it back to the command-and-control (C2) server. This could include user credentials, system details, and network configuration.
6. Command and Control (T1071)
Application Layer Protocol: Tickler uses HTTP POST requests to communicate with its C2 server, exfiltrating network information to orient itself and maintain control over the compromised system. Cloud Storage and Remote Services: Peach Sandstorm’s use of compromised Azure accounts to host C2 infrastructure is an example of cloud-based command-and-control techniques (T1071).
7. Exfiltration (T1041)
Exfiltration Over Command and Control Channel: Tickler malware sends collected network data back to the attacker’s C2 infrastructure via HTTP POST requests. This exfiltration is key to Peach Sandstorm’s intelligence-gathering objectives.
8. Lateral Movement (T1071)
Remote File Copy and Remote Services: While the reporting on Tickler does not always describe this explicitly, lateral movement is implied, as the malware may be used to move across systems, especially if additional payloads are downloaded to extend reach within a network.
9. Collection (T1074)
System Network Configuration Discovery: The malware collects information about the compromised network, such as system configuration and connected devices, to better inform the attackers about their targets’ infrastructure.
References:
  • Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations