An Iranian advanced persistent threat (APT) actor, likely affiliated with the Ministry of Intelligence and Security (MOIS), has emerged as an initial access facilitator, providing other operators with remote access to targeted networks.
Google’s Mandiant has been monitoring this activity under the alias UNC1860. Its tactics mirror those of intrusion operations tracked by Microsoft, Cisco Talos, and Check Point, which go by the names Storm-0861 (formerly DEV-0861), ShroudedSnooper, and Scarred Manticore, respectively.
“One significant characteristic of UNC1860 is its repertoire of highly specialized tools and silent backdoors. These elements support multiple objectives, such as its potential function as an initial access facilitator and its capacity to secure enduring entry into high-priority networks, including governmental and telecommunications sectors across the Middle East,” Mandiant disclosed.
The group first surfaced in July 2022, when it was linked to destructive cyber attacks against Albania that used the ROADSWEEP ransomware, the CHIMNEYSWEEP backdoor, and a ZEROCLEARE wiper variant (also known as Cl Wiper). Subsequent intrusions in Albania and Israel involved new wiper families dubbed No-Justice and BiBi (also BABYWIPER).
Mandiant portrays UNC1860 as a “formidable adversary” wielding an array of passive backdoors designed to secure hidden footholds within victim networks, ensuring long-term access while avoiding detection.
Among these tools are two graphical user interface (GUI)-operated malware controllers, named TEMPLEPLAY and VIROGREEN. These are believed to provide MOIS-aligned threat actors with remote entry into compromised environments via Remote Desktop Protocol (RDP).
The controllers give third-party operators a user interface for deploying custom payloads and carrying out post-exploitation tasks such as internal network scanning.
Mandiant has identified parallels between UNC1860 and APT34 (also known as Hazel Sandstorm, Helix Kitten, and OilRig). Organizations breached by APT34 in 2019 and 2020 were found to have also been infiltrated by UNC1860, and vice versa. Both clusters have been observed extending their operations to targets in Iraq, as highlighted by Check Point.
Their attack sequences typically involve exploiting internet-facing servers with known vulnerabilities to establish initial access, using tools like web shells and droppers such as STAYSHANTE and SASHEYAWAY. These in turn lead to the deployment of implants like TEMPLEDOOR, FACEFACE, and SPARKLOAD, which are embedded within the compromised servers.
“VIROGREEN, a custom framework, exploits vulnerable SharePoint servers using CVE-2019-0604,” researchers explained, further noting that it manages STAYSHANTE alongside a backdoor identified as BASEWALK.
“The framework supports post-exploitation capabilities, including controlling payloads and backdoors (like the STAYSHANTE web shell and BASEWALK backdoor), task assignment, and controlling compatible agents regardless of their implantation method. It also allows for executing commands and uploading/downloading files.”
TEMPLEPLAY (referred to internally as Client Http), a .NET-based controller, serves as the operational command center for TEMPLEDOOR. It processes backdoor commands via cmd.exe, allowing for file uploads and downloads between the infected host and target server, and facilitates proxy connections.
Analysts believe the adversary possesses a wide-ranging arsenal of passive utilities and main-stage backdoors aligned with its objectives of initial access, lateral network movement, and intelligence gathering.
Additional tools documented by Mandiant include:
- OATBOAT: A loader used to execute shellcode payloads.
- TOFUDRV: A malicious Windows driver overlapping with WINTAPIX.
- TOFULOAD: A passive implant that communicates via undocumented Input/Output Control (IOCTL) commands.
- TEMPLEDROP: A repurposed driver from the Iranian antivirus product Sheed AV, used to protect files from modification.
- TEMPLELOCK: A .NET utility designed to evade defenses by disabling the Windows Event Log service.
- TUNNELBOI: A network controller that establishes connections with remote hosts and manages RDP sessions.
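TEMPLELOCK's trick of disabling the Windows Event Log service is visible to a defender only if the tampering event itself leaves the host before the channel goes dark. The following is an added example (not Mandiant's tooling or anything attributed to UNC1860) of the detection logic a SOC would run over forwarded System and Security log records: it flags Service Control Manager event 7040 changing the start type of "Windows Event Log" to disabled, and Security event 1100 ("The event logging service has shut down") that is not explained by a user-initiated shutdown (event 1074) shortly before it. The records are constructed sample data, the field names are an assumption about how an export is flattened, and the grace window is a tunable assumption.

```python
"""Hunting for Windows Event Log service tampering (TEMPLELOCK-style).

Added example, not code from Mandiant or the actor. Field names in the
records are assumptions about a flattened JSON/CSV export of the System
and Security logs; the sample records below are constructed, not real.
"""
from datetime import datetime, timedelta

# Constructed sample records: a benign 7040 for another service, the
# tampering pair (7040 disabling the Event Log service, then 1100), and a
# benign 1100 that follows a planned shutdown (1074) at end of day.
SAMPLE_EVENTS = [
    {"time": "2024-09-19T08:55:00", "log": "System", "id": 7040,
     "message": "The start type of the Print Spooler service was changed "
                "from auto start to demand start."},
    {"time": "2024-09-19T09:01:12", "log": "System", "id": 7040,
     "message": "The start type of the Windows Event Log service was changed "
                "from auto start to disabled."},
    {"time": "2024-09-19T09:01:15", "log": "Security", "id": 1100,
     "message": "The event logging service has shut down."},
    {"time": "2024-09-19T17:30:02", "log": "System", "id": 1074,
     "message": "The process C:\\Windows\\system32\\shutdown.exe has initiated "
                "the shutdown of computer WS01 on behalf of user CORP\\admin "
                "for the following reason: Other (Planned)"},
    {"time": "2024-09-19T17:30:09", "log": "Security", "id": 1100,
     "message": "The event logging service has shut down."},
]

# How long after a 1074 shutdown event a 1100 is considered benign (assumption).
SHUTDOWN_GRACE = timedelta(minutes=2)


def parse_time(ts):
    return datetime.fromisoformat(ts)


def eventlog_service_disabled(ev):
    """True for a 7040 whose message sets the Windows Event Log service to disabled."""
    msg = ev["message"].rstrip(".")
    return (ev["log"] == "System" and ev["id"] == 7040
            and "Windows Event Log service" in msg
            and msg.endswith("disabled"))


def find_tampering(events):
    """Return (finding, timestamp) tuples in chronological order."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    shutdown_times = [parse_time(e["time"]) for e in events
                      if e["log"] == "System" and e["id"] == 1074]
    findings = []
    for ev in events:
        t = parse_time(ev["time"])
        if eventlog_service_disabled(ev):
            findings.append(("eventlog_service_disabled", ev["time"]))
        elif ev["log"] == "Security" and ev["id"] == 1100:
            # A 1100 is expected right after a clean shutdown; otherwise the
            # logging service was stopped by something else and we want to know.
            explained = any(timedelta(0) <= t - s <= SHUTDOWN_GRACE
                            for s in shutdown_times)
            if not explained:
                findings.append(("eventlog_stopped_without_shutdown", ev["time"]))
    return findings


if __name__ == "__main__":
    for finding in find_tampering(SAMPLE_EVENTS):
        print(*finding)
```

Two practical caveats: the 7040 is written by the Service Control Manager before the service actually stops, so it only reaches the SIEM if logs are forwarded off-host (Windows Event Forwarding or an EDR sensor) rather than collected later; and a short disable-and-restart window shows up as a second 7040 changing the start type back, so correlating the pair and the gap between them is stronger than alerting on either event alone.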
“As tensions in the Middle East fluctuate, we believe this group’s expertise in gaining initial access to high-value environments represents a critical asset for Iran’s cyber apparatus, capable of being exploited to meet shifting strategic objectives,” researchers Stav Shulman, Matan Mimran, Sarah Bock, and Mark Lechtik stated.
This development follows revelations from the U.S. government about ongoing Iranian efforts to interfere in and influence the upcoming U.S. elections, including the theft of non-public material from former President Donald Trump's campaign.
“In late June and early July, Iranian cyber operatives sent unsolicited emails to individuals linked to President Biden’s campaign. These emails contained text from stolen, non-public materials related to former President Trump’s campaign,” according to government reports.
“There is no current evidence to suggest that recipients responded. Furthermore, Iranian cyber actors have persisted in their efforts to send this stolen material to U.S. media outlets since June.”
Iran’s growing cyber activities against perceived adversaries coincide with a period of heightened regional involvement in the Middle East.
Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that Iranian APT Lemon Sandstorm (also known as Fox Kitten) has engaged in ransomware attacks through covert partnerships with the NoEscape, RansomHouse, and BlackCat (also ALPHV) hacking groups.
Analysis from Censys of Lemon Sandstorm’s infrastructure has uncovered other active hosts likely linked to the group, based on shared geolocation, Autonomous System Numbers (ASNs), and patterns in ports and digital certificates.
“Despite attempts at obfuscation and randomization, human operators must still manage, operate, and eventually dismantle their digital infrastructure,” noted Matt Lembright of Censys.
“Even with technology that randomizes actions, human operators tend to follow identifiable patterns—whether in terms of Autonomous Systems, geolocations, hosting providers, software, port configurations, or digital certificate characteristics.”
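The pivot Censys describes, from known hosts to other hosts that share an Autonomous System, geolocation, port profile and certificate characteristics, can be expressed as a simple similarity score. The block below is an added example, not Censys's code or methodology: it scores each candidate host against a set of seed hosts on exactly those dimensions and returns the candidates above a threshold. All host records are constructed sample data (documentation IP ranges and private ASNs), and the weights and threshold are assumptions to be tuned against a real investigation.

```python
"""Pivoting from attributed infrastructure to likely-related hosts.

Added example, not Censys's tooling. Hosts, weights and threshold are
constructed assumptions; the scoring dimensions are the ones named in the
article (ASN, geolocation, ports, certificate attributes).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    asn: int
    country: str
    city: str
    ports: frozenset
    cert_issuer: str
    cert_cn: str
    cert_sha256: str  # "" when the host serves no TLS certificate


# Constructed seed hosts already attributed to the actor.
SEEDS = [
    Host("203.0.113.10", 64500, "NL", "Amsterdam", frozenset({22, 443, 8443}),
         "R3", "update-cdn.example", "aaa1"),
    Host("203.0.113.22", 64500, "NL", "Amsterdam", frozenset({443, 8443}),
         "R3", "update-cdn.example", "aaa1"),
]

# Constructed candidates: a same-ASN host with a sibling naming pattern, a
# host reusing the seeds' exact certificate, an unrelated web shop, and a
# same-ASN mail host with nothing else in common.
CANDIDATES = [
    Host("198.51.100.5", 64500, "NL", "Amsterdam", frozenset({22, 443, 8443}),
         "R3", "sync-cdn.example", "bbb2"),
    Host("198.51.100.77", 64500, "NL", "Amsterdam", frozenset({443, 8443}),
         "R3", "update-cdn.example", "aaa1"),
    Host("192.0.2.140", 64511, "DE", "Frankfurt", frozenset({80, 443}),
         "DigiCert", "shop.example", "ccc3"),
    Host("192.0.2.9", 64500, "NL", "Rotterdam", frozenset({25, 110}),
         "", "", ""),
]

# Relative importance of each dimension (assumption; sums to 1.0).
WEIGHTS = {"asn": 0.2, "geo": 0.15, "ports": 0.3,
           "cert_issuer": 0.1, "cert_cn": 0.1, "cert_sha256": 0.15}


def jaccard(a, b):
    """Port-profile overlap; two hosts with no observed ports share no evidence."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def pair_score(cand, seed):
    """Weighted similarity of one candidate to one seed, in [0, 1]."""
    s = WEIGHTS["asn"] * (cand.asn == seed.asn)
    s += WEIGHTS["geo"] * ((cand.country == seed.country) + (cand.city == seed.city)) / 2
    s += WEIGHTS["ports"] * jaccard(cand.ports, seed.ports)
    if seed.cert_sha256 and cand.cert_sha256:  # only compare when both serve TLS
        s += WEIGHTS["cert_issuer"] * (cand.cert_issuer == seed.cert_issuer)
        s += WEIGHTS["cert_cn"] * (cand.cert_cn == seed.cert_cn)
        s += WEIGHTS["cert_sha256"] * (cand.cert_sha256 == seed.cert_sha256)
    return round(s, 3)


def pivot(seeds, candidates, threshold=0.6):
    """Rank candidates by their best match against any seed, keeping those above threshold."""
    ranked = []
    for c in candidates:
        best = max(pair_score(c, s) for s in seeds)
        if best >= threshold:
            ranked.append((c.ip, best))
    return sorted(ranked, key=lambda r: -r[1])


if __name__ == "__main__":
    for ip, score in pivot(SEEDS, CANDIDATES):
        print(ip, score)
```

The score is a triage aid, not attribution: a popular hosting provider puts thousands of unrelated hosts in the same ASN and city with the same default port set, so the cheap dimensions (ASN, geolocation) carry little weight here and an exact certificate reuse carries much more. Anything the pivot surfaces still needs confirmation from content, timing or passive DNS before it is treated as the actor's.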