UNC1860, an Iranian state-sponsored threat actor, has emerged as a formidable cyber force in the Middle East.
Likely tied to Iran’s Ministry of Intelligence and Security (MOIS), the UNC1860 group is known for its specialized tooling and passive backdoors, which enable long-term access to critical networks, including government and telecommunications sectors.
Operating as an initial access provider, UNC1860 has displayed its ability to infiltrate high-priority networks across the region, aiding in espionage and cyberattacks.
UNC1860’s Role in Iran’s Cyber Campaigns
Mandiant identifies UNC1860 as a key player in Iran’s cyber ecosystem, paralleling other Iranian groups such as Shrouded Snooper, Scarred Manticore, and Storm-0861. These actors have targeted Middle Eastern telecommunications and government networks, potentially collaborating on major disruptive operations, including Israel’s BABYWIPER attacks in 2023 and Albania’s ROADSWEEP campaign in 2022.
Although direct involvement in these attacks by UNC1860 remains unverified, the group’s sophisticated malware controllers—TEMPLEPLAY and VIROGREEN—suggest its role as an initial access provider. These tools enable seamless hand-off operations, giving third-party actors remote access to victim networks, underlining UNC1860’s significance in Iran’s offensive cyber strategy.
Tools of the Trade: UNC1860’s Specialized Arsenal
UNC1860’s toolkit includes GUI-operated malware controllers and passive implants designed for stealth and persistence. One standout feature is a Windows kernel mode driver repurposed from an Iranian antivirus software filter. This reflects the group’s reverse engineering expertise and ability to evade detection.
By exploiting vulnerabilities in internet-facing servers, UNC1860 establishes initial footholds in target networks, deploying utilities and implants to evade detection. Their arsenal includes passive implants like OATBOAT and TOFUDRV, which avoid traditional command-and-control infrastructure, making detection by security teams difficult. These implants leverage HTTPS encryption and use undocumented Input/Output Control (IOCTL) commands, ensuring secure and covert communications.
UNC1860 and APT34: A Cooperative Threat
Mandiant’s investigations suggest a close overlap between UNC1860 and APT34, another MOIS-linked threat actor. APT34, also tracked under names including Cobalt Gypsy, Hazel Sandstorm and Helix Kitten, is known to carry out supply chain attacks and to rely on social engineering and recently patched vulnerabilities, researchers at Cyble Research and Intelligence Labs explained.
APT34 relies on custom DNS tunneling protocols for command and control and data exfiltration, along with web shells and backdoors for persistent access to servers. Cutting Kitten employs stolen account credentials for lateral movement and uses phishing sites to harvest credentials for accessing targeted organizations, Cyble added.
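The article does not describe APT34’s tunneling protocol, but the generic fingerprint of DNS tunneling (long, high-entropy leftmost labels, repeated from one client to one base domain, often in bulky record types) is something a defender can hunt for in resolver logs. The following is an added example written for this page, not tooling from Mandiant, Cyble or the threat actor; the log format, the domain names and the thresholds are constructed assumptions, and the base-domain extraction is a crude last-two-labels guess rather than a public-suffix lookup.

```python
import math
from collections import Counter

# Constructed sample resolver log: "timestamp client qtype qname". These lines
# are made up for the example; they are not indicators from any report.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.5 A mail.example.com
2024-05-01T10:00:03Z 10.0.0.7 TXT 4a6f686e2d646f652d73656372657431.tunnel-example.net
2024-05-01T10:00:04Z 10.0.0.7 TXT 9f3b1c7e2d8a4b6c5d0e1f2a3b4c5d6e.tunnel-example.net
2024-05-01T10:00:05Z 10.0.0.7 TXT aabbccddeeff00112233445566778899.tunnel-example.net
2024-05-01T10:00:06Z 10.0.0.7 TXT 0123456789abcdef0123456789abcdef.tunnel-example.net
2024-05-01T10:00:07Z 10.0.0.9 A cdn.example.org
2024-05-01T10:00:08Z 10.0.0.9 A static.cdn.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded or encrypted payload scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_dns_log(text: str):
    """Yield (client, qtype, qname) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qtype, qname = parts
        yield client, qtype.upper(), qname.rstrip(".").lower()


def is_suspicious_label(label: str, min_len: int = 20, min_entropy: float = 3.0) -> bool:
    """A long, random-looking leftmost label is the classic tunnelling fingerprint.
    Thresholds are assumptions; tune them against your own baseline traffic."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def base_domain(qname: str) -> str:
    """Crude registrable-domain guess: the last two labels (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect_tunneling(text: str, min_queries: int = 3) -> dict:
    """Count suspicious queries per (client, base domain) and report the pairs
    that reach min_queries. Repetition matters: one odd label is noise, a burst
    of them from one host to one domain is a tunnel candidate."""
    counts: dict = {}
    for client, qtype, qname in parse_dns_log(text):
        leftmost = qname.split(".")[0]
        if not is_suspicious_label(leftmost):
            continue
        entry = counts.setdefault((client, base_domain(qname)), {"count": 0, "qtypes": set()})
        entry["count"] += 1
        entry["qtypes"].add(qtype)
    return {
        key: {"count": v["count"], "qtypes": sorted(v["qtypes"])}
        for key, v in counts.items()
        if v["count"] >= min_queries
    }


if __name__ == "__main__":
    for (client, domain), info in detect_tunneling(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {info['count']} suspicious queries, types {info['qtypes']}")
```

The record-type set is reported rather than used as a filter because tunnels over A/AAAA records exist; treating TXT or NULL as an extra risk signal in the alerting layer is a reasonable next step, as is whitelisting legitimate high-entropy names such as CDN cache keys or anti-spam services, which this heuristic alone will flag.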
Both groups have been observed operating within the same victim environments, possibly sharing tools and access, Mandiant said. In multiple engagements between 2019 and 2020, organizations compromised by APT34 were later found to have been infiltrated by UNC1860, suggesting a coordinated approach to cyber espionage and lateral movement across networks.
This collaboration is further evidenced by both groups’ pivot to Iraq-based targets, highlighting their flexible and opportunistic nature. UNC1860’s use of web shells and droppers, including STAYSHANTE and SASHEYAWAY, allows for the smooth execution of their more advanced malware, which can be handed off to third-party actors for further exploitation.
TEMPLEPLAY and VIROGREEN: UNC1860’s Custom Controllers
UNC1860’s malware controllers TEMPLEPLAY and VIROGREEN offer advanced post-exploitation capabilities. TEMPLEPLAY, a .NET-based controller for the TEMPLEDOOR backdoor, allows operators to execute commands, upload and download files, and establish HTTP proxies to bypass network boundaries. Its user-friendly GUI provides third-party operators with easy access to infected machines, facilitating remote desktop connections and internal network scanning.
VIROGREEN, meanwhile, is designed to exploit vulnerable SharePoint servers using CVE-2019-0604. It includes functions for deploying backdoors like STAYSHANTE and BASEWALK, scanning for vulnerabilities, and controlling compromised systems. Together, these controllers represent a significant part of UNC1860’s toolkit, enabling them to maintain persistent access and facilitate further attacks.
Passive Backdoors: UNC1860’s Stealthy Persistence
One of UNC1860’s key strengths lies in its passive implants, which offer stealth and persistence in victim environments. These implants, including TOFUDRV and TEMPLEDROP, provide advanced evasion techniques by leveraging the Windows kernel. By avoiding outbound traffic and initiating communications from volatile sources, these implants make network monitoring exceedingly difficult. Their ability to function without traditional command-and-control infrastructure further complicates detection efforts.
UNC1860’s malware development includes custom Base64 encoding/decoding and XOR encryption/decryption methods. These custom libraries allow the group to bypass standard detection mechanisms and ensure compatibility across different .NET versions. By implementing these functions independently, UNC1860 demonstrates its deep understanding of Windows internals and its commitment to avoiding detection.
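Custom Base64 alphabets and XOR layers defeat signature matching on the encoded strings, but they are cheap to reverse once an analyst has recovered the alphabet and a key from the sample. The following is an added example for this page, not code from the report or from the malware: the alphabet (a rotation of the standard one), the single-byte key 0x5A and the configuration string are constructed stand-ins, since the article publishes none of UNC1860’s actual values. It shows the decoding path an analyst would script, plus two ways of recovering a single-byte XOR key: a printable-output sweep over all 256 keys and a known-plaintext (crib) check.

```python
import base64
import string

# Standard Base64 alphabet in the order base64.b64encode emits it.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Hypothetical custom alphabet: a rotation of the standard one. The report does
# not publish the real alphabet; this is a constructed stand-in.
CUSTOM_ALPHABET = STD_ALPHABET[7:] + STD_ALPHABET[:7]

# Constructed single-byte XOR key and plaintext used to build the sample blob.
SAMPLE_XOR_KEY = 0x5A
SAMPLE_CONFIG = b"c2=https://203.0.113.10/api/v1\nsleep=300\n"


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct characters and must not contain '='")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; the same routine encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def custom_b64encode(raw: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Base64 with a non-standard alphabet: encode normally, then remap characters."""
    _check_alphabet(alphabet)
    return base64.b64encode(raw).decode("ascii").translate(str.maketrans(STD_ALPHABET, alphabet))


def custom_b64decode(data: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map the custom alphabet back to the standard one, restore padding, decode."""
    _check_alphabet(alphabet)
    translated = data.rstrip("=").translate(str.maketrans(alphabet, STD_ALPHABET))
    translated += "=" * (-len(translated) % 4)  # encoder may have stripped padding
    return base64.b64decode(translated, validate=True)


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII (tab, LF and CR included)."""
    if not buf:
        return 0.0
    return sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13)) / len(buf)


def candidate_single_byte_keys(buf: bytes, min_ratio: float = 1.0) -> list:
    """Keys whose XOR output is at least min_ratio printable, best first.
    Several keys can tie (e.g. ones that only flip letter case), so this narrows
    the search rather than deciding it."""
    scored = [(printable_ratio(xor_bytes(buf, bytes([k]))), k) for k in range(256)]
    return [k for ratio, k in sorted(scored, reverse=True) if ratio >= min_ratio]


def recover_single_byte_key(buf: bytes, crib: bytes):
    """Known-plaintext check: if the blob is believed to start with crib, every
    crib position must imply the same key byte. Returns the key, or None."""
    if not crib or len(crib) > len(buf):
        return None
    keys = {c ^ p for c, p in zip(buf, crib)}
    return keys.pop() if len(keys) == 1 else None


def decode_blob(blob: str, key: int, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Full reversal of the constructed scheme: custom Base64, then XOR."""
    return xor_bytes(custom_b64decode(blob, alphabet), bytes([key]))


def build_sample_blob() -> str:
    """Produce an obfuscated blob the way the hypothetical implant would."""
    return custom_b64encode(xor_bytes(SAMPLE_CONFIG, bytes([SAMPLE_XOR_KEY])))


if __name__ == "__main__":
    blob = build_sample_blob()
    raw = custom_b64decode(blob)
    print("printable-sweep candidates:", [hex(k) for k in candidate_single_byte_keys(raw)][:8])
    print("crib-derived key:", hex(recover_single_byte_key(raw, b"c2=")))
    print(decode_blob(blob, SAMPLE_XOR_KEY).decode())
```

For detection, the remapped alphabet is itself a signal: strings that are Base64-shaped (length a multiple of 4, 64-character set) but fail standard decoding are worth flagging in static analysis, and a YARA rule on the translation table the implant embeds is more durable than one on any encoded string.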
Long-Term Persistence: UNC1860’s Main-Stage Backdoors
UNC1860’s foothold utilities and backdoors are designed for long-term persistence, using obfuscation methods to evade detection. Their “main-stage” implants, including TEMPLEDOOR, further extend their operational security by providing robust footholds in victim environments. These backdoors are often reserved for high-priority targets, particularly in the telecommunications sector, and demonstrate UNC1860’s advanced capabilities in reverse engineering and defense evasion.
Conclusion: UNC1860’s Growing Influence
As cyber tensions rise in the Middle East, UNC1860’s role as an initial access provider and persistent threat actor continues to grow. Their sophisticated tooling and ability to gain and maintain access to high-value networks make them a significant player in Iran’s cyber operations. With deep expertise in reverse engineering and stealth, UNC1860 is likely to remain a critical asset in Iran’s cyber arsenal, capable of adapting to evolving objectives and shifting geopolitical landscapes.
UNC1860’s continued operations signal the growing complexity of state-sponsored cyber threats, particularly in the Middle East. Network defenders in the region must remain vigilant, as UNC1860’s advanced tradecraft and evasive techniques present a persistent challenge to cybersecurity efforts.