Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
🇮🇷 IR30 malware familiesExploits CVEs in the wild

UNC1860

Also known asShroudedSnooperUNC1860

UNC1860, also known as ShroudedSnooper, Scarred Manticore, and Storm-0861, is an Iranian state-sponsored threat actor likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Reporting describes it as a persistent, stealthy, and opportunistic actor focused on gaining initial access and maintaining footholds in high-priority Middle Eastern networks, especially telecommunications and government organizations, with additional targeting noted across media, academia, and critical infrastructure. Multiple sources assess that UNC1860 functions primarily as a state-sponsored initial access group or facilitator for other Iranian actors, including MOIS-affiliated groups such as APT34/OilRig, handing off established access for follow-on espionage and, in some reporting, destructive or disruptive operations. UNC1860 has been active since at least 2020 and has conducted intrusions across the Middle East, including Israel, Qatar, Saudi Arabia, and Iraq. Its tradecraft centers on opportunistic exploitation of vulnerable internet-facing systems, including SharePoint exploitation via CVE-2019-0604, followed by deployment of web shells and droppers such as STAYSHANTE and SASHEYAWAY. It then installs passive implants and backdoors designed to avoid traditional outbound command-and-control, including TEMPLEDOOR, FACEFACE, SPARKLOAD, TOFULOAD, WINTAPIX, OATBOAT, and TEMPLEDROP. Reporting states these passive implants use undocumented IOCTL or HTTP.sys-related mechanisms, do not initiate outbound traffic, and are intended to reduce network-detection opportunities. The actor’s tooling also includes GUI-based controllers TEMPLEPLAY and VIROGREEN, which support command execution, file transfer, payload deployment, and proxying or facilitation of RDP access for downstream operators. UNC1860 has demonstrated strong reverse-engineering and Windows internals expertise, including use of the repurposed legitimate Iranian Sheed AV kernel driver in TEMPLEDROP for stealthy persistence and file protection, and evasion techniques such as interfering with Windows Event Log service threads. Public reporting also notes overlap in victimology and operations with APT34/OilRig and assesses UNC1860 as a gateway enabling access for other Iranian nation-state actors.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Telecommunication Services
  • Government & Administration

Where they target

Geographies tied to known operations.

  • 🇮🇱 Israel

Where they're from

Attributed origin per open-source reporting.

  • IR
MITRE ATT&CK

Tradecraft

13 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

7 of 15 tactics18 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1595
Active Scanning
TA0001
Initial Access
2 techniques
T1133
External Remote Services
T1190
Exploit Public-Facing Application
TA0002
Execution
1 technique
T1059
Command and Scripting Interpreter
T1059.003
Windows Command Shell
TA0003
Persistence
2 techniques
T1133
External Remote Services
T1505
Server Software Component
T1505.003×4
Web Shell
TA0005
Stealth
4 techniques
T1014
Rootkit
T1027
Obfuscated Files or Information
T1036
Masquerading
T1070
Indicator Removal
T1070.001
Clear Windows Event Logs
TA0112
Defense Impairment
1 technique
T1222
File and Directory Permissions Modification
TA0011
Command and Control
3 techniques
T1090
Proxy
T1105×2
Ingress Tool Transfer
T1573
Encrypted Channel
T1573.002
Asymmetric Cryptography
ARSENAL

Associated malware families

30 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
SASHEYAWAYWeb shells like STAYSHANTE and SASHEYAWAY are frequently deployed after initial access is achieved.5Apr 11, 2026
TEMPLEDOORThese shells enable further persistence by deploying full passive backdoors, such as TEMPLEDOOR and FACEFACE, which can execute commands, transfer files, and interact with system services.5Apr 11, 2026
FACEFACEThese shells enable further persistence by deploying full passive backdoors, such as TEMPLEDOOR and FACEFACE, which can execute commands, transfer files, and interact with system services.4Apr 11, 2026
OATBOATOATBOAT ... CyveraConsole.exe_OATBOAT that contains encrypted shellcode of TOFULOAD ... OATBOAT with TOFULOAD shellcode4Apr 11, 2026
STAYSHANTEWeb shells like STAYSHANTE and SASHEYAWAY are frequently deployed after initial access is achieved.4Apr 11, 2026

25 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2019-0604Microsoft SharePoint Remote Code Execution VulnerabilityIn the wildEvidence1

"VIROGREEN is a custom framework used to exploit vulnerable SharePoint servers with CVE-2019-0604... The framework provides post-exploitation capabilities including scanning for and exploiting CVE-2019-0604"

IOCS

Observables

134 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

134 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
trellix blogNews
Mar 2, 2026
The Iranian Cyber Capability 2026

Stealth-focused long-term access operations in telecom and government networks using passive backdoors, web shells, and a repurposed kernel driver to maintain low-visibility persistence.

Read more
talosintelligence otherNews
May 13, 2025
Redefining IABs: Impacts of compartmentalization on threat tracking and modeling

State-sponsored initial access group associated with Iran that gains footholds in victim networks, deploys webshells and passive implants, and transfers access to other Iranian threat groups for espionage, ransomware, or disruptive operations.

Read more
sentinelone labsNews
Jan 9, 2025
The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest | SentinelOne

MOIS-attributed Iranian threat actor focused on intelligence collection and initial access operations, including telecom and government intrusions in the Middle East.

Read more
dark readingNews
Sep 24, 2024

Iran-linked access broker providing initial access/footholds in high-value networks (especially telecommunications) and handing that access to other Iranian state hacking groups; uses a large set of custom passive implants/backdoors and inbound-only C2-like interaction to reduce detection.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping13

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal30

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables134

Domains, IPs, and hashes tied to this actor, refreshed continuously.