Shrouded Snooper

Also known asshrouded_snooper

Shrouded Snooper is an Iran-linked threat actor referenced by Cisco Talos as a regional actor and by Mandiant as having tradecraft and targeting that parallel UNC1860, Scarred Manticore, and Storm-0861. The provided content does not include a direct standalone profile of Shrouded Snooper, but it places the actor in the context of Iranian cyber activity focused on the Middle East. Talos references Shrouded Snooper in prior research on regional actors and notes that Iranian-linked actors have historically conducted espionage, destructive attacks, and hack-and-leak operations. Mandiant states that UNC1860’s tradecraft and targeting parallel Shrouded Snooper, in the context of targeting government and telecommunications networks throughout the Middle East and using opportunistic exploitation of internet-facing systems, web shells, droppers, and stealthy passive implants to maintain access. Based on the provided content, Shrouded Snooper is associated with Iranian regional cyber operations and is discussed alongside Scarred Manticore and Storm-0861, but further high-confidence details, including confirmed aliases, sub-groups, or directly attributed tooling, are not available in the supplied material.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

telecommunications
government

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

talos intelligence blogNews

Mar 3, 2026

Talos on the developing situation in the Middle East

Referenced as a regional actor in the Middle East conflict context; no specific operations, tooling, or targeting details are provided in the content beyond general expectations of espionage/destructive/hack-and-leak activity by Iranian groups.

dark readingNews

Sep 24, 2024

Named threat actor referenced for comparison/visibility; no specific operations described in this content beyond being mentioned alongside other Iranian groups.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.