HanifNet
HanifNet is a custom backdoor used by the Iranian state-linked threat actor Lemon Sandstorm, also known as Parisite, Fox Kitten, Pioneer Kitten, Rubidium, and UNC757. It was observed in a sustained intrusion against a Middle Eastern critical national infrastructure entity that lasted from at least May 2023 to February 2025, with Fortinet reporting that HanifNet was first deployed in August 2023. The malware is described as an unsigned .NET executable that retrieves commands from a command-and-control server and executes them on the victim system.

HanifNet was part of a broader custom malware ecosystem that also included HXLibrary and NeoExpressRAT, and was used to maintain long-term access during a multi-phase campaign that began with stolen VPN or SSL VPN credentials and the deployment of web shells on external-facing Microsoft Exchange and other public-facing servers. The campaign involved long-term persistence, lateral movement, targeted email exfiltration, movement toward virtualization infrastructure, and reconnaissance of OT-adjacent network segments.

Fortinet assessed that the actor’s primary objective was long-term prepositioning toward the victim’s operational technology environment rather than significant data theft, with no evidence that the OT network itself was penetrated. HanifNet has been explicitly cited as one of more than a dozen tools used by Lemon Sandstorm in this campaign. High-confidence infrastructure associated with the broader activity included command-and-control overlaps such as apps.gist.githubapp[.]net and gupdate[.]net.
Groups observed using it
1 distinct threat actor attributed by public researchers.
...the group executed a sustained, multi-phase campaign targeting Middle Eastern energy and infrastructure, beginning with VPN credential theft and progressively deepening access through a custom malware ecosystem that included HanifNet, HXLibrary, and NeoExpressRAT.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 1 technique
Persistence: 4 techniques
  Evidence: “Persistence was maintained through web shells and scheduled tasks …”; command lines show “schtasks /create …” and “Register-ScheduledTask …”
  Evidence: “Persistence was maintained through web shells…” and “IIS-based malware designed to blend seamlessly into legitimate network traffic.”
Privilege Escalation: 2 techniques
Stealth: 1 technique
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Part of Parisite’s custom malware ecosystem used in a multi-phase campaign against Middle Eastern energy and infrastructure targets.
Custom malware used by the Iran-linked Lemon Sandstorm intrusion set as part of a long-term persistence-focused campaign against a critical national infrastructure (CNI) target, supporting sustained access rather than immediate data theft.
Custom backdoor used to maintain long-term, stealthy access for espionage and suspected network prepositioning.
Unsigned .NET backdoor that retrieves and executes commands from a C2 server.