TEMPLEDOOR
TEMPLEDOOR is a passive backdoor used by the Iranian state-sponsored threat actor UNC1860, which Mandiant assesses is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). It is part of UNC1860’s post-compromise toolchain used in persistent, stealthy intrusions against high-priority Middle Eastern networks, especially government and telecommunications organizations. UNC1860 commonly gains initial access by opportunistically exploiting vulnerable internet-facing servers, then deploying web shells and droppers such as STAYSHANTE and SASHEYAWAY; SASHEYAWAY has been reported to embed and execute TEMPLEDOOR alongside FACEFACE and SPARKLOAD. TEMPLEDOOR is described as a full passive backdoor that can execute commands, transfer files, and interact with system services. Mandiant also reported TEMPLEPLAY, a .NET-based GUI controller internally named "Client Http," as a controller for TEMPLEDOOR that supports command execution via cmd.exe, file upload/download, and HTTP proxying to facilitate RDP access to internal systems behind NAT or firewalls. The malware is associated with UNC1860’s broader use of passive implants intended to reduce reliance on classic outbound C2 and complicate network detection.
Groups observed using it
2 distinct threat actors attributed by public researchers.
These shells enable further persistence by deploying full passive backdoors, such as TEMPLEDOOR and FACEFACE, which can execute commands, transfer files, and interact with system services.
ShroudedSnooper built a sprawling toolkit of passive backdoors and web shells — including the LionTail framework, TEMPLEDOOR, SASHEYAWAY, and a repurposed Windows kernel driver derived from Iranian antivirus software — designed to sustain long-term, low-visibility access.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
Persistence (1 technique)
Web shells like STAYSHANTE and SASHEYAWAY are frequently deployed after initial access is achieved. These shells enable further persistence by deploying full passive backdoors, such as TEMPLEDOOR and FACEFACE, which can execute commands, transfer files, and interact with system services.
Command and Control (1 technique)
UNC1860 relies on custom-made passive backdoors like TOFULOAD and WINTAPIX, which leverage undocumented Input/Output Control (IOCTL) commands for communication, bypassing standard detection mechanisms used by EDR systems. These implants operate without initiating outbound traffic, making them difficult to detect through traditional network monitoring tools.
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Passive backdoor used by ShroudedSnooper for long-term low-visibility access.
Web shell/backdoor used by Iranian threat actors for persistence and remote access after exploiting VPN and firewall vulnerabilities.
A more substantial follow-on backdoor downloaded/deployed by UNC1860 after initial foothold is established.
Implant/backdoor executed via SASHEYAWAY; controlled by TEMPLEPLAY and supports command execution, file transfer, and proxying.