Mallory
Malware · Used by 1 actor

OATBOAT

OATBOAT is a loader/backdoor associated with the Iranian state-sponsored threat actor UNC1860, which Mandiant assesses is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). It is described as a loader that loads and executes shellcode payloads, including TOFULOAD and TOFUPIPE, and has been referred to as a main-stage implant/backdoor used against high-value targets. The related payloads TOFULOAD and TOFUPIPE are described as TCP-based passive listeners, and broader UNC1860 reporting emphasizes the group’s use of passive implants that avoid initiating outbound traffic, complicating network detection. OATBOAT appears in intrusion chains following exploitation of vulnerable internet-facing systems and deployment of web shells or droppers used by UNC1860. The actor has targeted high-priority networks in the Middle East, especially government and telecommunications organizations, with additional reporting also citing media, academia, and critical infrastructure. Mentioned OATBOAT samples include variants masquerading as CyveraConsole.exe, cct.exe, systemre.exe, and wlbsctrl.dll, including samples containing encrypted TOFULOAD shellcode or payloads such as TOFUPIPE. High-confidence associations in the provided content tie OATBOAT to UNC1860’s stealth-focused tooling ecosystem alongside TEMPLEDOOR, TEMPLEDROP, SASHEYAWAY, TOFULOAD, WINTAPIX, and related utilities.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UNC1860

OATBOAT ... CyveraConsole.exe_OATBOAT that contains encrypted shellcode of TOFULOAD ... OATBOAT with TOFULOAD shellcode

via contagiodump blog (contagiodump.blogspot.com)
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1595 Active Scanning (Evidence: 1)

"Its job is merely to gain that initial foothold, primarily by scanning for vulnerabilities in public-facing assets at targeted organizations"

Command and Control

2 techniques
T1105 Ingress Tool Transfer (Evidence: 1)

"Stayshante, Sasheyaway, and tools like it provide its first toe in the water, and can be used to download more substantial backdoors"

T1573.002 Asymmetric Cryptography (Evidence: 1)

"Because the group's implants utilize HTTPS-encrypted traffic, victims will not be able to decrypt its commands or payloads."

INDICATORS OF COMPROMISE

IOCs tracked for this family

8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
8 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type: hash.sha256 (6 of the 8 tracked hashes are listed; values are masked on the public page). Latest sighting: 2 years ago.
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (8)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (3)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.