SEASHARPEE
SEASHARPEE is a web shell. Reported capabilities include executing commands on victim systems and timestomping files on compromised hosts. Mandiant reported that UNC215 deployed the SEASHARPEE web shell in April 2019 against financial and high-tech organizations in the Middle East and Asia. The same reporting states UNC215 used SEASHARPEE after the web shell’s code was leaked in March 2019 via the Telegram channel Lab Dookhtegan, and describes it as an Iranian-associated web shell. High-confidence context directly links SEASHARPEE to UNC215 post-compromise activity and use on victim web infrastructure for command execution and anti-forensics via timestamp manipulation.
Groups observed using it
1 distinct threat actor attributed by public researchers.
In April 2019, UNC215 deployed the SEASHARPEE web shell against financial and high-tech organizations in the Middle East and Asia.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence
1 technique
"CVE-2019-0604 was used to deliver web shells"; "pivoted to multiple OWA servers and installed web shells"
Stealth
1 technique
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
Command and Control
2 techniques
MITRE ATT&CK Techniques list includes "T1071.001 ... Web Protocols"; web shells and C2 over common protocols are implied.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Web shell malware capable of timestomping files on victim systems.
Web shell (originally developed/used by Iranian APT actors prior to code leak) deployed for server-side access in UNC215 operations; used as part of post-exploitation tradecraft and likely for command execution and persistence on web servers.
Web shell used to maintain access on compromised servers.
Malware/tool capable of executing commands on victim systems.