“UNC1860 and Iran’s Role in Middle Eastern Networks”

UNC1860 is an Iranian state-sponsored threat actor linked to espionage and cyber operations in the Middle East, deploying specialized tools and backdoors to persistently access high-priority networks. The group uses GUI-based controllers TEMPLEPLAY and VIROGREEN, collaborates with MOIS-affiliated actors such as APT34, and leverages passive implants and kernel-level techniques to evade detection and maintain access. Hashtags: #UNC1860 #TEMPLEPLAY #VIROGREEN #TEMPLEDOOR #SASHEYAWAY #APT34 #MOIS #OATBOAT #WINTAPIX #TOFUDRV #ROADSWEEP #BABYWIPER #Israel #SaudiArabia #Iraq

Key Points

  • UNC1860 is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
  • The group uses custom GUI-operated malware controllers (TEMPLEPLAY and VIROGREEN) to provide remote access and enable hand-off operations.
  • UNC1860 has ties to other Iranian actors (e.g., APT34), suggesting a collaborative, ecosystem approach to cyber operations.
  • Specialized tooling includes passive backdoors and utilities designed for stealth, persistence, and detection evasion, including kernel-level components.
  • Recent activity targets vulnerabilities and networks in Saudi Arabia and Iraq and involves operations against Israeli entities.
  • The malware arsenal supports long-term footholds, covert communication, and data exfiltration with evasion of standard security tooling.

MITRE Techniques

  • [T1078] Initial Access – Exploiting vulnerable internet-facing servers to deploy web shells.
  • [T1203] Execution – Utilizing custom GUI-operated malware controllers for executing commands on target systems.
  • [T1050] Persistence – Deploying passive backdoors and utilities for long-term access.
  • [T1068] Privilege Escalation – Leveraging Windows kernel components to evade detection and gain higher privileges.
  • [T1562] Defense Evasion – Using custom obfuscation methods and passive implants to avoid detection by security tools.
  • [T1003] Credential Access – Validating credentials across multiple domains to gain access to additional accounts.
  • [T1071] Command and Control – Utilizing HTTP/S encrypted traffic for command and control communications.
  • [T1041] Exfiltration – Using backdoors to extract sensitive data from compromised networks.

Indicators of Compromise

  • [MD5 Hash] Google Threat Intelligence collection indicators related to UNC1860 activity – 1176381da7dea356f3377a59a6f0e799, 41f4732ed369f2224a422752860b0bc5, and 2 more hashes
  • [File Name] – STAYSHANTE, SASHEYAWAY, TEMPLEDOOR, TEMPLELOCK (and 2 more filenames)

Read more: https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks/