💡

UNC1860

Aliases

Scarred Manticore, HTTPSnoop

Tags

State-Sponsored

Attribution

🇮🇷/MOIS

Incidents

UNC1860 Attacks Targeting the Middle East

References

https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks/

Last edited

Jun 24, 2025 10:49 AM

Status

Finalized

Cloud-fluent

Unique Tools

ShroudedSnooper TEMPLEPLAY VIROGREEN STAYSHANTE SASHEYAWAY

UNC1860 is an Iranian state-sponsored threat actor, likely affiliated with Iran's Ministry of Intelligence and Security (MOIS). Active since at least 2022, UNC1860 has been identified as an initial access provider, facilitating unauthorized entry into high-profile networks, particularly in the Middle East. The group employs opportunistic exploitation of vulnerable internet-facing servers to deploy web shells and establish footholds within target environments.

Their toolkit includes specialized malware controllers, such as TEMPLEPLAY and VIROGREEN, which enable remote access via Remote Desktop Protocol (RDP) and facilitate post-exploitation activities like internal scanning and payload deployment. Notably, UNC1860 utilizes passive backdoors, including TEMPLEDOOR, FACEFACE, and SPARKLOAD, designed to maintain long-term, stealthy access without initiating outbound traffic, thereby evading detection. These capabilities underscore UNC1860's role in supporting various objectives, ranging from espionage to network attack operations.