Related names: Scarred Manticore, HTTPSnoop
UNC1860 is an Iranian state-sponsored threat actor, likely affiliated with Iran's Ministry of Intelligence and Security (MOIS). Active since at least 2022, UNC1860 operates as an initial access provider: it breaks into high-value networks, particularly in the Middle East, and hands that access on to other operations. The group opportunistically exploits vulnerable internet-facing servers, drops web shells, and uses them as footholds in the target environment.
Its toolkit includes purpose-built malware controllers such as TEMPLEPLAY and VIROGREEN, which provide remote access over Remote Desktop Protocol (RDP) and support post-exploitation tasks such as internal scanning and payload deployment. UNC1860 also relies on passive backdoors, including TEMPLEDOOR, FACEFACE, and SPARKLOAD, which are built for long-term, low-profile access: instead of beaconing out to a command-and-control server, they wait for the operator to connect in, so detections keyed on outbound traffic patterns do not see them. Together these capabilities let UNC1860 support objectives ranging from espionage to network attack operations.
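Because a passive backdoor waits for inbound connections rather than beaconing, hunting for it has to start from the host's own listening surface. The script below is an added example, not code from the page or from any UNC1860 tooling: it parses constructed `netstat -ano`-style output (with a process-name column assumed to have been added by the collector) and reports listeners that are not in a hypothetical baseline for an internet-facing web server. The port/process baseline and the sample lines are assumptions for illustration.

```python
"""Flag listening sockets on an internet-facing host that fall outside a baseline.

Added example (not from the original page). Sample input and the baseline
are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: `netstat -ano` style rows with a process-name column
# appended by an (assumed) collector script.
SAMPLE_NETSTAT = """\
TCP    0.0.0.0:80        0.0.0.0:0        LISTENING    1234  w3wp.exe
TCP    0.0.0.0:443       0.0.0.0:0        LISTENING    1234  w3wp.exe
TCP    0.0.0.0:3389      0.0.0.0:0        LISTENING    888   svchost.exe
TCP    0.0.0.0:8443      0.0.0.0:0        LISTENING    4321  svchost.exe
TCP    10.0.0.5:49822    203.0.113.9:443  ESTABLISHED  2222  chrome.exe
"""

# Hypothetical baseline for this host: (port, owning process) pairs expected
# to be listening on a public-facing IIS server with RDP enabled.
BASELINE = {
    (80, "w3wp.exe"),
    (443, "w3wp.exe"),
    (3389, "svchost.exe"),
}

# proto, local addr, local port, foreign addr (ignored), state, pid, process
LINE_RE = re.compile(
    r"^(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(\w+)\s+(\d+)\s+(\S+)$"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int
    process: str


def parse_listeners(text: str) -> list[Listener]:
    """Return only the rows in LISTENING state; other rows (and UDP rows,
    which carry no state column) are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, addr, port, state, pid, proc = m.groups()
        if state != "LISTENING":
            continue
        listeners.append(Listener(proto, addr, int(port), int(pid), proc))
    return listeners


def find_unexpected(listeners: list[Listener], baseline: set) -> list[Listener]:
    """Listeners whose (port, process) pair is not in the baseline. A known
    process on an unexpected port is still reported, since an implant can
    be loaded into a legitimate host process."""
    return [l for l in listeners if (l.port, l.process) not in baseline]


if __name__ == "__main__":
    for l in find_unexpected(parse_listeners(SAMPLE_NETSTAT), BASELINE):
        print(f"unexpected listener: {l.proto} {l.addr}:{l.port} pid={l.pid} {l.process}")
```

Two caveats a practitioner should keep in mind. First, the baseline must be per-host-role; a single generic allowlist will either drown you in noise or miss things. Second, this check only catches an implant that opens its own socket: a passive backdoor that sits behind an existing web server (a web shell, or a handler registered with the kernel HTTP listener) shows up under the web server's own port and process, so listener inventory has to be paired with review of the web server's registered URLs and handlers.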