UNC1860 is an Iranian state-sponsored threat actor, likely affiliated with Iran's Ministry of Intelligence and Security (MOIS). The group specializes in gaining persistent access to high-priority networks, especially in the government and telecommunications sectors in the Middle East. UNC1860 is believed to provide initial access to other actors, facilitating more destructive attacks. Researchers identified a range of specialized tools and backdoors that UNC1860 uses to establish long-term network access, emphasizing its role in espionage and potential cyber operations. Its techniques closely overlap with those of other known Iranian threat groups such as APT34.
UNC1860 employs a variety of tools, including two custom malware controllers: TEMPLEPLAY and VIROGREEN. TEMPLEPLAY is a GUI-based controller that manages the TEMPLEDOOR backdoor, offering capabilities such as command execution, file upload/download, and HTTP proxying to support remote access. VIROGREEN is designed for post-exploitation, targeting vulnerable SharePoint servers and executing various payloads. Both tools allow remote operators to manage infected systems even without prior knowledge of the compromised environment, providing a foothold for further attacks within the network.
The group's main strength lies in its ability to maintain long-term access through passive backdoors and specialized implants such as STAYSHANTE and SASHEYAWAY. These tools are stealthy and designed to evade detection, leveraging techniques such as encrypted HTTPS traffic and undocumented Windows kernel drivers (e.g., WINTAPIX and TOFUDRV). UNC1860 uses these implants to hide command-and-control traffic, making detection by standard network monitoring tools more difficult. Additionally, UNC1860 has demonstrated advanced reverse engineering skills, repurposing legitimate software, such as Iranian antivirus drivers, to shield its activities.