Meet UNC1860: Irans Low-Key Access Broker for State Hackers

Published: 23/11/2024   Category: security




The group has used more than 30 custom tools to target high-value government and telecommunications organizations on behalf of Iranian intelligence services, researchers say.



An advanced persistent threat (APT) tied to Iran's Ministry of Intelligence and Security (MOIS) is providing initial access services to a bevy of Iranian state hacking groups.
UNC1860 has been the gateway for attacks by notorious groups like Scarred Manticore and OilRig (aka APT34, Helix Kitten, Cobalt Gypsy, Lyceum, Crambus, or Siamesekitten). As Mandiant explained in a recent blog post, its focus is exclusively on breaching and establishing a foothold in potentially valuable networks across high-value sectors — government, media, academia, critical infrastructure, and particularly telecommunications — then handing over access to other Iranian nation-state actors.
Over the years, UNC1860 has teamed up for attacks against targets in Iraq, Saudi Arabia, and Qatar; aided in espionage of Mideast telecommunications companies; prepared the ground for wiper attacks in Albania and Israel; and more.
In March, Israel's National Cyber Directorate warned that wiper attacks were striking organizations across the country, including managed service providers, local governments, and academic institutions. Among the indicators of compromise (IoCs) were a Web shell called Stayshante and a dropper called Sasheyaway, just two of around 30 custom malware tools managed by UNC1860, the Mandiant report explained.
UNC1860 isn't the one doing the wiping, or any other disruptive, destructive, or otherwise exploitative behavior in a target's network. Its job is merely to gain that initial foothold, primarily by scanning for vulnerabilities in public-facing assets at targeted organizations, then dropping a series of increasingly serious and sophisticated backdoors.
Stayshante, Sasheyaway, and tools like it provide its first toe in the water, and can be used to download more substantial backdoors like Templedoor, Faceface, and Sparkload. For its highest-value targets, UNC1860 will deploy its most sophisticated, main-stage backdoors like Templedrop, or Oatboat, which loads and executes payloads such as Tofupipe and Tofuload, TCP-based passive listeners.
"To set up those listeners, they are not even leveraging regular Windows API calls — they actually leverage some undocumented tools of HTTP.sys, which is crazy," says Stav Shulman, senior researcher with Mandiant by Google Cloud.
"Most backdoors would leverage common API calling, so most engines would detect them," Shulman explains. "But if you are determined enough, and clever enough, and if you have extraordinary technical knowledge, you can leverage calls that are not documented by the Microsoft Developer Network (MSDN). So UNC1860 actually reverse engineered them themselves, so that you won't detect their calls."
Besides its lack of destructive behavior, there's another reason why you hear about Scarred Manticore, OilRig, and Shrouded Snooper, but rarely UNC1860: All of UNC1860's implants are entirely passive. It doesn't send any information out from target networks, and doesn't need to maintain any kind of command-and-control (C2) infrastructure.
"Most detections today are very focused on outbound communications, but UNC1860 just focuses on inbound requests," Shulman says. "That inbound traffic they listen to can come from any number of stealthy sources [including] VPN nodes in proximity to the target, other victims of prior attacks, and other locations in a target's network."
In 2020, for example, the group was observed using one of its victims' networks as a launch point to scan for potentially vulnerable IP addresses in Saudi Arabia, vet various accounts and email addresses associated with domains in Saudi Arabia and Qatar, and target VPN servers in the same region.
And, as Shulman notes, "To escalate the operation, they only need to send one command at any random point in time to activate the backdoor." Because the group's implants utilize HTTPS-encrypted traffic, victims will not be able to decrypt its commands or payloads.
Shulman advises organizations to focus on how best to vet incoming network traffic.
"How do we detect [malicious traffic]? How do we decide if incoming traffic is malicious or not?" Shulman says. "Because even [when UNC1860 is abusing] documented API calls that cybersecurity engines would catch, there's plenty of legitimate software that uses these same calls, so detecting malicious calls could be very confusing and have lots of false positives. Focusing on the incoming traffic is the key, I think, for detecting UNC1860's activity."
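One concrete way to act on that advice is to check a public-facing server's inbound request log for paths the application does not actually expose. The script below is an added example written for this article, not Mandiant's or Dark Reading's code; the IIS W3C log lines, the `/owa/` allowlist and the suspicious `192.0.2.44` entry are all constructed for illustration.

```python
"""Flag inbound web requests that fall outside a public-facing app's normal routes.

Added example for this article (not Mandiant tooling). It parses IIS W3C access
log lines and reports requests that were answered with 200 on a path the
application is not expected to serve: something answered there, so look at it.
"""

# Constructed sample log; the last line is a made-up suspicious request.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-03-01 08:00:01 GET /owa/auth/logon.aspx - 443 203.0.113.10 Mozilla/5.0 200
2024-03-01 08:00:03 POST /owa/auth.owa - 443 203.0.113.10 Mozilla/5.0 302
2024-03-01 08:00:09 GET /owa/ - 443 203.0.113.10 Mozilla/5.0 200
2024-03-01 08:05:00 GET /owa/auth/logon.aspx - 443 198.51.100.7 Mozilla/5.0 200
2024-03-01 08:06:12 GET /favicon.ico - 443 198.51.100.7 Mozilla/5.0 404
2024-03-01 13:41:17 POST /aspnet_client/system_web/x.aspx - 443 192.0.2.44 python-requests/2.31 200
"""

# Assumed per-deployment allowlist of path prefixes the application really serves.
KNOWN_PREFIXES = ("/owa/",)


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def find_unexpected(text, known_prefixes=KNOWN_PREFIXES):
    """Return (client, method, path, status) for served requests to unknown paths.

    Only status 200 is flagged: a 404 on an unknown path is ordinary scanner
    noise, but a 200 means a handler exists where the application has none.
    """
    findings = []
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"]
        if rec["sc-status"] == "200" and not path.startswith(known_prefixes):
            findings.append((rec["c-ip"], rec["cs-method"], path, rec["sc-status"]))
    return findings


if __name__ == "__main__":
    for hit in find_unexpected(SAMPLE_LOG):
        print("unexpected served path:", hit)
```

IIS only logs requests it handled itself; a process that registers its own URL prefix directly with HTTP.sys on the same port receives those requests without IIS ever seeing them, so pair this log check with an inventory of HTTP.sys URL registrations (for example, the output of `netsh http show servicestate`).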
