{
	"id": "be886ffd-05cf-43c6-935a-cf6146a2c83b",
	"created_at": "2026-04-06T00:06:43.2597Z",
	"updated_at": "2026-04-10T13:12:42.909334Z",
	"deleted_at": null,
	"sha1_hash": "312b920fd532d17e43869e8839f7a70f88117179",
	"title": "UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 879732,
	"plain_text": "UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle\r\nEastern Networks\r\nBy Mandiant\r\nPublished: 2024-09-19 · Archived: 2026-04-05 17:24:48 UTC\r\nWritten by: Stav Shulman, Matan Mimran, Sarah Bock, Mark Lechtik\r\nExecutive Summary\r\nUNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s\r\nMinistry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling\r\nand passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial\r\naccess provider and its ability to gain persistent access to high-priority networks, such as those in the government\r\nand telecommunications space throughout the Middle East.\r\nUNC1860’s tradecraft and targeting parallels with Shrouded Snooper, Scarred Manticore, and Storm-0861, Iran-based threat actors publicly reported to have targeted the telecommunications and government sectors in the\r\nMiddle East. These groups have also reportedly provided initial access for destructive and disruptive operations\r\nthat targeted Israel in late October 2023 with BABYWIPER and Albania in 2022 using ROADSWEEP. Mandiant\r\ncannot independently corroborate that UNC1860 was involved in providing initial access for these operations.\r\nHowever, we identified specialized UNC1860 tooling including GUI-operated malware controllers, which are\r\nlikely designed to facilitate hand-off operations, further supporting the initial access role played by UNC1860.\r\nUNC1860 additionally maintains an arsenal of utilities and collection of “main-stage” passive backdoors designed\r\nto gain strong footholds into victim networks and establish persistent, long-term access. 
Among these main-stage\r\nbackdoors is a Windows kernel-mode driver repurposed from a legitimate Iranian anti-virus software filter\r\ndriver, reflecting the group’s ability to reverse engineer Windows kernel components and evade\r\ndetection. These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports\r\nvarious objectives ranging from espionage to network attack operations. As tensions continue to ebb and flow in\r\nthe Middle East, we believe this actor’s adeptness in gaining initial access to target environments represents a\r\nvaluable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift. \r\nTeamwork Makes the Dream Work: UNC1860’s Role as an Initial Access Provider \r\nMandiant identified two custom, GUI-operated malware controllers tracked as TEMPLEPLAY and VIROGREEN\r\nthat we assess were used to provide a team outside of UNC1860 remote access to victim networks. This tooling,\r\ncoupled with public reporting and evidence suggesting that the group collaborates with MOIS-affiliated groups\r\nsuch as APT34, strengthens the assessment that UNC1860 acts as an initial access agent.\r\nUsing Sustained Access to Support Initial Access Operations\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 1 of 25\n\nIn 2020, Mandiant responded to an engagement in which UNC1860 used the victim’s network as a staging area to\r\nconduct additional scanning and exploitation operations against unrelated entities. The actor was observed\r\nscanning IP addresses predominantly located in Saudi Arabia in an attempt to identify exposed vulnerabilities.\r\nUNC1860 also used a command-line tool to validate credentials of accounts and email addresses across multiple\r\ndomains belonging to Qatari and Saudi Arabian entities, and later targeted VPN servers of entities in the region. 
\r\nUNC1860 Overlaps with APT34 \r\nMandiant responded to several engagements in 2019 and 2020 in which organizations compromised by suspected\r\nAPT34 actors were previously compromised by UNC1860. Similarly, organizations previously compromised by\r\nsuspected APT34 actors were later compromised by UNC1860, suggesting the group may play a role in assisting\r\nwith lateral movement. Mandiant additionally identified recent indications of operational pivoting to Iraq-based\r\ntargets by both APT34-related clusters and UNC1860. \r\nWeb Shells and Droppers \r\nUNC1860 web shells and droppers, such as STAYSHANTE and SASHEYAWAY, which the group deploys on\r\ncompromised servers after gaining initial access, have the potential to be used in hand-off operations\r\nbased on their functionality. In March 2024, the Israeli National Cyber Directorate was alerted to wiper activity\r\ntargeting Israeli entities across various sectors, including managed service providers, local governments,\r\nand academia; technical indicators included the unique STAYSHANTE web shell and the SASHEYAWAY\r\ndropper we attribute to UNC1860.\r\nSTAYSHANTE is typically installed using names masquerading as Windows server file names or\r\ndependencies, and is controlled by the VIROGREEN custom framework described below.\r\nSASHEYAWAY has a low detection rate that allows for the smooth execution of full passive backdoors,\r\nsuch as TEMPLEDOOR, FACEFACE, and SPARKLOAD, embedded within it. \r\nCustom, GUI-Operated Malware Controllers\r\nUNC1860 GUI-operated malware controllers TEMPLEPLAY and VIROGREEN could provide third-party actors\r\nwho have no previous knowledge of the target environment the ability to remotely access infected networks via\r\nRDP and to control previously installed malware on victim networks with ease. 
These controllers additionally\r\ncould provide third-party operators an interface that walks operators through how to deploy custom payloads and\r\nperform other operations such as conducting internal scanning and exploitation within the target network.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 2 of 25\n\nFigure 1: Illustration of collaborator actor's command and control (C2 or C\u0026C) used to utilize existing UNC1860\r\nimplant infrastructure in compromised network\r\nTEMPLEPLAY Controller\r\nTEMPLEPLAY (MD5: c517519097bff386dc1784d98ad93f9d ) is a .NET-based controller for the TEMPLEDOOR\r\npassive backdoor. It is internally named Client Http and consists of several tabs, each one facilitating control of a\r\nseparate backdoor command.\r\nThe Command Prompt Tab (Figure 2) sends a command line to execute on the target host. The default command is\r\ncmd /c 2 \u003e \u00261 with parameter whoami.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 3 of 25\n\nFigure 2: TEMPLEPLAY GUI, Command Prompt Tab\r\nThe Upload File Tab (Figure 3) sends a file from a local path to a target path on the remote machine using a POST\r\nrequest. The default target path is C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server\r\nExtensions\\15\\TEMPLATE\\LAYOUTS .\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 4 of 25\n\nFigure 3: Upload File Tab\r\nThe Download File Tab (Figure 4) is used to obtain a file from a given path on the infected machine. 
The default\r\npath on the infected machine is C:\\Programdata\\1.txt.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 5 of 25\n\nFigure 4: Download File Tab\r\nThe Http Proxy Tab (Figure 5) allows a remote machine infected with TEMPLEDOOR to be used as a middlebox\r\nthat forwards data to a chosen target server. It appears that it is primarily intended to facilitate an RDP connection\r\nwith the target server, most likely in cases where the latter is not accessible directly over the internet due to\r\nnetwork boundaries (such as a NAT or a firewall), but may be accessible via the TEMPLEDOOR infected\r\nmachine.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 6 of 25\n\nThe URLs Tab (Figure 6) includes URL endpoints that are used when connecting to the infected machine. An\r\nendpoint string is chosen at random from the lists defined in this tab. These endpoints correspond to the ones that\r\nare defined in the TEMPLEDOOR sample ( MD5: c57e59314aee7422e626520e495effe0 ).\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 7 of 25\n\nThe TEMPLEPLAY GUI also includes a Test Backdoor link, which creates a GET request with the string\r\nwOxhuoSBgpGcnLQZxipa as the relative URI and checks for the string UsEPTIkCRUwarKZfRnyjcG13DFA in the\r\nresponse. 
This corresponds to an echo \\ ping mechanism that was seen in use in the TEMPLEDOOR samples\r\n( MD5:b219672bcd60ce9a81b900217b3b5864 )and MD5:c57e59314aee7422e626520e495effe0 ).\r\nAdditional links include the Explore link that opens a new Explorer window in the host where the controller runs,\r\nand the Http Setting link points to a set of configuration parameters that pertain to the HTTP requests sent between\r\nthe controller and the TEMPLEDOOR passive backdoor.\r\nVIROGREEN Controller\r\nVIROGREEN is a custom framework used to exploit vulnerable SharePoint servers with CVE-2019-0604 (Figure\r\n7). The framework provides post-exploitation capabilities including scanning for and exploiting CVE-2019-0604;\r\ncontrolling post-exploitation payloads, backdoors (including the STAYSHANTE web shell and the BASEWALK\r\nbackdoor) and tasking; controlling a compatible agent regardless of how the agent has been implanted; and\r\nexecuting commands and uploading/downloading files.\r\nAdditional details on TEMPLEPLAY and VIROGREEN can be found in the Technical Annex.\r\nUNC1860 Malware: Gaining Persistent Access \r\nUNC1860 gains initial access to victim environments in an opportunistic manner via the exploitation of vulnerable\r\ninternet-facing servers leading to web shell deployment. After obtaining an initial foothold, the group typically\r\ndeploys additional utilities and a selective suite of passive implants that are designed to be stealthier than common\r\nbackdoors. These provide a higher degree of operational security by removing the dependency for classic C2\r\ninfrastructure, making detection more difficult for network defenders. 
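Added here as a worked example; this is not code from the Mandiant post and not UNC1860 tooling. It inverts the Test Backdoor handshake described above (a GET whose relative URI is wOxhuoSBgpGcnLQZxipa, answered with UsEPTIkCRUwarKZfRnyjcG13DFA) into two defender-side checks: an active probe with the same shape as the controller's request, and a scan of HTTP transaction records for that handshake. The record format and the sample records are constructed for illustration, and the listener path prefix is left as a parameter because the post only says endpoint strings are chosen at random from the lists in the controller's URLs tab. One caveat the comments repeat: a .NET HttpListener (the {0}://+:{1}/{2}/ prefix seen in the TEMPLEDOOR YARA rule) registers its URL prefixes with HTTP.sys rather than with an IIS site, so the implant's traffic does not appear in IIS site logs; netsh http show servicestate lists the registered URLs on the host, and network-side records such as those below are the other place to look.

```python
# Added example (not from the Mandiant post and not UNC1860 tooling): the
# TEMPLEDOOR echo handshake turned into two defender-side checks.
# Facts taken from the post: the controller's Test Backdoor link sends a GET
# whose relative URI is wOxhuoSBgpGcnLQZxipa and looks for
# UsEPTIkCRUwarKZfRnyjcG13DFA in the reply; TEMPLEDOOR listens through a .NET
# HttpListener prefix of the form {0}://+:{1}/{2}/.
# Assumptions: the record format and the sample records below are constructed;
# the listener path prefix is a parameter because the post only says endpoint
# strings are picked at random from lists in the controller's URLs tab.
from dataclasses import dataclass

ECHO_URI = 'wOxhuoSBgpGcnLQZxipa'            # relative URI sent by Test Backdoor
ECHO_REPLY = 'UsEPTIkCRUwarKZfRnyjcG13DFA'   # marker expected in the response


@dataclass(frozen=True)
class Hit:
    client: str
    server: str
    port: int
    path: str
    confirmed: bool   # True when the response carried ECHO_REPLY


def build_probe(host: str, port: int, prefix: str = '') -> bytes:
    # Raw HTTP/1.1 request with the same shape as the controller's Test Backdoor
    # link. prefix is the {2} path segment of the implant's listener, if known.
    segments = [s for s in (prefix.strip('/'), ECHO_URI) if s]
    path = '/' + '/'.join(segments)
    crlf = chr(13) + chr(10)
    request = [f'GET {path} HTTP/1.1', f'Host: {host}:{port}', 'Connection: close', '', '']
    return crlf.join(request).encode('ascii')


def is_echo_reply(body: bytes) -> bool:
    # A live TEMPLEDOOR listener answers the probe with the marker embedded in an
    # HTML page; any other server (or a 404 from IIS) lacks it.
    return ECHO_REPLY.encode('ascii') in body


# Constructed sample of HTTP transaction records from a network sensor or reverse
# proxy: client|server|port|method|path|status|body. A .NET HttpListener
# registers its prefixes with HTTP.sys, not with an IIS site, so the implant's
# requests do not show up in IIS site logs; capture them upstream instead.
SAMPLE_RECORDS = '''
10.0.0.5|192.168.1.20|443|GET|/sharepoint/wOxhuoSBgpGcnLQZxipa|200|<html><head></head><body>UsEPTIkCRUwarKZfRnyjcG13DFA</body></html>
10.0.0.7|192.168.1.20|443|GET|/_layouts/15/start.aspx|200|<html>portal</html>
172.16.4.9|192.168.1.21|80|GET|/api/wOxhuoSBgpGcnLQZxipa|404|Not Found
10.0.0.7|192.168.1.22|443|POST|/owa/auth.owa|302|
'''


def scan_records(text: str) -> list:
    # Flag every request for the echo URI. A marker in the reply confirms a live
    # listener at that host:port; a request without one is still worth a look,
    # because a controller probing for implants produces exactly that pattern.
    hits = []
    for raw in text.strip().splitlines():
        fields = raw.split('|', 6)
        if len(fields) != 7:
            continue   # malformed record: skip rather than crash the hunt
        client, server, port, method, path, status, body = fields
        if method == 'GET' and path.rstrip('/').endswith('/' + ECHO_URI):
            hits.append(Hit(client, server, int(port), path, ECHO_REPLY in body))
    return hits


if __name__ == '__main__':
    for hit in scan_records(SAMPLE_RECORDS):
        state = 'CONFIRMED' if hit.confirmed else 'probe-only'
        print(f'{state}: {hit.client} -> {hit.server}:{hit.port} {hit.path}')
```

The probe-only hits matter as much as the confirmed one: a controller handed to a third-party team will test each candidate host before tasking it, so a burst of GETs for the echo URI from one client, across several internal servers, is the hand-off pattern the post describes even when no implant answers.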
Cisco and Check Point have provided\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 8 of 25\n\nextensive analysis on UNC1860’s passive implants that correspond to OATBOAT, a loader that loads and executes\r\nshellcode payloads; Fortinet additionally provided analysis regarding the Windows kernel driver, WINTAPIX,\r\nwhich has similar code to a malicious driver we track as TOFUDRV (Figure 8 and Figure 9). \r\nA key feature of UNC1860 includes its maintenance of this diverse collection of passive/listener-based utilities\r\nthat support the group’s initial access and lateral movement goals. We believe the group additionally maintains a\r\nsmaller collection of “main-stage” backdoors that have greater capabilities than the usual web shells and small\r\n.NET utilities that may be deployed for select high-priority victims in the telecommunications sector. These\r\nimplants demonstrate the group’s keen understanding of the Windows operating system (OS) and network\r\ndetection solutions, reverse engineering capabilities of Windows kernel components, and detection evasion\r\ncapabilities. \r\nPassive implants do not initiate outbound traffic from the victim network to a C2 server. Further, the\r\ninbound traffic containing commands or payloads can arrive from any volatile source (e.g., VPN nodes\r\nwithin the target country, from another victim, or even internally from another part of the victim network).\r\nThis makes network monitoring more difficult. 
Web shells and passive implants leverage HTTPS-encrypted traffic, so commands and payloads cannot be extracted from captured network traffic without TLS inspection.\r\nBoth passive implants TOFUDRV and TOFULOAD leverage undocumented Input/Output Control (IOCTL)\r\ncommands for communication, which requires knowledge of the OS and can lower the chances of this\r\ntraffic being detected by endpoint detection and response (EDR) solutions.\r\nLoading drivers is a \"high risk / high reward\" situation, as loading them without causing a critical error\r\nscreen requires extensive knowledge both of OS internals and of the victim environment; however, using\r\nthem promises lower detection rates and possibilities akin to filter drivers, which act as middlemen\r\nallowing for the inspection, modification, or blocking of network traffic before it reaches the device or\r\napplication, as well as of assets like file system objects and registry entries. \r\nThe passive backdoor TEMPLEDROP repurposed an Iranian AV software Windows file system filter\r\ndriver named Sheed AV (MD5: 0c93cac9854831da5f761ee98bb40c37) for the purpose of protecting some\r\nof the files it deploys, as well as its own file, from modification.\r\nA .NET-based utility for defense evasion tracked as TEMPLELOCK was observed being implemented in\r\nboth foothold utilities such as ROTPIPE and more complex passive implants such as TEMPLEDROP.\r\nTEMPLELOCK is capable of terminating threads associated with the Windows Event Log service and\r\nrestarting the service’s operation on demand.\r\nFigure 8: Driver file protection logic in WINTAPIX (MD5: 286bd9c2670215d3cb4790aac4552f22)\r\nFigure 9: Driver file protection logic in TOFUDRV (MD5: b4b1e285b9f666ae7304a456da01545e)\r\nUNC1860 Unique Artifacts Suggest 
Consistent Development Support\r\nIn addition to the previous observations, we identified the following recurring artifacts related to the group’s\r\nindependent implementation of Base64 encoding/decoding and XOR encryption/decryption in .NET code, despite\r\nthese functions being available in the built-in .NET libraries. \r\nThe intent of the independent implementation of these functions is not entirely clear. Nevertheless, it is highly\r\nlikely that using such custom libraries bypasses common detections by EDRs and other security tools, namely detections\r\ndesigned to identify combinations of API calls commonly seen in malware. Additionally, using these\r\ncustom libraries may allow better compatibility if any of the built-in functions change in a specific\r\n.NET version, ensuring the group’s tooling is always compatible with its encryption and encoding schemes, and may\r\nfurther help evade detection.\r\nWe observed the same encoding method using the Base64 algorithm to encode and decode data sent\r\nbetween controllers and proxy servers. In several cases, we identified the reuse of a seemingly misspelled\r\nBase64 DLL using the name “bsae64” in both foothold utilities deployed via SASHEYAWAY and passive\r\nimplants including TEMPLEDOOR. \r\nWe observed the same rolling encryption module, XORO (MD5:\r\n57cd8e220465aa8030755d4009d0117c), dropped by the TANKSHELL utility; the TUNNELBOI network\r\ntunneller, capable of establishing a connection with a remote host, managing web shells on the network, and\r\ncreating RDP connections; and the TEMPLEPLAY controller. \r\nFoothold Utilities, Backdoors, and Malware Used for Longer-Term Persistence\r\nMandiant is tracking multiple foothold utilities and backdoors used in UNC1860 initial access operations. These\r\ngenerally use custom obfuscation methods that can lower detection rates and make analysis more difficult by\r\nrenaming strings and function names.  
Additionally, we are tracking numerous code families that we consider to\r\nbe UNC1860 “main-stage” implants that further increase the group’s persistence in victim environments. \r\nPlease see the Technical Annex for more information. \r\nAdditional Protection Information for Google Cloud Customers\r\nFor Google SecOps Enterprise+ customers, SecOps rules have been released to the Emerging Threats rule pack,\r\nand IOCs listed in this blog post are available for prioritization with Applied Threat Intelligence.\r\nIndicators of Compromise (IOCs)\r\nA Google Threat Intelligence Collection featuring IOCs related to the activity described in this post is now\r\navailable for registered users.\r\nMD5 Hashes\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 11 of 25\n\n1176381da7dea356f3377a59a6f0e799 41f4732ed369f2224a422752860b0bc5\r\n4029bc4a06638bb9ac4b8528523b72f6 126bc1c30fba27f8bf67dce4892b1e8c\r\n0c9ff0db00f04fd4c6a9160bffd85a1d a7693e399602eb79db537c5022dd1e01\r\nd9719f6738dbfaa21be7f184512fe074 17b27e6aa0ab6501f11bb4d2e0f829ff\r\n4dd6250eb2d368f500949952eb013964 69fd67c115349abb4a313230a1692642\r\n7f5f5f290910d256e6b012f898c88bf3 c90ec587e3333dabb647ebc182673460\r\nefe8043e1b4214640c5f7b5ddf737653 a90236e4962620949b720f647a91f101\r\nb26d54b7da7b2bf600104f69da4ea00f d87ca3f830b8b53fde358bb64900f6af\r\nc50ae2c4b76f0d5724ec240568c78c4f 57cd8e220465aa8030755d4009d0117c\r\n4b2c78bb2c439998cff0cc097a14b942 4abcf21b63781a53bbc1aa17bd8d2cbc\r\na3ea0d13848a104c28d035a9d518acc2 bd6464f12bb6f7f02b6ffebb363d8e5f\r\nf89be788e4adf665acf1a8ef8fcaa133 f292e61774c267c3787fdfcace50ea7b\r\nc11a4e4a2d484513f79bd127a0387b0c 14e54ff4805840e656efb8cd38de4751\r\n3d5d05f230ae702c04098de512d93d48 a038975255d3dda636d86ccd307f7838\r\n31f2369d2e38c78f5b3f2035dba07c08 c21eefc65cda49f17ddd1d243a7bffb5\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 12 of 
25\n\nc8fa0ce3ae6a13af640607ea606c55f9 2cece71e107d12ffd74b2fb24bf339a6\r\nfa1c6f7a5e02374b9d33de2578cb3399 1e896f026246872b2feb4f8e3e093815\r\n57c916da83cc634af22bde0ad44d0db3 07db3058e32fe5f36823dc7092cd7d5b\r\n3dd829fb27353622eff34be1eabb8f18 1e6679cd25d1bb127a0bec665adcf21e\r\n2e803d28809be2a0216f25126efde37b 2398a83f10329a107801d3d23d06f7cb\r\n73fb0fe5cd96a14a4f85639223aec6a8 85427a8a47c4162b48d8dfb37440665d\r\na500561c0b374816972094c2aa90da2a a65ee1a82975ee4c8d4e70219e1bfff5\r\nce537dd649a391e52c27a3f88a0a8912 e67687b4443f58d2b0a465e3af3caffe\r\nb34883fb1630db43e06a38cebfa0bce2 46804472541ed61cc904cd14be18fe1d\r\n4de802f7e61cb8c820a02e042b58b215 929b12bc9f9e5f8e854de1d46ebf40d9\r\nf0dfb7bf01c0412891da8fa2702f4c7b b219672bcd60ce9a81b900217b3b5864\r\nfc90907e70f18c7f6a6b9d9599b6f97c d1e45afbfd3424612b4a4218cc7357ef\r\nda0085a97c38ead734885e5cced1847f 490590bfdeeedf44b3ae306409bb0d03\r\ne86e885e6c96ac72482741d8696c17fb ca3f0d25f7da0e8cde8e1f367451c77a\r\n7b2fa099d51fa3885766f6d60d768748 6626dbe74acd15d06ff6900071ef240c\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 13 of 25\n\nYARA Rules\r\nrule M_Autopatt_DropperMemonly_WINTAPIX_1 {\r\n meta:\r\n author = Mandiant\r\n description = \"wintapix malware family\"\r\n created = \"06/26/2023\"\r\n modified = \"06/26/2023\"\r\n version = \"1.0\"\r\n strings:\r\n $p00_0 = {84ec5ff5f84863f6e9[4]66458b65??4981c5[4]4d0faccf}\r\n $p00_1 = {0f16c00f11014c03c14883c1??\r\n4883e1??4c2bc14d8bc849c1e9??74}\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n (\r\n ($p00_0 in (660000..690000) and $p00_1 in (9700..20000))\r\n )\r\n}\r\nimport \"pe\"\r\nrule M_WINTAPIX_StringDecodingMethod_1 {\r\n meta:\r\n author = Mandiant\r\n hash1 = \"286bd9c2670215d3cb4790aac4552f22\"\r\n hash2 = \"4dd6250eb2d368f500949952eb013964\"\r\n desc = \"Detects the byte pattern of a string decoding\r\nmethod found in the WINTAPIX driver image\"\r\n 
strings:\r\n $a1 = { 48 89 54 24 10 48 89 4C 24 08 48 83 EC 18 C7\r\n04 24 00 00 00 00 48 63 04 24 48 8B 4C 24 ?? 0F BE 04 01\r\n48 8B 4C 24 ?? 0F B6 49 ?? 33 C1 48 63 0C 24 48 8B 54 24\r\n?? 88 04 0A 8B 04 24 FF C0 89 04 24 8B 04 24 FF C8 48 98\r\n48 8B 4C 24 ?? 0F B6 04 01 85 C0 75 }\r\n condition:\r\n uint16(0) == 0x5A4D and\r\n filesize \u003c 1MB and\r\n pe.subsystem == pe.SUBSYSTEM_NATIVE and\r\n all of them\r\n}\r\nimport \"pe\"\r\nrule M_WINTAPIX_PaddedStrings_1 {\r\n meta:\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 14 of 25\n\nauthor = Mandiant\r\n hash1 = \"286bd9c2670215d3cb4790aac4552f22\"\r\n hash2 = \"4dd6250eb2d368f500949952eb013964\"\r\n desc = \"Detects unique strings found in the WINTAPIX\r\ndriver image\"\r\n strings:\r\n $a1 = { CC CC CC CC CC CC CC 4E 74 44 65 6C 61 79\r\n45 78 65 63 75 74 69 6F 6E 00 }\r\n $a2 = { CC CC CC CC CC 5C 00 }\r\n $a3 = \"InitSafeBootMode\" ascii fullword\r\n condition:\r\n uint16(0) == 0x5A4D and\r\n pe.subsystem == pe.SUBSYSTEM_NATIVE and\r\n filesize \u003c 1MB and\r\n (\r\n (\r\n all of them and\r\n #a2 == 2\r\n ) or\r\n pe.imphash() == \"8d070a93a45ed8ba6dba6bfbe0d084e7\"\r\n )\r\n}\r\nimport \"dotnet\"\r\nrule M_UNC1860_TEMPLEDOOR_Strings_1 {\r\n meta:\r\n author = Mandiant\r\n date = \"28/02/2024\"\r\n hash1 = \"caffdb648a0a68cd36694f0f0c7699d7\"\r\n desc = \"Detects the TEMPLEDOOR family based on\r\nunique strings\"\r\n comment = \"Triggers on TUNNELBOI sample\r\nc517519097bff386dc1784d98ad93f9d\"\r\n strings:\r\n $url = \"{0}://+:{1}/{2}/\" wide fullword\r\n $a1 = \"+CjxoZWFkPgo8bWV0YSBodHRwLWVxdWl2\r\nPSJDb250ZW50LVR5cGUiIGNvbnRlbnQ9InRleHQvaHRtb\r\nDsgY2hhcnNldD1pc28tODg1OS0xIi8\" wide\r\n $b1 = \"Jet\" wide fullword\r\n $b2 = \" Ver\" wide fullword\r\n $b3 = \"CmD\" wide fullword\r\n $c1 = \"Command\" wide fullword\r\n $c2 = \"Upload\" wide fullword\r\n $c3 = \"Download\" wide fullword\r\n $c4 = \"Load\" wide fullword\r\n $c5 = \"Rundll\" 
wide fullword\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 15 of 25\n\n$c6 = \"ERROR\" wide fullword\r\n condition:\r\n int16(0) == 0x5a4d and\r\n uint32(uint32(0x3C)) == 0x00004550 and\r\n dotnet.is_dotnet and\r\n $url and\r\n (\r\n $a1 or\r\n 2 of ($b*) or\r\n 5 of ($c*)\r\n )\r\n}\r\nimport \"dotnet\"\r\nrule M_UNC1860_TEMPLEDOOR_BytePatterns_1 {\r\n meta:\r\n author = Mandiant\r\n date = \"28/02/2024\"\r\n hash1 = \"caffdb648a0a68cd36694f0f0c7699d7\"\r\n desc = \"Detects the TEMPLEDOOR family based\r\non unique byte patterns\"\r\n comment = \"Triggers on TUNNELBOI sample\r\nc517519097bff386dc1784d98ad93f9d and on WINPAY\r\nsample b219672bcd60ce9a81b900217b3b5864\"\r\n strings:\r\n $encode_msil = { 7E ?? ?? 00 04 1F 41 1F 61 6F ??\r\n?? 00 0A D2 0A 02 2C 07 02 8E 16 FE 03 2B 01 16 2C 69\r\n16 0B 2B 0F 02 07 02 07 91 06 61 19 58 D2 9C 07 17 58\r\n0B 07 02 8E 69 FE 04 2D E9 02 28 ?? ?? 00 0A } // Packet\r\nencoding method MSIL\r\n $encryption_key = { 54 62 2d 0c 03 45 49 15 2b 43\r\n59 4a 4e 0c 40 }\r\n condition:\r\n int16(0) == 0x5a4d and\r\n uint32(uint32(0x3C)) == 0x00004550 and\r\n dotnet.is_dotnet and\r\n any of them\r\n}\r\nrule M_OBFUSLAY_UNC1860_1 {\r\n meta:\r\n desc = \"Detects the UNC1860 OBFUSLAY malware by its\r\nstring decryption method\"\r\n rs1 = \"b66919a18322aa4ce2ad47d149b7fe38063cd3cfa2\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 16 of 25\n\ne4062cd1a01ad6b3e47651\"\r\n strings:\r\n $a1 = {\r\n FE 09 00 00\r\n 6F ?? 00 00 0A\r\n FE 0E 00 00\r\n FE 0C 00 00\r\n 20 02 00 00 00\r\n 5B\r\n 8D ?? 00 00 01\r\n FE 0E 01 00\r\n 20 00 00 00 00\r\n FE 0E 04 00\r\n 38 39 00 00 00\r\n FE 0C 01 00\r\n FE 0C 04 00\r\n 20 02 00 00 00\r\n 5B\r\n FE 09 00 00\r\n FE 0C 04 00\r\n 20 02 00 00 00\r\n 6F ?? 00 00 0A\r\n 20 10 00 00 00\r\n 28 ?? 
00 00 0A\r\n 9C\r\n FE 0C 04 00\r\n 20 02 00 00 00\r\n 58\r\n FE 0E 04 00\r\n FE 0C 04 00\r\n FE 0C 00 00\r\n 3F BA FF FF FF\r\n FE 0C 01 00\r\n }\r\n condition:\r\n uint16(0) == 0x5A4D and\r\n all of them\r\n}\r\nrule M_APT_CRYPTOSLAY_UNC1860_1 {\r\n meta:\r\n desc = \"Detects the UNC1860 CRYPTOSLAY malware by its\r\nstring decryption method\"\r\n rs1 = \"3F2FD2DFD27BF3CAFCBF0946E308832E11A1D9C1\r\nD98FB04AC848E023E6720F53\"\r\n rs2 = \"5c1a42e9baaec115df337d2f4a9dcce8d73f29375921\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 17 of 25\n\n827e367fcba8499cdfa2\"\r\n strings:\r\n $a1 = {\r\n FE 09 00 00\r\n 6F ?? 00 00 0A\r\n FE 0E 00 00\r\n FE 0C 00 00\r\n 20 02 00 00 00\r\n 5B\r\n 8D ?? 00 00 01\r\n FE 0E 01 00\r\n 20 00 00 00 00\r\n FE 0E 04 00\r\n 38 39 00 00 00\r\n FE 0C 01 00\r\n FE 0C 04 00\r\n 20 02 00 00 00\r\n 5B\r\n FE 09 00 00\r\n FE 0C 04 00\r\n 20 02 00 00 00\r\n 6F ?? 00 00 0A\r\n 20 10 00 00 00\r\n 28 ?? 00 00 0A\r\n 9C\r\n FE 0C 04 00\r\n 20 02 00 00 00\r\n 58\r\n FE 0E 04 00\r\n FE 0C 04 00\r\n FE 0C 00 00\r\n 3F BA FF FF FF\r\n 28 ?? 00 00 0A\r\n }\r\n $a2 = {\r\n FE 09 00 00\r\n 6F ?? 00 00 0A\r\n FE 0E 00 00\r\n FE 0C 00 00\r\n 20 02 00 00 00\r\n 5B\r\n 8D ?? 00 00 01\r\n FE 0E 01 00\r\n 20 00 00 00 00\r\n FE 0E 06 00\r\n 38 39 00 00 00\r\n FE 0C 01 00\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 18 of 25\n\nFE 0C 06 00\r\n 20 02 00 00 00\r\n 5B\r\n FE 09 00 00\r\n FE 0C 06 00\r\n 20 02 00 00 00\r\n 6F ?? 00 00 0A\r\n 20 10 00 00 00\r\n 28 ?? 
00 00 0A\r\n 9C\r\n FE 0C 06 00\r\n 20 02 00 00 00\r\n 58\r\n FE 0E 06 00\r\n FE 0C 06 00\r\n FE 0C 00 00\r\n FE 04\r\n FE 0E 07 00\r\n FE 0C 07 00\r\n 3A B0 FF FF FF\r\n }\r\n condition:\r\n uint16(0) == 0x5A4D and\r\n any of them\r\n}\r\nrule M_Autopatt_DropperMemonly_OATBOAT_1 {\r\n meta:\r\n author = \"autopatt\"\r\n description = \"oatboat malware family\"\r\n created = \"02/09/2024\"\r\n modified = \"02/09/2024\"\r\n version = \"1.0\"\r\n strings:\r\n $p00_0 = {48897c24??55488bec4883ec??488bf9c745[5]33d\r\nbc745[5]488d4d}\r\n $p00_1 = {443ac975??48ffc64883c3??493bf372??498b42??4885c075}\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n (\r\n ($p00_0 in (250..6500) and $p00_1 in (0..6000))\r\n )\r\n}\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 19 of 25\n\nrule SASHEYAWAY_Strings_1 {\r\n meta:\r\n desc = \"Strings observed in the webshell loader\"\r\n rs1 = \"2538767f13218503bccf31fccb74e753199\r\n4b69a36a3780b53ba5020d938af20\"\r\n strings:\r\n $ = \"FromBase64String\"\r\n $ = \"Page Language=\\\"C#\\\"\"\r\n $ = \"private static System.Reflection.Assembly\"\r\n $ = \"Page_Load\"\r\n $ = \"System.Reflection.MethodInfo\"\r\n $ = \"Activator.CreateInstance\"\r\n $ = \"Invoke\"\r\n condition:\r\n all of them\r\n}\r\nrule M_Hunting_Backdoor_TOFULOAD_1 {\r\n meta:\r\n author = Mandiant\r\n date_created = \"2023-08-15\"\r\n date_modified = \"2023-08-15\"\r\n description = \"This is a hunting rule to look for TOFULOAD\r\nbackdoor used by UNC1860\"\r\n md5 = \"d1ce3117060e85247145c82005dda985\"\r\n strings:\r\n $s1 = {66 77 88 99 48 8D [2] C7 [2] 52 74 6C 52}\r\n // 0x99887766; LEA ??, ??; MOV ??, 'RltR';\r\n $s2 = {B8 E1 83 0F 3E F7 [1] C1 [1] 03 0F [2] 6B [1] 21}\r\n // MOV ??, 0x3E0F83E1; MUL ??, ??; SHR ??, 03; MOVZX ??, ??;\r\nIMUL ??, ??, 21;\r\n $s3 = {FF [1] 40 [2] 43 32 [2] 41 88 [3] 44 8B [1] 4D [2] 7C} //\r\nINC ??; MOV ??, ??; XOR ??, ??; MOV ??, ??; MOV 
??, ??; CMP ??, ??; JL\r\n condition:\r\n filesize \u003c 50KB and\r\n any of them\r\n}\r\nimport \"dotnet\"\r\nrule M_UNC1860_TEMPLEDROP_Strings_2 {\r\n meta:\r\n author = Mandiant\r\n date = \"28/02/2024\"\r\n hash1 = \"6d3041b89484c273376e5189e190d235\"\r\n desc = \"Detects the TEMPELDROP family based on unique strings\"\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en\r\nPage 20 of 25\n\ncomment = \"Triggers on TEMPLEDOOR controller sample c517519\r\n097bff386dc1784d98ad93f9d\"\r\n strings:\r\n $a1 = \"Nothing changed :D\" wide fullword\r\n $a2 = \"Access: KO\" wide fullword\r\n $a3 = \"Eventlog stoped.\" wide fullword\r\n $b1 = \"The Microsoft Exchange Self Protection Driver.\" wide fullword\r\n $b2 = \"The Microsoft Exchange Filter Driver.\" wide fullword\r\n $c1 = \"Create RegKey: \" wide\r\n $c2 = \"Create Service: \" wide\r\n $c3 = \"Test Event lock: \" wide\r\n $c4 = \"Test http listner: \" wide\r\n $c5 = \"Test IO Changes: \" wide\r\n $c6 = \"Test 'Event lock': \" wide\r\n $d1 = \"no active http port to listen.\" wide\r\n $d2 = \"Prefixes.Add Error , \" wide\r\n $d3 = \"' driver service created and started.\" wide\r\n $d4 = \"' service started.\" wide\r\n $d5 = \"Unhandled exception on create reg key \" wide\r\n $d6 = \"Failed to change file 'CreationTime'.\" wide\r\n condition:\r\n int16(0) == 0x5a4d and\r\n uint32(uint32(0x3C)) == 0x00004550 and\r\n dotnet.is_dotnet and\r\n (\r\n 1 of ($a*) or\r\n 1 of ($b*) or\r\n 2 of ($c*) or\r\n 2 of ($d*)\r\n )\r\n}\r\nrule M_Autopatt_Backdoor_TOFUDRV_1 {\r\n meta:\r\n author = Mandiant\r\n description = \"tofudrv malware family\"\r\n created = \"11/29/2023\"\r\n modified = \"11/29/2023\"\r\n version = \"1.0\"\r\n strings:\r\n $p00_0 = {eb??33c083f8??0f85[4]488b4c24??e8[4]eb??c74424[5]eb}\r\n $p00_1 =\r\n{f3aa41b8[4]33d2488d4c24??e8[4]488b8424[4]48898424[4]48638424[4]48898424}\r\n 
condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n (\r\n ($p00_0 in (34000..45000) and $p00_1 in (28000..39000))\r\n )\r\n}\r\nimport \"pe\"\r\nrule M_TOFUDRV_Strings_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n hash = \"b4b1e285b9f666ae7304a456da01545e\"\r\n desc = \"Detects cleartext strings that appear in the TOFUDRV image\"\r\n strings:\r\n $a1 = \"\\\\systemroot\\\\system32\\\\drivers\" ascii fullword\r\n $a2 = \"\\\\SafeBoot\\\\Minimal\\\\\" ascii fullword\r\n $a3 = \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\"\r\nascii fullword\r\n $a4 = \"\\\\SafeBoot\\\\Network\\\\\" ascii fullword\r\n $a5 =\r\n\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\nascii fullword\r\n $a6 = \"Found\" ascii fullword\r\n condition:\r\n uint16(0) == 0x5A4D and\r\n filesize \u003c 500KB and\r\n pe.subsystem == pe.SUBSYSTEM_NATIVE and\r\n (\r\n 3 of them or\r\n pe.imphash() == \"ff6f16b00c9f36b32cd60fecd4dfc8e9\"\r\n )\r\n}\r\nimport \"pe\"\r\nrule M_TOFUDRV_RtlSubtreeStackStrings_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n hash = \"b4b1e285b9f666ae7304a456da01545e\"\r\n desc = \"Detects a stack string byte pattern in a function intended to resolve the memory image base of ntoskrnl.exe in TOFUDRV\"\r\n strings:\r\n // \"RtlSubtreePredecessor\"\r\n $a1 = { C6 44 24 ?? 52 C6 44 24 ?? 74 C6 44 24 ?? 6C C6 44 24 ??\r\n53 C6 44 24 ?? 75 C6 44 24 ?? 62 C6 44 24 ?? 74 C6 44 24 ?? 72 C6 44\r\n24 ?? 65 C6 44 24 ?? 65 C6 44 24 ?? 50 C6 44 24 ?? 72 C6 44 24 ?? 65\r\nC6 44 24 ?? 64 C6 44 24 ?? 65 }\r\n // \"RtlSubtreeSuccessor\"\r\n $a2 = { C6 84 24 ?? 00 00 00 6C C6 84 24 ?? 00 00 00 53 C6 84 24\r\n?? 00 00 00 75 C6 84 24 ?? 00 00 00 62 C6 84 24 ?? 00 00 00 74 C6 84\r\n24 ?? 00 00 00 72 C6 84 24 ?? 00 00 00 65 C6 84 24 ?? 00 00 00 65 C6\r\n84 24 ?? 00 00 00 53 C6 84 24 ?? 00 00 00 75 }\r\n $KeGetPcr = { 65 48 8B 04 25 18 00 00 00 48 89 44 24 }\r\n condition:\r\n uint16(0) == 0x5A4D and\r\n filesize \u003c 500KB and\r\n pe.subsystem == pe.SUBSYSTEM_NATIVE and\r\n $KeGetPcr and\r\n any of ($a*)\r\n}\r\nrule M_Dropper_MSIL_TEMPLESHOT_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2020-05-22\"\r\n date_modified = \"2020-05-22\"\r\n md5 = \"6d3041b89484c273376e5189e190d235\"\r\n rev = 2\r\n strings:\r\n $ss1 = \"--install\" fullword wide\r\n $ss2 = \"' directory created.\" fullword wide\r\n $ss3 = \"' file created.\" fullword wide\r\n $ss4 = \"' service created.\" fullword wide\r\n $ss5 = \"Nothing changed :D\" fullword wide\r\n $ss6 = \"\\x00ProtectDriver\\x00\"\r\n $ss7 = \"\\x00WriteAllBytes\\x00\"\r\n $ss8 = \"\\x00CopyTime\\x00\"\r\n $ss9 = \"T\\x00V\\x00q\\x00Q\\x00\"\r\n condition:\r\n (\r\n uint16(0) == 0x5A4D and\r\n uint32(uint32(0x3C)) == 0x00004550\r\n ) and\r\n all of them\r\n}\r\nrule M_Backdoor_MSIL_TEMPLESHOT_2 {\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2020-05-22\"\r\n date_modified = \"2020-05-22\"\r\n md5 = \"a991bdbf1e36d7818d7a340a35a4ea26\"\r\n rev = 2\r\n strings:\r\n $sb1 = { 02 7B [2] 00 04 [0-8] FE 03 [0-8] 39 [4-8] 02 7B [2] 00 04\r\n[5] 0? 02 7B [2] 00 04 [5-12] 0C }\r\n $sb2 = { 7B [2] 00 04 [0-16] 13 ?? 11 [1-8] 17 59 45 04 00 00 00 02\r\n[4-64] 2B ?? 02 [1-2] 7B [2] 00 04 73 [2] 00 06 28 [2] 00 06 0A 2B ?? 02\r\n[1-2] 7B [2] 00 04 73 [2] 00 06 28 [2] 00 06 [0-4] 0A 2B }\r\n $ss1 = \"\\x00set_UseShellExecute\\x00\"\r\n $ss2 = \"\\x00HttpListenerRequest\\x00\"\r\n $ss3 = \"\\x00HttpListenerResponse\\x00\"\r\n $ss4 = \"\\x00HttpListener\\x00\"\r\n condition:\r\n (\r\n uint16(0) == 0x5A4D and\r\n uint32(uint32(0x3C)) == 0x00004550\r\n ) and\r\n all of them\r\n}\r\nrule M_Backdoor_MSIL_TEMPLESHOT_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2020-05-22\"\r\n date_modified = \"2020-05-22\"\r\n md5 = \"952482949f495fb66e493e441229ae4b\"\r\n rev = 2\r\n strings:\r\n $sb1 = { 06 17 7D [4] 06 20 36 01 00 C0 7D [4] DE 00 07\r\n15 3B [4] 07 28 [4-12] 0D [8-64] 11 06 [4-12] 13 07 11 07 39 [4-32]\r\n20 FF FF 1F 00 12 09 [0-12] 11 09 12 0A [4-12] 12 0A 11 07 }\r\n $ss1 = \"\\x00GetProcessById\\x00\"\r\n $ss2 = \"\\x00NtOpenThread\\x00\"\r\n $ss3 = \"\\x00NtQueryInformationThread\\x00\"\r\n $ss4 = \"\\x00ReadProcessMemory\\x00\"\r\n $ss5 = \"\\x00NtTerminateProcess\\x00\"\r\n $ss6 = \"\\x00set_UseShellExecute\\x00\"\r\n $ss7 = \"\\x00DESCryptoServiceProvider\\x00\"\r\n $ss8 = \"\\x00GetExecutingAssembly\\x00\"\r\n condition:\r\n (\r\n uint16(0) == 0x5A4D and\r\n uint32(uint32(0x3C)) == 0x00004550\r\n ) and\r\n all of them\r\n}\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks?hl=en"
	],
	"report_names": [
		"unc1860-iran-middle-eastern-networks?hl=en"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9df96153-0450-4cbb-8a13-b737f16394ef",
			"created_at": "2023-11-03T02:00:07.788769Z",
			"updated_at": "2026-04-10T02:00:03.382078Z",
			"deleted_at": null,
			"main_name": "Scarred Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarred Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "107d5019-7454-46cf-9e39-c72d76a14633",
			"created_at": "2024-10-04T02:00:04.774831Z",
			"updated_at": "2026-04-10T02:00:03.719006Z",
			"deleted_at": null,
			"main_name": "UNC1860",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1860",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434003,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/312b920fd532d17e43869e8839f7a70f88117179.pdf",
		"text": "https://archive.orkl.eu/312b920fd532d17e43869e8839f7a70f88117179.txt",
		"img": "https://archive.orkl.eu/312b920fd532d17e43869e8839f7a70f88117179.jpg"
	}
}