An Iranian state-sponsored threat group likely linked to the country’s intelligence agency is operating as an initial access broker for hackers in Iran that are targeting governments and telecommunications organizations in the Middle East.
Researchers with Google-owned Mandiant describe UNC1860 as an advanced persistent threat (APT) group likely associated with Iran’s Ministry of Intelligence and Security (MOIS). The group has pulled together a collection of specialized tooling and passive backdoors that other Iranian hacking groups can use to gain footholds in what the researchers called “high-priority networks” in the region and to establish persistent, long-term access.
Among the main-stage backdoors is a Windows kernel-mode driver that has been repurposed from a legitimate Iranian antivirus software filter driver, according to Mandiant researchers Stav Shulman, Matan Mimran, Sarah Bock, and Mark Lechtik. It illustrates UNC1860’s skill at reverse engineering components and at evading detection within the Windows kernel.
“These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations,” they wrote in a report. “As tensions continue to ebb and flow in the Middle East, we believe this actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift.”
Iran – like China, Russia, and North Korea – has become a key cyberthreat player around the world, with CISA, the FBI, and other U.S. agencies noting in an alert last month that hackers linked to the country continue to target organizations in the United States and elsewhere in such sectors as education, finance, healthcare, defense, and local government.
“The FBI assesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware,” the alert states, adding that these hackers are associated with Iran’s government and apart from ransomware “conduct computer network exploitation activity in support of the [the government] (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan).”
Mandiant said UNC1860’s activities mirror those of other Iran-based threat groups – Shrouded Snooper, Scarred Manticore, and Storm-0861 – that were reported on by Cisco’s Talos group, Check Point, and Microsoft, respectively, over the past couple of years. Those groups also provided initial access for attacks that targeted Albania in 2022 with malware called ROADSWEEP and Israel in October 2023 with BABYWIPER.
The researchers couldn’t confirm that UNC1860 provided initial access for those operations, but they did identify specialized tooling from the group, including GUI-operated malware controllers likely created to hand off operations to other groups, which further supports the group’s initial access role. Mandiant tracks the controllers as TEMPLEPLAY and VIROGREEN; they are used by others – including other MOIS-affiliated groups like APT34 – to gain remote access to victim networks and to show them how to deploy custom payloads and run operations such as internal scanning and exploitation.
Mandiant’s research into UNC1860 dates back several years, to when it saw the threat group use a victim’s network as a staging area to run additional scanning and exploitation operations against other targets. The group in 2020 was “scanning IP addresses predominantly located in Saudi Arabia in an attempt to identify exposed vulnerabilities. UNC1860 also used a command-line tool to validate credentials of accounts and email addresses across multiple domains belonging to Qatari and Saudi Arabian entities, and later targeted VPN servers of entities in the region.”
In addition, there were several instances in 2019 and 2020 in which another group, APT34, attacked organizations that had already been compromised by UNC1860. Conversely, UNC1860 later targeted other organizations that had already been compromised by APT34, indicating that UNC1860 also may be helping groups with lateral movement in compromised networks.
“Mandiant additionally identified recent indications of operational pivoting to Iraq-based targets by both APT34-related clusters and UNC1860,” the researchers wrote.
In addition, UNC1860 uses web shells and droppers, including STAYSHANTE and SASHEYAWAY, on servers it has compromised, which can then be handed off to other threat groups for their operations. The group gains initial access into targeted IT environments by exploiting vulnerable internet-facing servers and deploying web shells.
“After obtaining an initial foothold, the group typically deploys additional utilities and a selective suite of passive implants that are designed to be stealthier than common backdoors,” they wrote. “These provide a higher degree of operational security by removing the dependency for classic C2 [command-and-control] infrastructure, making detection more difficult for network defenders.”
They added that UNC1860 implements its own Base64 encoding and decoding and XOR encryption and decryption in .NET code, even though the .NET framework already provides such capabilities. Why the group develops its own implementations isn’t clear, though the researchers noted that using such custom libraries allows it to evade detection by endpoint detection and response (EDR) and other security tools.
“Additionally, using these custom libraries may allow better compatibility if any of the built-in functions change in a specific version of a .NET control to ensure the group’s tooling is always compatible with its encryption and encoding schemes and/or to better help evade detection,” the researchers wrote.
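As an added example (not code from Mandiant’s report or from UNC1860’s tooling), here is a small triage helper of the kind an analyst might use when a sample’s strings or configuration appear to be wrapped in this Base64-plus-XOR layering. It assumes the standard Base64 alphabet and a single-byte XOR key, neither of which the article states.

```python
"""Triage helper for layered Base64 + XOR encoding (added example, not Mandiant's code).

Assumptions not stated in the article: the standard Base64 alphabet is used and
the XOR key is a single byte applied to every byte of the decoded data.
"""
import base64
import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, used to score candidates."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def decode_layered(blob: str, min_ratio: float = 0.95) -> list[tuple[int, bytes]]:
    """Base64-decode `blob`, then try all 255 non-zero single-byte XOR keys.

    Returns (key, plaintext) candidates whose output is mostly printable,
    best-scoring first. Key 0x00 is skipped because it would mean no XOR layer.
    Several keys can tie, so the analyst still reviews the short list.
    """
    raw = base64.b64decode(blob, validate=True)
    scored = []
    for key in range(1, 256):
        candidate = xor_bytes(raw, key)
        ratio = printable_ratio(candidate)
        if ratio >= min_ratio:
            scored.append((ratio, key, candidate))
    scored.sort(reverse=True)
    return [(key, pt) for _, key, pt in scored]


# Constructed sample: a made-up implant-style config string, XORed with 0x5A
# and then Base64-encoded, mirroring the layering described in the article.
SAMPLE_PLAINTEXT = b"cmd=whoami;sleep=30;host=example.invalid"
SAMPLE_BLOB = base64.b64encode(xor_bytes(SAMPLE_PLAINTEXT, 0x5A)).decode()

if __name__ == "__main__":
    for key, text in decode_layered(SAMPLE_BLOB)[:5]:
        print(f"key=0x{key:02x} -> {text!r}")
```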