UNC1860

Aliases: None confirmed by any vendor. "Temple of Oats" is the title of the Mandiant September 2024 report ("UNC1860 and the Temple of Oats"), not an actor alias — do not record it as one. TEMPLEDOOR, TEMPLEPLAY, and TEMPLEDROP are malware/tool family names associated with this cluster, not actor designations.

Assessed sponsor: Iranian state-sponsored; assessed as likely MOIS-affiliated in both Malpedia and Mandiant reporting.

Relevance

UNC1860 is a high priority for Israeli government and public-sector defenders: Malpedia describes it as a persistent and opportunistic Iranian state-sponsored actor, likely affiliated with MOIS, that uses specialized tooling and passive backdoors to maintain long-term access to high-priority Middle Eastern networks, including government and telecommunications targets.

Mandiant reporting frames UNC1860 as a probable initial access provider whose tooling enables persistent footholds and handoff-style operations. For Israeli and regional defenders, this means UNC1860 should be treated as an access-enablement and persistence risk even when a different persona later conducts the espionage, leak, or destructive activity.

Defensive Focus

  • Public-facing edge systems.
  • IIS, SharePoint, Exchange, and externally reachable web applications.
  • Passive backdoors and webshell-like persistence.
  • Government and telecommunications networks.
  • Long-lived access that may be handed off to destructive or influence-operation teams.

Associated Families And Tools

Use the generated UNC1860 tool matrix and individual tool pages for behavior, hash/IOC status, sources, and defensive hunting notes:

Detection Ideas

  • New or modified files under web roots, SharePoint paths, IIS modules, and application upload directories.
  • Web server worker processes spawning shells, scripting engines, or archive tools.
  • Long-lived, low-volume callbacks from edge servers. Note that a passive backdoor does not beacon at all; for those, hunt for unexpected inbound connections to listeners on edge hosts rather than outbound traffic.
  • New local or domain accounts created after public-facing application anomalies.
  • RDP, SMB, or WMI activity originating from web servers or DMZ hosts.
  • File integrity deviations on internet-facing systems outside approved deployment windows.
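The following is an added example of how several of the detection ideas above can be expressed as hunt logic over endpoint telemetry. It is not code from the original page, from Mandiant or Malpedia, or from any UNC1860 tooling. It assumes Sysmon-style process-creation (EID 1) and file-creation (EID 11) events plus Windows Security account-creation (EID 4720) events, already parsed into dictionaries; the web-worker names, web roots, deployment window, and every host, path, user, and timestamp in the sample are invented for illustration.

```python
"""Hunt logic for three UNC1860-relevant detection ideas, run over constructed
events. Added example for this page, not code from Mandiant, Malpedia or any
UNC1860 tooling; hosts, paths, users and timestamps below are invented."""
from datetime import datetime, time, timedelta

# Assumption: the web server worker / app-pool processes present in the estate.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}
# Children a web worker rarely needs: shells, scripting engines, archive tools.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe",
    "certutil.exe", "rundll32.exe", "7z.exe", "rar.exe", "tar.exe", "makecab.exe",
}
# Assumption: web roots worth watching (IIS default, SharePoint hive, Exchange front end).
WEB_ROOTS = (
    r"c:\inetpub\wwwroot",
    r"c:\program files\common files\microsoft shared\web server extensions",
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy",
)
# Server-executable or config extensions a dropped webshell or IIS module would use.
SHELL_EXTS = (".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp", ".dll", ".config")
# Assumption: approved deployment window is weekdays 02:00-04:00 host-local time.
DEPLOY_START, DEPLOY_END = time(2, 0), time(4, 0)
ACCOUNT_CORRELATION = timedelta(hours=24)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def outside_deploy_window(ts):
    return ts.weekday() >= 5 or not (DEPLOY_START <= ts.time() < DEPLOY_END)


def check_process(ev):
    """EID 1: web server worker spawning a shell, script engine or archiver."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent in WEB_WORKERS and child in SUSPICIOUS_CHILDREN:
        return f"{parent} spawned {child}: {ev['CommandLine']}"
    return None


def check_file(ev):
    """EID 11: new server-executable file in a web root outside the deploy window."""
    path = ev["TargetFilename"].lower()
    if path.startswith(WEB_ROOTS) and path.endswith(SHELL_EXTS) and outside_deploy_window(ev["ts"]):
        return f"new web-root file outside deployment window: {ev['TargetFilename']} by {basename(ev['Image'])}"
    return None


def hunt(events):
    """Return hits as dicts (host, ts, kind, msg). An account created (EID 4720) within
    24h after an earlier process/file anomaly on the same host is flagged as follow-on."""
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = msg = None
        if ev["EventID"] == 1:
            kind, msg = "process", check_process(ev)
        elif ev["EventID"] == 11:
            kind, msg = "file", check_file(ev)
        elif ev["EventID"] == 4720:
            prior = [h for h in hits if h["host"] == ev["host"] and h["kind"] != "account"
                     and ev["ts"] - h["ts"] <= ACCOUNT_CORRELATION]
            if prior:
                kind = "account"
                msg = f"account {ev['TargetUserName']} created {ev['ts'] - prior[-1]['ts']} after web anomaly"
        if msg:
            hits.append({"host": ev["host"], "ts": ev["ts"], "kind": kind, "msg": msg})
    return hits


def ts(s):
    return datetime.fromisoformat(s)


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"EventID": 1, "host": "web01", "ts": ts("2024-09-22T13:04:10"), "ParentImage": W3WP,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami /all"},
    {"EventID": 1, "host": "web01", "ts": ts("2024-09-22T13:04:12"), "ParentImage": W3WP,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths"},  # ASP.NET dynamic compile: expected
    {"EventID": 11, "host": "web01", "ts": ts("2024-09-22T13:05:00"), "Image": W3WP,
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\system_web\error.aspx"},  # Sunday
    {"EventID": 11, "host": "web02", "ts": ts("2024-09-24T02:30:00"),
     "Image": r"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\portal\Default.aspx"},  # inside deploy window
    {"EventID": 11, "host": "web01", "ts": ts("2024-09-22T13:06:00"), "Image": W3WP,
     "TargetFilename": r"C:\inetpub\wwwroot\images\logo.png"},  # static asset, ignored
    {"EventID": 4720, "host": "web01", "ts": ts("2024-09-23T01:40:00"), "TargetUserName": "svc_iisbackup"},
    {"EventID": 4720, "host": "web02", "ts": ts("2024-09-24T09:00:00"), "TargetUserName": "helpdesk7"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h['ts']} {h['host']} [{h['kind']}] {h['msg']}")
```

Run against the sample, the logic produces three hits, all on web01: the worker-to-cmd.exe spawn, the Sunday drop of error.aspx under the IIS web root, and the svc_iisbackup account created about twelve hours later. The csc.exe spawn, the msdeploy.exe write inside the deployment window, the static image, and the account on web02 (no prior anomaly on that host) are correctly ignored. In production the allowlists and the deployment window need tuning per estate, and the process rule should be paired with the inbound-connection hunt for passive listeners, since a non-beaconing backdoor will not show up as a callback.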

Analytic Caution

UNC1860 should not be used as a default attribution label for every Iran-linked webshell. Analysts SHOULD require multiple independent evidence lines before attributing: victimology, specialized tooling, infrastructure overlap, passive backdoor behavior, and a source-backed malware-family linkage.

Sources: SRC-MALPEDIA-UNC1860, SRC-MANDIANT-UNC1860.