This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.
Summary
- Associated actor(s): UNC1860
- Tool type(s): Passive backdoor family
- Confidence level(s): High
- Source ID(s):
SRC-MANDIANT-UNC1860
Behavior
| Actor | Behavior Summary |
|---|
| UNC1860 | Mandiant describes TEMPLEDOOR as a passive backdoor controlled by TEMPLEPLAY; behavior includes command execution, file transfer, endpoint URI selection, echo/ping checks, and HTTP proxying for middlebox-style RDP reachability. |
Hash And IOC Status
| Actor | Status | Reference |
|---|
| UNC1860 | Representative Mandiant MD5s include c57e59314aee7422e626520e495effe0 and b219672bcd60ce9a81b900217b3b5864. VT enrichment found b219672bcd60ce9a81b900217b3b5864 as Win32 EXE/System.dll with 47 malicious public detections; c57e59314aee7422e626520e495effe0 returned VT not_found. | SRC-MANDIANT-UNC1860 |
Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.
Defensive Hunting Notes
| Actor | Hunting Notes |
|---|
| UNC1860 | Hunt passive/listener implants on edge servers, unusual inbound-controlled HTTPS endpoints, magic-URI echo/ping testing, proxy behavior from compromised servers, and RDP routed through DMZ hosts. |
Handling Notes
| Actor | Handling Notes |
|---|
| UNC1860 | Hash-only matches are insufficient for attribution; Mandiant source context remains authoritative. |
Crosslinks
Mapped ATT&CK Techniques For Associated Actor(s)
| Actor | Technique | Tactic | Mapping Quality | Source |
|---|
| UNC1860 | T1190 Exploit Public-Facing Application | Initial Access | M2 | SRC-MANDIANT-UNC1860 |
| UNC1860 | T1505.003 Web Shell | Persistence | M2 | SRC-MANDIANT-UNC1860 |
| UNC1860 | T1105 Ingress Tool Transfer | Command and Control | M2 | SRC-MANDIANT-UNC1860 |
| UNC1860 | T1021.001 Remote Services: RDP | Lateral Movement | M2 | SRC-MANDIANT-UNC1860 |
| UNC1860 | T1078 Valid Accounts | Defense Evasion | M2 | SRC-MANDIANT-UNC1860 |
These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.
These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.
Source Review
| Source | Publisher | Date | Reliability | Type | Last Reviewed |
|---|
SRC-MANDIANT-UNC1860 | Google Cloud / Mandiant | 2024-09-19 | A | Vendor CTI | 2026-05-14 |
If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.