This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.
Summary
- Associated actor(s): UNC1860
- Tool type(s): Passive backdoor / driver-abuse implant
- Confidence level(s): High
- Source ID(s):
SRC-MANDIANT-UNC1860
Behavior
| Actor | Behavior Summary |
|---|
| UNC1860 | Mandiant reports TEMPLEDROP repurposed a legitimate Iranian AV file-system filter driver for protecting deployed files and its own file from modification. |
Hash And IOC Status
| Actor | Status | Reference |
|---|
| UNC1860 | Mandiant reports related Sheed AV MD5 0c93cac9854831da5f761ee98bb40c37 and WINTAPIX/TOFUDRV MD5s 286bd9c2670215d3cb4790aac4552f22 and b4b1e285b9f666ae7304a456da01545e in the same report; VT enrichment found the Sheed AV reference as signed and not malicious by public verdicts. | SRC-MANDIANT-UNC1860 |
Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.
Defensive Hunting Notes
| Actor | Hunting Notes |
|---|
| UNC1860 | Hunt unexpected filter drivers, driver load events, protected file behavior, WINTAPIX/TOFUDRV artifacts, and kernel-mode tampering on edge or telecom servers. |
Handling Notes
| Actor | Handling Notes |
|---|
| UNC1860 | Driver verdicts require source context; benign-looking signed driver metadata can still be relevant when repurposed. |
Crosslinks
Mapped ATT&CK Techniques For Associated Actor(s)
| Actor | Technique | Tactic | Mapping Quality | Source |
|---|
| UNC1860 | T1190 Exploit Public-Facing Application | Initial Access | M2 | SRC-MANDIANT-UNC1860 |
| UNC1860 | T1505.003 Web Shell | Persistence | M2 | SRC-MANDIANT-UNC1860 |
| UNC1860 | T1105 Ingress Tool Transfer | Command and Control | M2 | SRC-MANDIANT-UNC1860 |
| UNC1860 | T1021.001 Remote Services: RDP | Lateral Movement | M2 | SRC-MANDIANT-UNC1860 |
| UNC1860 | T1078 Valid Accounts | Defense Evasion | M2 | SRC-MANDIANT-UNC1860 |
These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.
These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.
Source Review
| Source | Publisher | Date | Reliability | Type | Last Reviewed |
|---|
SRC-MANDIANT-UNC1860 | Google Cloud / Mandiant | 2024-09-19 | A | Vendor CTI | 2026-05-14 |
If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.