From aa21df1b3fe244dca89bcb71b8f724df3feba242 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 2 Oct 2024 02:04:56 -0700
Subject: [PATCH] [threat-actors] Add UNC1860
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8c4ba11..498caf6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16907,6 +16907,17 @@
 },
 "uuid": "9686ff2b-01e0-46eb-9169-9e8d115be345",
 "value": "CosmicBeetle"
+ },
+ {
+ "description": "UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks"
+ ]
+ },
+ "uuid": "80a874d5-0645-4245-aeb6-9b33a8689928",
+ "value": "UNC1860"
 }
 ],
 "version": 315
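Review bot: `"version": 315` is still a context line at the end of this hunk, so the cluster gains the UNC1860 entry without a version bump, and consumers that refresh galaxy data only when the version increases may not pick up the new actor. If no later commit in the series does it, change that line to `"version": 316`. Separately, the description hedges the attribution ("likely affiliated", "probable initial access provider") while `"country": "IR"` records it flatly; an `"attribution-confidence"` value in `meta` would carry that hedge into the machine-readable data. The enclosing `values` array and root object start outside the hunk.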