Mango Sandstorm
The provided content only contains the actor name “mango_sandstorm” and does not include any high-confidence, actor-specific details (e.g., attribution, aliases, targeting, TTPs, tooling, infrastructure, or campaigns) directly tied to this name. The content instead discusses multiple Iran-nexus threat groups (e.g., APT42/Charming Kitten, Pink Sandstorm, MuddyWater, APT34, etc.) and broader Iran-related cyber activity, but does not state that “mango_sandstorm” is an alias of, subgroup of, or otherwise associated with any of those entities. As a result, no detailed description can be produced for “mango_sandstorm” based solely on the supplied content.
Recent activity
MuddyWater is an Iranian APT group known for cyber-espionage and delivering custom malware such as UDPGangster.
TEMP.Zagros used Gemini LLM for malware development and data analysis, employing social engineering to bypass AI safeguards and obtain technical assistance for custom malware projects.
MuddyWater is engaged in espionage campaigns, expanding its toolkit with the Phoenix v4 backdoor delivered via FakeUpdate, abusing remote management tools, deploying a custom Chromium credential stealer, and using NordVPN for phishing operations. They are also using COM-based persistence and maintaining live command and control infrastructure.
MuddyWater is an Iranian state-sponsored threat actor known for conducting espionage and disruptive cyber operations, primarily targeting government entities and critical infrastructure in the Middle East, North Africa, and occasionally Europe. The group is linked to Iran's Ministry of Intelligence and Security (MOIS) and has been responsible for high-profile attacks, including the disruption of Albanian government services.