Storm-0861

Storm-0861 is a Microsoft-tracked Iranian threat cluster assessed as linked to Iran’s Ministry of Intelligence and Security (MOIS). Microsoft uses the temporary "Storm" designation for emerging or developing clusters; the content explicitly describes Storm-0861 as MOIS-linked and references it in the context of Iranian operations. Microsoft reported a recurring operational pattern in which Storm-0861 gains access to victim environments months in advance, after which another MOIS-linked cluster, Storm-0842, later deploys wiper malware. Microsoft stated this handoff pattern was observed in Albania in 2022, again in Israel in late October 2023, and later in additional attacks on Albania. Mandiant reported that UNC1860’s tradecraft and targeting parallel Storm-0861, as well as Shrouded Snooper and Scarred Manticore. UNC1860 is described by Mandiant as a likely MOIS-affiliated Iranian state-sponsored actor targeting government and telecommunications networks in the Middle East, acting as a probable initial access provider, exploiting vulnerable internet-facing systems, deploying web shells and droppers, and installing passive backdoors to maintain stealthy persistence; however, Mandiant did not independently confirm that UNC1860 itself provided access for the BABYWIPER or ROADSWEEP destructive operations. Based on the provided content, Storm-0861 is associated with Iranian state-linked intrusion activity focused on pre-positioning and initial access that can enable later destructive operations.