SASHEYAWAY
SASHEYAWAY is a dropper associated with the Iranian state-sponsored threat actor UNC1860, which Mandiant assesses is likely affiliated with Iran's Ministry of Intelligence and Security (MOIS). It is used after initial access has been obtained, typically alongside the STAYSHANTE web shell, in intrusion chains targeting high-priority networks in the Middle East, especially government and telecommunications organizations. Reporting also links SASHEYAWAY-related activity to Israeli incidents involving wiper operations, where the published indicators included STAYSHANTE and SASHEYAWAY; Mandiant attributes the access-enabling tooling to UNC1860, not the destructive actions themselves. SASHEYAWAY is described as having a low detection rate and as leading to execution of embedded implants, including TEMPLEDOOR, FACEFACE, and SPARKLOAD. It is part of UNC1860's broader tradecraft: exploiting vulnerable internet-facing systems, deploying web shells and droppers, and then installing stealthier passive implants to maintain access and facilitate follow-on operations by other MOIS-associated actors. Available reporting identifies this malware only as SASHEYAWAY; no other high-confidence aliases are known.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Web shells like STAYSHANTE and SASHEYAWAY are frequently deployed after initial access is achieved.
ShroudedSnooper built a sprawling toolkit of passive backdoors and web shells — including the LionTail framework, TEMPLEDOOR, SASHEYAWAY, and a repurposed Windows kernel driver derived from Iranian antivirus software — designed to sustain long-term, low-visibility access.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
Persistence (1 technique)
Web shells like STAYSHANTE and SASHEYAWAY are frequently deployed after initial access is achieved. These shells enable further persistence by deploying full passive backdoors, such as TEMPLEDOOR and FACEFACE, which can execute commands, transfer files, and interact with system services.
IOCs tracked for this family
9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
ShroudedSnooper tool used to maintain stealthy persistent access in telecom and government networks.
A dropper/loader used by UNC1860 to deploy additional backdoors after initial access is obtained.
Dropper used to execute embedded implants (TEMPLEDOOR, FACEFACE, SPARKLOAD).
A web shell used post-compromise for persistence and staging of additional passive backdoors.