FACEFACE
FACEFACE is a full passive backdoor associated with the Iranian state-sponsored threat actor UNC1860, which Mandiant assesses is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). "Passive" here means the implant waits for an operator to connect to it rather than beaconing out to a command-and-control server. It has been observed in intrusion chains targeting high-priority Middle Eastern networks, particularly government and telecommunications organizations. Mandiant reports that UNC1860 commonly gains initial access by exploiting vulnerable internet-facing systems, then deploys web shells and droppers such as STAYSHANTE and SASHEYAWAY; SASHEYAWAY has been described as embedding or downloading implants including TEMPLEDOOR, FACEFACE, and SPARKLOAD. FACEFACE itself can execute commands, transfer files, and interact with system services. It fits UNC1860’s broader tradecraft of using stealthy passive implants to maintain persistence while minimizing detectable outbound command-and-control traffic. The source material does not include hashes or other direct IOCs uniquely attributed to FACEFACE, so hunting for it has to rely on the behaviours described on this page rather than on atomic indicators.
Groups observed using it
UNC1860 is the only threat actor publicly attributed to this family; the attribution rests on Mandiant's reporting that UNC1860's web shells deploy FACEFACE alongside TEMPLEDOOR as a follow-on passive backdoor.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
Persistence (1 technique)
Web shells like STAYSHANTE and SASHEYAWAY are frequently deployed after initial access is achieved. These shells enable further persistence by deploying full passive backdoors, such as TEMPLEDOOR and FACEFACE, which can execute commands, transfer files, and interact with system services.
Command and Control (1 technique)
UNC1860 relies on custom-made passive backdoors like TOFULOAD and WINTAPIX, which leverage undocumented Input/Output Control (IOCTL) commands for communication, bypassing standard detection mechanisms used by EDR systems. These implants operate without initiating outbound traffic, making them difficult to detect through traditional network monitoring tools. Note that this excerpt names TOFULOAD and WINTAPIX rather than FACEFACE; the technique is associated with FACEFACE here because it is also a passive backdoor in the same toolset, so treat the IOCTL detail as a statement about UNC1860's tooling in general rather than a confirmed FACEFACE mechanism.
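The detection gap in the excerpt above can be made concrete. The following is an added example written for this page, not code from Mandiant, Mallory, or any UNC1860 reporting; the NetFlow-style records, hosts, ports, and listening baseline in it are constructed for illustration. It contrasts a conventional beacon hunt, which looks for internal hosts initiating outbound sessions and therefore sees nothing from a passive implant, with two hunts aimed at what a passive implant does produce: internal hosts that are reached from outside but never dial out, and externally initiated sessions to ports outside a host's expected listening baseline.

```python
"""Added example: hunting passive implants in flow telemetry.

Not code from the page's sources. Flow records, hosts, ports and the
listening baseline below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One bidirectional session, as a flow collector would summarise it."""
    src: str        # address that opened the session
    dst: str        # address that accepted it
    dport: int      # destination port
    bytes_out: int  # bytes sent by src
    bytes_in: int   # bytes sent back by dst


# Constructed sample. 10.0.0.5 is a web server that also fetches updates;
# 10.0.0.6 never dials out but is reached on a port it should not be serving.
INTERNAL: Set[str] = {"10.0.0.5", "10.0.0.6"}
BASELINE_PORTS: Dict[str, Set[int]] = {"10.0.0.5": {443}, "10.0.0.6": {443}}

SAMPLE_FLOWS: List[Flow] = [
    Flow("203.0.113.10", "10.0.0.5", 443, 1200, 800),
    Flow("10.0.0.5", "198.51.100.7", 443, 4000, 90000),   # outbound update fetch
    Flow("203.0.113.44", "10.0.0.6", 443, 600, 300),
    Flow("203.0.113.44", "10.0.0.6", 50001, 120, 5000),   # inbound to unexpected port
    Flow("203.0.113.44", "10.0.0.6", 50001, 300, 12000),  # operator returns for more
]


def outbound_initiators(flows: Iterable[Flow], internal: Set[str]) -> Set[str]:
    """Conventional beacon hunt: internal hosts that opened sessions outward."""
    return {f.src for f in flows if f.src in internal and f.dst not in internal}


def inbound_reached(flows: Iterable[Flow], internal: Set[str]) -> Set[str]:
    """Internal hosts that accepted at least one session from outside."""
    return {f.dst for f in flows if f.dst in internal and f.src not in internal}


def silent_hosts(flows: Iterable[Flow], internal: Set[str]) -> Set[str]:
    """Passive-implant profile: reached from outside, never dials out."""
    flows = list(flows)
    return inbound_reached(flows, internal) - outbound_initiators(flows, internal)


def unexpected_inbound(
    flows: Iterable[Flow], internal: Set[str], baseline: Dict[str, Set[int]]
) -> List[Tuple[str, int, str, int]]:
    """External sessions to an internal host on a port outside its baseline.

    Returns (host, port, source, bytes the host sent back). Repeated visits
    from the same source to the same port collapse into one row with the
    byte counts summed, so an operator's return trips stand out by volume.
    """
    totals: Dict[Tuple[str, int, str], int] = {}
    for f in flows:
        if f.dst in internal and f.src not in internal:
            if f.dport not in baseline.get(f.dst, set()):
                key = (f.dst, f.dport, f.src)
                totals[key] = totals.get(key, 0) + f.bytes_in
    return sorted((h, p, s, b) for (h, p, s), b in totals.items())


if __name__ == "__main__":
    print("beacon hunt sees:", outbound_initiators(SAMPLE_FLOWS, INTERNAL))
    print("reached but silent:", silent_hosts(SAMPLE_FLOWS, INTERNAL))
    print("unexpected inbound:", unexpected_inbound(SAMPLE_FLOWS, INTERNAL, BASELINE_PORTS))
```

On the constructed data the beacon hunt returns only the legitimate update fetch from 10.0.0.5, while 10.0.0.6 surfaces both as a silent host and through the externally initiated sessions on port 50001. The port check has a limit worth stating: an implant that reuses an existing listener (the excerpt's driver-based implants could sit behind the web server's own port 443) produces no unexpected port, so for that case the silent-host profile and host-side inventory of drivers and services have to carry the hunt.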
Recent activity
4 sources tracked across advisories, community write-ups, and news; the summaries below are drawn from them.
A follow-on backdoor used by UNC1860 to deepen access/persistence beyond initial implants.
Implant executed from within the SASHEYAWAY dropper as part of the UNC1860 toolchain.
A full passive backdoor used for persistence, command execution, file transfer, and service interaction on compromised systems.