Mango Sandstorm

Threat Actor updated 4 months ago (2024-05-04T20:58:32.957Z)
Mango Sandstorm, also known as MuddyWater or Mercury, is a threat actor group that the Israeli government has linked to Iran's Ministry of Intelligence and Security (MOIS). The group has been involved in several cyber-attacks and has used a range of tactics to gain initial access to targeted infrastructure. In one notable incident, Mango Sandstorm obtained access to several privileged on-premises accounts, which then facilitated lateral movement within the compromised environment; the case illustrates the security challenges posed by hybrid IT environments, an issue that is increasingly coming under scrutiny. The cybersecurity industry has observed Mango Sandstorm's activity alongside that of another Iranian state-sponsored group, Mint Sandstorm (also known as Phosphorus or APT35), believed to be associated with the Islamic Revolutionary Guard Corps (IRGC). Both groups have been seen exploiting CVE-2023-27350. In a recent attack, Mango Sandstorm used privileged account credentials to target a system hosting the Azure AD Connect agent, underscoring its ability to exploit weaknesses in complex IT systems. Several cybersecurity entities, including Microsoft and the Symantec Threat Hunter Team (part of Broadcom), actively track these groups; Symantec monitors Mango Sandstorm's activity under various names, including Seedworm, Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Static Kitten, TEMP.Zagros, and Yellow Nix. Given the sophisticated tactics employed by these groups and their links to national security entities, they represent significant threats to global cybersecurity.
Description last updated: 2024-05-04T16:03:22.277Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
MuddyWater | 2 | MuddyWater is a notable threat actor group that has been associated with various cyber-attacks, primarily targeting organizations in the Middle East, particularly Israeli entities, but also extending its activities to other nations including India, Jordan, Portugal, Turkey, and Azerbaijan. The group
MERCURY | 2 | Mercury, also known as MuddyWater and Static Kitten, is a threat actor group linked to global espionage activities, with suspected ties to the Iranian Ministry of Intelligence and Security. This group has been noted for its malicious activities, compromising multiple victims that another group, POLO
Phosphorus | 2 | Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
State Sponso...
Vulnerability
Papercut
Exploit
Associated Threat Actors
ID | Type | Votes | Profile Description
APT35 | Unspecified | 2 | APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the
Mint Sandstorm | Unspecified | 2 | Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cyber threat actor. This group is known for its highly skilled operators and sophisticated social engineering techniques, often lacking the typica
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-27350 | Unspecified | 2 | CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter
Source Document References
Information about the Mango Sandstorm Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source Link | Created At | Title
CERT-EU | a year ago | Hybrid IT opens new avenues for cybercriminals
CERT-EU | 9 months ago | Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | a year ago | Microsoft reports two Iranian hacking groups exploiting PaperCut flaw | IT Security News
CERT-EU | a year ago | Microsoft says Iranian hackers combine influence ops with hacking for maximum impact
CERT-EU | a year ago | Iranian Hackers Target U.S. Energy and Transit Systems
CERT-EU | a year ago | Microsoft reports two Iranian hacking groups exploiting PaperCut flaw
CERT-EU | a year ago | Cyber security week in review: May 12, 2023
CERT-EU | a year ago | Microsoft: Iranian APTs Exploiting Recent PaperCut Vulnerability
CERT-EU | a year ago | Vulnerable PaperCut servers targeted by Iranian hackers
Securityaffairs | a year ago | Iran-linked APT groups started exploiting Papercut flaw
CERT-EU | 10 months ago | Cyberattack hits Ace Hardware
CERT-EU | 10 months ago | Iran's MuddyWater Group Targets Israelis with Fake Memo Spear-Phishing
CERT-EU | 10 months ago | Iran's MuddyWater Group Targets Israelis with Fake Memo Spear-Phishing
CERT-EU | 10 months ago | Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign