Mango Sandstorm

Threat Actor updated 23 days ago (2024-11-29T14:51:15.652Z)
Download STIX
Preview STIX
Mango Sandstorm, also known as MuddyWater or Mercury, is a threat actor group linked to Iran's Ministry of Intelligence and Security (MOIS) by the Israeli government. The group has been identified as being involved in several cyber-attacks, utilizing various tactics to gain initial access to targeted infrastructures. In one notable incident, Mango Sandstorm accessed several privileged on-prem accounts, which then facilitated lateral movement within the compromised systems. This highlights the security challenges posed by hybrid IT environments, an issue that is increasingly coming under scrutiny. The cybersecurity industry has observed the activities of Mango Sandstorm alongside another Iranian state-sponsored threat actor group, Mint Sandstorm (also known as Phosphorus or APT35), believed to be associated with the Islamic Revolutionary Guard Corps (IRGC). Both groups have been seen exploiting the vulnerability CVE-2023-27350. In a recent attack, Mango Sandstorm used privileged account credentials to target a system hosting the Azure AD Connect agent, underscoring their ability to exploit weaknesses in complex IT systems. Several cybersecurity entities, including Microsoft and Symantec Threat Hunter Team, part of Broadcom, are actively tracking the activities of these groups. The latter organization is monitoring Mango Sandstorm's activity under various names, including Seedworm, Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Static Kitten, TEMP.Zagros, and Yellow Nix. Given the sophisticated tactics employed by these groups and their links to national security entities, they represent significant threats to global cybersecurity.
Description last updated: 2024-05-04T16:03:22.277Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
MuddyWater is a possible alias for Mango Sandstorm. MuddyWater is an Advanced Persistent Threat (APT) actor that first surfaced in 2017, primarily targeting countries in the Middle East, Europe, and the USA. The group uses a range of techniques for its cyber-espionage activities, including PowerShell for execution, HTTP for C2 communications, and mal
2
MERCURY is a possible alias for Mango Sandstorm. Mercury, also known as MuddyWater and Static Kitten, is a threat actor group linked to global espionage activities, with suspected ties to the Iranian Ministry of Intelligence and Security. This group has been noted for its malicious activities, compromising multiple victims that another group, POLO
2
Phosphorus is a possible alias for Mango Sandstorm. Phosphorus, also known as APT35 or Charming Kitten, is a prominent threat actor linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran. The group is notorious for its cyberespionage activities and has been actively targeting high-profile individuals involved in Middle Eastern affairs at univ
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
State Sponso...
Vulnerability
Papercut
Exploit
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The APT35 Threat Actor is associated with Mango Sandstorm. APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage team. This threat actor conducts long-term, resource-intensive operations to collect strategic and tactical intelligence on behalf of the Islamic Revolutionary Guard CorpUnspecified
2
The Mint Sandstorm Threat Actor is associated with Mango Sandstorm. Mint Sandstorm, an Advanced Persistent Threat (APT) group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been identified as a significant cybersecurity threat. The group has demonstrated its capability to rapidly weaponize N-day vulnerabilities in common enterprise applications and cUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2023-27350 Vulnerability is associated with Mango Sandstorm. CVE-2023-27350 represents a significant software vulnerability in PaperCut MF/NG, identified as an improper access control flaw. This weakness allows attackers to bypass authentication processes, providing them with the ability to execute code with system privileges. The vulnerability was first updaUnspecified
2