Cyber Threat Actor: Mango Sandstorm
| Actor Type | Location | Known Incidents |
Nation State
|
Iran
|
1 incident |
|---|
Profile
Mango Sandstorm, also tracked as MERCURY, is an Iranian state‑sponsored threat actor whose aliases include Mango Sandstorm and MERCURY. Public reporting links the group to Iranian intelligence and military entities, establishing a clear state nexus. The actor’s geographic origin is identified as Iran, though no further operational base details are disclosed in the available sources.
The group’s activities have been observed targeting organizations worldwide across multiple sectors, including large enterprises, government agencies, and educational institutions. By exploiting a pre‑authentication remote code execution vulnerability in print management servers, Mango Sandstorm gains initial network access that subsequently enables follow‑on operations such as ransomware deployment by other threat clusters like Lace Tempest and LockBit. This pattern indicates that the actor’s primary objective is to establish footholds in victim networks rather than to conduct the final impact themselves.
In terms of tactics, the actor’s demonstrated approach centers on the exploitation of CVE‑2023‑27350, a critical vulnerability affecting unpatched print management software. The attacks are described as opportunistic, with the group adapting its exploitation techniques to evade existing detections over time. No specific malware families, custom tooling, or post‑exploitation frameworks are referenced in the supplied material, so the known TTPs are limited to the initial access vector and the associated evasion adaptations. Attribution to Iran is reinforced by the explicit connection to Iranian intelligence and military entities cited in the reporting. No affiliations with criminal consortia, hack‑for‑hire groups, or other non‑state actors are mentioned in the available sources. The state sponsorship therefore frames the activity within the context of national‑level objectives rather than financially motivated cybercrime.
A representative campaign occurred in early March 2023 when Mango Sandstorm leveraged the PaperCut vulnerability to compromise print management servers globally, leading to widespread initial access that facilitated subsequent ransomware events. The activity persisted after public disclosure, continuing despite proof‑of‑concept exploit releases and federal remediation mandates, highlighting the actor’s sustained focus on exploiting this particular software flaw. This episode exemplifies the group’s role in enabling broader disruptive campaigns while maintaining a low‑profile, access‑centric operational stance.
