State-Sponsored Threat Actors Exploiting PaperCut Vulnerabilities

Last week this publication covered how ransomware operations were exploiting recently disclosed and patched PaperCut server vulnerabilities. According to PaperCut, the vulnerabilities, if exploited, can allow for remote code execution.

State-Sponsored Threat Actors Exploiting PaperCut Vulnerabilities

The company provided more information regarding the severity of the vulnerabilities stating,

  • CVE-2023–27350 / ZDI-CAN-18987 / PO-1216: Unauthenticated remote code execution flaw impacting all PaperCut MF or NG versions 8.0 or later on all OS platforms for both application and site servers. (CVSS v3.1 score: 9.8 – critical)
  • CVE-2023–27351 / ZDI-CAN-19226 / PO-1219: Unauthenticated information disclosure flaw impacting all PaperCut MF or NG versions 15.0 or later on all OS platforms for application servers. (CVSS v3.1 score: 8.2 – high)

Microsoft, who discovered how Clop ransomware operatives were exploiting the vulnerabilities, now discovered how Iranian state-sponsored groups are attempting to exploit the vulnerabilities.

In a Twitter post, the Redmond-based tech giant said,

More actors are exploiting unpatched CVE-2023-27350 in print management software Papercut since we last reported on Lace Tempest. Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350…After public POCs were published for CVE-2023-27350, Mint Sandstorm & Mango Sandstorm quickly adapted the exploit in their operations to achieve initial access. This activity shows Mint Sandstorm's continued ability to rapidly incorporate POC exploits into their operations.

The two groups mentioned by Microsoft, tracked as Mango Sandstorm and Mint Sandstorm, are tracked under several other names.

Mango Sandstorm is also tracked as Mercury or Muddywater and has been linked to Iran's Ministry of Intelligence and Security. Mint Sandstorm, also tracked as Phosphorus or APT35, has been linked to Iran's Islamic Revolutionary Guard Corps.

Due to the spike in activity from both financially motivated and state-sponsored threat actors, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-27350, and two other vulnerabilities to the Known Exploited Vulnerabilities Catalog.

The agency noted that these vulnerabilities were being added as they pose significant risks to both state and federal organizations.

As large companies, state organizations, and education institutes worldwide are using PaperCut servers as enterprise printing management software, with PaperCut's developer claiming more than 100 million users from over 70,000 companies, placing the vulnerability in the above-mentioned catalog is a wise move.

Further, those tasked with defending network infrastructure are strongly advised to immediately upgrade their PaperCut MF and PaperCut NG software to versions 20.1.7, 21.2.11, and 22.0.9 and later, which address this RCE bug and remove the possible attack vector.

Mint Sandstorm and Their Tactics

Mint Sandstorm, as tracked by Microsoft, or Phosphorous to others, is well known for exploiting vulnerabilities to fulfill their state-sponsored mandate. As mentioned above, they have been linked to Iranian government institutions, namely Iran's Islamic Revolutionary Guard Corps.

Microsoft provides more information about the threat group stating,

Mint Sandstorm is known to pursue targets in both the private and public sectors, including political dissidents, activist leaders, the Defense Industrial Base (DIB), journalists, and employees from multiple government agencies, including individuals protesting oppressive regimes in the Middle East. Activity Microsoft tracks as part of the larger Mint Sandstorm group overlaps with public reporting on groups known as APT35, APT42, Charming Kitten, and TA453.


Mint Sandstorm is a composite name used to describe several subgroups of activity with ties to the same organizational structure. Microsoft assesses that Mint Sandstorm is associated with an intelligence arm of Iran's military, the Islamic Revolutionary Guard Corps (IRGC), an assessment that has been corroborated by multiple credible sources including Mandiant, Proofpoint, and SecureWorks. In 2022, the US Department of Treasury sanctioned elements of Mint Sandstorm for past cyberattacks citing sponsorship from the IRGC.

It would appear the group's main goal is the stealing of sensitive information from high-value targets, as deemed by the Islamic Revolutionary Guards. Microsoft argues that the group is skilled and experienced as they can quickly develop code to exploit known vulnerabilities.

The group further has a bespoke toolset which it uses to great effect when compromising target infrastructure. This is done not only with skilled focus but done in line with Iran's current geopolitical ambitions.

It is this rapid exploitation of publicly disclosed vulnerabilities that is Mind Sandstorm's defining tactic. This was not always the case as prior to this year it seemed that the group would take several weeks to develop exploitation code, even if publicly available proof-of-concept code successfully exploited a vulnerability in the wild.

However, this year has seen a significant decrease in the time needed to develop exploit code; in some cases, like in vulnerabilities impacting Aspera Faspex, the group took five days to develop an exploit once proof-of-concept code was released.

Once initial access is secured through the use of a publicly disclosed vulnerability, a custom PowerShell script designed for discovery is deployed.

In some cases, the threat group does not act on the information they collect, possibly because they assess that a victim does not meet any targeting requirements or because the subgroup wishes to wait and focus on more valuable targets or more valuable information.

To further show the group's skill and experience, custom tools will be deployed to evade detection, including a .NET backdoor. Companies and organizations deemed as critical infrastructure should note these tactics and take measures to harden against a Mint Sandstorm attack.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal