G1029: UNC788
Analyst context for executives and security teams
UNC788 is a mobile ATT&CK group entry tied by MITRE to hackers from Iran targeting people in the Middle East. The decision value is not broad attribution; it is that the available relationship data points to mobile-device compromise risk through phishing and an Android remote-access malware, HilalRAT, capable of collecting sensitive device data and activating camera or microphone functions. For leaders, this makes the behavior relevant where executives, travelers, regional staff, journalists, partners, or other high-risk personnel rely on mobile devices for communications and identity access.
Executive priority
Treat this as a targeted mobile-risk planning case rather than a general enterprise endpoint problem. Security leaders should ask whether the organization can protect and investigate mobile phishing against high-risk users, whether mobile devices are included in incident response playbooks, and whether evidence exists for compliance and executive-protection reviews. Priority should be higher for organizations with people or operations connected to the Middle East, or where mobile devices are used for privileged communications, MFA, sensitive messaging, or field operations.
Technical view
MITRE provides no group-level platforms, tactics, or detection text for UNC788, so validation should be relationship-driven. The supplied relationships show use of HilalRAT, an Android malware with remote-access capability, and use of mobile phishing affecting Android and iOS. SOC and IR teams should verify whether they can collect and preserve mobile security events, phishing reports, mobile application inventory, suspicious installation evidence, device permission changes, and network indicators from managed Android devices. For iOS, focus on phishing delivery, user reporting, identity session anomalies, and mobile-device-management visibility rather than assuming malware telemetry is available from this object.
Likely telemetry
- Mobile device management or enterprise mobility management inventory and compliance state
- Mobile phishing reports, email/SMS/messaging security logs, and user-submitted suspicious messages
- Android application installation history, package inventory, sideloading or unknown-source indicators where available
- Mobile app permission changes, especially camera, microphone, location, contacts, and call-log access on Android
- Mobile network/DNS/proxy telemetry from managed devices or secure web gateways where deployed
Detection direction
- Do not assume coverage from standard endpoint detection; confirm whether mobile devices are actually monitored and whether Android and iOS visibility differs.
- Tune phishing detection and user-reporting workflows for targeted social engineering against mobile users, especially high-risk personnel and regional users relevant to the Middle East context in the source description.
- For Android, validate alerts or review procedures for suspicious app installation, excessive sensitive permissions, and remote-access-like behavior consistent with the HilalRAT relationship.
- Correlate mobile phishing events with identity telemetry, because mobile compromise may surface as unusual authentication, MFA fatigue, new device enrollment, or suspicious session activity rather than a clear malware alert.
- Document false-positive handling for legitimate apps requesting camera, microphone, location, or call-log access; detections should consider app reputation, install source, user role, timing, and associated phishing activity.
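One way to put the two correlation points above into practice, as an added example that is not part of the original page or of MITRE's ATT&CK content: it scores a user's mobile phishing report, install source, sensitive Android permission grants, repeated denied MFA pushes, and new device enrollment inside one time window, and only counts camera/microphone permissions when the preceding install was untrusted. The event schema, field names, weights, and threshold are assumptions; the events are constructed.

```python
from datetime import datetime, timedelta
# Constructed sample events (not real telemetry) normalized from MDM, the phishing-report
# mailbox and the identity provider; "bob" is a benign baseline (store app wants camera/mic).
EVENTS = [
    {"ts": "2024-05-01T08:02:00", "user": "ana", "type": "phish_report", "channel": "sms"},
    {"ts": "2024-05-01T08:10:00", "user": "ana", "type": "app_install", "source": "sideload", "reputation": "unknown"},
    {"ts": "2024-05-01T08:11:00", "user": "ana", "type": "perm_grant", "perms": ["CAMERA", "RECORD_AUDIO", "READ_CALL_LOG"]},
    {"ts": "2024-05-01T08:40:00", "user": "ana", "type": "mfa_push", "result": "denied"},
    {"ts": "2024-05-01T08:41:00", "user": "ana", "type": "mfa_push", "result": "denied"},
    {"ts": "2024-05-01T08:42:00", "user": "ana", "type": "mfa_push", "result": "approved"},
    {"ts": "2024-05-01T08:45:00", "user": "ana", "type": "device_enroll", "os": "android"},
    {"ts": "2024-05-01T09:00:00", "user": "bob", "type": "app_install", "source": "play_store", "reputation": "trusted"},
    {"ts": "2024-05-01T09:01:00", "user": "bob", "type": "perm_grant", "perms": ["CAMERA", "RECORD_AUDIO"]},
]
SENSITIVE = {"CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "READ_CONTACTS", "READ_CALL_LOG"}
THRESHOLD = 7  # assumed triage cut-off; tune against the local false-positive rate

def score_user(events, user, window_hours=2):
    """Return (score, reasons, verdict) for one user's events inside a window
    opened by their earliest event. Sensitive-permission grants only count after
    an untrusted install, so a reputable store app asking for camera/mic is quiet."""
    ev = sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])
    if not ev:
        return 0, [], "baseline"
    end = datetime.fromisoformat(ev[0]["ts"]) + timedelta(hours=window_hours)
    hits, untrusted, denied = [], False, 0
    for e in ev:
        if datetime.fromisoformat(e["ts"]) > end:
            break  # outside the correlation window
        t = e["type"]
        if t == "phish_report":
            hits.append((3, "user-reported mobile phishing"))
        elif t == "app_install":
            untrusted = e["source"] != "play_store" or e["reputation"] != "trusted"
            if untrusted:
                hits.append((3, f"untrusted install ({e['source']})"))
        elif t == "perm_grant" and untrusted and SENSITIVE & set(e["perms"]):
            hits.append((2, "sensitive permissions granted to untrusted app"))
        elif t == "mfa_push" and e["result"] == "denied":
            denied += 1
            if denied == 2:  # repeated denials are the MFA-fatigue signal
                hits.append((2, "repeated denied MFA pushes"))
        elif t == "device_enroll":
            hits.append((2, "new device enrollment"))
    score = sum(p for p, _ in hits)
    return score, [why for _, why in hits], "investigate" if score >= THRESHOLD else "baseline"

def triage(events):
    return {u: score_user(events, u) for u in sorted({e["user"] for e in events})}
```

The reasons list is what an analyst reads first; the score only orders the queue.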
Mitigation priorities
- Identify high-risk mobile user groups and confirm they are covered by mobile security policy, reporting paths, and incident response procedures.
- Strengthen mobile phishing resilience through user reporting, rapid triage, and controls for malicious links and messages where available.
- For managed Android devices, restrict untrusted app installation, review app permissions, and maintain application inventory and compliance enforcement.
- Ensure identity controls account for mobile compromise risk, including review of mobile session activity, MFA events, and device enrollment practices.
- Prepare mobile IR procedures for evidence preservation, privacy approval, device isolation, and replacement workflows.
Analyst notes and limits
The strongest supported context is mobile threat activity, phishing, and the relationship to HilalRAT on Android. The official group description is brief and cites Meta's 2022 Adversarial Threat Report. The group object itself does not list tactics or platforms, so platform-specific guidance is derived only from the related software and technique objects supplied with this entry.
Official detection is not provided, and the group entry has sparse fields. This analysis cannot establish current activity, victim exposure, specific infrastructure, guaranteed detection methods, or attribution beyond the supplied MITRE description. Local device-management, identity, messaging, and incident evidence are required to assess real coverage and risk.
UNC788
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 587eef5dede8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Agranovich, D., et al. (2022, April). Adversarial Threat Report. Meta. Retrieved April 2, 2024.
[2] mitre-attack: G1029
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.