Scarred Manticore

Threat Actor Profile Updated 2 months ago
Scarred Manticore is an Iran-linked threat actor whose activity has been observed against Albania in 2022 and against Israel from 2023 to 2024. It operates a previously undocumented malware framework named LIONTAIL, first described in the Check Point Research report "From Albania to the Middle East: The Scarred Manticore is Listening". Later campaigns added a web shell-based version of the LIONTAIL shellcode loader and .NET payloads obfuscated in the same way as earlier Scarred Manticore operations.

The group targets high-profile organizations, with a particular focus on telecommunication, military and government entities, alongside financial institutions, IT service providers and NGOs.

The evolution of Scarred Manticore's tooling illustrates how far Iranian threat actors have progressed in the past few years: the techniques used in recent campaigns are considerably more sophisticated than those seen in earlier Iran-linked activity. There is currently insufficient evidence to link Scarred Manticore directly to OilRig or OilRig-affiliated clusters. The multiple observed variants of LIONTAIL-associated malware indicate that Scarred Manticore tailors an implant to each compromised server, which lets its activity blend in with, and be hard to distinguish from, legitimate traffic to that server. In one incident the actor was caught interacting with an infected machine at the very moment a new web shell was written to disk, after having been present on the target network for over a year. Despite the overall sophistication of the arsenal, some of the newly deployed web shells and follow-on tools were markedly less advanced than others in Scarred Manticore's repertoire.

The group's primary objective appears to be espionage, specifically email exfiltration, using web shells such as FoxShell and the LIONTAIL framework. The wiper and ransomware attacks observed against the same victims were carried out by the separate Iranian cluster Void Manticore, to which Scarred Manticore handed over access after the initial intrusion and data theft.
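The one concrete detection opportunity the profile describes is the moment a new web shell is written to disk inside a web root that has otherwise looked normal for a year. The script below is an added example, not code from the page, from Check Point or from any Scarred Manticore sample: it walks a web root, keeps only server-executable files modified after a cut-off, scores their content against generic web shell indicators (request-parameter access, process spawning, assembly loading, long base64 blobs), and returns the hits. The web root, the "benign" page and the shell-like page it tests against are all constructed inline; the indicator list and score threshold are illustrative assumptions, not signatures from the report.

```python
"""Hunt for recently dropped web shells under a web root.

Added example; not code from the page or from the vendor reports it cites.
Assumes a generic IIS/PHP/JSP-style web root. The indicator patterns and the
score threshold are illustrative assumptions, not published signatures.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Extensions the web server executes server-side; a newly written file with
# one of these is the classic "web shell dropped to disk" artefact.
WEB_EXEC_EXT = {".aspx", ".ashx", ".asmx", ".asax", ".php", ".jsp", ".jspx"}

# Generic content indicators, weighted by how rarely a benign page needs them.
# Hits are summed into a score; one hit alone is not enough to flag a file.
INDICATORS = [
    (re.compile(r"Request\s*[\[.](?:Form|QueryString|Headers|Item)?", re.I), 1),
    (re.compile(r"\beval\s*\(", re.I), 2),
    (re.compile(r"Process\.Start|ProcessStartInfo|shell_exec|passthru", re.I), 3),
    (re.compile(r"Assembly\.Load|Convert\.FromBase64String", re.I), 2),
    (re.compile(r"\bcmd\.exe\b|\bpowershell(?:\.exe)?\b", re.I), 3),
    (re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2),  # long base64 blob
]


def score_file(path: Path) -> tuple[int, list[str]]:
    """Return (score, matched indicator patterns) for one file."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return 0, []
    score, hits = 0, []
    for pattern, weight in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(pattern.pattern)
    return score, hits


def hunt_web_shells(web_root: Path, since_epoch: float, min_score: int = 4) -> list[dict]:
    """List executable web files modified at or after since_epoch whose
    indicator score reaches min_score, highest score first."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in WEB_EXEC_EXT:
                continue
            st = p.stat()
            if st.st_mtime < since_epoch:
                continue
            score, hits = score_file(p)
            if score >= min_score:
                findings.append({"path": str(p), "mtime": st.st_mtime,
                                 "score": score, "hits": hits})
    return sorted(findings, key=lambda f: -f["score"])


def build_sample_webroot(base: Path) -> Path:
    """Write a constructed web root: one benign page back-dated 90 days and
    one freshly written shell-like page. Both are synthetic test fixtures."""
    root = base / "wwwroot"
    (root / "api").mkdir(parents=True, exist_ok=True)
    benign = root / "default.aspx"
    benign.write_text('<%@ Page Language="C#" %>\n'
                      '<html><body>Hello <%= Request.QueryString["name"] %></body></html>\n')
    old = time.time() - 90 * 86400
    os.utime(benign, (old, old))          # looks like it has been there for months
    shell = root / "api" / "health.aspx"  # constructed, non-functional fixture
    shell.write_text('<%@ Page Language="C#" %>\n'
                     '<% var c = Request.Form["c"]; '
                     'var p = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + c); %>\n')
    return root


def demo() -> list[dict]:
    """Build the constructed web root in a temp dir and hunt over it with a
    seven-day cut-off; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_webroot(Path(tmp))
        return hunt_web_shells(root, since_epoch=time.time() - 7 * 86400)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['score']:>2}  {time.ctime(f['mtime'])}  {f['path']}")
```

On a real host, point hunt_web_shells at the server's configured web roots and pick the cut-off from your own baseline (the last known-good deployment), not from the calendar. This only catches the drop-to-disk case the profile describes; a loader that keeps its payload in memory leaves no such file, and an implant tailored to blend into a server's normal traffic needs process and network telemetry rather than a file scan.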
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description
APT34 (1 vote): APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to be operating on behalf of the Iranian government. Operational since at least 2014, APT34 has been involved in long-term cyber espionage operations primarily focused on reconnaissance
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Windows, Malware, Iran, Backdoor, Web Shell, Implant, Loader, Encryption, Wiper, State Sponso..., Payload, Espionage
Associated Malware
ID (type, votes): Profile Description
Bibi Wiper (Unspecified, 1 vote): The BiBi wiper is a malicious software (malware) utilized by the hacking group Void Manticore, with its name referencing the nickname of Israel's Prime Minister, Benjamin Netanyahu. The malware was first reported in late 2023 during attacks against Israel, where it was used to wipe data from comput
Bibi (Unspecified, 1 vote): BiBi is a potent malware that has been deployed by a pro-Hamas hacktivist persona against Israeli targets. It is particularly destructive as it is designed to wipe data from the systems it infiltrates, causing direct damage and disruption. The use of this custom BiBi wiper in their operations underscore
Associated Threat Actors
ID (type, votes): Profile Description
OilRig (Unspecified, 4 votes): OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
Lyceum (Unspecified, 1 vote): Lyceum, also known as DEV-0133 and potentially linked to the OilRig group (aka APT34, Helix Kitten, Cobalt Gypsy, Crambus, or Siamesekitten), is a threat actor believed to be a Farsi-speaking entity active since 2018. It is suspected to be a subordinate element within Iran's Ministry of Intelligenc
Associated Vulnerabilities
ID (type, votes): Profile Description
CVE-2019-0604 (Unspecified, 1 vote): no description
Source Document References
Information about the Scarred Manticore threat actor was read from the documents below.
Source (created): Title
DARKReading (2 months ago): Iran APTs Tag Team Espionage, Wiper Attacks Against Israel & Albania
InfoSecurity-magazine (2 months ago): Iran-Linked Void Manticore Intensifies Cyber-Attacks on Israel
Checkpoint (2 months ago): Bad Karma, No Justice: Void Manticore Destructive Activities in Israel - Check Point Research
CERT-EU (9 months ago): Iran's Scarred Manticore Targets Middle East with LIONTAIL Malware
CERT-EU (9 months ago): Cyber Security Week In Review: November 3, 2023
BankInfoSecurity (9 months ago): Breach Roundup: Canada Bans WeChat and Kaspersky Apps
CERT-EU (9 months ago): Iran's Scarred Manticore Targets Middle East with LIONTAIL Malware
CERT-EU (9 months ago): Meeting the challenge of OT security
CERT-EU (9 months ago): Iranian Cyber Espionage Group Targets Financial and Government Sectors in Middle East
CERT-EU (9 months ago): From Albania to the Middle East: The Scarred Manticore is listening - Cyber Security Review
CERT-EU (9 months ago): Iran's MuddyWater Group Targets Israelis with Fake Memo Spear-Phishing
Checkpoint (9 months ago): From Albania to the Middle East: The Scarred Manticore is Listening - Check Point Research
DARKReading (9 months ago): 'Scarred Manticore' Unleashes the Most Advanced Iranian Cyber Espionage Yet
CERT-EU (9 months ago): Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign
InfoSecurity-magazine (9 months ago): Scarred Manticore Targets Middle East With Advanced Malware