Scarred Manticore

Threat Actor updated a month ago (2024-11-29T14:07:26.302Z)
Scarred Manticore, also known as Storm-861, is a threat actor believed to be linked to Iran's Ministry of Intelligence and Security (MOIS). The group has been implicated in high-level espionage against organizations across the Middle East and beyond. Its operations have been traced back to at least 2022, when it targeted Albania, and continued through 2023-2024 with attacks on Israel. Scarred Manticore employs sophisticated .NET payloads and web shells, such as the LIONTAIL shellcode loader, obfuscated in a manner consistent with its previous operations. Its main objectives appear to be email exfiltration and the deployment of PE implants. The group's modus operandi typically involves an initial-access exploit (CVE-2019-0604), followed by a persistent presence on the victim's network for over a year. Notable tools include Foxshell and Liontail. In one case, Scarred Manticore was observed interacting with an infected machine at the exact moment a new web shell was dropped to disk, which suggests a high level of sophistication and constant monitoring of its targets. The group's operations often precede those of another Iranian threat actor, Void Manticore, indicating a significant overlap in targets and possibly a coordinated effort between the two groups. The evolution of Scarred Manticore's tools and capabilities demonstrates a significant advancement in the techniques employed by Iranian threat actors; the recent campaigns associated with this group are far more sophisticated than previous ones tied to Iran, indicating a substantial progression in their cyber warfare skills. While Scarred Manticore's operations are incisive and subtle, Void Manticore's actions tend to be more overt and destructive, hinting at a two-pronged approach to their cyber operations: espionage followed by disruptive actions.
Description last updated: 2024-09-24T09:15:45.770Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Windows
Malware
Iran
Backdoor
Web Shell
Implant
Analyst Notes & Discussion
Associated Malware
Alias | Description | Association Type | Votes
Liontail | The malware Liontail is associated with Scarred Manticore. | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
OilRig | The OilRig Threat Actor is associated with Scarred Manticore. OilRig, also known as APT34, Earth Simnavaz, Evasive Serpens, and other names, is a well-known threat actor in the cybersecurity industry. This group has been particularly active in targeting entities in the Middle East, including critical infrastructure and telecommunications organizations. One of | Unspecified | 5
Source Document References
Information about the Scarred Manticore Threat Actor was read from the documents corpus below. This display is limited to 20 results.