Scarred Manticore

Scarred Manticore is a threat actor known for its malicious cyber activities, which have been observed in Albania in 2022 and Israel from 2023 to 2024. The group uses sophisticated techniques including a web shell-based version of the LIONTAIL shellcode loader and .NET payloads obfuscated similarly to previous Scarred Manticore operations. Furthermore, the group utilizes a previously undocumented malware framework called LIONTAIL, as revealed in a technical report titled "From Albania to the Middle East: The Scarred Manticore is Listening." This threat actor targets high-profile organizations, with a particular focus on telecommunication, military, and government entities, along with financial institutions, IT service providers, and NGOs. The evolution of Scarred Manticore’s tools and capabilities demonstrates the progress Iranian threat actors have undergone within the past few years. Techniques used in recent campaigns are far more sophisticated than those seen in previous ones tied to Iran, although there is currently insufficient evidence to link Scarred Manticore directly with the OilRig or OilRig-affiliated clusters. Multiple observed variants of LIONTAIL-associated malware suggest that Scarred Manticore tailors an implant for each compromised server, allowing the malicious activities to blend into and be undiscernible from legitimate network traffic. In one notable incident, Scarred Manticore was discovered interacting with an infected machine at the exact moment a new web shell was dropped to disk, after residing on the targeted network for over a year. Despite the sophistication of their arsenal, some newly deployed web shells and subsequent tools were significantly less advanced than others in Scarred Manticore’s repertoire. The group's primary objectives appear to be email exfiltration and the deployment of wiper and ransomware attacks, as evidenced by their use of tools such as Foxshell and Liontail.