Scarred Manticore, also known as Storm-861, is a threat actor believed to be linked with Iran's Ministry of Intelligence and Security (MOIS). This group has been implicated in high-level espionage activities targeting organizations across the Middle East and beyond. The group's operations have been traced back to at least 2022, when it targeted Albania, and continued through 2023-2024 with attacks on Israel. Scarred Manticore employs sophisticated .NET payloads and web shells, such as the LIONTAIL shellcode loader, which are obfuscated in a manner consistent with their previous operations. Their main objectives appear to be email exfiltration and the deployment of PE implants.
The group's modus operandi typically involves initial access through exploitation of CVE-2019-0604, followed by a persistent presence on the victim's network lasting over a year. Notable tools include Foxshell and LIONTAIL. In one case, Scarred Manticore was observed interacting with an infected machine at the exact moment a new web shell was dropped to disk, which suggests a high level of sophistication and constant monitoring of their targets. The group's operations often precede those of another Iranian threat actor, Void Manticore, indicating a significant overlap in targets and possibly a coordinated effort between the two groups.
The evolution of Scarred Manticore’s tools and capabilities demonstrates a significant advancement in the techniques employed by Iranian threat actors. The recent campaigns associated with this group are far more sophisticated than previous ones tied to Iran, indicating a substantial progression in their cyber warfare skills. It's worth noting that while Scarred Manticore's operations are incisive and subtle, Void Manticore's actions tend to be more overt and destructive, hinting at a two-pronged approach to their cyber operations: espionage followed by disruptive actions.
Description last updated: 2024-09-24T09:15:45.770Z