Iranian Threat Group Scarred Manticore Snoops on Entities From Albania to the Middle East
Check Point Research (CPR) and Sygnia's Incident Response team have been monitoring an ongoing Iranian espionage campaign by a threat actor called Scarred Manticore. The campaign, which targets high-profile organizations in the Middle East, has been using the LIONTAIL malware framework installed on Windows servers. LIONTAIL implants use the Windows HTTP stack driver, HTTP.sys, to load memory-resident payloads, which makes them difficult to detect. Scarred Manticore has been using a variety of IIS-based backdoors to attack Windows servers, including custom web shells and driver-based implants. The campaign, which peaked in mid-2023, is focused on the government, military, and telecommunications sectors, as well as IT service providers, financial organizations, and NGOs. While Scarred Manticore's main motivation is espionage, some of the tools used in the campaign have also been associated with the MOIS-sponsored destructive attack against Albanian government infrastructure. The report provides a technical analysis of Scarred Manticore's tools, including the LIONTAIL framework, and discusses the evolution of their activity over time.
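Because the implants described above sit behind HTTP.sys rather than as a separate listening socket, a useful first check on a Windows server is to enumerate which URL prefixes HTTP.sys is serving and which processes are attached to each request queue. The following PowerShell function is an added example, not code from the CPR/Sygnia report or from Scarred Manticore's tooling. It assumes the text layout of `netsh http show servicestate view=requestq` on current Windows Server builds (the `Request queue name:`, `Process IDs:` and `Registered URLs:` fields), and the list of expected owner processes is a placeholder to tune per environment.

```powershell
function Get-HttpSysListener {
    param(
        # Process names a defender usually expects to own HTTP.sys listeners on an
        # IIS host (w3wp = IIS worker, svchost = WinRM/WSMan, System = kernel-mode
        # registrations). This allowlist is an assumption, not from the report.
        [string[]]$ExpectedOwner = @('w3wp', 'svchost', 'System')
    )

    # Requires an elevated prompt; netsh prints one block per request queue.
    $raw    = netsh http show servicestate view=requestq
    $queues = @()
    $cur    = $null
    $mode   = ''

    foreach ($line in $raw) {
        $t = $line.Trim()

        # An unindented queue header starts a new request queue; the same field
        # also appears indented inside each URL group, so match on column 0.
        if ($line -match '^Request queue name:') {
            if ($cur) { $queues += $cur }
            $cur  = [pscustomobject]@{ Queue = $t; Pids = @(); Urls = @() }
            $mode = ''
            continue
        }
        if ($null -eq $cur) { continue }

        if ($t -eq 'Process IDs:')     { $mode = 'pids'; continue }
        if ($t -eq 'Registered URLs:') { $mode = 'urls'; continue }

        if ($mode -eq 'pids' -and $t -match '^\d+$')      { $cur.Pids += [int]$t; continue }
        if ($mode -eq 'urls' -and $t -match '^https?://') { $cur.Urls += $t;      continue }

        # Any other non-empty line terminates the list being collected.
        if ($t -ne '') { $mode = '' }
    }
    if ($cur) { $queues += $cur }

    foreach ($q in $queues) {
        # Resolve each attached PID to a process name and image path.
        $owners = foreach ($p in $q.Pids) {
            $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
            $name = '<exited>'; $path = $null
            if ($proc) { $name = $proc.ProcessName; $path = $proc.Path }
            [pscustomobject]@{ Pid = $p; Name = $name; Path = $path }
        }
        if (-not $owners) {
            # A queue with URLs but no live owner is itself worth a look.
            $owners = @([pscustomobject]@{ Pid = $null; Name = '<none>'; Path = $null })
        }
        foreach ($u in $q.Urls) {
            foreach ($o in $owners) {
                [pscustomobject]@{
                    Url        = $u
                    Pid        = $o.Pid
                    Owner      = $o.Name
                    Path       = $o.Path
                    Unexpected = ($ExpectedOwner -notcontains $o.Name)
                }
            }
        }
    }
}

# Usage: list every HTTP.sys URL prefix, then narrow to unexpected owners.
Get-HttpSysListener | Format-Table -AutoSize
Get-HttpSysListener | Where-Object Unexpected | Format-Table Url, Pid, Owner, Path -AutoSize
```

An expected owner name is not evidence of a clean host: an in-process IIS module or a memory-resident payload runs inside w3wp.exe, so the `Url` column deserves the same review as the `Owner` column. Prefixes that no site or application in the IIS configuration accounts for, or a registration that survives an IIS reset, are the findings to escalate.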