An ongoing Iranian espionage campaign led by Scarred Manticore [3], a threat actor associated with the Ministry of Intelligence and Security (MOIS) [3], has targeted high-profile organizations in the Middle East [3]. The campaign has affected the government, military [3], and telecommunications sectors [1] [3], as well as IT service providers, financial organizations [3], and NGOs [3]. Scarred Manticore has a history of targeting high-value organizations and employs various backdoors to infiltrate Windows servers [3]. In their latest campaign [1] [3], they used the custom LIONTAIL framework [1], which extracts its payloads from incoming HTTP traffic by way of the HTTP.sys driver.


The Scarred Manticore espionage campaign [2], linked to the Iranian actor DEV-0861 and the OilRig APT group [2], was uncovered through a collaborative effort between Check Point Research (CPR) and Sygnia’s Incident Response Team. Scarred Manticore has a history of breaching organizations for espionage purposes and has recently adopted the LIONTAIL framework as its latest tool [2]. LIONTAIL employs custom loaders and memory-resident shellcode payloads [1] [2], and it abuses undocumented functionality of the HTTP.sys driver to blend its command traffic with legitimate web traffic on the compromised server [2]. This represents a significant leap in Scarred Manticore’s sophistication. While the group’s main goal is espionage [2], some of its tools have been associated with MOIS-sponsored destructive attacks against Albanian government infrastructure [2]. Check Point customers are protected against these attacks [2]. Scarred Manticore’s operations are likely to persist [2], with potential expansion into other regions and targets that align with Iran’s long-term interests [2]. The stealthiness of the LIONTAIL framework makes it difficult to detect [2]. The evolving landscape of state-sponsored cyber threats highlights the need for vigilant cybersecurity measures to safeguard organizations against the advancing tactics of threat actors [2].


The ongoing Iranian espionage campaign led by Scarred Manticore has had a significant impact on high-profile organizations in the Middle East. The use of the LIONTAIL framework shows how far the tradecraft of Iranian threat actors has advanced in recent years. The campaign is expected to persist and may spread to other regions [3]. The attack on Albanian government networks serves as a reminder that nation-state actors may collaborate and share access with intelligence agencies [3]. To mitigate the risks posed by such campaigns, organizations must prioritize vigilant cybersecurity measures to protect against the evolving tactics of threat actors.