Scarred Manticore Unleashes the Most Advanced Iranian Cyber Espionage Yet

Published : 23/11/2024   Category : security




The government-backed APT's new malware framework represents a step up in Iran's cyber sophistication.



An Iranian state-sponsored threat actor has been spying on high-value organizations across the Middle East for at least a year, using a stealthy, customizable malware framework.
In a report published on Oct. 31, researchers from Check Point and Sygnia characterized the campaign as notably more sophisticated than previous activity tied to Iran. Targets thus far have spanned the government, military, financial, IT, and telecommunications sectors in Israel, Iraq, Jordan, Kuwait, Oman, Saudi Arabia, and the United Arab Emirates. The exact nature of the data stolen is not publicly known.
The group responsible — tracked as Scarred Manticore by Check Point, and Shrouded Snooper by Cisco Talos — is linked with Iran's Ministry of Intelligence and Security. It overlaps with the well-known OilRig (a.k.a. APT34, Crambus, Europium, Hazel Sandstorm), and some of its tools were observed in the combined ransomware and wiper attacks against Albanian government systems in 2022. But its newest weapon — the Liontail framework, which takes advantage of undocumented functionality of the HTTP.sys driver to extract payloads from incoming traffic — is all its own.
"It's not just separate Web shells, proxies or standard malware," explains Sergey Shykevich, threat intelligence group manager at Check Point. "It's a full-scale framework, very specific to its targets."
Scarred Manticore has been attacking Internet-facing Windows servers at high-value Middle East organizations since at least 2019.
In its earlier days, it used a modified version of the open source Web shell Tunna. Forked 298 times on GitHub, Tunna is marketed as a set of tools that tunnel TCP communications over HTTP, bypassing network restrictions and firewalls along the way.
Over time, the group made enough changes to Tunna that researchers tracked it under the new name Foxshell. It also made use of other tools, like a .NET-based backdoor designed for Internet Information Services (IIS) servers, first uncovered but unattributed in February 2022.
After Foxshell came the group's latest, greatest weapon: the Liontail framework. Liontail is a set of custom shellcode loaders and shellcode payloads that are memory-resident, meaning they're fileless, written only into memory, and therefore leave little discernible trace behind on disk.
"It's highly stealthy, because there's no big malware that's easy to identify and prevent," explains Shykevich. "Instead, it's mostly PowerShell, reverse proxies, reverse shells, and very customized to targets."
Liontail's stealthiest feature, though, is how it retrieves its payloads: through direct calls to the Windows HTTP stack driver, HTTP.sys, rather than through IIS. First described by Cisco Talos in September, the malware essentially attaches itself to a Windows server, listening for, intercepting, and decoding requests that match specific URL patterns chosen by the attacker.
"In effect," says Yoav Mazor, incident response team leader with Sygnia, "it behaves like a Web shell, but none of the traditional Web shell logs are actually written."
According to Mazor, the primary tools that helped reveal Scarred Manticore were Web application firewalls and network-level tapping. And Shykevich, for his part, emphasizes the importance of XDR for snuffing out such advanced operations.
"If you have a proper endpoint protection, you can defend against it," he says. "You can look for correlations between the network level and the endpoint level — you know, anomalies in traffic with Web shells and PowerShell in the endpoint devices. That's the best way."
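The detection logic the two researchers describe can be made concrete. IIS only logs requests that HTTP.sys delivers to its own request queue; a URL prefix registered directly on HTTP.sys by another process produces traffic that a WAF or network tap sees but that never appears in the IIS W3C log, and a PowerShell child process on the host shortly afterwards makes the correlation Shykevich recommends. The script below is an added example, not code from Check Point, Sygnia, Talos or the reports they published; the tap records, IIS log lines, process events and the `/healthcheck/status` path are all constructed sample data, and it assumes the tap and the server share a clock to within a couple of seconds.

```python
"""Correlate network-observed HTTP requests with IIS logs and endpoint process events.

Added example with constructed data; not taken from any vendor report.
Idea: a request seen on the wire but absent from the IIS log was consumed by a
listener registered directly on HTTP.sys (what an HTTP.sys-level implant does),
and a process launch on the host right after it is the endpoint-side signal.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# (time, client ip, method, path, status) as a WAF / network tap would record it.
Request = Tuple[datetime, str, str, str, int]
# (time, parent image, child image, command line) from endpoint telemetry.
ProcEvent = Tuple[datetime, str, str, str]

# Constructed tap records: two legitimate OWA logons, two POSTs to a path
# no IIS application serves (hypothetical; chosen for the example).
TAP_EVENTS: List[Request] = [
    (datetime.fromisoformat("2024-11-20T10:00:01"), "203.0.113.7", "GET", "/owa/auth/logon.aspx", 200),
    (datetime.fromisoformat("2024-11-20T10:00:05"), "203.0.113.7", "POST", "/owa/auth/logon.aspx", 302),
    (datetime.fromisoformat("2024-11-20T10:01:10"), "198.51.100.9", "POST", "/healthcheck/status", 200),
    (datetime.fromisoformat("2024-11-20T10:02:30"), "198.51.100.9", "POST", "/healthcheck/status", 200),
]

# Constructed IIS W3C log: only the OWA requests were ever handed to IIS.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-11-20 10:00:01 203.0.113.7 GET /owa/auth/logon.aspx 200
2024-11-20 10:00:05 203.0.113.7 POST /owa/auth/logon.aspx 302
"""

# Constructed endpoint telemetry: a hidden PowerShell spawned one second after
# the first unlogged POST, by a service host rather than by w3wp.exe.
PROC_EVENTS: List[ProcEvent] = [
    (datetime.fromisoformat("2024-11-20T10:01:11"), "svchost.exe", "powershell.exe",
     "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <redacted>"),
]


def parse_iis_log(text: str) -> List[Request]:
    """Parse W3C-format IIS log text, taking the column order from the #Fields line."""
    fields: List[str] = []
    records: List[Request] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        ts = datetime.fromisoformat(f"{rec['date']}T{rec['time']}")
        records.append((ts, rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], int(rec["sc-status"])))
    return records


def unlogged_requests(tap: List[Request], iis: List[Request],
                      skew: timedelta = timedelta(seconds=2)) -> List[Request]:
    """Requests the tap saw that have no IIS log entry (same client, method and path)
    within `skew`. Benign non-IIS HTTP.sys users (WinRM, WSUS, etc.) also land here,
    which is why the endpoint correlation below is still needed."""
    missing = []
    for ts, ip, method, path, status in tap:
        seen = any(ip == l_ip and method == l_m and path == l_p and abs(ts - l_ts) <= skew
                   for l_ts, l_ip, l_m, l_p, _ in iis)
        if not seen:
            missing.append((ts, ip, method, path, status))
    return missing


def correlate_with_processes(missing: List[Request], procs: List[ProcEvent],
                             window: timedelta = timedelta(seconds=5)) -> List[Tuple[Request, ProcEvent]]:
    """Pair each unlogged request with process launches that follow it within `window`."""
    return [(req, p) for req in missing for p in procs if req[0] <= p[0] <= req[0] + window]


def analyze() -> Dict[str, object]:
    """Run the whole pipeline on the constructed data and return the findings."""
    iis = parse_iis_log(IIS_LOG)
    missing = unlogged_requests(TAP_EVENTS, iis)
    hits = correlate_with_processes(missing, PROC_EVENTS)
    return {"iis_records": len(iis), "unlogged": missing, "correlated": hits}


if __name__ == "__main__":
    result = analyze()
    for ts, ip, method, path, _ in result["unlogged"]:  # type: ignore[union-attr]
        print(f"on wire, not in IIS log: {ts} {ip} {method} {path}")
    for (req, (pts, parent, image, cmd)) in result["correlated"]:  # type: ignore[union-attr]
        print(f"  -> {pts} {parent} spawned {image}: {cmd}")
```

On a live server the wire-side list can be cross-checked against what is actually registered on the HTTP stack: `netsh http show servicestate` lists every request queue, the owning process IDs and the URL prefixes they registered, so any prefix owned by something other than the IIS worker process (w3wp.exe) or a known Windows service is worth an explanation.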
