Iranian hackers caught spying on governments and military in Middle East

Jason Macuray
An Iranian nation-state threat actor is targeting high-profile organizations in the Middle East in an ongoing espionage campaign, according to a new report.

Tracked as Scarred Manticore, the group primarily targets government, military, and telecom sectors in Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel.

In recent years, Scarred Manticore has been quietly conducting secret operations in Middle Eastern countries, infiltrating telecommunications and government entities to systematically exfiltrate data from their systems, according to researchers at Check Point, one of the companies that investigated this campaign.

Check Point believes that Scarred Manticore is affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The location of the group’s victims aligns with Iranian interests and matches the typical victim profile that MOIS-affiliated clusters usually target in espionage operations, the researchers said.

Scarred Manticore has been active since at least 2019, and over the years its toolset has undergone significant changes.

The tools and capabilities used by the group in their ongoing campaign, which reached its peak in mid-2023 and had remained under the radar for at least a year, “demonstrate[s] the progress that Iranian actors have made over the past few years,” researchers said.

For example, in their latest attacks the group used advanced malware known as Liontail — a sophisticated backdoor that allows attackers to execute commands remotely through HTTP requests.

According to Check Point, the group is known for generating a unique implant for every compromised server, making their malicious activities indistinguishable from legitimate network traffic. These customization features allow Liontail operators to evade detection for an extended period, according to Check Point.

While Liontail appears to be unique and shows no clear code overlaps with any known malware family, other tools used by Scarred Manticore in this campaign do overlap with previously reported activities, particularly those associated with the Iranian hacker group OilRig or its affiliates.

“We do not have sufficient data to properly attribute the Scarred Manticore to OilRig, even though we do believe they’re likely related,” the researchers said.

Some of the tools used by the group have also been associated with the destructive attack against Albanian government infrastructure, allegedly sponsored by MOIS.

The researchers predict that Scarred Manticore operations will continue and could extend into other regions in line with Iranian long-term goals.

On Tuesday, FBI Director Christopher Wray called Iran “the world’s largest sponsor of terrorism” and noted that Hezbollah — Tehran’s “primary strategic partner” — has a history of spying in the U.S.

He also warned that digital attacks against the U.S. by Iran and non-state actors could worsen if the conflict between Israel and Hamas grows.


Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

