Oct. 31, 2023, 11:01 a.m. | MalBot

Malware Analysis, News and Indicators - Latest topics malware.news

Key Findings



  • Check Point Research (CPR) is monitoring an ongoing Iranian espionage campaign by Scarred Manticore, an actor affiliated with the Ministry of Intelligence and Security (MOIS). 

  • The attacks rely on LIONTAIL, an advanced passive malware framework installed on Windows servers. For stealth purposes, LIONTAIL implants utilize direct calls to the Windows HTTP stack driver HTTP.sys to load memory-resident payloads.

  • As part of mutual efforts with Sygnia's Incident Response team, multiple forensics tools and techniques were leveraged to …
