{
	"id": "b50e1d75-0c55-4b05-b5df-3ff59dc2be10",
	"created_at": "2026-04-06T00:12:05.692302Z",
	"updated_at": "2026-04-10T03:36:00.856104Z",
	"deleted_at": null,
	"sha1_hash": "48307b659222df1b0d2eb0686a0c8e34794ae761",
	"title": "Check Point Research uncovers rare techniques used by Iranian-affiliated threat actor, targeting Israeli entities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58128,
	"plain_text": "Check Point Research uncovers rare techniques used by Iranian-affiliated threat actor, targeting Israeli entities\r\nBy etal\r\nPublished: 2023-04-25 · Archived: 2026-04-05 16:55:08 UTC\r\nHighlights:\r\nCheck Point Research reveals new findings related to Phosphorus APT group, an Iranian APT group\r\noperating in the Middle East and North America. CPR dubbed this activity cluster Educated Manticore.\r\nEducated Manticore has substantially enhanced its toolkit by incorporating new techniques, embracing\r\ncurrent attack trends, and employing ISO images and other archive files to initiate infection chains.\r\nThe research puts a spotlight on the lures of the attack, which used Hebrew and Arabic languages,\r\nsuggesting targets were entities in Israel.\r\nMain findings.\r\nToday, Check Point Research (CPR) reveals new findings of a group closely related to Phosphorus. This research\r\npresents a new and improved infection chain used by the attackers. By following the attack’s trail, CPR was able\r\nto establish links to Phosphorus, an Iran-based threat group operating in both North America and the Middle East.\r\nPhosphorus has previously been associated with a broad spectrum of activity, ranging from ransomware to spear-phishing of high-profile individuals.\r\nIn the attacks detailed in this report, we reveal the threat actor has significantly improved its mechanisms and\r\nadopted techniques rarely seen in the wild, such as using .NET binary files created in mixed mode with assembly\r\ncode. The newly discovered version is likely intended for phishing attacks focused around Iraq, using an ISO file\r\nto initiate the infection chain. Other documents inside the ISO file were in Hebrew and Arabic languages,\r\nsuggesting the lures were aimed at Israeli targets. 
CPR decided to track this activity cluster as Educated\r\nManticore.\r\nSince 2021, a new cluster of activity with clear ties to Iran has caught the attention of the Threat Intelligence\r\ncommunity. The aggressive nature of the new threat, in combination with their ties to ransomware deployments,\r\nled to a thorough analysis of its activities.\r\nAs the activity evolved, the ties between the different clusters became harder to untangle. While the two ends on\r\nthe spectrum of those activities differ significantly, not once has the threat intelligence community stumbled upon\r\nan activity that does not easily fit the known clusters. CPR’s previous report described one of those samples and\r\nthe overlaps between the Log4J exploitation activity to an Android app previously tied to APT35.\r\nThe variant described in this report was delivered using ISO files, indicating it is likely meant to be the initial\r\ninfection vector. Because it is an updated version of previously reported malware, this variant (PowerLess),\r\nhttps://blog.checkpoint.com/security/check-point-research-uncovers-rare-techniques-used-by-iranian-affiliated-threat-actor-targeting-israeli-entities/\r\nPage 1 of 3\n\nassociated with some of Phosphorus’ Ransomware operations, may only represent the early stages of infection,\r\nwith significant fractions of post-infection activity yet to be seen in the wild.\r\nGiven that these infections use techniques never before seen in the wild, Check Point Software can provide certain\r\ndefense tips to protect against such attacks:\r\nUp-to-Date Patches: WannaCry, one of the most famous ransomware variants in existence, is an example\r\nof a ransomware worm. At the time of the famous WannaCry attack in May 2017, a patch existed for the\r\nEternalBlue vulnerability used by WannaCry. This patch was available a month before the attack and\r\nlabeled as “critical” due to its high potential for exploitation. 
However, many organizations and individuals\r\ndid not apply the patch in time, resulting in a ransomware outbreak that infected 200,000 computers within\r\nthree days. Keeping computers up-to-date and applying security patches, especially those labeled as\r\ncritical, can help to limit an organization’s vulnerability to attacks, as such patches are usually overlooked\r\nor delayed too long to offer the required protection.\r\nCyber Awareness Training: Phishing emails are one of the most popular ways to spread malware. By\r\ntricking a user into clicking on a link or opening a malicious attachment, cybercriminals can gain access to\r\nthe employee’s computer. With the global gap in cybersecurity talent impacting organisations around the\r\nworld, frequent cybersecurity awareness training is crucial to protecting the organization against\r\ncyberattacks, leveraging their own staff as the first line of defence in ensuring a protected environment.\r\nThis training should instruct employees to do the following:\r\nNot to click on malicious links\r\nNever open unexpected or untrusted attachments\r\nAvoid revealing personal or sensitive data to phishers\r\nVerify software legitimacy before downloading it\r\nNever plug an unknown USB into their computer\r\nUse a VPN when connecting via untrusted or public Wi-Fi\r\nUtilize better threat prevention: Most attacks can be detected and resolved before it is too late. You need\r\nto have automated threat detection and prevention in place in your organization to maximize your chances\r\nof protection.\r\nScan and monitor emails. Emails are a common choice of cybercriminals executing phishing\r\nschemes, so take the time to scan and monitor emails on an ongoing basis and consider deploying an\r\nautomated email security solution to block malicious emails from ever reaching users.\r\nScan and monitor file activity. It is also a good idea to scan and monitor file activity. 
You should\r\nbe notified whenever there is a suspicious file in play—before it becomes a threat.\r\nThreat intelligence provides the information required to effectively detect zero-day attacks. Protecting\r\nagainst them requires solutions that can translate this intelligence into actions that prevent the attack from\r\nsucceeding. Check Point has developed over sixty threat prevention engines that leverage ThreatCloud AI\r\nthreat intelligence for zero-day prevention.\r\nSecurity Consolidation works: Many organizations are reliant upon a wide array of standalone and\r\ndisconnected security solutions. While these solutions may be effective at protecting against a particular\r\nthreat, they decrease the effectiveness of an organization’s security team by overwhelming them with data\r\nand forcing them to configure, monitor, and manage many different solutions. As a result, overworked\r\nsecurity personnel overlook critical alerts.\r\nA unified security platform is essential to preventing zero-day attacks. A single solution with visibility and control\r\nacross an organization’s entire IT ecosystem has the context and insight required to identify a distributed\r\ncyberattack. Additionally, the ability to perform coordinated, automated responses across an organization’s entire\r\ninfrastructure is essential to preventing fast-paced zero-day attack campaigns.\r\nFor the full deep dive on Educated Manticore, visit the CPR blog.\r\nSource: https://blog.checkpoint.com/security/check-point-research-uncovers-rare-techniques-used-by-iranian-affiliated-threat-actor-targeting-israeli-entities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.checkpoint.com/security/check-point-research-uncovers-rare-techniques-used-by-iranian-affiliated-threat-actor-targeting-israeli-entities/"
	],
	"report_names": [
		"check-point-research-uncovers-rare-techniques-used-by-iranian-affiliated-threat-actor-targeting-israeli-entities"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1efe328c-7bda-49d8-82bf-852d220110ae",
			"created_at": "2026-01-22T02:00:03.661882Z",
			"updated_at": "2026-04-10T02:00:03.917703Z",
			"deleted_at": null,
			"main_name": "Educated Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Educated Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434325,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48307b659222df1b0d2eb0686a0c8e34794ae761.pdf",
		"text": "https://archive.orkl.eu/48307b659222df1b0d2eb0686a0c8e34794ae761.txt",
		"img": "https://archive.orkl.eu/48307b659222df1b0d2eb0686a0c8e34794ae761.jpg"
	}
}