{
	"id": "ecae0b1e-ea11-4b28-9bef-5c1239eb1c13",
	"created_at": "2026-04-08T02:23:41.492023Z",
	"updated_at": "2026-04-10T13:12:13.271397Z",
	"deleted_at": null,
	"sha1_hash": "8867c6ca43e6cf941f6aebee38cee5846379c4a3",
	"title": "From Albania to the Middle East: The Scarred Manticore is Listening",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 185798,
	"plain_text": "From Albania to the Middle East: The Scarred Manticore is\r\nListening\r\nBy etal\r\nPublished: 2023-10-31 · Archived: 2026-04-08 02:00:26 UTC\r\nKey Findings\r\nCheck Point Research (CPR) is monitoring an ongoing Iranian espionage campaign by Scarred\r\nManticore, an actor affiliated with the Ministry of Intelligence and Security (MOIS). \r\nThe attacks rely on LIONTAIL, an advanced passive malware framework installed on Windows servers.\r\nFor stealth purposes, LIONTIAL implants utilize direct calls to Windows HTTP stack driver HTTP.sys to\r\nload memory-residents payloads.\r\nAs part of mutual efforts with Sygnia‘s Incident Response team, multiple forensics tools and techniques\r\nwere leveraged to uncover additional stages of the intrusions and the LIONTAIL framework.\r\nThe current campaign peaked in mid-2023, going under the radar for at least a year. The campaign targets\r\nhigh-profile organizations in the Middle East with a focus on government, military, and\r\ntelecommunications sectors, in addition to IT service providers, financial organizations and NGOs.\r\nScarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based\r\nbackdoors to attack Windows servers. These include a variety of custom web shells, custom DLL\r\nbackdoors, and driver-based implants.\r\nWhile the main motivation behind Scarred Manticore’s operation is espionage, some of the tools described\r\nin this report have been associated with the MOIS-sponsored destructive attack against Albanian\r\ngovernment infrastructure (referred to as DEV-0861).\r\nIntroduction\r\nCheck Point Research, in collaboration with Sygnia’s Incident Response Team, has been tracking and responding\r\nto the activities of Scarred Manticore, an Iranian nation-state threat actor that primarily targets government and\r\ntelecommunication sectors in the Middle East. 
Scarred Manticore, linked to the prolific Iranian actor OilRig (a.k.a. APT34, EUROPIUM, Hazel Sandstorm), has persistently pursued high-profile organizations, leveraging access to systematically exfiltrate data using tailor-made tools.\r\nIn the latest campaign, the threat actor leveraged the LIONTAIL framework, a sophisticated set of custom loaders and memory-resident shellcode payloads. LIONTAIL’s implants utilize undocumented functionalities of the HTTP.sys driver to extract payloads from incoming HTTP traffic. Multiple observed variants of LIONTAIL-associated malware suggest Scarred Manticore generates a tailor-made implant for each compromised server, allowing the malicious activities to blend into and be indiscernible from legitimate network traffic.\r\nWe currently track this activity as Scarred Manticore, an Iranian threat actor that is most closely aligned with DEV-0861. Although the LIONTAIL framework itself appears to be unique and bears no clear code overlaps with any known malware family, other tools used in those attacks overlap with previously reported activities. Most notably, some of those were eventually linked back to historic OilRig or OilRig-affiliated clusters. However, we do not have sufficient data to properly attribute Scarred Manticore to OilRig, even though we do believe they’re likely related.\r\nhttps://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/\r\nPage 1 of 25\r\nThe evolution in the tools and capabilities of Scarred Manticore demonstrates the progress the Iranian actors have undergone over the last few years. The techniques utilized in recent Scarred Manticore operations are notably more sophisticated compared to previous activities CPR has tied to Iran.\r\nIn this article, we provide a technical analysis of the latest tools and the evolution of Scarred Manticore’s activity over time. 
This report details our understanding of Scarred Manticore, most notably its novel malware framework LIONTAIL, but also provides an overview of other toolsets we believe are used by the same actor, some of which were publicly exposed in the past. This includes, but is not limited to, tools used in the intrusion into the Albanian government infrastructure, web shells observed in high-profile attacks in the Middle East, and recently reported WINTAPIX driver-based implants.\r\nWhile we were finalizing this blog post, a technical analysis of part of this activity was published by fellow researchers from Cisco Talos. While it overlaps with our findings to some extent, our report provides additional extended information, in-depth insights, and a broader retrospective regarding the threat actor behind this operation.\r\nLIONTAIL Framework\r\nLIONTAIL is a malware framework that includes a set of custom shellcode loaders and memory-resident shellcode payloads. One of its components is the LIONTAIL backdoor, written in C. It is a lightweight but rather sophisticated passive backdoor installed on Windows servers that enables attackers to execute commands remotely through HTTP requests. The backdoor sets up listeners for the list of URLs provided in its configuration and executes payloads from requests sent by attackers to those URLs.\r\nThe LIONTAIL backdoor components are the main implants utilized in the latest Scarred Manticore intrusions. Utilizing access from a publicly facing server, the threat actor chains a set of passive implants to access internal resources. 
The internal instances of the LIONTAIL backdoors we’ve seen so far either listen on HTTP(s), similar to the internet-facing instances, or in some cases use named pipes to facilitate remote code execution.\r\nFigure 1 – Overview of the LIONTAIL malware framework.\r\nLIONTAIL Loaders\r\nInstallation\r\nWe observed two methods of backdoor installation on the compromised Windows servers: standalone executables, and DLLs loaded through search order hijacking by Windows services or legitimate processes.\r\nWhen installed as a DLL, the malware exploits the absence of some DLLs on Windows Server OS distributions: the backdoor is dropped to the system folder C:\\windows\\system32 as wlanapi.dll or wlbsctrl.dll. By default, neither of these exists on Windows Server installations. Depending on the Windows Server version, the malicious DLL is then loaded either directly by other processes, such as Explorer.exe, or the threat actors enable specific services, disabled by default, that require those DLLs.\r\nIn the case of wlbsctrl.dll, the DLL is loaded at the start of the IKE and AuthIP IPsec Keying Modules service. 
For wlanapi.dll, the actors enable the Extensible Authentication Protocol service:\r\nsc.exe config Eaphost start= auto\r\nsc.exe start Eaphost\r\nIn instances where LIONTAIL is deployed as an executable, a noteworthy characteristic observed in some is the attempt to disguise the executable as Cyvera Console, a component of Cortex XDR.\r\nConfiguration\r\nThe malware starts by performing a one-byte XOR decryption of a structure containing the malware configuration, which is represented with the following structure:\r\nQWORD var_0\r\nQWORD var_8\r\nQWORD magic_number\r\nDWORD num_of_end_string\r\nDWORD num_of_listen_urls\r\nSTRING end_string\r\nSTRING[] listen_urls\r\nThe field listen_urls defines particular URL prefixes to which the malware listens for incoming requests. All of the samples’ URL lists include the http://+:80/Temporary_Listen_Addresses/ URL prefix, a default WCF URL reservation that allows any user to receive messages from this URL. Other samples include multiple URLs on ports 80, 443, and 444 (on Exchange servers) mimicking existing services, such as:\r\nhttps://+:443/autodiscover/autodiscovers/\r\nhttps://+:443/ews/exchanges/\r\nhttps://+:444/ews/ews/\r\nMany LIONTAIL samples contain tailor-made configurations, which add multiple other custom URLs that match existing web folders on the compromised server. 
As the URLs for the existing folders are already taken by the actual IIS service, the generated payloads contain additional random dictionary words in the path. These ensure the malware communication blends into legitimate traffic, helping to make it more inconspicuous.\r\nThe host element of all prefixes in the configuration consists of a single plus sign (+), a “strong wildcard” that matches all possible host names. A strong wildcard is useful when an application needs to serve requests addressed to one or more relative URLs, regardless of how those requests arrive on the machine or what site (host or IP address) they specify in their Host headers.\r\nTo understand how the malware configures listeners on those prefixes and how the approach changes with time, we pause for a short introduction to the Windows HTTP stack.\r\nWindows HTTP Stack components\r\nA port-sharing mechanism, which allows multiple HTTP services to share the same TCP port and IP address, was introduced in Windows Server 2003. This mechanism is encapsulated within HTTP.sys, a kernel-mode driver that assumes the responsibility of processing HTTP requests, listens to incoming HTTP requests, and directs them to the relevant user-mode processes or services for further handling.\r\nOn top of the driver layer, Windows provides the HTTP Server API, a user-mode component that provides the interface for interacting with HTTP.sys. In addition, Internet Information Services (IIS) under the hood relies on the HTTP API to interact with the HTTP.sys driver. 
In a similar fashion, the HttpListener class within the .NET framework is a simple wrapper around the HTTP Server API.\r\nFigure 2 – Schema of HTTP stack components on Windows Servers (source).\r\nThe process of receiving and processing requests for specific URL prefixes by an application (or, in our case, malware) can be outlined as follows:\r\n1. The malware registers one or more URL prefixes with HTTP.sys by any of the means provided by the Windows operating system.\r\n2. When an HTTP request is received, HTTP.sys identifies the application associated with the request’s prefix and forwards the request to the malware if it’s responsible for that prefix.\r\n3. The malware’s request handler then receives the request intercepted by HTTP.sys and generates a response for it.\r\nC\u0026C Communication\r\nAfter extracting the configuration, the malware uses the same one-byte XOR to decrypt a shellcode responsible for establishing the C\u0026C communication channel by listening to the provided URL prefixes list. While the concept of passive backdoors on web-facing Windows servers is not new and was observed in the wild hijacking the same Windows DLL wlbsctrl.dll as early as 2019 (by the Chinese-linked Operation ShadowHammer), the LIONTAIL developers elevated their approach. Instead of using the HTTP API, the malware uses IOCTLs to interact directly with the underlying HTTP.sys driver. 
This approach is stealthier as it doesn’t involve IIS or the HTTP API, which are usually closely monitored by security solutions, but it is not a straightforward task given that the IOCTLs for HTTP.sys are undocumented and require additional research efforts by the threat actors.\r\nFirst, the shellcode registers the URL prefixes with HTTP.sys using the following IOCTLs:\r\n0x128000 – UlCreateServerSessionIoctl – Creates an HTTP/2.0 session.\r\n0x128010 – UlCreateUrlGroupIoctl – Creates a new UrlGroup. UrlGroups are configuration containers for a set of URLs created under the server session and inherit its configuration settings.\r\n0x12801d – UlSetUrlGroupIoctl – Associates the UrlGroup with the request queue by setting HttpServerBindingProperty.\r\n0x128020 – UlAddUrlToUrlGroupIoctl – Adds the array of listen_urls to the newly created UrlGroup.\r\nFigure 3 – HTTP.sys IOCTL table.\r\nAfter registering the URL prefixes, the backdoor initiates a loop responsible for handling the incoming requests. The loop continues until it gets a request from a URL equal to the end_string provided in the backdoor’s configuration.\r\nThe backdoor receives requests from HTTP.sys using the 0x124036 – UlReceiveHttpRequestIoctl IOCTL. Depending on the version of the compromised server, the body of the request is received using 0x12403B – UlReceiveEntityBodyIoctl or (if the OS build number is higher than 20348) 0x12403A – UlReceiveEntityBodyFastIo. It is then base64-decoded and decrypted by XORing the whole data with the first byte of the data. 
This is a common method of encryption observed in multiple malware families, including but not limited to DEV-0861’s web-deployed reverse proxy.\r\nFigure 4 – C\u0026C decryption scheme from the LIONTAIL payload.\r\nThe decrypted payload has the following structure:\r\nQWORD shellcode_size\r\n_BYTE[] shellcode\r\nQWORD shellcode_output (should be 0 in the incoming msg)\r\nQWORD shellcode_output_size (should be 0 in the incoming msg)\r\nQWORD MAGIC_NUM (has to be 0x18)\r\n_BYTE[] argument\r\nThe malware creates a new thread and runs the shellcode in memory. 
For some reason, it uses shellcode_output and shellcode_output_size in the request message as pointers to the respective data in memory.\r\nTo encrypt the response, the malware chooses a random byte, XOR-encodes the data using it as a key, prepends the key to the result, and then base64-encodes the entire result before sending it back to the C\u0026C server using the IOCTL 0x12403F – UlSendHttpResponseIoctl.\r\nLIONTAIL web shell\r\nIn addition to the PE implant, Scarred Manticore uses a web shell-based version of the LIONTAIL shellcode loader. The web shell is obfuscated in a similar manner to other Scarred Manticore .NET payloads and web shells.\r\nFigure 5 – The main function of the LIONTAIL web shell (formatted, with obfuscations preserved).\r\nThe web shell gets requests with two parameters:\r\nThe shellcode to execute.\r\nThe argument for the shellcode to use.\r\nBoth parameters are encrypted the same way as other communication: XOR with the first byte followed by base64 encoding.\r\nThe structure of shellcodes and of arguments sent to the web shell-based shellcode loader is identical to those used in the LIONTAIL backdoor, which suggests that the artifacts observed are part of a bigger framework that allows the dynamic building of loaders and payloads depending on the actor’s access and needs.\r\nLIONTAIL version using named pipes\r\nDuring our research, we also found loaders that have a similar internal structure to the LIONTAIL samples. Instead of listening on URL prefixes, this version gets its payloads from a named pipe and is likely intended to be installed on internal servers with no access to the public web. 
The configuration of the malware is a bit different:\r\nQWORD var_0\r\nQWORD var_8\r\nQWORD var_10\r\nDWORD var_18\r\nDWORD dwOpenMode\r\nDWORD dwPipeMode\r\nDWORD nMaxInstances\r\nDWORD nOutBufferSize\r\nDWORD nInBufferSize\r\nDWORD nDefaultTimeOut\r\nSTRING pipe_name\r\nThe main shellcode starts with converting the string security descriptor \"D:(A;;FA;;;WD)\" into a valid, functional security descriptor. As the string starts with “D”, it indicates a DACL (discretionary access control list) entry, which typically has the following format: entry_type:inheritance_flags(ACE_type; ACE_flags; rights; object_GUID; inherit_object_GUID; account_SID). In this case, the security descriptor allows (A) File All Access (FA) to everyone (WD).\r\nThe security descriptor is then used to create a named pipe based on the values provided in the configuration. In the samples we observed, the name of the pipe used is \\\\.\\pipe\\test-pipe.\r\nIt’s noteworthy that, unlike the HTTP version, the malware doesn’t employ any more advanced techniques for connecting to the named pipe, reading from it, and writing to it. 
Instead, it relies on standard kernel32.dll APIs such as CreateNamedPipe, ReadFile, and WriteFile.\r\nThe communication of the named pipe-based LIONTAIL is identical to the HTTP version, with the same encryption mechanism and the same structure of the payload, which runs as a shellcode in memory.\r\nLIONTAIL in-memory components\r\nTypes of payloads\r\nAfter the LIONTAIL loader decrypts the payload and its argument received from the attackers’ C\u0026C server, it starts with parsing the argument. It is a structure that describes a type of payload for the shellcode to execute, and it is built differently depending on the type of payload:\r\nTYPE = 1 – Execute another shellcode:\r\nDWORD type // 1\r\nQWORD shellcode_size\r\n_BYTE[] Shellcode\r\nTYPE = 2 – Execute the specified API function:\r\nDWORD type // 2\r\nCHAR[] library_name\r\nCHAR[] api_name\r\nThe argument for the API execution has the following structure:\r\nDWORD need_to_be_freed_flag\r\nQWORD argument_size\r\n_BYTE[] argument\r\nNext stages\r\nTo make things more complicated, Scarred 
Manticore wraps the final payload in nested shellcodes. For example, one of the shellcodes received from the attackers runs another almost identical shellcode, which in turn runs a final shellcode responsible for machine fingerprinting.\r\nThe data gathered by this payload is collected by running specific Windows APIs or enumerating the registry keys, and includes these components:\r\nComputer Name (using the GetComputerNameW API) and Domain Name (using the GetEnvironmentVariableA API)\r\nFlag if the system is 64-bit (using the GetNativeSystemInfo API; the check is done with wProcessorArchitecture == 9)\r\nNumber of processors (dwNumberOfProcessors using the GetNativeSystemInfo API)\r\nPhysical RAM (GetPhysicallyInstalledSystemMemory)\r\nData from the CurrentVersion registry key (Type, Name length, Name, Data length, Data)\r\nData from the SecureBoot\\State registry key (the same data)\r\nData from the System\\Bios registry key (the same data)\r\nThe final structure, which contains all the gathered information, also has a place for error codes for the threat actor to use to figure out why some of the APIs they use don’t work as expected:\r\nDWORD last_error (GetComputerNameW)\r\nDWORD last_error (GetPhysicallyInstalledSystemMemory)\r\nDWORD last_error (GetEnvironmentVariableA)\r\nDWORD last_error (NtOpenKey CurrentVersion)\r\nDWORD last_error (NtQueryKey CurrentVersion)\r\nDWORD num_of_values (CurrentVersion)\r\nDWORD last_error (NtOpenKey SecureBoot\\State)\r\nDWORD last_error (NtQueryKey SecureBoot\\State)\r\nDWORD num_of_values (SecureBoot\\State)\r\nDWORD last_error (NtOpenKey System\\Bios)\r\nDWORD last_error (NtQueryKey System\\Bios)\r\nDWORD num_of_values (System\\Bios)\r\nQWORD num_of_processors\r\nQWORD total_RAM\r\nQWORD tick_count\r\nQWORD is_64_bit\r\n_CHAR[0X10] computer_name\r\n_CHAR[0X10] domain_name\r\n_BYTE[] CurrentVersion_data\r\n_BYTE[] SecureBootState_data\r\n_BYTE[] SystemBios_data\r\nAdditional Tools\r\nIn addition to using LIONTAIL, Scarred Manticore was observed leveraging other custom components.\r\nLIONHEAD web forwarder\r\nOn some of the 
compromised Exchange servers, the actors deployed LIONHEAD, a tiny web forwarder. LIONHEAD is also installed as a service using the same phantom DLL hijacking technique as LIONTAIL and utilizes similar mechanisms to forward the traffic directly to Exchange Web Services (EWS) endpoints.\r\nLIONHEAD’s configuration is different from LIONTAIL:\r\nDWORD timeout 0x493E0\r\nDWORD forward_port 444\r\nSTRING end_string '\u003credacted\u003e'\r\nSTRING forward_server 'localhost'\r\nSTRING forward_path '/ews/exchange.asmx'\r\nSTRING[] listen_urls 'https://+:443/\u003credacted\u003e/'\r\nThe backdoor registers the listen_urls prefixes in the same way as LIONTAIL and listens for requests. For each request, the backdoor copies the content type, cookie, and body and forwards it to the \u003cforward_server\u003e/\u003cforward_path\u003e:\u003cforward_port\u003e specified in the configuration. 
Next, the backdoor gets a response from forward_server and sends it back to the URL that received the original request.\r\nThis forwarder might be used to bypass the restrictions on external connections to EWS, hide the fact that the real consumer of EWS data is external, and consequently conceal data exfiltration.\r\nWeb shells\r\nScarred Manticore deploys multiple web shells, including those previously attributed indirectly to OilRig. Some of these web shells stand out due to their obfuscations, naming conventions and artifacts. The web shells retain class and method obfuscation and a similar string encryption algorithm (XOR with one byte, where the key is derived from the first byte or from the first two bytes) to many other web shells and .NET-based tools used by Scarred Manticore in their attacks over the past few years.\r\nOne of those shells is a heavily obfuscated and slightly modified version of an open-source XML/XSL transform web shell, Xsl Exec Shell. This web shell also contains two obfuscated functions that return the string “~/1.aspx”. These functions are never called and likely are remnants from other versions, as we observed them in tools used previously by Scarred Manticore, such as FOXSHELL, which is discussed later:\r\nFigure 6 – Unused strings remaining from the FOXSHELL web shell versions.\r\nTargeting\r\nBased on our visibility into the latest wave of attacks that utilize LIONTAIL, the observed victims are located across the Middle East region, including Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel. The majority of the impacted entities belong to the government, telecommunications, military, and financial sectors, as well as IT services providers. 
However, we also observed the infection on Exchange servers belonging to a regional affiliate of a global non-profit humanitarian network.\r\nThe geographic region and the targeted profile are aligned with Iranian interests and in line with the typical victim profile that MOIS-affiliated clusters usually target in espionage operations.\r\nFigure 7 – Targeted countries.\r\nPreviously, DEV-0861, a cluster we believe aligns with Scarred Manticore, was publicly exposed for the initial access to and data exfiltration from the Albanian government networks, as well as email exfiltration from multiple organizations in Middle Eastern countries such as Kuwait, Saudi Arabia, Turkey, UAE, and Jordan.\r\nAttribution and Historical Activity\r\nSince at least 2019, Scarred Manticore has deployed unique tools on compromised Internet-facing Windows servers in the Middle East region. During these years, their toolset went through significant development. It began as open-source-based web-deployed proxies and over time evolved to become a diverse and powerful toolset that utilizes both custom-written and open-source components.\r\nFigure 8 – Overview of code and capabilities evolution of multiple malware versions used by Scarred Manticore.\r\nTunna-based web shell\r\nOne of the earliest samples related to the threat actor’s activity is based on a web shell from Tunna, an open-source tool designed to tunnel any TCP communication over HTTP. The Tunna web shell allows connecting from the outside to any service on the remote host, including those that are blocked on the firewall, as all the external communication to the web shell is done via HTTP. 
The IP and the port of the remote host are sent to the web shell in the configuration stage, and in many cases, Tunna is mostly used to proxy RDP connections.\r\nThe web shell used by the threat actor has the internal version Tunna v1.1g (only version 1.1a is available on GitHub). The most significant change from the open-source version is the encryption of requests and responses by XORing the data with the pre-defined string szEncryptionKey and appending the constant string K_SUFFIX at the end:\r\nFigure 9 – Encryption function in “Tunna 1.1g” proxy used by the threat actors.\r\nFigure 10 – Decryption and encryption of data by Tunna proxy.\r\nFOXSHELL: XORO version\r\nOver time, the code was refactored and lost its resemblance to Tunna. We track this and all further versions as FOXSHELL.\r\nThe biggest changes resulted from organizing multiple entities into classes using an object-oriented approach. The following class structure persists in most of the FOXSHELL versions:\r\nFigure 11 – Classes within FOXSHELL.\r\nAll the functionality responsible for encrypting the traffic moved to a separate EncryptionModule class. 
This class loads a .NET DLL embedded in a base64-encoded string inside the body of FOXSHELL and invokes its encrypt and decrypt methods:\r\nFigure 12 – Base64-encoded EncryptionDll inside the web shell.\r\nFigure 13 – EncryptionModule class responsible for the encrypt and decrypt method invocation.\r\nThe embedded encryption module’s name is XORO.dll, and its class Encryption.XORO implements decrypt and encrypt methods the same way as the Tunna-based web shell, using the same hardcoded values:\r\nFigure 14 – Encryption constants and decryption function inside XORO.dll.\r\nAll requests to the web shell are also encapsulated within a class called Package, which handles different PackageTypes: Data, Config, OK, Dispose, or Error. 
The PackageType is defined by the first byte of the package. Depending on the type, the web shell applies the configuration (opens a new socket to the remote machine specified in the configuration and applies a new EncryptionDll if one is provided), disposes of the existing socket, or, if the package is of type Data, proxies the data over the open connection:\r\nFigure 15 – Package handling in FOXSHELL.\r\nFOXSHELL: Bsae64 version (not a typo)\r\nThis version of the web shell is still unobfuscated, and its internal version is specified in the code:\r\nconst string Version = \"1.5\";\r\nThe web shell also contains a default EncryptionDll embedded inside. The module is named Base64.dll, and its encryption class, misspelled as Bsae64, exposes the encrypt and decrypt methods. However, both are simply base64 encoding and decoding:\r\nFigure 16 – Encrypt and decrypt methods in Base64.dll.\r\nAlthough this simple encoding could be done in the code of the web shell itself, the existence of other embedded DLLs, such as XORO.dll (described previously), and the ability to supply yet another EncryptionDll at the configuration stage imply that the attackers prefer to control which type of encryption is used by default in a given environment.\r\nOther changes in this version are the renaming of the PackageType Config to RDPconfig and of ConfigPackage to RDPConfigPackage, indicating that the actors are focused on proxying RDP connections. 
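The XOR-plus-suffix transport shared by Tunna 1.1g and XORO.dll, together with the Package dispatch described above (Config opens the socket, Data is proxied, Dispose closes it, and a non-empty WV-RESET parameter closes it and answers OK), as an added Python model written for this page; it is not code from the report or from the web shell itself. The key, the suffix, the numeric PackageType values, and the host:port layout of the configuration package are placeholders, since the report does not publish them, and the remote RDP socket is simulated with an in-memory list so the example runs offline.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Tuple

# Placeholder constants (assumed): the report names szEncryptionKey and
# K_SUFFIX but does not publish their values.
SZ_ENCRYPTION_KEY = b'szEncryptionKey-placeholder'
K_SUFFIX = b'K_SUFFIX-placeholder'


def xor_with_key(data: bytes, key: bytes = SZ_ENCRYPTION_KEY) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xoro_encrypt(plain: bytes) -> bytes:
    """Tunna 1.1g / XORO.dll scheme: XOR the data, then append the constant suffix."""
    return xor_with_key(plain) + K_SUFFIX


def xoro_decrypt(blob: bytes) -> bytes:
    """Reverse of xoro_encrypt: check and strip the suffix, then XOR."""
    if not blob.endswith(K_SUFFIX):
        raise ValueError('missing K_SUFFIX trailer')
    return xor_with_key(blob[:-len(K_SUFFIX)])


class PackageType(IntEnum):
    """First byte of every Package. Names are from the report; values are assumed."""
    DATA = 0
    CONFIG = 1
    OK = 2
    DISPOSE = 3
    ERROR = 4


@dataclass
class ProxyState:
    """Per-instance state of the web shell: the configured remote endpoint and
    whether its socket is open. Real traffic is replaced by an in-memory list."""
    target: Optional[Tuple[str, int]] = None
    socket_open: bool = False
    forwarded: List[bytes] = field(default_factory=list)


def build_package(ptype: PackageType, payload: bytes = b'') -> bytes:
    return bytes([ptype]) + payload


def handle_request(state: ProxyState, params: Dict[str, str], body: bytes) -> bytes:
    """Web shell side of one round trip; returns the encrypted response package.
    `params` models the request's query/form parameters."""
    # A non-empty WV-RESET parameter shuts the proxy socket and answers OK
    # before the body is even looked at.
    if params.get('WV-RESET'):
        state.socket_open, state.target = False, None
        return xoro_encrypt(build_package(PackageType.OK))
    try:
        package = xoro_decrypt(body)
        ptype = PackageType(package[0])
    except (ValueError, IndexError):
        return xoro_encrypt(build_package(PackageType.ERROR, b'bad package'))
    payload = package[1:]
    if ptype is PackageType.CONFIG:
        # Assumed layout: ASCII host:port. The real RDPConfigPackage (and the
        # optional replacement EncryptionDll it can carry) is not shown in the report.
        host, sep, port = payload.decode('ascii', 'replace').rpartition(':')
        if not sep or not port.isdigit():
            return xoro_encrypt(build_package(PackageType.ERROR, b'bad config'))
        state.target, state.socket_open = (host, int(port)), True
        return xoro_encrypt(build_package(PackageType.OK))
    if ptype is PackageType.DISPOSE:
        state.socket_open = False
        return xoro_encrypt(build_package(PackageType.OK))
    if ptype is PackageType.DATA:
        if not state.socket_open:
            return xoro_encrypt(build_package(PackageType.ERROR, b'no socket'))
        state.forwarded.append(payload)  # stands in for socket.send()
        return xoro_encrypt(build_package(PackageType.DATA, payload))  # simulated echo
    return xoro_encrypt(build_package(PackageType.ERROR, b'unsupported'))


def client_send(state: ProxyState, ptype: PackageType, payload: bytes = b'',
                params: Optional[Dict[str, str]] = None) -> Tuple[PackageType, bytes]:
    """Operator side: wrap a package, post it, unwrap the answer."""
    body = xoro_encrypt(build_package(ptype, payload))
    reply = xoro_decrypt(handle_request(state, params or {}, body))
    return PackageType(reply[0]), reply[1:]


def demo_session() -> ProxyState:
    """Configure the proxy, push two RDP-like chunks through it, then reset it."""
    state = ProxyState()
    client_send(state, PackageType.CONFIG, b'10.0.0.5:3389')
    client_send(state, PackageType.DATA, b'x224 connection request')
    client_send(state, PackageType.DATA, b'tpkt data')
    client_send(state, PackageType.OK, params={'WV-RESET': '1'})
    return state
```

The point to note for detection is that the suffix is a fixed trailer on every request and response body, so with the real constant in hand a byte-pattern rule on HTTP bodies is enough to find this transport without decrypting anything.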
The code of these classes is otherwise unchanged:\r\nFigure 17 – RDP Configuration class.\r\nFinally, another condition in the code handles the case of the web shell receiving a non-empty parameter WV-RESET, which calls a function to shut down the proxy socket and sends an OK response back to the attackers:\r\nFigure 18 – “Close proxy” WV-RESET parameter.\r\nWeb shell within a web shell: compiled FOXSHELL\r\nThe versions described above targeted entities in Middle Eastern countries, such as Saudi Arabia, Qatar, and the United Arab Emirates. This version, in addition to being leveraged against Middle Eastern governmental entities, was part of the attack against the Albanian government in May 2021. Through the exploitation of an Internet-facing Microsoft SharePoint server, the actors deployed ClientBin.aspx on the compromised server to proxy external connections and thus facilitate lateral movement throughout the victim’s environment.\r\nThe details of the samples vary, but in all of them FOXSHELL is compiled as a DLL and embedded inside the base web shell in base64. The compiled DLL is loaded with System.Reflection.Assembly.Load, and then its ProcessRequest method is invoked. 
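A triage routine for the wrapper just described, as an added example that is not part of the report: given the source of a suspect .aspx file, it finds long base64 runs, decodes them, keeps those that begin with an MZ header, and checks the decoded bytes for the markers this section names (an App_Web_ name, the ~/1.aspx path, and ProcessRequest), while also recording whether the page calls Assembly.Load. The sample page and the blob inside it are constructed for the example; the blob is an MZ header followed by marker strings, not a real assembly.

```python
import base64
import re
from typing import Dict, List

# Long runs of the base64 alphabet only; ordinary identifiers never match.
B64_RUN = re.compile(r'[A-Za-z0-9+/]{64,}={0,2}')
# Strings this report associates with the compiled FOXSHELL wrapper.
MARKERS = ('App_Web_', '~/1.aspx', 'ProcessRequest')


def _constructed_blob() -> bytes:
    """Stand-in for the embedded DLL: an MZ header plus marker strings. .NET
    user strings live in the #US metadata heap as UTF-16, so one marker is
    UTF-16 to show why both encodings are searched."""
    blob = b'MZ' + bytes(62)
    blob += 'App_Web_k3j9x2.dll'.encode('utf-8') + bytes(8)
    blob += '~/1.aspx'.encode('utf-16-le') + bytes(8)
    blob += b'ProcessRequest' + bytes(8)
    return blob


# Constructed outer web shell in the style the report describes.
SAMPLE_ASPX = '''<%@ Page Language=\"C#\" %>
<script runat=\"server\">
void Page_Load(object sender, EventArgs e) {
    string b = \"__BLOB__\";
    var asm = System.Reflection.Assembly.Load(Convert.FromBase64String(b));
    asm.GetType(\"Handler\").GetMethod(\"ProcessRequest\").Invoke(null, new object[] { Context });
}
</script>'''.replace('__BLOB__', base64.b64encode(_constructed_blob()).decode('ascii'))


def find_embedded_assemblies(aspx_source: str) -> List[Dict]:
    """Return one record per base64 run that decodes to a PE image (MZ)."""
    reflective_load = 'Assembly.Load' in aspx_source
    findings = []
    for m in B64_RUN.finditer(aspx_source):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error: bad length or padding
            continue
        if not raw.startswith(b'MZ'):
            continue
        hits = [mk for mk in MARKERS
                if mk.encode('utf-8') in raw or mk.encode('utf-16-le') in raw]
        findings.append({
            'offset': m.start(),
            'size': len(raw),
            'markers': hits,
            'reflective_load': reflective_load,
        })
    return findings


def verdict(aspx_source: str) -> str:
    """'foxshell-like' when a PE blob carrying at least one marker sits beside
    an Assembly.Load call; 'embedded-pe' for a PE blob without markers;
    otherwise 'clean'."""
    found = find_embedded_assemblies(aspx_source)
    if any(f['markers'] and f['reflective_load'] for f in found):
        return 'foxshell-like'
    return 'embedded-pe' if found else 'clean'
```

Run it over every .aspx and .ashx under the web root and the ASP.NET Temporary Files directory; a page that embeds a PE image and loads it reflectively has no legitimate reason to exist, so the 'embedded-pe' verdict is worth a look even when none of the markers from this report are present.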
The DLL is written in .NET and has the name pattern App_Web_\u003crandom\u003e.dll, which indicates an ASP.NET dynamically compiled DLL.\r\nFigure 19 – A web shell loading App_Web_*.dll.\r\nThe App_Web* DLL is affected by the class and method obfuscation, and all the strings are encrypted with a combination of Base64, XOR with the first byte, and AES:\r\nFigure 20 – The inchpublic function, responsible for string encryption, showcases obfuscations of methods and classes.\r\nWhen the web shell is compiled into a DLL, it contains an initialization stub which ensures that the web shell listens on the correct URI. In this case, the initialization happens in the following piece of code:\r\nFigure 21 – Initialization stub in the web shell App_Web_*.dll.\r\nOr, after deobfuscation:\r\npublic concertthis_medal() {\r\n    base.AppRelativeVirtualPath = \"~/1.aspx\";\r\n    if (!concertthis_medal.__initialized) {\r\n        concertthis_medal.__fileDependencies = base.GetWrappedFileDependencies(new string[] { \"~/1.aspx\" });\r\n        concertthis_medal.__initialized = true;\r\n    }\r\n}\r\nThis initialization sets FOXSHELL to listen for requests on the relative path ~/1.aspx, which we observed as an unused artifact in other web shells related to attacks involving LIONTAIL.\r\nInternally, the DLL has the same “1.5” version of FOXSHELL, which includes the WV-RESET parameter to stop the proxy and the same default Bsae64 Encryption DLL as in previous versions.\r\nStandalone backdoor based on IIS ServerManager and HttpListener\r\nSince mid-2020, in addition to FOXSHELL as a means to proxy traffic, we have also observed a rather sophisticated standalone passive backdoor, written in .NET and meant to be deployed on IIS servers. It is obfuscated with techniques similar to those used in FOXSHELL and masquerades as System.Drawing.Design.dll. The SDD backdoor was previously analyzed by a Saudi researcher but was never attributed to a specific threat actor or campaign.\r\nC\u0026C Communication\r\nThe SDD backdoor sets up C\u0026C communication through an HTTP listener on the infected machine. 
It is achieved using two classes:\r\nServerManager – A class in the Microsoft.Web.Administration namespace used for managing and configuring Internet Information Services (IIS) on a Windows server: reading its configuration and creating, modifying, or deleting IIS sites, applications, and application pools.\r\nHttpListener – A class in the .NET Framework (System.Net) used for creating custom HTTP servers, independent of IIS and built on the Windows HTTP Server API (HTTP.sys).\r\nServerManager is used to enumerate the sites hosted by the IIS server and build a HashSet of URL prefixes to listen on:\r\nFigure 22 – Obfuscated code of the angleoppose_river function that builds a HashSet of URL prefixes based on the sites and bindings configured on the IIS server (the Illdefy array provides the relative URLs).\r\nIn this specific case, the only relative URI configured in the malware sample is Temporary_Listen_Addresses.\r\nThe malware then uses the HttpListener class to start listening on the specified URL prefixes:\r\nFigure 23 – The HttpListener start code.\r\nC\u0026C command execution\r\nThe backdoor has several capabilities: execute commands using cmd.exe, upload and download files, execute processes with specified arguments, and run additional .NET assemblies.\r\nFigure 24 – Request handler of the SDD backdoor.\r\nFirst, if the POST request body contains data, the malware parses it and handles the message as one of the four commands it supports. Otherwise, if the request contains a parameter Vet, the malware simply decodes its value from base64 and executes it with cmd /c. 
If neither is the case, the malware handles the heartbeat mechanism: if the request URL contains the string wOxhuoSBgpGcnLQZxipa (the comparison is done in lowercase), the malware sends back UsEPTIkCRUwarKZfRnyjcG13DFA with a 200 OK response.\r\nThe data of the POST request is encrypted using Base64 and simple XOR-based encryption:\r\nFigure 25 – Command decryption algorithm.\r\nAfter decrypting the message data, the malware parses it in the following order:\r\nDWORD command_type\r\nDWORD command_name_length\r\nSTRING command_name\r\nSTRING data\r\nFigure 26 – Switch that handles possible SDD backdoor command types.\r\nThe possible commands, as named by the threat actors, include:\r\n“Command” – Executes a process with a specified argument. 
In this case, the data is parsed to extract the process name and its argument.\r\n“Upload” – Uploads a file to the specified path on the infected system.\r\n“Download” – Sends a specified file to the threat actors.\r\n“Rundll” – Loads an assembly and runs it with the specified parameter (if one exists).\r\nThe response data is built the same way as the request (it returns the command type, the command name, and the output) and is then encrypted with the same XOR-based algorithm as the request.\r\nWINTAPIX driver\r\nRecently, Fortinet revealed a wave of attacks against Middle Eastern targets (mostly Saudi Arabia, but also Jordan, Qatar, and the United Arab Emirates) that involve kernel mode drivers that the researchers named WINTAPIX. Although the exact infection chain used to install the drivers is unknown, they target only IIS servers, as they use the IIS ServerManager object. The high-level execution flow is the following:\r\n1. The WINTAPIX driver is loaded in the kernel.\r\n2. The WINTAPIX driver enumerates user-mode processes to find a suitable process with local system privileges.\r\n3. The WINTAPIX driver injects an embedded shellcode into the process found in the previous step. The shellcode is generated using the open-source Donut project, which creates position-independent shellcode capable of loading and executing .NET assemblies from memory.\r\n4. The injected shellcode loads and executes an encrypted .NET payload.\r\nThe final payload is obfuscated with a commercial obfuscator in addition to the already familiar class, method, and string obfuscations, and it combines the functionality of the SDD backdoor and the FOXSHELL proxy. To achieve both, it listens on two sets of URL prefixes, using ServerManager and HttpListener similarly to the SDD backdoor.\r\nThe FOXSHELL version used within the driver payload is set to 1.7. The main enhancement introduced in this version is the Event Log bypass, using the known technique of suspending the EventLog service threads. 
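Because the driver payload reuses the SDD backdoor's command handling with the same key, the request paths and message layout from the previous section can be modelled once for both. The following Python is an added example written for this page, not code from the report or from the malware: the XOR key, the little-endian DWORDs, UTF-8 strings, the numeric value used for command_type, and the order of Base64 and XOR are all assumptions, since the report gives only the field order and the names of the four commands.

```python
import base64
import struct
from typing import Dict, Tuple

# Assumed placeholder: the key shared by the SDD backdoor and the WINTAPIX
# payload is not published in the report.
XOR_KEY = b'sdd-xor-key-placeholder'
HEARTBEAT_PROBE = 'wOxhuoSBgpGcnLQZxipa'        # looked for in the request URL
HEARTBEAT_REPLY = 'UsEPTIkCRUwarKZfRnyjcG13DFA'  # returned with 200 OK
COMMAND_NAMES = ('Command', 'Upload', 'Download', 'Rundll')


def xor_key(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(data))


def encode_message(command_type: int, command_name: str, data: bytes) -> str:
    """DWORD command_type | DWORD command_name_length | STRING command_name |
    STRING data, then XOR, then Base64 (order assumed). The data field is
    whatever remains after the name."""
    name = command_name.encode('utf-8')
    raw = struct.pack('<II', command_type, len(name)) + name + data
    return base64.b64encode(xor_key(raw)).decode('ascii')


def decode_message(body: str) -> Tuple[int, str, bytes]:
    """Inverse of encode_message, with the bounds checks a parser needs."""
    raw = xor_key(base64.b64decode(body))
    if len(raw) < 8:
        raise ValueError('message shorter than its two DWORD headers')
    command_type, name_len = struct.unpack_from('<II', raw, 0)
    if 8 + name_len > len(raw):
        raise ValueError('command_name_length exceeds message size')
    name = raw[8:8 + name_len].decode('utf-8')
    return command_type, name, raw[8 + name_len:]


def classify_request(method: str, url: str, params: Dict[str, str], body: str) -> Dict:
    """Mirror of the handler's decision order: POST body first, then the Vet
    parameter, then the heartbeat probe; anything else is ignored."""
    if method == 'POST' and body:
        ctype, name, data = decode_message(body)
        return {'path': 'message', 'type': ctype, 'name': name,
                'data': data, 'known': name in COMMAND_NAMES}
    if params.get('Vet'):
        cmdline = base64.b64decode(params['Vet']).decode('utf-8')
        return {'path': 'vet', 'cmdline': 'cmd /c ' + cmdline}
    if HEARTBEAT_PROBE.lower() in url.lower():  # compared in lowercase
        return {'path': 'heartbeat', 'status': 200, 'reply': HEARTBEAT_REPLY}
    return {'path': 'none'}


def build_response(command_type: int, command_name: str, output: bytes) -> str:
    """Responses reuse the request layout: type, name, then the output."""
    return encode_message(command_type, command_name, output)


def demo_round_trip() -> Tuple[str, bytes]:
    """Operator sends a Command message; a simulated implant answers with
    constructed output instead of actually starting the process."""
    request = encode_message(1, 'Command', b'ipconfig.exe /all')  # type value assumed
    parsed = classify_request('POST', '/Temporary_Listen_Addresses/x', {}, request)
    fake_output = b'Windows IP Configuration (constructed sample output)'
    response = build_response(parsed['type'], parsed['name'], fake_output)
    _, name, output = decode_message(response)
    return name, output
```

Two things fall out of the model that matter for response work. The Vet path never touches the XOR layer, so a captured request with that parameter can be read by base64-decoding its value alone. And the heartbeat needs no body and no parameter, only the probe string somewhere in the URL, so it is the cheapest thing to look for in proxy or HTTP.sys logs.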
The default EncryptionDll hardcoded in the driver is the same Bsae64.dll, and the core proxy structure remains largely unaltered when compared to FOXSHELL version 1.5.\r\nFigure 27 – Version hardcoded in the .NET payload.\r\nFigure 28 – Embedded FOXSHELL 1.7 class structure.\r\nAs an extensive analysis of the WINTAPIX driver and its variant SRVNET2 has already been provided, here we only highlight the main overlaps between those and the other discussed tools that strengthen their affiliation:\r\nThe same code base as the SDD backdoor, including the heartbeat based on the same string values wOxhuoSBgpGcnLQZxipa and UsEPTIkCRUwarKZfRnyjcG13DFA.\r\nThe same supported backdoor command types and encryption with the same key.\r\nThe same codebase, structure, and functionality as FOXSHELL.\r\nThe same obfuscation and encryption methods.\r\nOutlook\r\nLIONTAIL framework components share similar obfuscation and string artifacts with FOXSHELL, the SDD backdoor, and the WINTAPIX drivers. 
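The string artifacts shared across the family double as hunting indicators. The following added example, written for this page and not part of the report, parses IIS W3C log lines according to their #Fields directive and flags the SDD/WINTAPIX heartbeat probe, the Vet parameter, the FOXSHELL WV-RESET parameter, and the ClientBin.aspx and 1.aspx paths named earlier; the log excerpt is constructed.

```python
from typing import Dict, Iterable, List, Tuple

HEARTBEAT_PROBE = 'woxhuosbgpgcnlqzxipa'  # lower-cased, as the implant compares it

# Constructed W3C extended log excerpt; the values follow the #Fields line.
SAMPLE_LOG = '''#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-06-01 08:00:01 10.1.2.3 GET /owa/ - 443 - 203.0.113.9 Mozilla/5.0 200
2023-06-01 08:00:07 10.1.2.3 GET /api/wOxhuoSBgpGcnLQZxipa - 443 - 198.51.100.7 curl/8.0 200
2023-06-01 08:00:09 10.1.2.3 GET /images/logo.png - 443 - 203.0.113.9 Mozilla/5.0 200
2023-06-01 08:00:15 10.1.2.3 POST /_layouts/15/ClientBin.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2023-06-01 08:00:21 10.1.2.3 GET /sites/default.aspx Vet=d2hvYW1p 443 - 198.51.100.7 Mozilla/5.0 200
2023-06-01 08:00:30 10.1.2.3 POST /1.aspx WV-RESET=1 443 - 198.51.100.7 Mozilla/5.0 200
'''


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One dict per entry, keyed by the names in the most recent #Fields line."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
        elif not line or line.startswith('#'):
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):  # skip lines a tokenizer would misalign
                entries.append(dict(zip(fields, values)))
    return entries


def hunt(entry: Dict[str, str]) -> List[str]:
    """Rules derived from the strings this report documents. 1.aspx on its own
    is a weak indicator, so its rule name says so."""
    stem = entry.get('cs-uri-stem', '')
    query = entry.get('cs-uri-query', '')
    hits: List[str] = []
    if HEARTBEAT_PROBE in (stem + '?' + query).lower():
        hits.append('sdd_heartbeat_probe')
    qkeys = {p.split('=', 1)[0] for p in query.split('&')} if query != '-' else set()
    if 'Vet' in qkeys:
        hits.append('sdd_vet_parameter')
    if 'WV-RESET' in qkeys:
        hits.append('foxshell_wv_reset')
    if stem.lower().endswith('/clientbin.aspx'):
        hits.append('foxshell_clientbin_path')
    if stem.lower().endswith('/1.aspx'):
        hits.append('foxshell_1aspx_path_weak')
    return hits


def hunt_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """(time, client IP, rule names) for every entry that triggers a rule."""
    out = []
    for entry in parse_w3c(text.splitlines()):
        rules = hunt(entry)
        if rules:
            out.append((entry['time'], entry['c-ip'], rules))
    return out
```

Two caveats when running this for real. The Vet value and the WV-RESET flag can also travel in a POST body, which IIS logs do not record, so the log rules only catch the GET form. More importantly, requests for the Temporary_Listen_Addresses prefix are routed by HTTP.sys to the backdoor's own HttpListener request queue rather than to the IIS worker process, so they never reach the sites' logs at all; enumerate the URLs registered with HTTP.sys on the host (netsh http show servicestate) and compare them with the bindings you expect.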
Currently, we are not aware of any other threat actors utilizing these tools, and we attribute them all to Scarred Manticore based on multiple code overlaps and shared victimology.\r\nConclusion\r\nFor the last few years, Scarred Manticore has been observed carrying out multiple stealthy operations in Middle Eastern countries, including gaining access to telecommunications and government organizations in the region and maintaining and leveraging this access for months to systematically exfiltrate data from the victims’ systems. Examining the history of their activities, it becomes evident how far the threat actor has come in improving their attacks and enhancing their approach, which relies on passive implants.\r\nWhile LIONTAIL represents a logical progression in the evolution of FOXSHELL and still bears some distinctive characteristics that allow us to attribute attacks involving LIONTAIL to Scarred Manticore, it stands out from the other observed variants. The LIONTAIL framework does not use the common, usually monitored methods for implementing listeners: it no longer depends on Internet Information Services (IIS), its modules, or any other options and libraries provided by the .NET Framework to manage IIS programmatically. Instead, it uses the lowest level of the Windows HTTP stack by interacting directly with the HTTP.sys driver. In addition, it apparently allows the threat actors to customize the implants, their configuration parameters, and the loaders’ file delivery type. All of this has enhanced the stealth of the implants, enabling them to evade detection for an extended period.\r\nWe expect that Scarred Manticore operations will persist and may spread into other regions in line with Iranian long-term interests. 
While most of the recent activity of Scarred Manticore is primarily focused on maintaining covert access and data extraction, the troubling example of the attack on the Albanian government networks serves as a reminder that nation-state actors may collaborate and share access with their counterparts in intelligence agencies.\r\nCheck Point Customers Remain Protected\r\nCheck Point customers remain protected against the attacks detailed in this report while using IPS, Check Point Harmony Endpoint, and Threat Emulation.\r\nIPS:\r\nBackdoor.WIN32.Liontail.A/B\r\nThreat Emulation:\r\nAPT.Wins.Liontail.C/D\r\nIOCs\r\ndaa362f070ba121b9a2fa3567abc345edcde33c54cabefa71dd2faad78c10c33\r\nf4639c63fb01875946a4272c3515f005d558823311d0ee4c34896c2b66122596 2097320e71990865f04b9484858d279875cf\r\n67560e05383e38b2fcc30df84f0792ad095d5594838087076b214d849cde9542 4f6351b8fb3f49ff0061ee6f338cd1af8889\r\nf6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d 1485c0ed3e875cbdfc6786a5bd26d18ea9d3\r\nc5b4542d61af74cf7454d7f1c8d96218d709de38f94ccfa7c16b15f726dc08c0 9117bd328e37be121fb497596a2d0619a0ea\r\nSource: https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/"
	],
	"report_names": [
		"from-albania-to-the-middle-east-the-scarred-manticore-is-listening"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9df96153-0450-4cbb-8a13-b737f16394ef",
			"created_at": "2023-11-03T02:00:07.788769Z",
			"updated_at": "2026-04-10T02:00:03.382078Z",
			"deleted_at": null,
			"main_name": "Scarred Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarred Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775615021,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8867c6ca43e6cf941f6aebee38cee5846379c4a3.pdf",
		"text": "https://archive.orkl.eu/8867c6ca43e6cf941f6aebee38cee5846379c4a3.txt",
		"img": "https://archive.orkl.eu/8867c6ca43e6cf941f6aebee38cee5846379c4a3.jpg"
	}
}