Iran flag

Iranian hackers caught spying on governments and military in Middle East

An Iranian nation-state threat actor is targeting high-profile organizations in the Middle East in an ongoing espionage campaign, according to a new report.

Tracked as Scarred Manticore, the group primarily targets government, military, and telecom sectors in Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel.

In recent years, Scarred Manticore has been quietly conducting secret operations in Middle Eastern countries, infiltrating telecommunications and government entities to systematically exfiltrate data from their systems, according to researchers at Check Point, one of the companies that investigated this campaign.

Check Point believes that Scarred Manticore is affiliated with Iran's Ministry of Intelligence and Security (MOIS). The location of the group's victims aligns with Iranian interests and matches the typical victim profile that MOIS-affiliated clusters usually target in espionage operations, the researchers said.

Scarred Manticore has been active since at least 2019, and over the years its toolset has undergone significant changes.

The tools and capabilities used by the group in their ongoing campaign, which reached its peak in mid-2023 and had remained under the radar for at least a year, “demonstrate[s] the progress that Iranian actors have made over the past few years,” researchers said.

For example, in their latest attacks the group used advanced malware known as Liontail — a sophisticated backdoor that allows attackers to execute commands remotely through HTTP requests.

According to Check Point, the group is known for generating a unique implant for every compromised server, making their malicious activities indistinguishable from legitimate network traffic. These customization features allow Liontail operators to evade detection for an extended period, according to Check Point.

While Liontail appears to be unique and shows no clear code overlaps with any known malware family, other tools used by Scarred Manticore in this campaign do overlap with previously reported activities, particularly those associated with the Iranian hacker group OilRig or its affiliates.

“We do not have sufficient data to properly attribute the Scarred Manticore to OilRig, even though we do believe they’re likely related,” the researchers said.

Some of the tools used by the group have also been associated with the destructive attack against Albanian government infrastructure, allegedly sponsored by MOIS.

The researchers predict that Scarred Manticore operations will continue and could extend into other regions in line with Iranian long-term goals.

On Tuesday, FBI Director Christopher Wray called Iran “the world’s largest sponsor of terrorism” and noted that Hezbollah — Terhan’s “primary strategic partner” — has a history of spying in the U.S.

He also warned that digital attacks against the U.S. by Iran and non-state actors could worsen if the conflict between Israel and Hamas grows.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.