Iranian Cyber Spies Use ‘LionTail’ Malware in Latest Attacks

Check Point reports that an Iranian APT has been observed using a new malware framework in targeted attacks in the Middle East.

An Iranian espionage group has been caught using a new malware framework in a recent spate of cyberattacks, according to a warning from researchers at Check Point.

Tracked as Scarred Manticore and linked to the OilRig threat actor, the nation-state hacking group has been active since at least 2019, targeting high-profile organizations in the Middle East.

In its most recent campaign, Scarred Manticore has been observed using LionTail, a set of custom loaders and in-memory shellcode payloads that do not show code overlaps with known malware families, and which allow the attackers to stay hidden, blending in with legitimate traffic.

The campaign employs techniques “notably more sophisticated compared to previous activities” previously tied to Iran, demonstrating “the progress the Iranian actors have undergone over the last few years.”

As part of the framework, Check Point found that Scarred Manticore deploys the passive backdoor LionTail on Windows servers, to execute commands via HTTP requests and run payloads attackers send to URLs specified in the malware’s configuration.

“Utilizing access from a publicly facing server, the threat actor chains a set of passive implants to access internal resources. The internal instances of the LionTail backdoors we’ve seen so far either listen on HTTP(s), similar to the internet-facing instances, or in some cases use named pipes to facilitate remote code execution,” Check Point added.

The threat actor uses a tailor-made implant for each compromised server, to ensure communication blends in, and the backdoor is installed either as a standalone executable or as a DLL loaded via search order hijacking.
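The passive HTTP(S) listeners described above raise a practical question for defenders: how do you find a backdoor that shares port 80 or 443 with legitimate services on a Windows server? The script below is an added example, not code from Check Point or from the article. It assumes that such an implant, like IIS, WinRM and many .NET services, registers a URL prefix with the kernel HTTP.sys driver, which makes it visible in the output of `netsh http show servicestate view=requestq verbose=yes` (not every passive listener works this way, so this is one check among several). The parser maps every registered URL prefix to the process IDs attached to its request queue and flags prefixes that are not on a per-host allowlist; the `SAMPLE_OUTPUT` and `ALLOWED_PREFIXES` values are constructed for this example, and the flagged path is a placeholder, not an indicator from the report.

```python
"""Audit HTTP.sys URL registrations for unexpected passive HTTP(S) listeners.

Added example, not from the article or the Check Point report. Assumes the
implant registers a URL prefix with HTTP.sys, which is how most Windows
services share ports 80/443. Input is the text of:
    netsh http show servicestate view=requestq verbose=yes
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the netsh request-queue view.
# The second queue (PID 7788) is the hypothetical unexpected listener.
SAMPLE_OUTPUT = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        4321
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Number of registered URLs: 2
        Registered URLs:
            HTTP://+:5985/WSMAN/
            HTTPS://+:5986/WSMAN/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        7788
    URL groups:
    URL group ID: FE00000040000002
        State: Active
        Number of registered URLs: 1
        Registered URLs:
            HTTPS://+:443/updates/status/
"""

# Hypothetical per-host allowlist of prefixes this server is expected to serve.
# In practice, build it from the host's IIS/WinRM configuration.
ALLOWED_PREFIXES = {
    "HTTP://+:5985/WSMAN/",
    "HTTPS://+:5986/WSMAN/",
}


@dataclass(frozen=True)
class Listener:
    url: str          # registered URL prefix, e.g. HTTPS://+:443/path/
    pids: tuple       # process IDs attached to the owning request queue


def parse_servicestate(text: str) -> list:
    """Map each registered URL prefix to the PIDs of its request queue."""
    listeners = []
    pids = []
    section = None  # "pids" or "urls" while inside an indented list
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request queue name:"):
            pids = []        # a new queue starts: reset the process set
            section = None
        elif line == "Process IDs:":
            section = "pids"
        elif line == "Registered URLs:":
            section = "urls"
        elif section == "pids" and line.isdigit():
            pids.append(int(line))
        elif section == "urls" and re.match(r"https?://", line, re.I):
            listeners.append(Listener(line, tuple(pids)))
        elif line:
            section = None   # any other non-blank line ends the current list
    return listeners


def find_unexpected(listeners, allowed=ALLOWED_PREFIXES) -> list:
    """Return listeners whose prefix is not allowlisted (case-insensitive)."""
    allowed_ci = {a.upper().rstrip("/") for a in allowed}
    return [l for l in listeners if l.url.upper().rstrip("/") not in allowed_ci]


if __name__ == "__main__":
    for hit in find_unexpected(parse_servicestate(SAMPLE_OUTPUT)):
        # Next step for an analyst: inspect the owning PIDs (image path,
        # signer, parent) and pull the web server logs for that prefix.
        print(f"unexpected HTTP.sys listener {hit.url} owned by PIDs {hit.pids}")
```

On a real host, pipe the netsh output into `parse_servicestate` and review each flagged prefix together with the image path and signer of the attached PIDs; a prefix served by a process that is not the expected web server or management service deserves a closer look, and the same process list is a natural pivot for checking DLL search-order hijacking in the loaded modules of that process.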

As part of the observed attacks, web shells, shellcode, and legitimate tools are leveraged to perform various operations, including fingerprinting, establishing communication with the command-and-control (C&C) server, concealing traffic, and exfiltrating data.


The LionTail framework has been used in attacks targeting government, military, telecommunication, and financial organizations in Iraq, Israel, Jordan, Kuwait, Oman, Saudi Arabia, and the United Arab Emirates. A regional affiliate of a global non-profit humanitarian network was also infected.

“The geographic region and the targeted profile are aligned with Iranian interests and in line with the typical victim profile that MOIS-affiliated clusters usually target in espionage operations,” Check Point notes.

LionTail appears to be the evolution of FoxShell, another tool attributed to Scarred Manticore, but it stands out from other observed variants in that it implements listeners differently and lets the attackers customize the implants for greater stealth.

“While most of the recent activity of Scarred Manticore is primarily focused on maintaining covert access and data extraction, the troubling example of the attack on the Albanian government networks serves as a reminder that nation-state actors may collaborate and share access with their counterparts in intelligence agencies,” Check Point added.

Related: Iranian Cyberspies Target US Think Tank With macOS Malware

Related: Android Malware Used in Iranian Government Surveillance Operation

Related: Iranian Hackers Moved From Recon to Targeting US Critical Infrastructure

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
