Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
🇮🇷 IR5 malware familiesExploits CVEs in the wild

Scarred Manticore

Also known asScarred Manticore

Scarred Manticore is an Iranian threat actor linked in the provided reporting to activity associated with APT34/OilRig and described as overlapping with or paralleling UNC1860, Shrouded Snooper, and Microsoft Storm-0842/Storm-0861 reporting. The content characterizes Scarred Manticore as an initial-access and espionage-focused cluster that commonly establishes footholds and conducts long-term intelligence collection before handing access to other operators, especially Void Manticore, for disruptive or destructive phases. Reported tradecraft includes exploitation of Microsoft SharePoint vulnerabilities, specifically CVE-2019-0604 and a SharePoint “one-day” vulnerability, to gain initial access. The actor is described as collaborating with Void Manticore in a dual-actor model, where Scarred Manticore performs initial access and collection and Void Manticore conducts wiper deployment and other destructive actions. The content also states that Karma and Homeland Justice collaborated with Scarred Manticore. Reporting cited in the content links Scarred Manticore to Iranian operations targeting Israeli municipalities and broader Israeli targets, and notes overlap with MOIS-linked activity; one passage also describes Scarred Manticore as an IRGC-linked APT group, while another links it to APT34/OilRig. Known aliases directly mentioned in the content are APT34 and OilRig.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇮🇱 Israel
  • 🇦🇱 Albania

Where they're from

Attributed origin per open-source reporting.

  • IR
MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

4 of 15 tactics8 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
2 techniques
T1078
Valid Accounts
T1190×2
Exploit Public-Facing Application
TA0003
Persistence
2 techniques
T1078
Valid Accounts
T1505
Server Software Component
T1505.003×2
Web Shell
TA0004
Privilege Escalation
1 technique
T1078
Valid Accounts
TA0005
Stealth
2 techniques
T1036
Masquerading
T1078
Valid Accounts
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
HTTPSnoopShroudedSnooper is associated with the Iranian government, mainly tasked with gaining initial access and then deploying webshells and passive implants such as HTTPSnoop, PipeSnoop and more.1Jun 14, 2026
LionTailShroudedSnooper built a sprawling toolkit of passive backdoors and web shells — including the LionTail framework, TEMPLEDOOR, SASHEYAWAY, and a repurposed Windows kernel driver derived from Iranian antivirus software — designed to sustain long-term, low-visibility access.1Mar 13, 2026
PipeSnoopShroudedSnooper is associated with the Iranian government, mainly tasked with gaining initial access and then deploying webshells and passive implants such as HTTPSnoop, PipeSnoop and more.1Jun 14, 2026
SASHEYAWAYShroudedSnooper built a sprawling toolkit of passive backdoors and web shells — including the LionTail framework, TEMPLEDOOR, SASHEYAWAY, and a repurposed Windows kernel driver derived from Iranian antivirus software — designed to sustain long-term, low-visibility access.1Mar 13, 2026
TEMPLEDOORShroudedSnooper built a sprawling toolkit of passive backdoors and web shells — including the LionTail framework, TEMPLEDOOR, SASHEYAWAY, and a repurposed Windows kernel driver derived from Iranian antivirus software — designed to sustain long-term, low-visibility access.1Mar 13, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2019-0604Microsoft SharePoint Remote Code Execution VulnerabilityIn the wildEvidence1

Scarred Manticore (linked to activity associated with APT34/OilRig) typically establishes the initial foothold, frequently through vulnerabilities such as CVE-2019-0604 in Microsoft SharePoint, and conducts a period of intelligence collection.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
osint team blogNews
Mar 28, 2026
Iran-Linked Handala Hacked the FBI Director’s Personal Email. Here Is What That Actually Tells You About the Group. | by Sigmund Brandstaetter CISSP, CCSP, CISM, OSCP, CEH | Mar, 2026 | OSINT Team

A separate Iranian-linked group described as handling initial access in a dual-actor MOIS operational model before operations are handed to Void Manticore for destructive actions.

Read more
industrialcyberNews
Mar 13, 2026
Suspected Iran-linked cyberattack hits medical technology giant Stryker amid Middle East tensions - Industrial Cyber

IRGC-linked Iranian threat group noted here for significant overlap with Handala/Void Manticore.

Read more
socradar blogNews
Mar 13, 2026
Dark Web Profile: Handala Hack

Iran-linked access-focused cluster that establishes initial footholds, performs intelligence collection, and transfers access, including web shells and Domain Admin credentials, to Handala/Void Manticore for disruptive or destructive operations.

Read more
checkpoint research blogNews
Mar 12, 2026
“Handala Hack” - Unveiling Group's Modus Operandi - Check Point Research

Separate Iranian threat actor referenced as collaborating with Void Manticore personas (Karma and Homeland Justice) in operations; no additional operational details provided in this content.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping4

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.