A new cyber campaign, attributed to an Iran-linked group called Educated Manticore, used deceptive documents to deliver a sophisticated malware known as PowerLess to Israeli targets.

Who is behind this attack?

The attacks are attributed to Educated Manticore, an activity cluster connected to Iran’s Phosphorus group, which has previously targeted academics and high-profile individuals.

What was the goal of the attack?

The campaign aimed to spy on targets by installing a tool that collects system data, monitors activity, and steals files and credentials.

The evidence suggests Israeli individuals, likely academics or researchers, were targeted through documents themed around Iraq.

How was the attack carried out?

Victims received files disguised as academic resources. Opening these files triggered hidden programs that secretly installed malware.

Why are these entities attractive targets?

Academic institutions and researchers often have access to sensitive geopolitical, scientific, or defense-related information.

What can individuals or organizations do to protect themselves?

Avoid opening suspicious ISO or archive files, especially unsolicited ones. Use advanced endpoint protection and monitor for unusual system behavior.

Is this part of a larger trend?

Yes, it's part of a broader pattern of Iranian cyber-espionage using sophisticated tools and targeting strategic sectors in the Middle East and beyond.

Threats Feed|Educated Manticore|Last Updated 01/04/2025|AuthorCertfa Radar|Publish Date25/04/2023

Educated Manticore Targets Israel with Improved Cyber Arsenal

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Backdoor,Malware,Spear Phishing
Attack Complexity: Medium
Threat Risk: Low Impact/High Probability

Threat Overview

Educated Manticore, an Iranian-aligned threat actor linked to the Phosphorus group, has been found targeting Israel with an improved arsenal of tools. The group adopts recent trends, using ISO images and other archive files to initiate infection chains. They have significantly enhanced their toolset with techniques such as .NET executables constructed as Mixed Mode Assembly. The final payload is an updated version of the implant PowerLess, previously attributed to Phosphorus ransomware operations. This evolution shows the group's continuous refinement of their toolsets and delivery mechanisms.

Reference and Credit: Check Point - April 2023

Educated Manticore – Iran Aligned Threat Actor Targeting Israel via Improved Arsenal of Tools

Detected Targets

Type	Description	Confidence
Sector	Researchers As the PDF files used in the attack contained academic content about Iraq, it is possible that academic researchers were the targets.	Verified
Region	Israel The attack lures and malware "most likely" used to target entities in Israel.	Verified

Extracted IOCs

deersharpfork[.]info
subinfralab[.]info
blackturtle.hopto[.]org
0f4d309f0145324a6867108bb04a8d5d292e7939223d6d63f44e21a1ce45ce4e
13bab4e32cd6365dba40424d20525cb84b4c6d71d3c5088fe94a6cfe07573e8e
1672a14a3e54a127493a2b8257599c5582204846a78521b139b074155003cba4
29318f46476dc0cfd7b928a2861fea1b761496eb5d6a26040e481c3bd655051a
3e1ed006e120a1afaa49f93b4156a992f8d799b1888ca6202c1098862323c308
4fcde8ec5983cf1465ff7dbcd7d90fcd47d666b0b8352db1dcd311084ed1b3e8
5704bc31061c7ca675bb9d56b9b56a175bf949accf6542999b3a7305af485906
59a4b11b9fb93e3de7c27c25258cec43de38f86f37d88615687ab8402e4ae51e
5d216f5625caf92d224200647147d27bb79e1cff6c8a9fbcac63f321f6bbf02b
62d0b8b5d4281ce107c43d36f222680b0cc85844b8973b645095ccdfb128454d
6e842691116c188b823b7692181a428e9255af3516857b9f2eebdeca4638e96e
706510916cfc7624ec5d9f9598c95570d48fa8601eecbbae307e0af7618d1460
737cb075ba0b5ed6d8901dcd798eecff0bc8585091bc232c54f92df7f9e9e817
7cc9d887d47f99ca37d2fee6171067df70b4417e96fdb661b9fef697124444cc
97a615e69c38db9dffda6be7c11dd27547ce4036a4998a1469fa81b548c6f0b0
bc8f075c1b3fa54f1d9f4ac622258f3e8a484714521d89aa170246ce04701441
bdb2a12f2f84c3742240b8b9e1d6638a73c6b8752aff476051fe33a0bb408010
c0de9b90a0ac591147d62864264bf00b6ec17c55f7095fdf58923085fe502400
cd813d56cf9f2201a2fa69e77fb9acaaa37e64183c708de64cb5cb7c3035a184
e5016dfeae584de20a90f1bef073c862028f410d5b0ae4c074a696b8f8528037
e5ba06943abb666f69f757fcd591dd1cceb66cad698fb894d9bc8911282198c4

download

Tip: 24 related IOCs (0 IP, 3 domain, 0 URL, 0 email, 21 file hash) to this threat have been found.

FAQs

Understanding the Educated Manticore Campaign

: A new cyber campaign, attributed to an Iran-linked group called Educated Manticore, used deceptive documents to deliver a sophisticated malware known as PowerLess to Israeli targets.
: The attacks are attributed to Educated Manticore, an activity cluster connected to Iran’s Phosphorus group, which has previously targeted academics and high-profile individuals.
: The campaign aimed to spy on targets by installing a tool that collects system data, monitors activity, and steals files and credentials.
: The evidence suggests Israeli individuals, likely academics or researchers, were targeted through documents themed around Iraq.
: Victims received files disguised as academic resources. Opening these files triggered hidden programs that secretly installed malware.
: Academic institutions and researchers often have access to sensitive geopolitical, scientific, or defense-related information.
: Avoid opening suspicious ISO or archive files, especially unsolicited ones. Use advanced endpoint protection and monitor for unusual system behavior.
: Yes, it's part of a broader pattern of Iranian cyber-espionage using sophisticated tools and targeting strategic sectors in the Middle East and beyond.

About Affiliation

Educated Manticore