Void Manticore and Scarred Manticore's Coordinated Cyber Assaults Unveiled
- Actor Motivations: Disinformation, Espionage, Exfiltration, Sabotage
- Attack Vectors: Vulnerability Exploitation, Backdoor, Malware, Wiper
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
Void Manticore, an Iranian threat actor, executed destructive cyberattacks in Israel and Albania, targeting government sectors. They collaborated with Scarred Manticore, using CVE-2019-0604 for initial access, followed by custom tools like Foxshell and Liontail for command execution. The attacks involved data exfiltration and the deployment of wipers, including the custom BiBi wiper. The group employed Remote Desktop Protocol (RDP) for lateral movement and leveraged Domain Admin credentials for network control. Information leaks were disseminated through personas "Karma" and "Homeland Justice".
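The RDP lateral movement with Domain Admin credentials described above leaves a clear trail in Windows Security logs, which makes it a good target for simple detection logic. The following is an added example, not code from the report or from the vendor: it runs over constructed, flattened 4624 logon events (LogonType 10 is RemoteInteractive, i.e. RDP) and assumes the privileged-account set and the approved admin jump-host address named in the code.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample (not from the report): Security log 4624 events flattened
# to one key=value line each. LogonType 10 = RemoteInteractive, i.e. RDP.
SAMPLE_LOG = """\
2024-01-10T01:58:00 EventID=4624 LogonType=10 TargetUserName=da-admin TargetDomainName=CORP IpAddress=10.0.1.10 Computer=DC01
2024-01-10T02:11:00 EventID=4624 LogonType=10 TargetUserName=da-admin TargetDomainName=CORP IpAddress=10.0.5.23 Computer=FS01
2024-01-10T02:14:00 EventID=4624 LogonType=10 TargetUserName=da-admin TargetDomainName=CORP IpAddress=10.0.5.23 Computer=FS02
2024-01-10T02:20:00 EventID=4624 LogonType=10 TargetUserName=da-admin TargetDomainName=CORP IpAddress=10.0.5.23 Computer=SQL01
2024-01-10T02:25:00 EventID=4624 LogonType=3 TargetUserName=svc-backup TargetDomainName=CORP IpAddress=10.0.5.23 Computer=FS01
2024-01-10T09:02:00 EventID=4624 LogonType=10 TargetUserName=jsmith TargetDomainName=CORP IpAddress=10.0.7.4 Computer=WS-117
"""
PRIVILEGED = {"CORP\\da-admin"}   # assumption: members of Domain Admins
ADMIN_SOURCES = {"10.0.1.10"}     # assumption: the approved admin jump host

def parse(log):
    """Turn the flattened lines into dicts with a datetime 'ts' and a DOMAIN\\user 'account'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        ev["account"] = ev["TargetDomainName"] + "\\" + ev["TargetUserName"]
        events.append(ev)
    return events

def rdp_logons(events):
    return [e for e in events if e["EventID"] == "4624" and e["LogonType"] == "10"]

def privileged_rdp_from_unexpected_source(events):
    """Privileged accounts opening RDP sessions from outside the approved admin hosts."""
    return [(e["account"], e["IpAddress"], e["Computer"]) for e in rdp_logons(events)
            if e["account"] in PRIVILEGED and e["IpAddress"] not in ADMIN_SOURCES]

def rdp_fan_out(events, window=timedelta(minutes=30), threshold=3):
    """(account, source) pairs reaching >= threshold distinct hosts over RDP within
    one sliding window: a lateral-movement pattern rather than a single admin task."""
    by_pair = defaultdict(list)
    for e in sorted(rdp_logons(events), key=lambda e: e["ts"]):
        by_pair[(e["account"], e["IpAddress"])].append(e)
    hits = {}
    for pair, evs in by_pair.items():
        for i, start in enumerate(evs):
            hosts = {x["Computer"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                hits[pair] = sorted(hosts)
                break
    return hits
```

Both checks complement each other: the first catches a single out-of-policy privileged RDP logon, the second catches the burst of sessions to many hosts that distinguishes lateral movement from routine administration.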
Detected Targets
Type | Description | Confidence |
---|---|---|
Case | Institute of Statistics (INSTAT): an independent public legal entity tasked with producing official statistics in the Republic of Albania. INSTAT was the main target of Void Manticore. | Verified |
Sector | Government Agencies and Services | Verified |
Region | Albania | Verified |
Region | Israel | Verified |
Exploited Vulnerabilities
Extracted IOCs
Tip: 11 related IOCs (5 IP, 0 domain, 0 URL, 0 email, 6 file hash) to this threat have been found.
FAQs
Understanding the Scarred & Void Manticore Campaigns
A series of coordinated cyberattacks targeted organizations in Albania and Israel. The attackers first gained long-term access, then passed control to another group that destroyed data and leaked it online using politically themed personas.
The attacks were carried out by Iranian state-linked groups known as Scarred Manticore and Void Manticore. They are affiliated with Iran’s Ministry of Intelligence and Security.
The attackers aimed to both steal and destroy data, while also conducting influence operations to undermine trust in public institutions and stir political tension.
The first group infiltrated systems through a known vulnerability and remained undetected for over a year. Later, another group used this access to deploy destructive tools, delete files, and leak sensitive information.
Yes. Over 40 Israeli organizations were affected, including high-value government and private sector entities. In Albania, national institutions such as the statistics agency (INSTAT) were targeted.
Both countries have had tense relations with Iran. The attacks were politically motivated, aiming to punish governments and sow distrust during periods of heightened geopolitical tension.
The handoff strategy between the two threat groups shows a high level of coordination. The use of wipers also indicates a shift from espionage to more destructive, retaliatory tactics.
Organizations should update vulnerable systems, monitor for unusual remote access activity, and enforce strict access controls. Regular backups and strong incident response plans are also essential.
These were highly targeted operations against strategic victims. However, the methods used—especially the vulnerabilities and tools—could be repurposed for broader campaigns in the future.