'Educated Manticore' Targets Israeli Victims in Improved Phishing Attacks

The Iranian threat actor displays activity similar to that of other advanced persistent threat groups.

Dark Reading Staff, Dark Reading

April 25, 2023

1 Min Read
an engraving of a manticore, a mythical creature, in stone.
Manticore is named after the mythical beast. Source: ASP Religion via Alamy Stock Photo

An Iranian threat actor, under the name of Educated Manticore, has been the cause of targeted phishing attacks towards Israeli victims, with researchers finding that its activity links the group to another advanced persistent threat (APT) group by the name of Phosphorus.

Its activity is similar to other well-known hacking groups like TA453 and Cobalt Illusion in that its phishing attempts are designed to deploy a new version of PowerLess — something that Phosphorus has managed to do in the past while operating in the Middle East and Africa.

In a report released by Check Point, researchers say that the new version of the PowerLess payload uses "an ISO file to initiate the infection chain." They also reported that other documents in the ISO file were written in Hebrew, Arabic, and English, claiming to feature information about Iraq from the Arab Science and Technology Foundation leading researchers to believe that "the research community may have been the target of the campaign."

It's likely that these threat actors will continue to test and refine the tools used to commit these attacks in the future. "While the new PowerLess payload remains similar," Check Point researchers said in the analysis, "its loading mechanisms have significantly improved, adopting techniques rarely seen in the wild, such as using .NET binary files created in mixed mode with assembly code."

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights