VOID MANTICORE

VOID MANTICORE is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).[1] Active since at least mid-2022, VOID MANTICORE has targeted government entities, critical infrastructure, and private sector organizations across Albania, Israel, and the United States.[1][2] VOID MANTICORE conducts destructive cyber operations, combining wiper attacks with hack-and-leak campaigns. The group has operated under multiple public-facing personas, including HomeLand Justice in operations against Albania, Karma and Karma Below in campaigns targeting Israeli organizations, and Handala Hack, its current primary persona, which has claimed activity against Israeli and U.S. entities, including a March 2026 attack against Stryker Corporation.[1][3] VOID MANTICORE has been observed collaborating with Scarred Manticore, which has been linked to initial access operations preceding VOID MANTICORE’s activity.[4]

ID: G1055
Associated Groups: COBALT MYSTIQUE, Handala Hack, Homeland Justice, Karma, Karmabelow80, BANISHED KITTEN, Red Sandstorm
Version: 1.0
Created: 20 April 2026
Last Modified: 12 May 2026

Associated Group Descriptions

Name Description
COBALT MYSTIQUE [5]
Handala Hack [3]
Homeland Justice [3]
Karma [3]
Karmabelow80 [5]
BANISHED KITTEN [1]
Red Sandstorm [1]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

During HomeLand Justice, threat actors used custom tooling to acquire tokens using ImpersonateLoggedOnUser/SetThreadToken.[7]

Enterprise T1087 .002 Account Discovery: Domain Account

VOID MANTICORE has utilized ADRecon to enumerate the Active Directory environment.[1]

.003 Account Discovery: Email Account

During HomeLand Justice, threat actors used compromised Exchange accounts to search mailboxes for administrator accounts.[8]

Enterprise T1098 Account Manipulation

VOID MANTICORE has leveraged access to administrative control systems to achieve disruptive effects, consistent with administrative account abuse or privilege escalation within existing access.[4][9]

.002 Additional Email Delegate Permissions

During HomeLand Justice, threat actors added the ApplicationImpersonation management role to accounts under their control to impersonate users and take ownership of targeted mailboxes.[7]

Enterprise T1583 .001 Acquire Infrastructure: Domains

VOID MANTICORE has registered domains for messaging purposes.[10] VOID MANTICORE has created typosquatted domains and sub-domains in attempts to avoid detection or draw suspicion.[3][11] VOID MANTICORE has also purchased domains leveraging cryptocurrency platforms to include LiteCoin and Ramzinex.[3] VOID MANTICORE has registered and rotated domains to support public-facing dissemination infrastructure, replacing disrupted domains with new registrations.[4]

.003 Acquire Infrastructure: Virtual Private Server

VOID MANTICORE has utilized VPS solutions for C2.[1]

.004 Acquire Infrastructure: Server

VOID MANTICORE has leveraged backend servers within Iran.[3]

.006 Acquire Infrastructure: Web Services

VOID MANTICORE has obtained access to commercial VPN services to launch malicious activity.[1][10] VOID MANTICORE has also leveraged Starlink internet services.[1] VOID MANTICORE has used operator-controlled Telegram bots and channels as C2 infrastructure.[4]

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

VOID MANTICORE has scanned victim environments for susceptibility to vulnerability exploitation.[3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

VOID MANTICORE has utilized HTTPS for communication to C2 domains.[11]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

VOID MANTICORE has stored collected data in a password protected compressed file prior to exfiltration.[11]

Enterprise T1123 Audio Capture

VOID MANTICORE has gathered audio during a Zoom session.[11]

Enterprise T1119 Automated Collection

VOID MANTICORE conducted large-scale data exfiltration in the Stryker operation, consistent with automated or scripted collection against enterprise systems.[4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

VOID MANTICORE has created Windows Registry entries to autorun stage two malware payloads to maintain persistence.[11]

Enterprise T1110 Brute Force

VOID MANTICORE has conducted brute-force attempts against organizational VPN infrastructure.[1]

.001 Password Guessing

VOID MANTICORE has conducted password guessing to gain initial access.[4]

.004 Credential Stuffing

VOID MANTICORE has utilized credential stuffing attacks to obtain initial access to victim environments.[4]

Enterprise T1651 Cloud Administration Command

VOID MANTICORE has abused built-in remote wipe or factory reset commands to wipe devices managed within an organization’s cloud management solution, impacting laptops, servers, and mobile devices.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

VOID MANTICORE has utilized PowerShell to execute malware in victim environments.[3][11]

During HomeLand Justice, threat actors used PowerShell cmdlets New-MailboxSearch and Get-Recipient for discovery.[8][7]

.003 Command and Scripting Interpreter: Windows Command Shell

During HomeLand Justice, threat actors used Windows batch files for persistence and execution.[8][7]

.006 Command and Scripting Interpreter: Python

VOID MANTICORE has utilized Python scripts to execute its malicious payloads.[11]

Enterprise T1485 Data Destruction

VOID MANTICORE has conducted data wiping attacks on compromised systems.[1][10][3][2] VOID MANTICORE has also manually deleted files from compromised hosts, to include selecting all files and then deleting them.[1][3]

Enterprise T1486 Data Encrypted for Impact

VOID MANTICORE has utilized legitimate disk encryption utilities to increase the likelihood of encrypting system drives and to hinder system recovery efforts.[1][3]

During HomeLand Justice, threat actors used ROADSWEEP ransomware to encrypt files on targeted systems.[6][8][7]

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

VOID MANTICORE has accessed victims’ public-facing SharePoint servers and exfiltrated data.[3]

Enterprise T1005 Data from Local System

VOID MANTICORE has collected cached data and files from within the victim environment.[10][3][11]

Enterprise T1074 Data Staged

VOID MANTICORE has staged compressed files in specified locations prior to exfiltration over C2.[11]

Enterprise T1587 .001 Develop Capabilities: Malware

VOID MANTICORE has utilized custom malware and wipers, including BiBi Wiper.[3]

Enterprise T1686 .003 Disable or Modify System Firewall: Windows Host Firewall

VOID MANTICORE has disabled Windows Defender protections to allow for follow-on activities within the compromised host.[1]

Enterprise T1685 Disable or Modify Tools

During HomeLand Justice, threat actors modified and disabled components of endpoint detection and response (EDR) solutions including Microsoft Defender Antivirus.[7]

.001 Disable or Modify Windows Event Log

During HomeLand Justice, threat actors deleted Windows events and application logs.[7]

Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

VOID MANTICORE has utilized a disk wiping utility to facilitate destructive actions on victim servers.[3] VOID MANTICORE has also utilized legitimate remote disk wiping commands.[10]

.002 Disk Wipe: Disk Structure Wipe

VOID MANTICORE has deployed custom wipers that overwrite system files and the host device’s master boot record (MBR) to corrupt or destroy files.[1]

During HomeLand Justice, threat actors used a version of ZeroCleare to wipe disk drives on targeted hosts.[8][7]

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

VOID MANTICORE has utilized Group Policy logon scripts to distribute malicious payloads to victim devices through the execution of a batch file.[1]

Enterprise T1114 .002 Email Collection: Remote Email Collection

VOID MANTICORE has gathered victim email-content from victim servers.[3]

During HomeLand Justice, threat actors made multiple HTTP POST requests to the Exchange servers of the victim organization to transfer data.[8]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

VOID MANTICORE has created Telegram Accounts.[11] VOID MANTICORE has also leveraged online personas such as Handala Hack, Karma, and Homeland Justice on social media to include Telegram.[1][10][3] VOID MANTICORE has established and maintained social media accounts on Twitter/X and Telegram to amplify operational claims and stolen data disclosures.[4]

.002 Establish Accounts: Email Accounts

VOID MANTICORE has created email accounts to send threatening messages to victims to include ‘Handala_Team[@]outlook[.]com’.[3]

Enterprise T1041 Exfiltration Over C2 Channel

VOID MANTICORE malware has exfiltrated collected data via Telegram bot C2 channels using encrypted communications.[4]

During HomeLand Justice, threat actors used HTTP to transfer data from compromised Exchange servers.[8]

Enterprise T1190 Exploit Public-Facing Application

VOID MANTICORE has exploited public-facing vulnerabilities within victim environments, including SharePoint CVE-2019-0604.[3]

For HomeLand Justice, threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access.[8]

Enterprise T1133 External Remote Services

VOID MANTICORE has leveraged public facing VPN infrastructure to gain initial access to victim environments.[1]

Enterprise T1657 Financial Theft

VOID MANTICORE has conducted data exfiltration and posted stolen information on data leak sites for the purposes of financial and political extortion.[10][3] VOID MANTICORE has also sold stolen data to prospective buyers for cryptocurrency.[3]

Enterprise T1589 Gather Victim Identity Information

VOID MANTICORE has gathered details on their intended victims to aid in social engineering efforts for leveraging tailored themes of attacks.[11]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

VOID MANTICORE has utilized PowerShell scripts that run without notifying the user of their execution, using flags such as -nop -w hidden -ep bypass -enc.[11]

Enterprise T1105 Ingress Tool Transfer

VOID MANTICORE has deployed additional payloads from dedicated C2 servers.[1][3][11] VOID MANTICORE has also downloaded legitimate tools and software from publicly available services.[1] VOID MANTICORE has utilized VeraCrypt, a legitimate disk encryption utility, downloaded directly from its website.[1]

During HomeLand Justice, threat actors used web shells to download files to compromised infrastructure.[7]

Enterprise T1490 Inhibit System Recovery

VOID MANTICORE has deleted virtual machines directly from the virtualization platform.[1]

Enterprise T1570 Lateral Tool Transfer

During HomeLand Justice, threat actors initiated a process named Mellona.exe to spread the ROADSWEEP file encryptor and a persistence script to a list of internal machines.[8]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

VOID MANTICORE has masqueraded as commonly used programs and services on Windows hosts.[11]

.005 Masquerading: Match Legitimate Resource Name or Location

VOID MANTICORE has masqueraded malicious payloads to resemble legitimate applications.[3][11] VOID MANTICORE has leveraged malicious payloads that use nomenclature associated with common applications that include Pictory, KeePass, WhatsApp, and Telegram.[11]

During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.[8][6]

Enterprise T1046 Network Service Discovery

During HomeLand Justice, threat actors executed the Advanced Port Scanner tool on compromised systems.[8][7]

Enterprise T1027 .015 Obfuscated Files or Information: Compression

VOID MANTICORE has compressed their payloads by leveraging zip files.[11]

Enterprise T1588 .001 Obtain Capabilities: Malware

VOID MANTICORE has developed or obtained trojanized applications used for persistent surveillance of targeted individuals.[4]

.002 Obtain Capabilities: Tool

VOID MANTICORE has obtained and utilized commercial VPN services, open-source software and publicly available offensive security tools to facilitate malicious activities.[1]

During HomeLand Justice, threat actors used tools including Advanced Port Scanner, Mimikatz, and Impacket.[8][7]

.003 Obtain Capabilities: Code Signing Certificates

During HomeLand Justice, threat actors used tools with legitimate code signing certificates.[8]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

VOID MANTICORE has dumped LSASS credentials using comsvcs.dll via rundll32.exe.[1]

During HomeLand Justice, threat actors dumped LSASS memory on compromised hosts.[8]

Enterprise T1566 Phishing

VOID MANTICORE has emailed victims threatening messages.[3] VOID MANTICORE has used phishing as an initial access vector.[4]

Enterprise T1572 Protocol Tunneling

VOID MANTICORE has used tunneling tools to facilitate destructive attacks on compromised devices.[1]

Enterprise T1219 .002 Remote Access Tools: Remote Desktop Software

VOID MANTICORE has installed NetBird on victim devices to create a mesh network that facilitated control of several victim devices at once.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

VOID MANTICORE has used RDP to move laterally within the victim environment.[1]

During HomeLand Justice, threat actors primarily used RDP for lateral movement in the victim environment.[8][7]

.002 Remote Services: SMB/Windows Admin Shares

During HomeLand Justice, threat actors used SMB for lateral movement.[8][7]

Enterprise T1113 Screen Capture

VOID MANTICORE has captured screen content during an active Zoom session.[11]

Enterprise T1679 Selective Exclusion

VOID MANTICORE has avoided interacting with specific directories in order to reduce the likelihood of detection.[11]

Enterprise T1505 .003 Server Software Component: Web Shell

For HomeLand Justice, threat actors used .aspx webshells named pickers.aspx, error4.aspx, and ClientBin.aspx, to maintain persistence.[8][7]

Enterprise T1684 .001 Social Engineering: Impersonation

VOID MANTICORE has impersonated individuals familiar to the victim and technical support associated with social messaging services.[11]

Enterprise T1072 Software Deployment Tools

VOID MANTICORE has leveraged legitimate built-in features of cloud-based management platforms to include mobile device management (MDM) and Remote Monitoring and Management (RMM) solutions.[10][2] VOID MANTICORE has also initiated built-in remote wipe instructions using a privileged account within Microsoft Intune.[10][2]

Enterprise T1082 System Information Discovery

VOID MANTICORE has gathered system information and sent it back to C2.[11]

Enterprise T1199 Trusted Relationship

VOID MANTICORE has targeted IT and service providers in an effort to obtain credentials, relying largely on compromised VPN accounts for initial access.[1]

Enterprise T1552 .002 Unsecured Credentials: Credentials in Registry

VOID MANTICORE has exported credentials from registry hives, including those stored under HKLM.[1]

Enterprise T1204 .002 User Execution: Malicious File

VOID MANTICORE has delivered malicious payloads that initiate through user execution to include interaction with a masqueraded file.[3][11] VOID MANTICORE has used trojanized application lures to induce targets into executing malware enabling persistent surveillance.[4]

Enterprise T1078 Valid Accounts

VOID MANTICORE has leveraged valid accounts to log into VPN infrastructure.[1] VOID MANTICORE has used compromised valid credentials to gain access to management infrastructure and enterprise control systems.[4] VOID MANTICORE has also validated and tested authentication using compromised credentials prior to malicious actions.[1]

During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts.[8]

.001 Default Accounts

During HomeLand Justice, threat actors used the built-in administrator account to move laterally using RDP and Impacket.[7]

.002 Domain Accounts

VOID MANTICORE has used previously compromised Domain Administrator credentials to maintain persistent access.[1]

.004 Cloud Accounts

VOID MANTICORE has leveraged privileged cloud accounts to access cloud-based management consoles to include Microsoft Intune.[2] VOID MANTICORE has also compromised existing accounts within the Microsoft Entra ID environment.[12]

Enterprise T1125 Video Capture

VOID MANTICORE has collected video from compromised victim devices.[11]

Enterprise T1102 Web Service

VOID MANTICORE has utilized Telegram API for C2.[3][11]

Enterprise T1047 Windows Management Instrumentation

VOID MANTICORE has utilized WMIC to log into the victim host and spawn a process with process call create "cmd.exe /c copy \\?\\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system c:\users\public".[1]

During HomeLand Justice, threat actors used WMI to modify Windows Defender settings.[7]
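Three of the command lines attributed to VOID MANTICORE on this page (the comsvcs.dll LSASS dump under T1003.001, the hidden-window encoded PowerShell flags under T1564.003, and the WMIC process call create copying a registry hive out of a volume shadow copy under T1047) are all visible in process-creation telemetry such as Sysmon Event ID 1 or Windows Security Event 4688 with command-line logging enabled. The Python script below is an added example, not detection content from MITRE or from any of the cited reports; it runs one regular-expression rule per technique over constructed sample events (hostnames, the PID, the encoded string and the benign commands are all made up) and reports which host triggered which technique ID.

```python
"""Command-line detection rules for three VOID MANTICORE patterns listed on this page.
Added example: the rules and sample events are constructed for illustration and are
not taken from MITRE or from the cited vendor reports."""
import re
from typing import Dict, List, Tuple

# Constructed sample events with the fields a Sysmon EID 1 / Windows 4688 record would
# carry. Events 1-3 reproduce the page's patterns; events 4-5 are benign look-alikes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Users\Public\lsass.dmp full"},
    {"host": "srv02",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:srv02 process call create "cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system c:\users\public"'},
    {"host": "ws03",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws04",  # benign: script run by path, no hidden window, no encoded command
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"host": "srv05",  # benign: ordinary file copy, no shadow-copy device path
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy C:\temp\report.docx c:\users\public"},
]

# One rule per technique ID; each is a compiled regex applied to the full command line.
RULES: Dict[str, re.Pattern] = {
    # T1003.001: comsvcs.dll exported MiniDump function, by name or by ordinal #24.
    "T1003.001": re.compile(r"comsvcs(?:\.dll)?\s*,?\s*(?:#24|MiniDump)", re.I),
    # T1047: WMIC-launched process copying SYSTEM/SAM/SECURITY out of a shadow copy.
    "T1047": re.compile(
        r"process\s+call\s+create.*HarddiskVolumeShadowCopy\d+.*\\config\\(?:system|sam|security)",
        re.I | re.S),
    # T1564.003: hidden window combined with an encoded command, in either order.
    # "-ep" (ExecutionPolicy) is not matched because no word boundary follows the "e".
    "T1564.003": re.compile(
        r"(?=.*-w(?:indowstyle)?\s+hidden)(?=.*-e(?:nc|ncodedcommand)?\b\s+\S)", re.I),
}


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, technique_id) pairs for every rule that matches an event's command line."""
    hits: List[Tuple[str, str]] = []
    for event in events:
        for technique_id, pattern in RULES.items():
            if pattern.search(event["cmdline"]):
                hits.append((event["host"], technique_id))
    return hits


def hosts_by_technique(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group matching hosts under each technique ID, for a per-technique triage view."""
    grouped: Dict[str, List[str]] = {}
    for host, technique_id in scan_events(events):
        grouped.setdefault(technique_id, []).append(host)
    return grouped


if __name__ == "__main__":
    for host, technique_id in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {technique_id}")
```

The two benign events are included deliberately: a detection that fires on every copy to c:\users\public or every non-interactive PowerShell launch is unusable, so each rule keys on the element that makes the page's pattern distinctive (the MiniDump export, the shadow-copy device path to a hive, and the hidden-window plus encoded-command combination). In production the same rules would be run against the command-line field of the SIEM's process-creation events rather than the embedded list.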

Software

ID Name References Techniques
S1149 CHIMNEYSWEEP [6] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Clipboard Data, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Data Encoding: Non-Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Execution Guardrails, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Embedded Payloads, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Dynamic API Resolution, Peripheral Device Discovery, Process Discovery, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: CMSTP, System Owner/User Discovery, System Shutdown/Reboot, Web Service
S0095 ftp [8] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0357 Impacket [7] Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay, Lateral Tool Transfer, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Windows Management Instrumentation
S0002 Mimikatz [8][7] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0364 RawDisk [8][7] Data Destruction, Disk Wipe: Disk Structure Wipe, Disk Wipe: Disk Content Wipe
S1150 ROADSWEEP [6] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, Defacement: Internal Defacement, Deobfuscate/Decode Files or Information, Execution Guardrails, File and Directory Discovery, Indicator Removal: File Deletion, Inhibit System Recovery, Inter-Process Communication, Local Storage Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Peripheral Device Discovery, Service Stop, Subvert Trust Controls: Code Signing
S1151 ZeroCleare [8][7] Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Disk Wipe: Disk Structure Wipe, Exploitation for Privilege Escalation, Indicator Removal: File Deletion, Local Storage Discovery, Native API, Subvert Trust Controls: Code Signing

References