{
	"id": "ddef5bfc-24d4-433a-b9c2-b90417810576",
	"created_at": "2026-04-06T00:13:19.576304Z",
	"updated_at": "2026-04-10T13:13:02.961749Z",
	"deleted_at": null,
	"sha1_hash": "0a61b4030102a7fbd115923f958e87e715b14b65",
	"title": "Unveiling Void Manticore: Structured Collaboration Between Espionage and Destruction in MOIS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59329,
	"plain_text": "Unveiling Void Manticore: Structured Collaboration Between\r\nEspionage and Destruction in MOIS\r\nBy gmcdouga\r\nPublished: 2024-05-20 · Archived: 2026-04-05 23:48:59 UTC\r\nCheck Point Research (CPR) has been actively monitoring the activities of Void Manticore, an Iranian\r\nthreat actor affiliated with the Ministry of Intelligence and Security (MOIS). This threat actor has garnered\r\nattention for its involvement in destructive wiping attacks, often coupled with influence operations. Notably,\r\nVoid Manticore has adopted various online personas to carry out its operations, with the most prominent\r\nones being “Homeland Justice” for attacks in Albania and “Karma” for operations targeting Israel.\r\nKey Highlights:\r\nVoid Manticore, linked to the Iranian Ministry of Intelligence and Security (MOIS), executes destructive\r\nwiping attacks alongside influence operations.\r\nOperating under various online personas, notably Homeland Justice for Albania and Karma for Israel,\r\nVoid Manticore targets different regions with tailored attacks.\r\nOverlaps exist between Void Manticore and Scarred Manticore targets, suggesting coordinated efforts and\r\na systematic handoff of victims in MOIS.\r\nUtilizing five distinct methods, including custom wipers for Windows and Linux, Void Manticore disrupts\r\noperations through file deletion and shared drive manipulation.\r\nVoid Manticore’s Collaborative Cyber Offensive\r\nIn recent years, the landscape of cyber security threats has evolved dramatically, with state-sponsored actors\r\nincreasingly utilizing sophisticated tactics to target organizations and nations. Among these actors, Void Manticore\r\nhas emerged as a significant threat to anyone who opposes Iranian interests. 
With a reputation for conducting\r\ndestructive wiping attacks coupled with sophisticated influence operations, Void Manticore’s operations are\r\ncharacterized by their dual approach, combining psychological warfare with actual data destruction.\r\nIn this report, CPR has shed light on the intricate tactics employed by this threat actor, uncovering a complex web\r\nof online personas, strategic collaborations, and sophisticated attack methodologies. In this blog, we delve into the\r\nintricate details of Void Manticore’s operations, dissecting its modus operandi and shedding light on the evolving\r\nlandscape of state-sponsored cyber threats.\r\nUnderstanding Void Manticore\r\nVoid Manticore is an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS). Their\r\nmodus operandi involves carrying out destructive wiping attacks combined with influence operations. Operating\r\nunder various online personas, such as “Karma” for attacks in Israel and “Homeland Justice” for attacks in\r\nAlbania, Void Manticore has demonstrated a capacity for coordinated and targeted cyber assaults.\r\nhttps://blog.checkpoint.com/research/unveiling-void-manticore-structured-collaboration-between-espionage-and-destruction-in-mois/\r\nPage 1 of 4\n\nCollaboration with Scarred Manticore\r\nA significant aspect of Void Manticore’s operations is their collaboration with another Iranian MOIS affiliated\r\nthreat group, Scarred Manticore. Analysis reveals a systematic handoff of targets between the two groups,\r\nindicating a coordinated effort to conduct destructive activities against selected victims. The handoff process\r\ninvolves Scarred Manticore initially accessing and exfiltrating data from targeted networks, followed by a\r\ntransition of control to Void Manticore, which then executes the destructive phase of the operation. 
This strategic\r\npartnership not only amplifies the scale and impact of their attacks but also poses a formidable challenge for\r\ncybersecurity defenders.\r\nBy leveraging the resources and expertise of multiple threat actors, Void Manticore and its collaborators can\r\nexecute sophisticated cyber campaigns with far-reaching consequences. This collaboration not only extends the\r\nreach of Void Manticore, but also suggests a level of sophistication beyond their individual capabilities.\r\nFigure 1 – A high-level timeline of the Void-Scarred Manticores Connection.\r\nThis handoff procedure is not unprecedented and is highly correlated with Microsoft’s reporting on the destructive\r\nattacks against Albania in 2022.\r\nA comparison of the process that happened in Albania and in Israel is summarized in the table below:\r\n | Albania (2022) | Israel (2023-2024)\r\nActor #1 | Storm-0861 | ~ Scarred Manticore\r\nActor #1 Initial Access | CVE-2019-0604 | CVE-2019-0604\r\nActor #1 Tools | Foxshell | Liontail\r\nActor #1 Access Time | Over a year | Over a year\r\nActor #1 Objective | Email Exfiltration | Email Exfiltration (LionHead)\r\nActor #2 | Storm-0842 | ~ Void Manticore\r\nActor #2 Initial Access | Provided by Actor #1 | Provided by Actor #1\r\nActor #1 Objective | Wiper (CL Wiper) + Ransomware | Wiper (BiBi Wiper)\r\nLeaking Persona | Homeland Justice | Karma\r\nThe overlaps in techniques employed in attacks against Israel and Albania, including the coordination between the\r\ntwo different actors, suggest this process has become routine.\r\nThe ties between the events in Israel and Albania have strengthened with the latest attacks against Albania (late\r\n2023 and early 2024), during which Void Manticore dropped partition wipers similar to those used in Israel as part\r\nof the BiBi wiper attacks.\r\nTechniques, 
Tactics, and Procedures\r\nVoid Manticore’s tactics are relatively straightforward yet effective. They often utilize basic, publicly available\r\ntools to establish access to target networks. Once inside, they deploy custom wipers for both Windows and Linux\r\nsystems, targeting critical files and partition tables to render data inaccessible. Additionally, the group engages in\r\nmanual data destruction activities, further amplifying the impact of their attacks.\r\nThe Wipers\r\nVoid Manticore employs a range of custom wipers to execute its destructive operations effectively. These wipers\r\nserve varying purposes, with some targeting specific files or file types within infected systems, enabling selective\r\nerasure of critical information and causing targeted damage to applications, user data, and system functionality.\r\nOthers focus on attacking the system’s partition table, obliterating it to render all data on the disk inaccessible,\r\ndespite remaining unaltered on the storage medium.\r\nNotably, the group utilizes the CI Wiper, which was first deployed in an attack against Albania in July 2022,\r\nalongside Partition Wipers like the LowEraser, used in attacks against entities such as INSTAT in Albania and\r\nmultiple Israeli entities.\r\nTheir most recent attacks saw the deployment of the BiBi Wiper, named after Israel’s Prime Minister Benjamin\r\nNetanyahu, which exists in both Linux and Windows variants, employing sophisticated techniques to corrupt files\r\nand disrupt system functionality.\r\nConclusion\r\nVoid Manticore’s ability to conduct coordinated, destructive attacks highlights the growing sophistication of state-sponsored cyber operations. 
As organizations and nations continue to grapple with cyber threats, understanding\r\nand mitigating the risks posed by groups like Void Manticore are paramount to safeguarding digital infrastructure\r\nand national security.\r\nIn the ever-evolving landscape of cybersecurity, staying vigilant and proactive is key to defending against\r\nemerging threats. As Void Manticore and other threat actors continue to adapt and evolve, ongoing collaboration\r\nbetween cybersecurity researchers, government agencies, and private sector organizations will be essential in\r\ncountering the challenges posed by state-sponsored cyber aggression.\r\nSource: https://blog.checkpoint.com/research/unveiling-void-manticore-structured-collaboration-between-espionage-and-destruction-in-mois/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/research/unveiling-void-manticore-structured-collaboration-between-espionage-and-destruction-in-mois/"
	],
	"report_names": [
		"unveiling-void-manticore-structured-collaboration-between-espionage-and-destruction-in-mois"
	],
	"threat_actors": [
		{
			"id": "9df96153-0450-4cbb-8a13-b737f16394ef",
			"created_at": "2023-11-03T02:00:07.788769Z",
			"updated_at": "2026-04-10T02:00:03.382078Z",
			"deleted_at": null,
			"main_name": "Scarred Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarred Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72fea432-77a6-437a-b02d-693e99d81ef9",
			"created_at": "2024-02-17T02:00:03.861221Z",
			"updated_at": "2026-04-10T02:00:03.58886Z",
			"deleted_at": null,
			"main_name": "BANISHED KITTEN",
			"aliases": [
				"Storm-0842",
				"Red Sandstorm"
			],
			"source_name": "MISPGALAXY:BANISHED KITTEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13e58cc3-9acc-4564-8f84-b8cc0082ee4a",
			"created_at": "2024-05-23T02:00:03.982213Z",
			"updated_at": "2026-04-10T02:00:03.641005Z",
			"deleted_at": null,
			"main_name": "Void Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Void Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-10T02:00:03.509338Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-10T02:00:03.860954Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434399,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a61b4030102a7fbd115923f958e87e715b14b65.pdf",
		"text": "https://archive.orkl.eu/0a61b4030102a7fbd115923f958e87e715b14b65.txt",
		"img": "https://archive.orkl.eu/0a61b4030102a7fbd115923f958e87e715b14b65.jpg"
	}
}