VOID MANTICORE
Also known as: COBALT MYSTIQUE · Handala Hack · Homeland Justice · Karma · Karmabelow80 · BANISHED KITTEN · Red Sandstorm
Overview
VOID MANTICORE is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS). Active since at least mid-2022, VOID MANTICORE has targeted government entities, critical infrastructure, and private sector organizations across Albania, Israel, and the United States. VOID MANTICORE conducts destructive cyber operations, combining wiper attacks with hack-and-leak campaigns. The group has operated under multiple public-facing personas, including HomeLand Justice in operations against Albania, Karma and Karma Below in campaigns targeting Israeli organizations, and Handala Hack, its current primary persona, which has claimed activity against Israeli and U.S. entities, including a March 2026 attack against Stryker Corporation. VOID MANTICORE has been observed collaborating with Scarred Manticore, which has been linked to initial access operations preceding VOID MANTICORE’s activity.
Targets
Civil society · Education · Government · Healthcare · High-Tech · Media · NGOs · Pharmaceuticals · Telecommunications
Regions
Europe · Israel · Middle East · United States
Capabilities
- Destructive / data-wiping operations — ATT&CK T1485, T1561.001, T1561.002
- Exploitation of public-facing / client applications — ATT&CK T1190
TTPs — 63 techniques across 14 tactics
Reconnaissance
- T1589 Gather Victim Identity Information
- T1595.002 Vulnerability Scanning
Resource Development
- T1583.001 Domains
- T1583.003 Virtual Private Server
- T1583.004 Server
- T1583.006 Web Services
- T1585.001 Social Media Accounts
- T1585.002 Email Accounts
- T1587.001 Malware
- T1588.001 Malware
- T1588.002 Tool
Initial Access
- T1190 Exploit Public-Facing Application
- T1199 Trusted Relationship
- T1566 Phishing
Execution
- T1047 Windows Management Instrumentation
- T1059.001 PowerShell
- T1059.006 Python
- T1072 Software Deployment Tools
- T1204.002 Malicious File
- T1651 Cloud Administration Command
Persistence
- T1098 Account Manipulation
- T1133 External Remote Services
- T1547.001 Registry Run Keys / Startup Folder
Stealth
- T1027.015 Compression
- T1036.004 Masquerade Task or Service
- T1036.005 Match Legitimate Resource Name or Location
- T1078 Valid Accounts
- T1078.002 Domain Accounts
- T1078.004 Cloud Accounts
- T1564.003 Hidden Window
- T1679 Selective Exclusion
- T1684.001 Impersonation
Defense Impairment
- T1484.001 Group Policy Modification
- T1686.003 Windows Host Firewall
Credential Access
- T1003.001 LSASS Memory
- T1110 Brute Force
- T1110.001 Password Guessing
- T1110.004 Credential Stuffing
- T1552.002 Credentials in Registry
Discovery
- T1082 System Information Discovery
- T1087.002 Domain Account
Lateral Movement
- T1021.001 Remote Desktop Protocol
Collection
- T1005 Data from Local System
- T1074 Data Staged
- T1113 Screen Capture
- T1114.002 Remote Email Collection
- T1119 Automated Collection
- T1123 Audio Capture
- T1125 Video Capture
- T1213.002 Sharepoint
- T1560.001 Archive via Utility
Command and Control
- T1071.001 Web Protocols
- T1102 Web Service
- T1105 Ingress Tool Transfer
- T1219.002 Remote Desktop Software
- T1572 Protocol Tunneling
Exfiltration
Impact
- T1485 Data Destruction
- T1486 Data Encrypted for Impact
- T1490 Inhibit System Recovery
- T1561.001 Disk Content Wipe
- T1561.002 Disk Structure Wipe
- T1657 Financial Theft
Reporting (3)
- Iran COBALT MYSTIQUE — Sophos
- Handala: MOIS Linked Cyber Influence Ecosystem Threat Intelligence Assessment — DomainTools Investigations
- Case 1:26-mj-00683-CDA: Affidavit in Support of Seizure Warrant: In the Matter of the Seizure of Domain Names Justicehomeland[.]org; karmabelow80[.]org; handala-hack[.]to; and handala-redwatned[.]to — DOJ/FBI