C0038: HomeLand Justice
HomeLand Justice was a disruptive cyber campaign conducted by Iranian state-affiliated actors against Albanian government networks in July and September 2022. The activity combined ransomware, wiper malware, and data leak operations. Initial access for HomeLand Justice was established as early as May 2021, and threat actors moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the destructive phase of the operation. Responsibility was claimed by the "HomeLand Justice" front, which framed the campaign as retaliation against the Mujahedeen-e Khalq (MEK), an Iranian opposition group with a presence in Albania. Multiple Iran-nexus groups are assessed to have participated in the campaign, including HEXANE who probed victim infrastructure.[1][2][3] A second wave of attacks was launched in September 2022 using similar tactics following public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.[3]
Analyst context for executives and security teams
HomeLand Justice matters because it shows how a long-running intrusion can turn into a public, disruptive business-continuity event. The campaign against Albanian government networks combined credential access, lateral movement, email/data collection, exfiltration, ransomware, wiper malware, and leak operations after approximately 14 months of access. For leaders, the key lesson is not only malware prevention; it is whether identity controls, endpoint visibility, email auditability, and incident response processes can detect and contain an adversary before a destructive phase begins.
Executive priority
Prioritize this as a resilience and crisis-readiness scenario: compromised valid accounts, remote administration paths, email access, and destructive tooling can convert an espionage-style foothold into operational disruption and public data exposure. Executives should ask whether privileged identity monitoring, RDP/SMB/WMI governance, email delegation review, endpoint logging, backup recoverability, and destructive-malware response playbooks are demonstrable with evidence, not just documented in policy.
Technical view
ATT&CK does not provide a campaign-level detection section, so defenders should validate coverage from the related techniques and software. Focus on Windows-heavy tradecraft reflected in the relationships: Mimikatz and LSASS access, Impacket, RDP, SMB/admin shares, WMI, PowerShell, Windows command shell, token impersonation, valid/default account abuse, email account discovery, added mailbox delegate permissions, remote email collection, FTP/tool transfer, C2-channel exfiltration, ROADSWEEP ransomware, CHIMNEYSWEEP backdoor, RawDisk, and ZeroCleare wiper activity. SOC and IR teams should test whether they can correlate identity events, endpoint process activity, remote service use, mailbox audit changes, and unusual file-transfer/exfiltration behavior across a long dwell-time timeline.
Likely telemetry
- Windows endpoint process creation and command-line telemetry for PowerShell, cmd, WMI, credential dumping indicators, and suspicious tool execution
- Security logs and EDR telemetry for LSASS access, token impersonation behavior, and privileged account activity
- Authentication logs for valid account and default account use, especially administrative logons and anomalous RDP/SMB activity
- Network telemetry for RDP, SMB/admin share access, FTP usage, service scanning, tool transfer, and potential C2/exfiltration channels
- Email and Office Suite audit logs for account enumeration, remote email access, mailbox permission changes, and delegate permission additions
Detection direction
- Validate correlation rather than single-alert coverage: this campaign’s value to defenders is the chain from credential theft and valid account abuse to lateral movement, email collection, exfiltration, and destructive payload deployment.
- Tune detections for legitimate administrative tools used in suspicious contexts, including PowerShell, cmd, WMI, RDP, SMB, FTP, and Impacket-like activity; false positives are likely where administrators use the same protocols routinely.
- Review mailbox auditing and identity logs for additional email delegate permissions and remote email collection patterns, since these can be missed if SOC monitoring is endpoint-centric only.
- Hunt for credential-access precursors such as LSASS memory access and Mimikatz-like behavior, then pivot to subsequent administrative logons, remote service execution, and file transfer.
- Include destructive-malware readiness in detection engineering: monitor for unusual raw disk access, suspicious driver use, mass file modification, and ransomware/wiper staging while avoiding claims of guaranteed prevention.
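The cross-source correlation the technical view and detection direction call for, as an added example that is not part of the ATT&CK page or of Glexia's analysis: it links accounts and hosts seen together in normalised endpoint, identity, Exchange admin-audit and web-server events, then reports which stages of the chain (credential access, lateral movement, mailbox abuse, exfiltration, destructive staging) each linked cluster has touched and over how long. The event field names (`kind`, `host`, `account`, `src_host`, `builtin_admin`, `role`), the stage-to-event mapping, the 450-day window and the sample events are all assumptions constructed for the example; only the technique IDs in the comments come from the page.

```python
"""Correlate HomeLand Justice-style chain stages across accounts and hosts (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Chain stages in kill-chain order and the normalised event kinds that evidence them.
# Event kinds are assumptions for this example; technique IDs are from the page.
STAGES = [
    ("credential_access", {"lsass_access"}),                     # T1003.001
    ("lateral_movement", {"rdp_logon", "smb_admin_share"}),      # T1021.001 / .002
    ("mailbox_abuse", {"role_assignment", "mailbox_search"}),    # T1098.002 / T1059.001
    ("exfiltration", {"exchange_http_post"}),                    # T1041 / T1114.002
    ("impact_staging", {"tool_spread"}),                         # T1570
]
STAGE_INDEX = {name: i for i, (name, _) in enumerate(STAGES)}


def stage_of(event):
    """Map one event to a chain stage, or None if it is routine rather than evidence."""
    kind = event["kind"]
    if kind == "role_assignment" and event.get("role") != "ApplicationImpersonation":
        return None  # ordinary role changes are everyday Exchange administration
    if kind == "rdp_logon" and not event.get("builtin_admin", False):
        return None  # only built-in administrator RDP use counts here
    for name, kinds in STAGES:
        if kind in kinds:
            return name
    return None


class Links:
    """Union-find over 'acct:*' and 'host:*' entities so that an account seen on a host,
    and a host reached from another host, end up in one cluster."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(events, window_days=450):
    """One record per linked cluster: entities, distinct stages in first-seen order,
    whether those stages follow chain order, and dwell time in days."""
    links, evidence = Links(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage is None:
            continue
        links.union("acct:" + ev["account"], "host:" + ev["host"])
        if ev.get("src_host"):
            links.union("host:" + ev["host"], "host:" + ev["src_host"])
        evidence.append({**ev, "stage": stage})
    clusters = defaultdict(list)
    for ev in evidence:  # roots are final only after every union above
        clusters[links.find("acct:" + ev["account"])].append(ev)
    results = []
    for evs in clusters.values():
        first = evs[0]["ts"]
        evs = [e for e in evs if e["ts"] - first <= timedelta(days=window_days)]
        stages = []
        for e in evs:
            if e["stage"] not in stages:
                stages.append(e["stage"])
        entities = set()
        for e in evs:
            entities.update({"acct:" + e["account"], "host:" + e["host"]})
            if e.get("src_host"):
                entities.add("host:" + e["src_host"])
        idx = [STAGE_INDEX[s] for s in stages]
        results.append({"entities": sorted(entities), "stages": stages,
                        "ordered": idx == sorted(idx),
                        "dwell_days": (evs[-1]["ts"] - first).days})
    return results


def alerts(events, min_stages=3):
    """Clusters that touched at least min_stages of the chain, in chain order."""
    return [r for r in correlate(events) if len(r["stages"]) >= min_stages and r["ordered"]]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


SAMPLE_EVENTS = [  # constructed for this example; not telemetry from the campaign
    {"ts": ts("2021-05-10 02:14"), "kind": "lsass_access", "host": "WS05", "account": "svc_backup"},
    {"ts": ts("2021-06-02 23:40"), "kind": "rdp_logon", "host": "EXCH01", "src_host": "WS05",
     "account": "Administrator", "builtin_admin": True},
    {"ts": ts("2021-06-03 00:05"), "kind": "role_assignment", "host": "EXCH01",
     "account": "Administrator", "role": "ApplicationImpersonation"},
    {"ts": ts("2021-06-03 00:20"), "kind": "mailbox_search", "host": "EXCH01",
     "account": "Administrator", "cmdlet": "New-MailboxSearch"},
    {"ts": ts("2022-02-11 03:30"), "kind": "exchange_http_post", "host": "EXCH01",
     "account": "Administrator", "bytes": 48_000_000},
    {"ts": ts("2022-07-15 01:00"), "kind": "tool_spread", "host": "EXCH01",
     "account": "Administrator", "image": "Mellona.exe"},
    # Routine administration that must not alert on its own.
    {"ts": ts("2022-03-01 09:00"), "kind": "rdp_logon", "host": "WS07", "src_host": "WS08",
     "account": "jdoe", "builtin_admin": False},
    {"ts": ts("2022-03-01 10:00"), "kind": "role_assignment", "host": "EXCH02",
     "account": "exadmin", "role": "Mail Recipients"},
    {"ts": ts("2022-03-02 10:00"), "kind": "mailbox_search", "host": "EXCH02",
     "account": "exadmin", "cmdlet": "Get-Recipient"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(hit)
```

The point of clustering on both accounts and hosts is that the credential dump runs under one account and the later activity under another; correlating on account alone would split the chain in two and leave every fragment below the alert threshold. The `exadmin` cluster in the sample shows the false-positive side: a single discovery cmdlet from an Exchange administrator scores one stage and is reported by `correlate` for review but never by `alerts`.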
Mitigation priorities
- Start with identity hardening: reduce default account exposure, enforce strong controls on privileged and remote-access accounts, and regularly review valid account use and mailbox permissions.
- Restrict and monitor remote administration pathways such as RDP, SMB/admin shares, and WMI, especially between user workstations, servers, and sensitive network segments.
- Improve endpoint hardening and logging around credential material, LSASS access, script execution, command shell activity, and suspicious driver or raw disk access.
- Ensure email platforms retain sufficient audit logs for account discovery, remote collection, and delegate permission changes.
- Prepare for destructive operations with tested, isolated backups, restoration runbooks, and IR playbooks that cover ransomware, wiper activity, data leaks, and public communications.
Analyst notes and limits
The supplied ATT&CK object is a campaign, not a single technique, and the official detection field is not provided. The relationships provide the practical defensive anchors: associated software and techniques indicate credential access, remote services, email collection, exfiltration, tool transfer, ransomware, and wiper behavior. Because platforms and tactics are not specified on the campaign object itself, platform references should be treated as relationship-derived, especially Windows and Office Suite coverage.
This take uses only the supplied STIX fields, external references, and relationships. It does not assess current activity, customer exposure, exploitability, or detection efficacy. Local validation is required to determine whether the organization collects the necessary endpoint, identity, network, and email telemetry and whether normal administrative activity would create false positives.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact | During HomeLand Justice, threat actors used ROADSWEEP ransomware to encrypt files on targeted systems.[1][3][2] |
| Enterprise | T1561.002 | Disk Structure Wipe | During HomeLand Justice, threat actors used a version of ZeroCleare to wipe disk drives on targeted hosts.[3][2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | During HomeLand Justice, threat actors used HTTP to transfer data from compromised Exchange servers.[3] |
| Enterprise | T1046 | Network Service Discovery | During HomeLand Justice, threat actors executed the Advanced Port Scanner tool on compromised systems.[3][2] |
| Enterprise | T1098.002 | Additional Email Delegate Permissions | During HomeLand Justice, threat actors added the `ApplicationImpersonation` management role to accounts under their control to impersonate users and take ownership of targeted mailboxes.[2] |
| Enterprise | T1134.001 | Token Impersonation/Theft | During HomeLand Justice, threat actors used custom tooling to acquire tokens using `ImpersonateLoggedOnUser/SetThreadToken`.[2] |
| Enterprise | T1078.001 | Default Accounts | During HomeLand Justice, threat actors used the built-in administrator account to move laterally using RDP and Impacket.[2] |
| Enterprise | T1114.002 | Remote Email Collection | During HomeLand Justice, threat actors made multiple HTTP POST requests to the Exchange servers of the victim organization to transfer data.[3] |
| Enterprise | T1190 | Exploit Public-Facing Application | For HomeLand Justice, threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access.[3] |
| Enterprise | T1021.001 | Remote Desktop Protocol | During HomeLand Justice, threat actors primarily used RDP for lateral movement in the victim environment.[3][2] |
| Enterprise | T1588.003 | Code Signing Certificates | During HomeLand Justice, threat actors used tools with legitimate code signing certificates.[3] |
| Enterprise | T1685 | Disable or Modify Tools | During HomeLand Justice, threat actors modified and disabled components of endpoint detection and response (EDR) solutions including Microsoft Defender Antivirus.[2] |
| Enterprise | T1003.001 | LSASS Memory | During HomeLand Justice, threat actors dumped LSASS memory on compromised hosts.[3] |
| Enterprise | T1059.003 | Windows Command Shell | During HomeLand Justice, threat actors used Windows batch files for persistence and execution.[3][2] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.[3][1] |
| Enterprise | T1505.003 | Web Shell | For HomeLand Justice, threat actors used .aspx webshells named pickers.aspx, error4.aspx, and ClientBin.aspx to maintain persistence.[3][2] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | During HomeLand Justice, threat actors used SMB for lateral movement.[3][2] |
| Enterprise | T1570 | Lateral Tool Transfer | During HomeLand Justice, threat actors initiated a process named Mellona.exe to spread the ROADSWEEP file encryptor and a persistence script to a list of internal machines.[3] |
| Enterprise | T1047 | Windows Management Instrumentation | During HomeLand Justice, threat actors used WMI to modify Windows Defender settings.[2] |
| Enterprise | T1059.001 | PowerShell | During HomeLand Justice, threat actors used the PowerShell cmdlets New-MailboxSearch and Get-Recipient for discovery.[3][2] |
| Enterprise | T1105 | Ingress Tool Transfer | During HomeLand Justice, threat actors used web shells to download files to compromised infrastructure.[2] |
| Enterprise | T1087.003 | Email Account | During HomeLand Justice, threat actors used compromised Exchange accounts to search mailboxes for administrator accounts.[3] |
| Enterprise | T1588.002 | Tool | During HomeLand Justice, threat actors used tools including Advanced Port Scanner, Mimikatz, and Impacket.[3][2] |
| Enterprise | T1685.001 | Disable or Modify Windows Event Log | During HomeLand Justice, threat actors deleted Windows events and application logs.[2] |
| Enterprise | T1078 | Valid Accounts | During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts.[3] |
Groups, software, and campaigns
G1055: VOID MANTICORE
VOID MANTICORE is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).[1] Active since at least mid-2022, VOID MANTICORE has targeted government entities, critical infrastructure, and private sector organizations across Albania, Israel, and the United States.[1][2] VOID MANTICORE conducts destructive cyber operations, combining wiper attacks with hack-and-leak campaigns. The group has operated under multiple public-facing personas, including HomeLand Justice in operations against Albania, Karma and Karma Below in campaigns targeting Israeli organizations, and Handala Hack, its current primary persona, which has claimed activity against Israeli and U.S. entities, including a March 2026 attack against Stryker Corporation.[1][3] VOID MANTICORE has been observed collaborating with Scarred Manticore, which has been linked to initial access operations preceding VOID MANTICORE’s activity.[4]
S0357: Impacket
S1149: CHIMNEYSWEEP
CHIMNEYSWEEP is a backdoor malware that was deployed during HomeLand Justice along with ROADSWEEP ransomware, and has been used to target Farsi and Arabic speakers since at least 2012.[1]
S1151: ZeroCleare
S0002: Mimikatz
S0095: ftp
S1150: ROADSWEEP
ROADSWEEP is a ransomware that was deployed against Albanian government networks during HomeLand Justice along with the CHIMNEYSWEEP backdoor.[1]
S0364: RawDisk
RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 8a5ffe8351d3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant ROADSWEEP August 2022. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
[2] Microsoft Albanian Government Attacks September 2022. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
[3] CISA Iran Albanian Attacks September 2022. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
[4] mitre-attack C0038. MITRE ATT&CK source record for this object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.