G1055: VOID MANTICORE
VOID MANTICORE is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).[1] Active since at least mid-2022, VOID MANTICORE has targeted government entities, critical infrastructure, and private sector organizations across Albania, Israel, and the United States.[1][2] VOID MANTICORE conducts destructive cyber operations, combining wiper attacks with hack-and-leak campaigns. The group has operated under multiple public-facing personas, including HomeLand Justice in operations against Albania, Karma and Karma Below in campaigns targeting Israeli organizations, and Handala Hack, its current primary persona, which has claimed activity against Israeli and U.S. entities, including a March 2026 attack against Stryker Corporation.[1][3] VOID MANTICORE has been observed collaborating with Scarred Manticore, which has been linked to initial access operations preceding VOID MANTICORE’s activity.[4]
Analyst context for executives and security teams
MITRE describes VOID MANTICORE as an Iran MOIS-linked threat group active since at least mid-2022, associated with destructive operations that combine wiper activity and hack-and-leak campaigns. For leaders, the material issue is not just espionage: the mapped behavior points to credential abuse, lateral movement, data collection/exfiltration, and destructive disruption against government, critical infrastructure, and private-sector targets.
Executive priority
Prioritize this as an operational resilience and identity-risk scenario. The ATT&CK relationships emphasize valid account abuse, domain and cloud account misuse, LSASS credential access, RDP, WMI, PowerShell, software deployment tools, data staging, and exfiltration over C2. Executives should ask whether identity controls, privileged access monitoring, backup/recovery, and incident communications are ready for a combined data-theft, public-leak, and destructive-impact event.
Technical view
SOC and IR teams should validate coverage across the mapped behaviors rather than relying on a single group indicator. Key areas include Windows credential theft from LSASS, domain account discovery, RDP and WMI-based lateral movement/execution, PowerShell and Python execution, software deployment tool abuse, account manipulation, cloud account misuse, web-based C2, tool ingress, data staging, compression, and exfiltration over C2 channels. The HomeLand Justice relationship adds context for disruptive operations involving ransomware, wiper malware, data leaks, lateral movement, exfiltration, persistence, and long dwell time before public impact.
Likely telemetry
- Identity provider and cloud/SaaS sign-in logs, including failed login patterns, successful logins, MFA outcomes, source locations, and account changes
- Active Directory/domain controller logs for domain account enumeration, group membership changes, authentication events, and privileged account use
- Endpoint telemetry for LSASS access, suspicious process creation, PowerShell execution, Python execution, WMI activity, service/task creation, and masqueraded names or locations
- Remote access logs for RDP sessions, especially unusual source/destination pairs, off-hours use, or administrative logons
- Software deployment and systems management platform logs showing package creation, job execution, remote command execution, and administrative changes
Detection direction
- Because MITRE provides no official detection text for this object, build detections from the related ATT&CK techniques and validate them against local administrative baselines.
- Correlate credential-access signals with follow-on behavior: LSASS access, password guessing, valid account use, RDP, WMI, and domain account discovery become more meaningful when seen in sequence.
- Tune for abuse of legitimate administration paths, especially RDP, WMI, PowerShell, Python, and software deployment tools; false positives are likely unless detections include user role, host criticality, change window, and source context.
- Monitor identity and cloud-account changes for persistence and privilege escalation, including account manipulation and suspicious use of domain or cloud accounts.
- Look for collection-to-exfiltration chains: local data access, staging, compression, outbound web traffic, use of web services, and exfiltration over an existing C2 channel.
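As an added example (not part of the ATT&CK object or the Glexia mirror), the Python below sketches the sequence correlation described above over constructed Windows-style process and logon events: the rule patterns (rundll32 with comsvcs.dll, WMIC `process call create`, PowerShell `-w hidden` with `-enc`, ADRecon, logon type 10) follow the procedure rows on this page, while the event schema, 60-minute window, hostnames, users and paths are assumptions.

```python
"""Sequence correlation of VOID MANTICORE-mapped behaviors over constructed telemetry (added example)."""
import re
from datetime import datetime, timedelta
from itertools import groupby

# Assumed normalised event shape, not a real product schema:
#   {"ts": datetime, "host": str, "user": str, "kind": "process" | "logon", "detail": str}
# For process events `detail` is the command line; for logon events it is "type=<logon type>".

def _lsass_via_comsvcs(e):
    # T1003.001: rundll32.exe invoking comsvcs.dll, the LSASS dump procedure on this page
    d = e["detail"].lower()
    return e["kind"] == "process" and "rundll32" in d and "comsvcs.dll" in d

def _wmic_process_create(e):
    # T1047: WMIC "process call create" remote execution (the page's shadow-copy hive copy)
    d = e["detail"].lower()
    return e["kind"] == "process" and "wmic" in d and "process call create" in d

_HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)
_ENCODED = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)

def _hidden_encoded_powershell(e):
    # T1564.003 / T1059.001: PowerShell run hidden with an encoded command (`-nop -w hidden -ep bypass -enc`)
    d = e["detail"]
    return e["kind"] == "process" and "powershell" in d.lower() and bool(_HIDDEN.search(d)) and bool(_ENCODED.search(d))

def _adrecon(e):
    # T1087.002: ADRecon used to enumerate Active Directory
    return e["kind"] == "process" and "adrecon" in e["detail"].lower()

def _rdp_logon(e):
    # T1021.001: Windows logon type 10 (RemoteInteractive) is an RDP session
    return e["kind"] == "logon" and e["detail"] == "type=10"

RULES = [
    ("T1003.001", "LSASS dump via comsvcs.dll", _lsass_via_comsvcs),
    ("T1047", "WMIC remote process create", _wmic_process_create),
    ("T1564.003", "hidden encoded PowerShell", _hidden_encoded_powershell),
    ("T1087.002", "ADRecon domain enumeration", _adrecon),
    ("T1021.001", "RDP logon (type 10)", _rdp_logon),
]

def match_events(events):
    """Apply every rule to every event; return one hit dict per (event, rule) match."""
    return [{"ts": e["ts"], "host": e["host"], "user": e["user"], "technique": tid, "label": label}
            for e in events for tid, label, pred in RULES if pred(e)]

def correlate(hits, window_minutes=60):
    """Cluster hits per host when consecutive hits are at most `window_minutes` apart; a cluster spanning
    two or more distinct techniques is a chain (a lone RDP logon is noise, LSASS access then WMI/RDP/ADRecon is not)."""
    window, chains = timedelta(minutes=window_minutes), []
    for host, group in groupby(sorted(hits, key=lambda h: (h["host"], h["ts"])), key=lambda h: h["host"]):
        cluster = []
        for h in list(group) + [None]:  # None is a sentinel that flushes the final cluster
            if h is not None and (not cluster or h["ts"] - cluster[-1]["ts"] <= window):
                cluster.append(h)
                continue
            techniques = sorted({c["technique"] for c in cluster})
            if len(techniques) >= 2:
                chains.append({"host": host, "start": cluster[0]["ts"], "end": cluster[-1]["ts"],
                               "techniques": techniques, "users": sorted({c["user"] for c in cluster})})
            cluster = [] if h is None else [h]
    return chains

_t = lambda hhmmss: datetime.fromisoformat("2026-01-15T" + hhmmss)  # constructed date

# Constructed sample telemetry; hostnames, users and paths are invented for this example.
SAMPLE_EVENTS = [
    # WS01: daytime helpdesk work, one RDP logon plus a signed inventory script -> no chain
    {"ts": _t("09:05:00"), "host": "WS01", "user": "CORP\\helpdesk1", "kind": "logon", "detail": "type=10"},
    {"ts": _t("09:06:30"), "host": "WS01", "user": "CORP\\helpdesk1", "kind": "process",
     "detail": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\inventory.ps1"},
    # SRV02: credential access, WMI execution, RDP and directory enumeration within 35 minutes overnight
    {"ts": _t("02:10:00"), "host": "SRV02", "user": "CORP\\svc_backup", "kind": "process",
     "detail": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll [arguments omitted in sample]"},
    {"ts": _t("02:14:00"), "host": "SRV02", "user": "CORP\\svc_backup", "kind": "process",
     "detail": "wmic /node:FS01 process call create \"cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\windows\\system32\\config\\system c:\\users\\public\""},
    {"ts": _t("02:30:00"), "host": "SRV02", "user": "CORP\\svc_backup", "kind": "logon", "detail": "type=10"},
    {"ts": _t("02:45:00"), "host": "SRV02", "user": "CORP\\svc_backup", "kind": "process",
     "detail": "powershell.exe -File C:\\Users\\Public\\ADRecon.ps1"},
    # WS03: a single hidden, encoded PowerShell launch; one technique, so a hit but not a chain
    {"ts": _t("14:00:00"), "host": "WS03", "user": "CORP\\jdoe", "kind": "process",
     "detail": "powershell.exe -nop -w hidden -ep bypass -enc QUFBQUFBQUFBQUFBQUFBQUFBQUE="},
]

if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for c in correlate(hits):
        print(f"CHAIN {c['host']} {c['start']:%H:%M}-{c['end']:%H:%M} {', '.join(c['techniques'])} users={c['users']}")
```

The single-technique hits on WS01 and WS03 are still worth routing to lower-severity review; the chain output is what the page's "seen in sequence" guidance asks you to escalate.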
Mitigation priorities
- Harden identity first: enforce strong authentication, reduce password-guessing exposure, review privileged/domain/cloud accounts, and monitor account manipulation.
- Limit lateral movement and administrative abuse by restricting RDP, WMI, PowerShell, Python, and software deployment tool access to approved administrators and managed systems.
- Protect credential material by reducing unnecessary administrative privileges and validating controls around LSASS access on Windows systems.
- Improve egress governance by monitoring and controlling outbound web protocols, external web services, and unusual data-transfer patterns.
- Reduce impact risk through tested backups, recovery procedures, segmentation, and incident playbooks for destructive events and hack-and-leak communications.
Analyst notes and limits
This take is based on ATT&CK group G1055, its aliases, official description, external references, and the supplied relationships to HomeLand Justice and related techniques. The source material supports a focus on destructive operations, hack-and-leak activity, credential abuse, lateral movement, data collection, exfiltration, web-based C2, and account misuse.
The group object lists no platforms, tactics, or official detection guidance. Platform and tactic discussion is derived from the related ATT&CK techniques, not from an explicit platform list on the group object. Local exposure, active targeting, and detection coverage cannot be inferred from ATT&CK alone and require environment-specific telemetry and threat intelligence validation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1113 | Screen Capture | VOID MANTICORE has captured screen content during an active Zoom session. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1110.001 | Password Guessing Sub-technique | VOID MANTICORE has conducted password guessing to gain initial access. (Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) |
| Enterprise | T1119 | Automated Collection | VOID MANTICORE conducted large-scale data exfiltration in the Stryker operation, consistent with automated or scripted collection against enterprise systems. (Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) |
| Enterprise | T1561.001 | Disk Content Wipe Sub-technique | VOID MANTICORE has utilized a disk wiping utility to facilitate destructive actions on victim servers. (Citation: DOJ FBI Handala Hack March 2026) VOID MANTICORE has also utilized legitimate remote disk wiping commands. (Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026) |
| Enterprise | T1486 | Data Encrypted for Impact | VOID MANTICORE has utilized legitimate disk encryption utilities to increase the likelihood of encrypting system drives and to hinder system recovery efforts. (Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: DOJ FBI Handala Hack March 2026) |
| Enterprise | T1566 | Phishing | VOID MANTICORE has emailed victims threatening messages. (Citation: DOJ FBI Handala Hack March 2026) VOID MANTICORE has used phishing as an initial access vector. (Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) |
| Enterprise | T1589 | Gather Victim Identity Information | VOID MANTICORE has gathered details on intended victims to support social engineering with tailored attack themes. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1657 | Financial Theft | VOID MANTICORE has conducted data exfiltration and posted stolen information on data leak sites for the purposes of financial and political extortion. (Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026)(Citation: DOJ FBI Handala Hack March 2026) VOID MANTICORE has also sold stolen data to prospective buyers for cryptocurrency. (Citation: DOJ FBI Handala Hack March 2026) |
| Enterprise | T1102 | Web Service | VOID MANTICORE has utilized the Telegram API for C2. (Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1059.001 | PowerShell Sub-technique | VOID MANTICORE has utilized PowerShell to execute malware in victim environments. (Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1047 | Windows Management Instrumentation | VOID MANTICORE has utilized WMIC to log into the victim host and create a process: `process call create "cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system c:\users\public"`. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1484.001 | Group Policy Modification Sub-technique | VOID MANTICORE has utilized Group Policy logon scripts to distribute malicious payloads to victim devices through the execution of a batch file. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1564.003 | Hidden Window Sub-technique | VOID MANTICORE has utilized PowerShell scripts that run without notifying the user of their execution, using flags including `-nop -w hidden -ep bypass -enc`. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1583.001 | Domains Sub-technique | VOID MANTICORE has registered domains for messaging purposes. (Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026) VOID MANTICORE has created typosquatted domains and sub-domains in attempts to avoid detection or draw suspicion. (Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) VOID MANTICORE has also purchased domains using cryptocurrency platforms, including LiteCoin and Ramzinex. (Citation: DOJ FBI Handala Hack March 2026) VOID MANTICORE has registered and rotated domains to support public-facing dissemination infrastructure, replacing disrupted domains with new registrations. (Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) |
| Enterprise | T1123 | Audio Capture | VOID MANTICORE has gathered audio during a Zoom session. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1190 | Exploit Public-Facing Application | VOID MANTICORE has exploited public-facing vulnerabilities within victim environments, including SharePoint CVE-2019-0604. (Citation: DOJ FBI Handala Hack March 2026) |
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | VOID MANTICORE has gathered victim email content from victim servers. (Citation: DOJ FBI Handala Hack March 2026) |
| Enterprise | T1074 | Data Staged | VOID MANTICORE has staged compressed files in specified locations prior to exfiltration over C2. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1078.002 | Domain Accounts Sub-technique | VOID MANTICORE has used previously compromised Domain Administrator credentials to maintain persistent access. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1027.015 | Compression Sub-technique | VOID MANTICORE has compressed its payloads using zip files. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1684.001 | Impersonation Sub-technique | VOID MANTICORE has impersonated individuals familiar to the victim and technical support associated with social messaging services. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | VOID MANTICORE has masqueraded malicious payloads to resemble legitimate applications. (Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) VOID MANTICORE has leveraged malicious payloads that use nomenclature associated with common applications, including Pictory, KeePass, WhatsApp, and Telegram. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1679 | Selective Exclusion | VOID MANTICORE has avoided interacting with specific directories in order to reduce the likelihood of detection. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1087.002 | Domain Account Sub-technique | VOID MANTICORE has utilized ADRecon to enumerate the Active Directory environment. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1588.001 | Malware Sub-technique | VOID MANTICORE has developed or obtained trojanized applications used for persistent surveillance of targeted individuals. (Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) |
| Enterprise | T1490 | Inhibit System Recovery | VOID MANTICORE has deleted virtual machines directly from the virtualization platform. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1072 | Software Deployment Tools | VOID MANTICORE has leveraged legitimate built-in features of cloud-based management platforms, including mobile device management (MDM) and Remote Monitoring and Management (RMM) solutions. (Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026)(Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026) VOID MANTICORE has also initiated built-in remote wipe instructions using a privileged account within Microsoft Intune. (Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026)(Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | VOID MANTICORE has dumped LSASS credentials using `comsvcs.dll` via `rundll32.exe`. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1651 | Cloud Administration Command | VOID MANTICORE has abused built-in remote wipe or factory reset commands to wipe devices managed within an organization's cloud management solution, impacting laptops, servers, and mobile devices. (Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026) |
| Enterprise | T1583.003 | Virtual Private Server Sub-technique | VOID MANTICORE has utilized VPS solutions for C2. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1583.006 | Web Services Sub-technique | VOID MANTICORE has obtained access to commercial VPN services to launch malicious activity. (Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026) VOID MANTICORE has also leveraged Starlink internet services. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) VOID MANTICORE has used operator-controlled Telegram bots and channels as C2 infrastructure. (Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) |
| Enterprise | T1686.003 | Windows Host Firewall Sub-technique | VOID MANTICORE has disabled Windows Defender protections to allow for follow-on activities within the compromised host. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1552.002 | Credentials in Registry Sub-technique | VOID MANTICORE has exported credentials from registry hives, including those stored in HKLM. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1213.002 | Sharepoint Sub-technique | VOID MANTICORE has accessed victims' public-facing SharePoint servers and exfiltrated data. (Citation: DOJ FBI Handala Hack March 2026) |
| Enterprise | T1219.002 | Remote Desktop Software Sub-technique | VOID MANTICORE has installed NetBird on victim devices to create a mesh network that facilitated control of several victim devices at once. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1595.002 | Vulnerability Scanning Sub-technique | VOID MANTICORE has scanned victim environments for susceptibility to vulnerability exploitation. (Citation: DOJ FBI Handala Hack March 2026) |
| Enterprise | T1561.002 | Disk Structure Wipe Sub-technique | VOID MANTICORE has deployed custom wipers that overwrite system files and the host device's master boot record (MBR) to corrupt or destroy files. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1583.004 | Server Sub-technique | VOID MANTICORE has leveraged backend servers within Iran. (Citation: DOJ FBI Handala Hack March 2026) |
| Enterprise | T1105 | Ingress Tool Transfer | VOID MANTICORE has deployed additional payloads from dedicated C2 servers. (Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) VOID MANTICORE has also downloaded legitimate tools and software from publicly available services. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) VOID MANTICORE has utilized VeraCrypt, a legitimate disk encryption utility, downloaded directly from its website. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1082 | System Information Discovery | VOID MANTICORE has gathered system information and sent it back to C2. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | VOID MANTICORE has leveraged privileged cloud accounts to access cloud-based management consoles, including Microsoft Intune. (Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026) VOID MANTICORE has also compromised existing accounts within the Microsoft Entra ID environment. (Citation: SEC 8-K Stryker Corporation Filing Handala Hack March 2026) |
| Enterprise | T1133 | External Remote Services | VOID MANTICORE has leveraged public-facing VPN infrastructure to gain initial access to victim environments. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1588.002 | Tool Sub-technique | VOID MANTICORE has obtained and utilized commercial VPN services, open-source software, and publicly available offensive security tools to facilitate malicious activities. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | VOID MANTICORE has created Windows Registry entries to autorun stage-two malware payloads to maintain persistence. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1204.002 | Malicious File Sub-technique | VOID MANTICORE has delivered malicious payloads that initiate through user execution, including interaction with a masqueraded file. (Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) VOID MANTICORE has used trojanized application lures to induce targets into executing malware that enables persistent surveillance. (Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) |
| Enterprise | T1005 | Data from Local System | VOID MANTICORE has collected cached data and files from within the victim environment. (Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026)(Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1098 | Account Manipulation | VOID MANTICORE has leveraged access to administrative control systems to achieve disruptive effects, consistent with administrative account abuse or privilege escalation within existing access. (Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026)(Citation: SEC 8K Palo Alto Statement Stryker Corp Handala March 2026) |
| Enterprise | T1125 | Video Capture | VOID MANTICORE has collected video from compromised victim devices. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1572 | Protocol Tunneling | VOID MANTICORE has used tunneling tools to facilitate destructive attacks on compromised devices. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1587.001 | Malware Sub-technique | VOID MANTICORE has utilized custom malware and wipers, including BiBi Wiper. (Citation: DOJ FBI Handala Hack March 2026) |
| Enterprise | T1585.002 | Email Accounts Sub-technique | VOID MANTICORE has created email accounts to send threatening messages to victims, including 'Handala_Team[@]outlook[.]com'. (Citation: DOJ FBI Handala Hack March 2026) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | VOID MANTICORE has utilized HTTPS for communication to C2 domains. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1199 | Trusted Relationship | VOID MANTICORE has targeted IT and service providers in an effort to obtain credentials, relying largely on compromised VPN accounts for initial access. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1110.004 | Credential Stuffing Sub-technique | VOID MANTICORE has utilized credential stuffing attacks to obtain initial access to victim environments. (Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) |
| Enterprise | T1585.001 | Social Media Accounts Sub-technique | VOID MANTICORE has created Telegram accounts. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) VOID MANTICORE has also leveraged online personas such as Handala Hack, Karma, and Homeland Justice on social media, including Telegram. (Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026)(Citation: DOJ FBI Handala Hack March 2026) VOID MANTICORE has established and maintained social media accounts on Twitter/X and Telegram to amplify operational claims and stolen data disclosures. (Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) |
| Enterprise | T1485 | Data Destruction | VOID MANTICORE has conducted data wiping attacks on compromised systems. (Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026)(Citation: DOJ FBI Handala Hack March 2026)(Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026) VOID MANTICORE has also manually deleted files from compromised hosts, including selecting all files and then deleting them. (Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: DOJ FBI Handala Hack March 2026) |
| Enterprise | T1078 | Valid Accounts | VOID MANTICORE has leveraged valid accounts to log into VPN infrastructure. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) VOID MANTICORE has used compromised valid credentials to gain access to management infrastructure and enterprise control systems. (Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) VOID MANTICORE has also validated and tested authentication using compromised credentials prior to malicious actions. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1110 | Brute Force | VOID MANTICORE has conducted brute-force attempts against organizational VPN infrastructure. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | VOID MANTICORE has masqueraded as commonly used programs and services on Windows hosts. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1059.006 | Python Sub-technique | VOID MANTICORE has utilized Python scripts to execute its malicious payloads. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | VOID MANTICORE has stored collected data in a password-protected compressed file prior to exfiltration. (Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | VOID MANTICORE malware has exfiltrated collected data via Telegram bot C2 channels using encrypted communications. (Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | VOID MANTICORE has used RDP to move laterally within the victim environment. (Citation: Check Point VOID MANTICORE Handala Hack March 2026) |
Groups, software, and campaigns
C0038: HomeLand Justice
HomeLand Justice was a disruptive cyber campaign conducted by Iranian state-affiliated actors against Albanian government networks in July and September 2022. The activity combined ransomware, wiper malware, and data leak operations. Initial access for HomeLand Justice was established as early as May 2021, and the threat actors moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the destructive phase of the operation. Responsibility was claimed by the "HomeLand Justice" front, which framed the campaign as retaliation against the Mujahedeen-e Khalq (MEK), an Iranian opposition group with a presence in Albania. Multiple Iran-nexus groups are assessed to have participated in the campaign, including HEXANE, which probed victim infrastructure.[1][2][3] A second wave of attacks was launched in September 2022 using similar tactics, following public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.[3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3196289b91d0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Check Point VOID MANTICORE Handala Hack March 2026. Check Point Research. (2026, March 12). "Handala Hack" – Unveiling Group's Modus Operandi. Retrieved April 20, 2026.
- [2] Palo Alto VOID MANTICORE Iran Cyber Threats March 2026. Justin Moore. (2026, March 16). Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization. Retrieved April 20, 2026.
- [3] DOJ FBI Handala Hack March 2026. DOJ/FBI. (2026, March 19). Case 1:26-mj-00683-CDA: Affidavit in Support of Seizure Warrant: In the Matter of the Seizure of Domain Names Justicehomeland[.]org; karmabelow80[.]org; handala-hack[.]to; and handala-redwatned[.]to. Retrieved April 20, 2026.
- [4] Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026. DomainTools Investigations. (2026, April 6). Handala: MOIS Linked Cyber Influence Ecosystem Threat Intelligence Assessment. Retrieved April 20, 2026.
- [5] BANISHED KITTEN (alias). (Citation: Check Point VOID MANTICORE Handala Hack March 2026)
- [6] COBALT MYSTIQUE (alias). (Citation: Sophos VOID MANTICORE COBALT MYSTIQUE other Names April 2026)
- [7] Handala Hack (alias). (Citation: DOJ FBI Handala Hack March 2026)
- [8] Homeland Justice (alias). (Citation: DOJ FBI Handala Hack March 2026)
- [9] Karma (alias). (Citation: DOJ FBI Handala Hack March 2026)
- [10] Karmabelow80 (alias). (Citation: Sophos VOID MANTICORE COBALT MYSTIQUE other Names April 2026)
- [11] Red Sandstorm (alias). (Citation: Check Point VOID MANTICORE Handala Hack March 2026)
- [12] Sophos VOID MANTICORE COBALT MYSTIQUE other Names April 2026. Sophos. (2026, April 20). Iran COBALT MYSTIQUE. Retrieved April 20, 2026.
- [13] mitre-attack G1055 (ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.