Homeland Justice
Public-facing hacktivist persona operated by the Iranian MOIS-affiliated Void Manticore cluster, used for the July 2022 destructive intrusion of the Albanian government's central IT infrastructure. The operation deployed bespoke wipers (Cl Wiper, No-Justice / LowEraser) and exfiltrated Albanian state correspondence. The diplomatic consequence was unprecedented: in September 2022 Albania severed all diplomatic relations with Iran and expelled Iranian diplomatic personnel — the **first NATO member to break diplomatic ties with another country over a cyber attack**. Homeland Justice continued sporadic operations against Albanian government and Mujahedin-e-Khalq (MEK) Iranian-opposition targets through 2024.
Aliases
Motivations
Target sectors
Target countries
Lineage & relationships
full graph →Diamond Model
Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
MITRE ATT&CK techniques
Timeline
1 eventIndicators of compromise
4 indicators| Type | Value | First seen | Source |
|---|---|---|---|
| MD5 | family · ROADSWEEP 'GoXML.exe' ransomware-style file encryptor MD5 from CISA AA22-264A Appendix A. Drops the ransom note How_To_Unlock_MyFiles.txt and is propagated across the victim print-server network by 'mellona.exe'. Mandiant tracks the same family as ROADSWEEP, which dropped a politically themed anti-MEK note for the HomeLand Justice persona. | Jul 14, 2022 | CISA |
| MD5 | family · Cl Wiper Disk wiper 'cl.exe' MD5 published in Appendix A of CISA AA22-264A on the July 2022 HomeLand Justice destructive attack against the Government of Albania. Pairs with the 'rwdsk.sys' RawDisk driver (MD5 8f6e7653807ebb57ecc549cef991d505) to wipe raw disk drives. Mandiant tracks the same payload as a ZEROCLEAR variant. | Jul 14, 2022 | CISA |
| MD5 | family · CHIMNEYSWEEP CHIMNEYSWEEP backdoor MD5 published in Mandiant's August 2022 'Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government' report. CHIMNEYSWEEP was deployed alongside ROADSWEEP ransomware and a ZEROCLEAR-variant wiper in the HomeLand Justice operation; Mandiant assesses involvement of one or more actors operating in support of Iranian goals with moderate confidence. | Jul 25, 2021 | Mandiant (Google Cloud) |
| MD5 | 'Pickers.aspx' webshell MD5 from CISA AA22-264A Appendix A. Used by the HomeLand Justice operators for persistence after initial access via CVE-2019-0604 on an Internet-facing SharePoint server roughly 14 months before the July 2022 destructive attack on Albanian government networks. | Apr 30, 2021 | CISA |
Related actors
shared ATT&CK techniques- RU · RussiaCadet Blizzard3 shared techniques
- IR · IranVoid Manticore3 shared techniques
- KP · DPRKAndariel1 shared technique
- RU · RussiaAPT281 shared technique
- CN · ChinaAPT31 shared technique
- IR · IranAPT341 shared technique
References
cite this page
Threat Intel Tracker. (2026-07-15). Homeland Justice — actor profile. Retrieved from https://threatintel.local/actors/homeland-justice