threatintel
actor tracker
All actors

Homeland Justice

homeland-justice · primary source: Other · first observed 2022 · last observed 2024
IR · IranHacktivistHigh confidencelast cited Jul 14, 2022 · 4y ago

Public-facing hacktivist persona operated by the Iranian MOIS-affiliated Void Manticore cluster, used for the July 2022 destructive intrusion of the Albanian government's central IT infrastructure. The operation deployed bespoke wipers (Cl Wiper, No-Justice / LowEraser) and exfiltrated Albanian state correspondence. The diplomatic consequence was unprecedented: in September 2022 Albania severed all diplomatic relations with Iran and expelled Iranian diplomatic personnel — the **first NATO member to break diplomatic ties with another country over a cyber attack**. Homeland Justice continued sporadic operations against Albanian government and Mujahedin-e-Khalq (MEK) Iranian-opposition targets through 2024.

Aliases

None tracked.

Motivations

destructioninformation operations

Target sectors

governmentmediango

Target countries

AL

Lineage & relationships

full graph →
Subgroup ofHomeland Just…this actorVoid ManticoreIRAPT

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Homeland Justice
  • Iran
  • destruction
  • information operations
Infrastructure
Victim
  • government
  • media
  • ngo
  • AL

MITRE ATT&CK techniques

Timeline

1 event

Indicators of compromise

4 indicators
csv
TypeValueFirst seenSource
MD5
bbe983dba3bf319621b447618548b740
family · ROADSWEEP
'GoXML.exe' ransomware-style file encryptor MD5 from CISA AA22-264A Appendix A. Drops the ransom note How_To_Unlock_MyFiles.txt and is propagated across the victim print-server network by 'mellona.exe'. Mandiant tracks the same family as ROADSWEEP, which dropped a politically themed anti-MEK note for the HomeLand Justice persona.
Jul 14, 2022CISA
MD5
7b71764236f244ae971742ee1bc6b098
family · Cl Wiper
Disk wiper 'cl.exe' MD5 published in Appendix A of CISA AA22-264A on the July 2022 HomeLand Justice destructive attack against the Government of Albania. Pairs with the 'rwdsk.sys' RawDisk driver (MD5 8f6e7653807ebb57ecc549cef991d505) to wipe raw disk drives. Mandiant tracks the same payload as a ZEROCLEAR variant.
Jul 14, 2022CISA
MD5
df9ab47726001883b5fcf58b56b34b41
family · CHIMNEYSWEEP
CHIMNEYSWEEP backdoor MD5 published in Mandiant's August 2022 'Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government' report. CHIMNEYSWEEP was deployed alongside ROADSWEEP ransomware and a ZEROCLEAR-variant wiper in the HomeLand Justice operation; Mandiant assesses involvement of one or more actors operating in support of Iranian goals with moderate confidence.
Jul 25, 2021Mandiant (Google Cloud)
MD5
8f766dea3afd410ebcd5df5994a3c571
'Pickers.aspx' webshell MD5 from CISA AA22-264A Appendix A. Used by the HomeLand Justice operators for persistence after initial access via CVE-2019-0604 on an Internet-facing SharePoint server roughly 14 months before the July 2022 destructive attack on Albanian government networks.
Apr 30, 2021CISA

Related actors

shared ATT&CK techniques

References

cite this page

Threat Intel Tracker. (2026-07-15). Homeland Justice — actor profile. Retrieved from https://threatintel.local/actors/homeland-justice

latest cited activity · 2022-07-15 · 4 cataloged indicators