Void Manticore
Iranian state-sponsored intrusion set publicly attributed to the Ministry of Intelligence and Security (MOIS) that specialises in destructive operations and conducts them under a rotating set of public-facing hacktivist personas, most prominently **Homeland Justice** (Albania 2022), **Karma** (Israel 2023), and **Handala** (Israel + U.S. 2023-2026). Tradecraft splits across two MOIS units: Scarred Manticore (Storm-0861) gains initial access and exfiltrates, then Void Manticore deploys destructive wipers (Cl Wiper, No-Justice / LowEraser) and orchestrates the persona-driven leak / branding stage. The MITRE ATT&CK G1055 entry consolidates the persona ecosystem under this name. The March 2026 Stryker compromise (claimed by Handala) is the operation's first confirmed major U.S. multinational victim outside Israel.
Aliases
Motivations
Target sectors
Target countries
Lineage & relationships
Diamond Model
Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
MITRE ATT&CK techniques
Timeline
3 events
- Report · High · 2024-05-20 · Check Point
Check Point documents Void Manticore / Scarred Manticore MOIS handoff
In a companion blog post, Check Point described a systematic handoff procedure between two MOIS-affiliated groups: Scarred Manticore (Storm-0861) gains initial access and exfiltrates data over extended dwell times, then transfers the foothold to Void Manticore (Storm-0842), which executes destructive wipes paired with leak-site disclosure. The pattern was observed in the 2022 Albanian government intrusions ('Homeland Justice') and again across 2023-2024 attacks on Israeli targets under the 'Karma' persona.
Tags: mois, scarred-manticore, wiper, albania, israel
- Report · High · 2024-05-20 · Check Point Research
Check Point Research details Void Manticore wipers and Karma persona
Check Point Research published 'Bad Karma, No Justice,' attributing destructive wiper operations against Israeli organisations to Void Manticore — an Iranian MOIS-linked actor that Microsoft tracks as Storm-0842. The report catalogues custom wipers including BiBi (Windows and Linux variants), CIWiper, LowEraser/Pinky, and JustMBR, alongside manual destruction using Windows Format and SDelete. Void Manticore fronts the Karma and Homeland Justice leak-and-influence personas in Israel and Albania respectively.
Tags: wiper, bibi-wiper, karma, homeland-justice, mois
- Compromise · High · 2022-07-15 · Check Point Research
Homeland Justice persona disrupts Albanian government IT under MOIS direction
In mid-July 2022 destructive intrusions disrupted Albanian government services and the Total Information Management System (TIMS) used at border crossings, claimed via the 'Homeland Justice' leak site. Albania severed diplomatic relations with Iran in September 2022, and subsequent vendor reporting (Microsoft, Check Point, Mandiant) attributed the destructive component to the MOIS cluster now tracked as Void Manticore / Storm-0842, with initial access handed off from Scarred Manticore.
Tags: albania, homeland-justice, wiper, government
Indicators of compromise
2 indicators

| Type | Value | First seen | Source |
|---|---|---|---|
| IPv4 | IP address listed in Check Point Research's Void Manticore IOC appendix (May 2024 report on destructive activities in Israel). | May 19, 2024 | Check Point Research |
| SHA-256 | family · BiBi Wiper SHA-256 listed in Check Point Research's May 2024 'Bad Karma, No Justice' report on Void Manticore. The actor uses BiBi wiper (Linux and Windows variants) along with CIWiper and partition wipers in destructive operations against Israeli and Albanian targets. | May 19, 2024 | Check Point Research |
Related actors
shared ATT&CK techniques
- RU · Russia · Cadet Blizzard · 3 shared techniques
- IR · Iran · Homeland Justice · 3 shared techniques
- KP · DPRK · Andariel · 2 shared techniques
- CN · China · APT3 · 2 shared techniques
- RU · Russia · Dragonfly · 2 shared techniques
- CN · China · Flax Typhoon · 2 shared techniques
References
cite this page
Threat Intel Tracker. (2026-05-19). Void Manticore — actor profile. Retrieved from https://threatintel.local/actors/void-manticore