The report assesses Homeland Justice, Karma/KarmaBelow80, and Handala as a single, state-aligned cyber influence ecosystem directed by Iran’s MOIS that fuses low-to-moderate intrusion capability with coordinated information operations to generate high-impact narratives. The actors rely on identity- and access-focused compromises, ephemeral domains, and Telegram-based command-and-control and amplification to convert modest technical access into widely publicized “hack-and-leak” events. #HomelandJustice #Handala #KarmaBelow80
Key points
- Homeland Justice, Karma/KarmaBelow80, and Handala operate as interchangeable personas within a single, centrally managed cyber influence ecosystem aligned with Iran’s Ministry of Intelligence and Security (MOIS).
- The campaign combines intrusion, surveillance, disruption, and influence as integrated, simultaneous functions rather than discrete sequential phases.
- Operational tradecraft favors identity- and access-compromise (password guessing, credential stuffing, phishing, weak or reused credentials) and exploitation of misconfigured or exposed services over advanced zero-day malware.
- Ephemeral infrastructure—rotated domains, Telegram channels, and rebranded personas—supports resilient messaging, selective data disclosure, and rapid narrative amplification.
- The actors leverage Telegram both as a command-and-control mechanism (encrypted bot channels) and as a public dissemination/amplification platform to bridge technical compromise and media impact.
- The true operational effect is often reputational and psychological through a predictable amplification loop (claim → media pickup → public discourse → institutional response), meaning perception substitutes for deep technical compromise.
MITRE Techniques
- [T1110] Brute Force – Access obtained via password guessing and credential stuffing (‘password guessing, credential stuffing’)
- [T1566] Phishing – Initial access and targeted lures used to compromise user accounts (‘phishing’)
- [T1078] Valid Accounts – Use of compromised or weak/reused credentials and compromised accounts to maintain access (‘a compromised account’, ‘exploitation of weak or reused credentials’)
- [T1190] Exploit Public-Facing Application – Access arising from misconfigured management infrastructure or exposed services rather than novel vulnerabilities (‘misconfigured management infrastructure’, ‘poor security hygiene in externally exposed services’)
- [T1041] Exfiltration Over C2 Channel – Large-scale data exfiltration and selective disclosure of stolen data to support narrative operations (‘data exfiltration’, ‘stolen data is selectively exposed’)
- [T1485] Data Destruction – Destructive or disruptive actions used as part of operations to enable psychological impact (‘destructive or disruptive action’)
- [T1102] Web Service – Use of Telegram and other public web services for command-and-control and dissemination (‘Telegram-based command-and-control’, ‘Telegram channels act as dissemination and amplification nodes’)
- [T1204] User Execution – Trojanized applications and user-targeted lures enabling persistent surveillance of individuals (‘Trojanized applications and user-targeted lures enable persistent monitoring of individuals’)
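Because the report stresses that this ecosystem's access comes from password guessing and credential stuffing (T1110) that turns into use of a valid account (T1078) rather than from novel exploits, the highest-value detection is on the authentication log. The following is an added illustration, not code from the report or from any of the actors' tooling; the log format and the sample events are constructed, and the threshold of five distinct accounts is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample authentication events (not taken from the report): one
# source fails against many different accounts, then one attempt succeeds.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:06Z src=203.0.113.7 user=frank result=SUCCESS
2024-05-01T10:01:00Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:01:05Z src=198.51.100.9 user=alice result=SUCCESS
"""

# Assumed key=value log layout; adapt the pattern to the real IdP/VPN format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

def parse(log):
    """Turn raw lines into event dicts, skipping lines that do not match."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def detect_spray(events, min_accounts=5):
    """Flag a source that fails against at least min_accounts distinct users
    (password spraying / credential stuffing, T1110) and record any success
    from that source occurring after its failures (candidate T1078 use).
    Events must be in chronological order."""
    failed_users = defaultdict(set)
    success_after = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["src"]].add(e["user"])
        elif e["result"] == "SUCCESS" and failed_users[e["src"]]:
            success_after[e["src"]].append(e["user"])
    return {
        src: {"failed_accounts": len(users),
              "success_after_spray": sorted(success_after[src])}
        for src, users in failed_users.items() if len(users) >= min_accounts
    }
```

A single-account retry from 198.51.100.9 stays below the threshold, while 203.0.113.7 is reported with the account that later logged in, which is the event to escalate for session revocation and password reset.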
Indicators of Compromise
- [Domains] Public-facing and disposable infrastructure used for dissemination and amplification – example: frequently rotated public-facing domains (no specific domains provided in source)
- [Telegram channels/accounts] Command-and-control and public amplification nodes – example: Telegram-based command-and-control bots, Telegram amplification accounts (handles not specified)
- [Account identifiers] Compromised personal and administrative accounts used for access and narrative leverage – example: Kash Patel personal account compromise, generic ‘compromised account’ incidents
- [Organizations/Targets] Notable targeted entities referenced in reporting and amplification – example: Stryker Corporation, a referenced FBI director’s 2009 email account (no specific addresses provided)
- [Exposed datasets/files] Data exposures and selectively published stolen data used to drive narratives – example: exposed datasets and selectively released stolen data (and other unspecified files)