Void Manticore is an Iranian threat actor affiliated with the MOIS, known for destructive wiping attacks and information leaks under personas such as Karma and Homeland Justice. The group collaborates with Scarred Manticore in victim handoffs, uses multiple wiper families across Windows and Linux, and conducts coordinated, disruptive operations against Israeli and Albanian targets.
#VoidManticore #Karma #HomelandJustice #ScarredManticore
Keypoints
- Void Manticore is an Iranian threat actor affiliated with MOIS that conducts destructive wiping attacks combined with influence operations.
- The actor operates online personas such as Homeland Justice (Albania) and Karma (Israel) to leak data and claim attacks.
- There are notable overlaps and a “handoff” of victims between Scarred Manticore and Void Manticore, indicating collaboration.
- Five different methods are used for disruptive operations, including custom wipers for Windows and Linux, plus manual deletion of files and shared drives.
- A documented “One-Two Punch” handoff procedure shows Scarred Manticore initiating access and Void Manticore deploying new web shells and wipers.
- The group uses the BiBi wiper in Israel, a wiper named after Benjamin Netanyahu, to conduct destructive campaigns.
- Technical activity includes web shells (Karma Shell), RDP-based lateral movement, domain admin credential use, and covert C2 via SSH proxies.
MITRE Techniques
- [T1505.003] Web Shell – Karma Shell on internet-facing servers masquerades as an error page and can perform several functions. ‘Among those was Karma Shell, which appears to be a homebrew tool. While masquerading as an error page … this tool can perform several functions.’
- [T1027] Obfuscated/Compressed Files and Information – Use of base64 and a one-byte XOR to decrypt supplied parameters. ‘base64 and a one-byte XOR to decrypt the supplied parameters.’
- [T1021.001] Remote Desktop Protocol – Lateral movement using RDP to access other systems on the network. ‘they often perform lateral movements using Remote Desktop Protocol (RDP)’
- [T1090.003] External Proxy – Establishing a C2 channel via OpenSSH tunneling to create a SOCKS proxy. ‘openSSH client … setting up a SOCKS proxy from compromised hosts’
- [T1078] Valid Accounts – Access gained using Domain Admin credentials, indicating credential reuse/privilege escalation. ‘a Domain Admin account … authentication for Domain Admin credentials’
- [T1485] Data Destruction – Wipers destroying data and partitions, including partition table wipes. ‘wipers … destroy the partition table’ and ‘BiBi wiper’ variants
- [T1082] System Information Discovery – Gathering network information using SysInternals AD Explorer as part of discovery. ‘collects information about target networks using SysInternal’s AD Explorer’
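The T1027 entry above describes Karma Shell decoding its request parameters with base64 and a one-byte XOR. The following analyst helper, added here as an example and not code from the report or from the actor's tooling, reverses that scheme for a captured parameter and brute-forces the key when it is not known from the web shell source; it assumes the layout base64(plaintext XOR key), which the page does not state, and the key 0x5A and command string are constructed for the demonstration.

```python
import base64
from typing import Optional, Tuple

# Bytes that dominate legitimate command strings (letters, digits, space and
# common path/argument punctuation); used to rank candidate decryptions.
COMMON = set(b"abcdefghijklmnopqrstuvwxyz0123456789 ./=-_&|:\\")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def decode_parameter(encoded: str, key: int) -> bytes:
    """Undo base64, then the one-byte XOR, when the key is already known."""
    return xor_single_byte(base64.b64decode(encoded, validate=True), key)


def _is_printable_ascii(data: bytes) -> bool:
    return all(0x20 <= b <= 0x7E for b in data)


def recover_key(encoded: str) -> Optional[Tuple[int, bytes]]:
    """Try all 256 keys; reject any result that is not printable ASCII and rank
    the rest by how command-like they look (+1 per COMMON byte, -1 otherwise).
    Returns (key, plaintext) or None if no key yields printable text, which
    suggests the parameter does not use this scheme."""
    raw = base64.b64decode(encoded, validate=True)
    best: Optional[Tuple[int, bytes]] = None
    best_score = None
    for key in range(256):
        plain = xor_single_byte(raw, key)
        if not _is_printable_ascii(plain):
            continue
        score = sum(1 if b in COMMON else -1 for b in plain)
        if best_score is None or score > best_score:
            best, best_score = (key, plain), score
    return best


# Constructed sample: a command string encoded the way the shell would expect,
# with an arbitrary demonstration key (not a value from the report).
KEY = 0x5A
PLAINTEXT = b"cmd=whoami /all && net user"
SAMPLE_PARAM = base64.b64encode(xor_single_byte(PLAINTEXT, KEY)).decode()
# Constructed bytes that no single key can map to printable ASCII.
UNDECODABLE_PARAM = base64.b64encode(b"\x00\xff").decode()

if __name__ == "__main__":
    print(decode_parameter(SAMPLE_PARAM, KEY))
    print(recover_key(SAMPLE_PARAM))
    print(recover_key(UNDECODABLE_PARAM))
```

Run against a parameter pulled from web server access logs or a captured request, the recovered key can then be used to decode every other request from the same shell for timeline reconstruction.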
Indicators of Compromise
- [IP Address] – IPs associated with activity: 64.176.169.22, 64.176.172.235, 64.176.172.165, 64.176.173.77, 64.176.172.101, and other related addresses
- [File Hash] – D0C03D40772CD468325BBC522402F7B737F18B8F37A89BACC5C8A00C2B87BFC6, DEEAF85B2725289D5FC262B4F60DDA0C68AE42D8D46D0DC19B9253B451AEA25A, and 2 more hashes
- [File Name] – do.exe (Domain Admin credential check), REDACTED_NAME_WEBSHELL_reGeorge (web shell copy), and 2 more file names