Void Manticore is an Iranian advanced persistent threat group operating under the direction of Iran’s Ministry of Intelligence and Security (MOIS). It is tracked across vendors as Storm-0842 and Banished Kitten and operates under the public personas “Homeland Justice,” “Karma,” and “Handala.” First surfacing in July 2022 with destructive cyberattacks against Albania’s e-government systems, Void Manticore has evolved into a hybrid warfare operation that integrates technical destruction with information operations, targeted intimidation, and narrative control to achieve maximum geopolitical impact.
Void Manticore targets government agencies and critical infrastructure across Israel, the United States, Albania, Jordan, and the Gulf States, in sectors including oil and gas, energy, telecommunications, defense, NGOs, media, think tanks, IT service providers, education, transportation, airlines, maritime, and healthcare. Its hallmark is combining technical destruction with psychological warfare under region-specific personas, deploying custom wiper malware including BiBi Wiper (named after Israeli Prime Minister Benjamin Netanyahu), Cl Wiper, and No-Justice Wiper.
A critical element of Void Manticore’s operational model is structured collaboration with Scarred Manticore, another MOIS-linked espionage group. In this “handoff” workflow, Scarred Manticore first breaches targets to establish persistent access and conduct quiet data exfiltration, sometimes for over a year, before transferring control to Void Manticore when a decision is made to shift from intelligence collection to destruction. This partnership allows Iran to maintain espionage access while reserving the option to weaponize it during geopolitical escalations, a procedure observed against both Albania in 2022 and Israel from 2023 to 2026.
Void Manticore first surfaced in July 2022 with a destructive cyberattack against Albania’s e-government systems under the persona “Homeland Justice,” timed to disrupt a conference of the Iranian opposition group MEK (Mujahedin-e-Khalq). The actors had maintained access to Albanian networks for approximately 14 months before striking, then deployed the custom Cl Wiper to cripple government infrastructure; the No-Justice Wiper followed in renewed Homeland Justice attacks on Albanian targets in December 2023. A second wave in September 2022 targeted Albanian border systems after Albania severed diplomatic ties with Iran, with stolen data leaked on Telegram to amplify the psychological impact.
The group operates under regional personas, “Homeland Justice” for Albania and “Karma” for Israel, pairing technical destruction with psychological warfare. Central to its model is the handoff from Scarred Manticore: the espionage group breaches the target, holds persistent access and quietly exfiltrates data, sometimes for more than a year, and cedes control to Void Manticore only once the decision is made to move from collection to destruction. In practice this means the destructive actor arrives with credentials, network knowledge, and a copy of the data already in hand, which is why the public leak can follow the wiping so closely.
Following the October 2023 Israel-Hamas conflict, Void Manticore pivoted aggressively toward Israeli organizations under the persona “Karma,” claiming attacks against more than 40 entities, though the verified impact of many claims remains unclear. The Void Manticore group deployed its signature BiBi Wiper malware, named after Israeli Prime Minister Benjamin Netanyahu, in Windows and Linux variants to corrupt files while appending the “.BiBi” extension. Newer BiBi Wiper variants evolved to target disk partition tables directly, complicating data restoration efforts.
These Void Manticore destructive operations were consistently paired with public data leaks on Telegram to amplify psychological impact, demonstrating the group’s integration of technical destruction with information warfare operations.
In late 2023, the Void Manticore group adopted its most sophisticated persona yet: Handala, a name borrowed from the Palestinian refugee cartoon character, chosen to lend moral legitimacy to the operation while complicating attribution to Iran. Under the Handala branding, Void Manticore expanded into cognitive warfare, targeting the personal devices of aides and family members to reach senior Israeli decision-makers indirectly. Its “RedWanted” (also known as “Saturday Files”) campaign doxed personal details of Israelis in the defense and media sectors while offering financial rewards for information.
Campaigns attributed to the cluster also show technical adaptability: commercial infostealers disguised as legitimate software updates, Telegram account takeover via session hijacking and SIM swapping, and destructive payloads masked as security software updates.
Between 2024 and 2026, Void Manticore targeting broadened to include NGOs and Western think tanks, with leak publication evolving into a deliberately planned phase of the attack lifecycle. Since mid-January 2026, the Void Manticore group has exploited Starlink terminals smuggled into Iran via black markets to maintain operations during government-imposed internet blackouts, demonstrating operational resilience.
In the current escalation following Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel) in late February 2026, Handala (Void Manticore) remains active, claiming attacks on Israeli energy companies and Jordanian fuel infrastructure. However, with Iran’s internet connectivity below 4%, researchers assess that near-term sophisticated Void Manticore operations from within Iran are likely constrained, with much observed activity being opportunistic.
Void Manticore’s evolution from Homeland Justice through Karma to Handala represents a mature, process-driven model of modern hybrid warfare, seamlessly integrating technical destruction with information operations, targeted intimidation, and narrative control to achieve maximum geopolitical impact for Iranian interests.
Prioritize patching known exploited vulnerabilities, especially CVE-2019-0604 in Microsoft SharePoint, which Void Manticore has used for initial access. Regularly update all internet-facing applications, VPN gateways, and remote access solutions to eliminate the entry points that enable Void Manticore destructive attacks, bearing in mind that the initial foothold may have been established months earlier by Scarred Manticore.
Void Manticore’s post-access TTPs are relatively unsophisticated and detectable by modern endpoint security. Configure EDR to detect known wiper behaviors: mass file corruption and renaming, partition table manipulation and raw physical-disk access, the “.BiBi” file extension pattern, loading of the ElRawDisk driver (used by Cl Wiper for raw disk writes), deletion of shadow copies and disabling of boot recovery, and Mimikatz or batch-file execution characteristic of the BiBi Wiper, Cl Wiper, and No-Justice Wiper deployments.
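The detection logic above, written out against constructed Sysmon-style events. This is an added example, not code from the page or from any vendor’s product: the event field names, the thresholds (10 “.BiBi” files in 60 seconds), the crude allow-list for raw-disk readers under C:\Windows, and the sample hosts and paths are all assumptions. It covers the four behaviours a SOC would page on (ElRawDisk driver load, raw PhysicalDrive access by a non-system binary, recovery inhibition via vssadmin/bcdedit/wbadmin, and a burst of files carrying the `.BiBi<n>` naming pattern) and returns alerts rather than printing them so the output can feed a SIEM rule or a test.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs. Fields loosely follow Sysmon:
# ProcessCreate (ID 1), DriverLoad (ID 6), RawAccessRead (ID 9), FileCreate (ID 11).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "host": "srv1", "event": "DriverLoad",
     "image": r"C:\Windows\Temp\elrawdsk.sys", "signer": "EldoS Corporation"},
    {"ts": "2024-01-01T10:00:01", "host": "srv1", "event": "ProcessCreate",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2024-01-01T10:00:02", "host": "srv1", "event": "ProcessCreate",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2024-01-01T10:00:05", "host": "srv1", "event": "RawAccessRead",
     "image": r"C:\Users\Public\update.exe", "device": r"\\.\PhysicalDrive0"},
] + [
    # twelve overwritten files in twelve seconds, renamed the way BiBi does it
    {"ts": "2024-01-01T10:00:%02d" % (10 + i), "host": "srv1", "event": "FileCreate",
     "image": r"C:\Users\Public\update.exe",
     "target": r"C:\Data\qqqqqqqqqq.BiBi" + str(i)}
    for i in range(12)
] + [
    # benign activity on a second host: no alert expected
    {"ts": "2024-01-01T10:05:00", "host": "srv2", "event": "FileCreate",
     "image": r"C:\Program Files\App\app.exe", "target": r"C:\Data\report.docx"},
    {"ts": "2024-01-01T10:05:01", "host": "srv2", "event": "ProcessCreate",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]

BIBI_NAME = re.compile(r"\.BiBi\d*$", re.IGNORECASE)            # BiBi appends .BiBi<n>
RAW_DISK = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.IGNORECASE)
RECOVERY_INHIBIT = [                                           # run before wiping
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.IGNORECASE),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.IGNORECASE),
]
BURST_COUNT, BURST_WINDOW = 10, timedelta(seconds=60)          # assumed thresholds


def _alert(ev, rule):
    return {"host": ev["host"], "ts": ev["ts"], "rule": rule, "image": ev.get("image")}


def detect(events):
    """Return alerts for the wiper behaviours; at most one burst alert per host."""
    alerts, recent, burst_fired = [], defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, image = ev["event"], ev.get("image", "").lower()
        if kind == "DriverLoad" and (image.endswith("elrawdsk.sys")
                                     or "eldos" in ev.get("signer", "").lower()):
            alerts.append(_alert(ev, "elrawdisk_driver_load"))
        elif (kind == "RawAccessRead" and RAW_DISK.match(ev.get("device", ""))
              and not image.startswith("c:\\windows\\")):   # crude allow-list
            alerts.append(_alert(ev, "raw_physical_drive_access"))
        elif kind == "ProcessCreate" and any(p.search(ev.get("cmdline", ""))
                                            for p in RECOVERY_INHIBIT):
            alerts.append(_alert(ev, "recovery_inhibition"))
        elif kind == "FileCreate" and BIBI_NAME.search(ev.get("target", "")):
            host, ts = ev["host"], datetime.fromisoformat(ev["ts"])
            window = recent[host]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:             # slide the window
                window.popleft()
            if len(window) == 1:
                alerts.append(_alert(ev, "bibi_extension_seen"))
            if len(window) >= BURST_COUNT and host not in burst_fired:
                burst_fired.add(host)
                alerts.append(_alert(ev, "bibi_extension_burst"))
    return alerts


def summarize(alerts):
    """Map host -> set of rule names, the shape a SOC would page on."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    return dict(by_host)


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ts"], a["host"], a["rule"], a["image"])
```

The single-sighting rule fires on the first `.BiBi` file because one such rename is already abnormal; the burst rule adds the high-confidence signal. The ElRawDisk driver is a legitimately signed EldoS product, so the driver-load rule should be tuned against any approved use in the environment rather than treated as a certain indicator on its own.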
Wiper malware deployed by Void Manticore, including BiBi Wiper, Cl Wiper, and No-Justice Wiper, is specifically designed to render data irrecoverable by corrupting files and disk partition tables. Maintain air-gapped, immutable backups of all critical data and systems, and exercise restoration regularly with actual restores, not only tabletop walkthroughs. Pay particular attention to boot records and partition layouts: Void Manticore wipers target these disk structures to make data inaccessible even when the underlying data remains intact, so record the partition layout of critical hosts alongside the backups and verify it before declaring a system clean.
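One way to baseline and verify the disk structures the wipers target, as an added example that is not from the page or any vendor: parse the MBR partition table and the GPT header from the first two sectors of a disk, fingerprint the layout-defining bytes, and compare a later read against the stored fingerprint. The two-sector image below is constructed inline (a protective MBR plus a minimal GPT header); on a real host you would read the first 1024 bytes of the block device as root and keep the baseline off-box with the backups. `simulate_wipe` is a hypothetical helper that reproduces what a partition-table wiper leaves behind.

```python
import hashlib
import struct
import zlib

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
GPT_SIG = b"EFI PART"


def parse_mbr(sector0):
    """Return the non-empty MBR partition entries or raise if the table is invalid."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIG:
        raise ValueError("MBR boot signature missing")
    entries = []
    for i in range(4):                       # four 16-byte entries at offset 446
        off = 446 + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16])
        if ptype:
            entries.append({"index": i, "type": ptype, "lba": lba,
                            "sectors": count, "bootable": status == 0x80})
    return entries


def parse_gpt_header(sector1):
    """Validate the GPT header signature and CRC32; return header size and CRC."""
    if sector1[:8] != GPT_SIG:
        raise ValueError("GPT header signature missing")
    size, stored_crc = struct.unpack_from("<II", sector1, 12)
    hdr = bytearray(sector1[:size])
    hdr[16:20] = b"\x00" * 4                 # CRC is computed with its own field zeroed
    if zlib.crc32(bytes(hdr)) != stored_crc:
        raise ValueError("GPT header CRC mismatch")
    return {"size": size, "crc": stored_crc}


def fingerprint(image):
    """SHA-256 over the layout-defining bytes: MBR table + boot signature + GPT header."""
    mbr, gpt = image[:SECTOR], image[SECTOR:2 * SECTOR]
    parse_mbr(mbr)                           # refuse to fingerprint a broken layout
    hdr = parse_gpt_header(gpt)
    return hashlib.sha256(mbr[446:512] + gpt[:hdr["size"]]).hexdigest()


def verify(image, baseline):
    """True only if the image still parses and matches the recorded fingerprint."""
    try:
        return fingerprint(image) == baseline
    except ValueError:
        return False


def build_sample_image():
    """Constructed two-sector image: protective MBR (type 0xEE) plus a minimal GPT header."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x00, b"\x00\x02\x00", 0xEE,
                               b"\xff\xff\xff", 1, 0xFFFFFFFF)
    mbr[510:512] = BOOT_SIG
    gpt = bytearray(SECTOR)
    gpt[0:8] = GPT_SIG
    # revision, header size, crc (0 for now), reserved, current/backup LBA, first/last usable
    struct.pack_into("<IIIIQQQQ", gpt, 8, 0x00010000, 92, 0, 0, 1, 2047, 34, 2014)
    gpt[56:72] = bytes(range(16))            # disk GUID (constructed)
    # partition entry array LBA, entry count, entry size, entry array CRC (left 0 here)
    struct.pack_into("<QIII", gpt, 72, 2, 128, 128, 0)
    struct.pack_into("<I", gpt, 16, zlib.crc32(bytes(gpt[:92])))
    return bytes(mbr + gpt)


def simulate_wipe(image):
    """Hypothetical: what a partition-table wiper leaves, a zeroed MBR table and GPT header."""
    img = bytearray(image)
    img[446:512] = b"\x00" * 66
    img[SECTOR:SECTOR + 92] = b"\x00" * 92
    return bytes(img)


if __name__ == "__main__":
    # Real host: image = open("/dev/sda", "rb").read(2 * SECTOR) as root.
    image = build_sample_image()
    baseline = fingerprint(image)
    print("baseline", baseline)
    print("intact  ", verify(image, baseline))
    print("wiped   ", verify(simulate_wipe(image), baseline))
```

On Linux the same baseline is more conveniently captured with `sfdisk -d /dev/sda` or `sgdisk -b`, which also give you a file that can be replayed to restore the layout; the point of the parser is to show exactly which bytes a wiper must touch and that a dropped boot signature or a CRC mismatch is detectable without forensic tooling.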
Void Manticore’s attack lifecycle deliberately integrates data leaks and narrative amplification alongside technical destruction—leak publication is a planned phase, not a byproduct. Develop cross-functional response plans covering IT, legal, and communications teams for combined wiper-and-leak scenarios, and monitor Telegram channels and social media for Void Manticore’s active personas (Homeland Justice, Karma, Handala). The handoff from Scarred Manticore to Void Manticore leaves an extremely short window before destruction begins, so pre-authorized containment playbooks should be ready for immediate execution.