Void Manticore (Storm-0842) – Threat Actor

March 2, 2025
in Threat Actors
Void Manticore

Other Names: Storm-0842, Karma, Homeland Justice

Location: Iran

Date of initial activity: 2023

Suspected attribution: State-sponsored Threat Group

Government Affiliation: Yes

Associated Groups: Scarred Manticore, Havoc Manticore

Motivation: Cyber Espionage

Associated tools: BiBi Wiper

Overview

Void Manticore is an Iranian threat actor group affiliated with the Ministry of Intelligence and Security (MOIS). The group first emerged in October 2023 and quickly gained notoriety for its destructive cyber operations. Void Manticore is known for executing high-impact, disruptive attacks primarily targeting organizations in Israel. The group’s activities combine data-wiping attacks with information leaks, aimed both at causing operational disruption and at advancing political motives.

The group operates under various online personas, including “Karma” and “Homeland Justice,” to execute and publicize its attacks. These personas are used to exploit political tensions and amplify the impact of its cyber operations. “Karma” is notably linked to attacks in Israel, employing a custom wiper called the BiBi wiper, which is named after Israeli Prime Minister Benjamin Netanyahu. “Homeland Justice,” in contrast, is associated with attacks in Albania, using similar tactics and tools.

Void Manticore’s operational tactics include coordinated handoffs with other threat groups, particularly Scarred Manticore. This coordination involves transferring access and targets between the two groups: Scarred Manticore typically handles initial access and data exfiltration, while Void Manticore focuses on destructive activity. The handoff is marked by a shift from advanced to more basic tooling, with Void Manticore deploying custom wipers and manual data destruction methods.

The group employs a range of wipers and tools to achieve its goals. Its arsenal includes custom-built wipers for both Windows and Linux systems, which target specific files and partitions to render data inaccessible. The group’s techniques are relatively straightforward, involving the manual deployment of wipers and the use of tools like Remote Desktop Protocol (RDP) for lateral movement within compromised networks. Void Manticore’s operations are designed to maximize damage and disrupt critical infrastructure, demonstrating a high level of coordination and strategic planning.

Common targets

  • Israeli Organizations: The group has been notably active against Israeli entities, particularly in the context of the ongoing Israel-Hamas conflict. Their attacks in Israel often involve destructive operations using custom wipers like the BiBi wiper, named after Israeli Prime Minister Benjamin Netanyahu. These attacks aim to disrupt operations and cause significant data loss.
  • Albanian Entities: Void Manticore has also targeted organizations in Albania. Their activities here have included using politically charged messaging and executing destructive attacks. The group’s attacks in Albania often involve a similar pattern of initial data exfiltration by Scarred Manticore, followed by destructive operations by Void Manticore.
  • High-Value Targets: Both in Israel and Albania, Void Manticore focuses on high-value targets, including government agencies, financial institutions, and other critical infrastructure. Their operations are designed to maximize impact and send political messages.
  • Organizations with Existing Compromises: There is evidence that Void Manticore sometimes takes over networks previously compromised by other threat actors, such as Scarred Manticore. This strategy allows them to leverage existing access and target organizations more effectively.

Attack Vectors

  • Spear Phishing
  • Exploiting Vulnerabilities
  • Remote Desktop Protocol (RDP) Abuse
  • Malicious Software Downloads
  • Credential Dumping
  • Web Application Exploitation

How they operate

Void Manticore, an Iranian threat actor linked to the Ministry of Intelligence and Security (MOIS), has emerged as a formidable player in the realm of cyber warfare. Since its inception in 2022, this group has executed a series of high-profile attacks characterized by their destructive nature and psychological impact. Specializing in wipers and ransomware, Void Manticore’s operations are not just about causing damage but also about leveraging cyber-attacks to influence and intimidate its targets.

The group’s modus operandi combines sophisticated and rudimentary techniques. The primary method is the deployment of custom wipers such as the BiBi Wiper, which targets both Windows and Linux systems. These wipers are engineered either to corrupt files directly or to obliterate partition tables, rendering data inaccessible and causing significant operational disruption. The BiBi Wiper, named derisively after Israeli Prime Minister Benjamin Netanyahu, has been used extensively in attacks against Israeli organizations, highlighting the group’s focus on politically charged targets.

Void Manticore’s attack strategies also include manual data destruction using legitimate tools like Windows File Explorer, Sysinternals SDelete, and the Windows Format Utility. These methods are employed to ensure thorough data eradication, often complementing automated wiper attacks. In addition to these destructive techniques, the group uses Remote Desktop Protocol (RDP) abuse and credential dumping to gain and maintain unauthorized access to victim networks.

The group’s operations are further distinguished by collaboration with other threat actors, particularly Scarred Manticore. Evidence suggests a systematic “handoff” procedure in which Scarred Manticore, a more sophisticated actor, first infiltrates a target network and then transfers access to Void Manticore. This collaboration allows Void Manticore to leverage advanced capabilities and reach high-value targets, facilitating more impactful and targeted attacks. The synergy between these groups underscores a well-coordinated strategy to maximize the damage inflicted on their victims.

Void Manticore employs a blend of bespoke and publicly available software. Key tools include the Karma Shell, a custom web shell used for lateral movement and network reconnaissance, and partition wipers such as JustMBR and Pinky. These tools are designed to cause maximum disruption and ensure that compromised data remains irretrievable. The group’s reliance on both custom and off-the-shelf tools reflects a pragmatic approach, balancing sophistication with accessibility.

The attacks carried out by Void Manticore have had a profound impact on their targets, particularly in Israel and Albania. By combining destructive attacks with psychological operations, the group not only causes operational damage but also aims to create a climate of fear and uncertainty. Its use of politically charged messaging, such as the symbolism in the BiBi Wiper, indicates a strategic intent to amplify the political and psychological effects of its cyber operations.
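As an added illustration (not code from the page or from any vendor report) of how a defender might spot the hands-on-keyboard pattern described above, the script below runs a small detection over constructed, Sysmon-style log lines: it flags execution of the manual-destruction tools the profile names (Sysinternals SDelete and the Windows format utility) and RDP logons (Windows logon type 10), then correlates the two per account. Host names, user names and the key=value log format are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simple key=value form (Sysmon-style process
# creation plus Windows Security logon events). Illustrative data, not real telemetry.
SAMPLE_EVENTS = [
    'event=ProcessCreate host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"',
    'event=ProcessCreate host=FS01 user=CORP\\admin2 image=C:\\Temp\\sdelete64.exe cmdline="sdelete64.exe -p 3 -s D:\\Shares"',
    'event=ProcessCreate host=DC01 user=CORP\\admin2 image=C:\\Windows\\System32\\format.com cmdline="format.com E: /FS:NTFS /Q /Y"',
    'event=Logon host=DC01 user=CORP\\admin2 logon_type=10 src_ip=10.20.30.41',
    'event=Logon host=FS01 user=CORP\\alice logon_type=2 src_ip=-',
]

# Binaries the profile names for manual data destruction: Sysinternals SDelete
# and the Windows format utility (format.com). Matched on the image file name only.
DESTRUCTIVE_IMAGES = re.compile(r"(?:^|\\)(sdelete(?:64)?\.exe|format\.com)$", re.IGNORECASE)

@dataclass
class Finding:
    host: str
    user: str
    kind: str    # "wipe" or "rdp"
    detail: str

def parse(line):
    """Split one key=value line into a dict, honouring double-quoted values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def detect(lines):
    """Flag destructive-tool execution and interactive RDP logons (logon type 10)."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev.get("event") == "ProcessCreate" and DESTRUCTIVE_IMAGES.search(ev.get("image", "")):
            findings.append(Finding(ev["host"], ev["user"], "wipe", ev.get("cmdline", "")))
        elif ev.get("event") == "Logon" and ev.get("logon_type") == "10":
            findings.append(Finding(ev["host"], ev["user"], "rdp", "from " + ev.get("src_ip", "?")))
    return findings

def correlate(findings):
    """Accounts that both logged in over RDP and ran a destructive tool: RDP
    lateral movement followed by manual wiping, as described in the profile."""
    rdp = {f.user for f in findings if f.kind == "rdp"}
    wipe = {f.user for f in findings if f.kind == "wipe"}
    return sorted(rdp & wipe)

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host} {f.user} {f.kind}: {f.detail}")
    print("RDP logon and wiper-style tool by the same account:", correlate(hits))
```

On real telemetry the same two signals map to Sysmon event ID 1 (process creation) and Security event ID 4624 with LogonType 10; a single account showing both within a short window is worth an immediate look.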

MITRE Tactics and Techniques

  • T1071.001 – Application Layer Protocol: Web Protocols
  • T1133 – External Remote Services
  • T1071.003 – Application Layer Protocol: Web Protocols
  • T1105 – Ingress Tool Transfer
  • T1203 – Exploitation for Client Execution
  • T1075 – Pass the Hash
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell
  • T1021.001 – Remote Services: Remote Desktop Protocol
  • T1072 – Application Layer Protocol
  • T1555 – Credentials from Password Stores
  • T1566.001 – Phishing: Spearphishing Attachment

Impact / Significant Attacks

  • Israeli Cyberattacks (2022-2024): Void Manticore has targeted various organizations in Israel, leveraging wipers like the BiBi Wiper to inflict damage. These attacks have caused operational disruptions and are believed to be politically motivated, aimed at undermining Israeli entities.
  • Albanian Government Attack (2022): The group conducted a major cyberattack against the Albanian government, leading to significant data breaches and disruptions. This attack was notable for its scale and impact, demonstrating Void Manticore’s capability to target and disrupt governmental operations.
  • Operation Shaheen (2023): This operation involved a sophisticated campaign that combined wiper attacks with ransomware, targeting critical infrastructure and private sector organizations in various countries. The operation showcased Void Manticore’s ability to blend different attack methods for maximum effect.
  • Lebanese Financial Sector Attacks (2024): The group targeted Lebanese financial institutions, employing custom wipers and credential dumping techniques to disrupt operations and steal sensitive data. This campaign highlighted the group’s focus on destabilizing financial systems.
  • U.S. Cyberattacks (2024): Void Manticore has also been linked to attacks on U.S. organizations, including both government and private sector targets. These attacks involved sophisticated phishing campaigns and the deployment of wipers to cause data destruction and operational chaos.

References:
  • Void Manticore
  • Bad Karma, No Justice: Void Manticore Destructive Activities in Israel
  • Void Manticore Attack Detection: Iranian Hackers Launch Destructive Cyber Attacks Against Israel
Tags: Albania, Havoc Manticore, Homeland Justice, Iran, Israel, Karma, Linux, MOIS, Phishing, Scarred Manticore, Storm-0842, Threat Actors, Void Manticore, Vulnerabilities, Windows