Void Manticore / Handala
Iranian state-linked destructive operations group affiliated with the Ministry of Intelligence and Security (MOIS). Conducts wiper attacks, hack-and-leak campaigns, and data destruction operations under multiple hacktivist personas. Responsible for the March 2026 wiper attack on Stryker Corporation — the largest known destructive cyber operation against a single U.S. company.
Overview
Void Manticore is an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS), assessed with high confidence by Palo Alto Networks Unit 42, Check Point Research, Microsoft, and Brandefense. Unlike espionage-focused MOIS units such as MuddyWater, Void Manticore's mandate is destruction and disruption — wiping systems, leaking stolen data, and amplifying the psychological impact of its operations through coordinated information campaigns.
The group operates through multiple public-facing personas, each tailored to a specific theater of operations. Homeland Justice was created in mid-2022 for attacks against Albanian government and telecom infrastructure. Karma was used in Israel-focused operations beginning in late 2023, during which the group leaked data from over 40 Israeli organizations. Handala Hack emerged in December 2023 as the group's primary persona, expanding the targeting scope to include Western NGOs, think tanks, energy companies, and — as of March 2026 — major U.S. corporations.
Check Point Research published a March 2026 analysis confirming that all three personas exhibit highly similar TTPs and share code overlaps in their deployed wipers, establishing them as fronts for the same operational unit. Void Manticore has been observed receiving handoffs of pre-compromised targets from Scarred Manticore (Storm-861), a more sophisticated MOIS espionage actor, in a documented collaboration pattern where Scarred Manticore establishes persistent access and then transfers the victim to Void Manticore for destructive operations.
According to public reporting cited in the Check Point analysis, Void Manticore's operations overlap with activity linked to the MOIS Internal Security Deputy, particularly its Counter-Terrorism Division. The division reportedly operated under the supervision of Seyed Yahya Hosseini Panjaki, who was killed in the opening phase of Israeli strikes on Iran in early March 2026.
Target Profile
Void Manticore selects targets based on the intersection of political alignment, operational disruption potential, and media visibility. The group does not pursue traditional intelligence collection — it aims to destroy and to be seen destroying.
- Government and public administration: Albanian government ministries and public services were among the group's earliest targets under the Homeland Justice persona, beginning in mid-2022. These included government IT networks, telecom providers, and the national statistics institute INSTAT.
- Critical infrastructure and energy: Israeli energy companies and fuel distribution systems in Jordan have been targeted. Operations consistently seek targets whose disruption creates cascading real-world effects beyond the IT environment.
- Healthcare and medical technology: The March 2026 wiper attack on Stryker Corporation — a Fortune 500 medical device manufacturer — represents the group's most significant operation to date. The attack disrupted order processing, manufacturing, and shipping across 79 countries.
- Western organizations with Israeli ties: NGOs, think tanks, and enterprises with business connections to Israel are targeted for both data theft and destructive action. The group explicitly cited Stryker's 2019 acquisition of Israeli firm OrthoSpace as justification for the attack.
- IT and service providers (supply chain): Palo Alto Networks reports an increasing focus on supply-chain footholds through IT and service providers to reach downstream victims, consistent with a strategy of maximizing impact through trusted relationships.
Tactics, Techniques & Procedures
Documented TTPs based on observed campaigns and public threat intelligence from Check Point Research, Palo Alto Networks Unit 42, Microsoft, and Sophos.
| MITRE ID | Technique | Description |
|---|---|---|
| T1078 | Valid Accounts | Gains initial access through compromised credentials, including Global Admin accounts. In the Stryker attack, hijacked Intune administrator credentials to access the MDM control plane. |
| T1566 | Phishing | Deploys phishing campaigns using current-event lures, spoofing legitimate security vendors or government agencies. Has paired Rhadamanthys infostealer with custom wipers in phishing operations against Israeli targets. |
| T1190 | Exploit Public-Facing Application | Exploits vulnerabilities in internet-facing web servers and VPN gateways for initial access. Known exploitation of CVE-2019-0604 (Microsoft SharePoint) in earlier campaigns. |
| T1021.001 | Remote Desktop Protocol | Primary lateral movement method. Uses stolen Domain Admin credentials to move through victim networks via RDP. |
| T1505.003 | Web Shell | Deploys custom web shells including "Karma Shell" (disguised as an error page) and reGeorge tunneling shells for persistent access and command execution. |
| T1053.005 | Scheduled Task | Distributes wiper payloads through Group Policy logon scripts that execute batch files triggering wiper components as scheduled tasks. |
| T1485 | Data Destruction | Core operational objective. Deploys multiple wiper families (BiBi, Cl Wiper, Handala Wiper) to overwrite files and corrupt master boot records. In the Stryker attack, abused Microsoft Intune's remote wipe feature to factory-reset 200,000+ devices. |
| T1561.001 | Disk Content Wipe | Uses ElRawDisk driver (via Cl Wiper) and MBR-based wiping techniques to overwrite physical drive contents, rendering data forensically unrecoverable. |
| T1561.002 | Disk Structure Wipe | Partition wipers (No-Justice / LowEraser) remove disk partition layouts, causing system crashes and making OS data inaccessible. |
| T1491.001 | Internal Defacement | Drops propaganda images (handala.gif) across all logical drives and defaces login pages with the Handala logo for psychological impact. |
| T1059.001 | PowerShell | Deploys PowerShell-based wiper scripts distributed through Group Policy that enumerate and delete user directory files. Check Point noted the PowerShell wiper appeared to be developed with AI assistance. |
| T1567 | Exfiltration Over Web Service | Exfiltrates stolen data before destructive operations. Publishes exfiltrated material to Telegram channels and data leak portals as part of coordinated information campaigns. |
Known Campaigns
Confirmed or highly attributed destructive operations linked to Void Manticore across its multiple personas.
- Abused Microsoft Intune's remote wipe capability to factory-reset over 200,000 devices across Stryker's global operations in 79 countries. Claimed 50TB data exfiltration. Disrupted manufacturing, shipping, and order processing for the $25 billion medical device manufacturer. First major wiper attack on a U.S. company in the Iran conflict. Operated under the Handala persona.
- Sustained wiper and hack-and-leak operations against Israeli entities under the Karma and Handala personas. Deployed the BiBi Wiper (named after Israeli PM Benjamin Netanyahu) in both Linux and Windows variants. Leaked data from over 40 Israeli organizations. Targeted energy companies, higher education institutions, and technology firms. Coordinated with Scarred Manticore (Storm-861) for initial access handoffs.
- Targeted fuel distribution systems in Jordan. Part of an expansion of operations beyond Israel to Gulf-adjacent states, consistent with the group's stated objective of targeting opponents of the broader "Axis of Resistance".
- Document theft and amplified information operations targeting Western non-governmental organizations and think tanks. Focused on eroding institutional trust and influencing international perceptions through strategic data leaks.
- Destructive wiper attacks against Albanian government ministries, telecom infrastructure, and the national statistics institute INSTAT. Deployed Cl Wiper and partition wipers (No-Justice / LowEraser). This campaign marked Void Manticore's first known public operations and led to Albania severing diplomatic relations with Iran. Operated under the Homeland Justice persona.
Tools & Malware
Known custom and commodity tools associated with Void Manticore across its operational personas.
- BiBi Wiper: Custom wiper with Linux and Windows variants, named after Israeli PM Benjamin Netanyahu. Corrupts files and renames them with the ".BiBi" extension. Uses a multi-threaded architecture to accelerate destruction. Windows variant disables recovery mechanisms and deletes shadow copies. Primary tool used in Israeli-targeted operations from 2023 onward.
- Cl Wiper: Windows wiper using the legitimate ElRawDisk driver (rwdsk.sys) to access raw disk for overwrite operations. Fills the physical drive buffer with zero characters. Uses the same ElRawDisk license key as the ZeroCleare wiper. First deployed in the Albania attack in July 2022.
- No-Justice / LowEraser: Partition wiper that removes disk partition layouts, causing system crashes and rendering all disk data inaccessible. Deployed in both Albania and Israel.
- Handala Wiper: Custom executable distributed via Group Policy logon scripts. Overwrites file contents and employs MBR-based wiping. Accompanied by a secondary PowerShell wiper that enumerates and deletes user directory files. The PowerShell component appears AI-assisted based on code structure.
- Karma Shell: Custom web shell disguised as an error page. Provides persistent access with capabilities for command execution, file upload, and network reconnaissance.
- reGeorge: Publicly available tunneling web shell used for sustained access and traffic tunneling into compromised networks.
- Rhadamanthys: Commercially available infostealer sold on darknet forums. Paired with custom wipers in phishing campaigns, often disguised as software updates targeting Israeli organizations.
- NetBird: Legitimate tunneling tool newly observed in 2025-2026 operations for routing traffic into victim networks.
- Microsoft Intune (abused): In the Stryker attack, the group weaponized Microsoft's legitimate MDM platform by issuing mass remote wipe commands through compromised admin credentials — requiring no malware deployment for the destructive phase.
Indicators of Compromise
Publicly reported IOCs associated with Void Manticore operations. These are sourced from Check Point Research, Palo Alto Networks, and Microsoft reporting.
IOCs may be stale or burned after public disclosure. Void Manticore frequently rotates infrastructure. Cross-reference with live threat intel feeds before blocking. The Stryker attack notably did not rely on traditional malware IOCs — detection must focus on identity and administrative control plane abuse.
Mitigation & Defense
Recommended defensive measures based on observed TTPs and advisories from Palo Alto Networks Unit 42, CISA, and Check Point Research.
- Enforce JIT access for MDM administrators: Implement just-in-time provisioning through Microsoft Entra PIM or equivalent. No account should hold permanent standing access to mass device wipe capabilities. This is the single highest-priority mitigation given the Stryker attack vector.
- Require phishing-resistant MFA on all privileged accounts: Hardware-based FIDO2 security keys should be mandatory for any account with administrative access to Intune, Entra ID, or other identity and device management platforms.
- Alert on bulk wipe and bulk management operations: Create monitoring rules that trigger immediate investigation when device wipe, retire, or reset commands exceed a defined threshold (3-5 devices in a short window).
- Restrict MDM admin access by device and location: Conditional Access policies should limit Intune admin portal access to specific managed, compliant devices from named locations only.
- Audit and harden Group Policy objects: Monitor for unauthorized GPO modifications, especially logon scripts that deploy executables or PowerShell scripts to domain-joined machines.
- Segment and protect backups: Ensure backup systems are immutable, distributed, and inaccessible from the same administrative plane as production systems. Wiper attacks render recovery entirely dependent on backup integrity.
- Re-evaluate BYOD MDM enrollment: Consider containerized MDM solutions that isolate corporate data without granting full-device wipe authority over personal devices.
- Monitor for Scarred Manticore handoff patterns: Void Manticore frequently receives pre-compromised access from Scarred Manticore (Storm-861). Detecting the espionage precursor activity can prevent the destructive phase from executing.
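The "alert on bulk wipe and bulk management operations" recommendation above is the one that would have fired during the Stryker control-plane abuse, and it is easy to get wrong: alerting on every wipe command drowns the help desk's legitimate activity, while counting raw commands lets three retries against one stubborn device look like a burst. The script below is an added example for this profile, not code from any of the cited vendors. It runs a per-actor sliding window over destructive MDM commands and alerts only when the number of distinct devices hit within the window reaches the threshold. The record format, the actor and device names, and the action verbs (`wipe`, `retire`, `reset`) are constructed for the example; a real Intune audit export uses its own field and activity names, which you would map onto these before use.

```python
"""Burst detection for destructive MDM device commands (wipe / retire / reset).

Added example for this threat actor profile; not code from Check Point,
Unit 42, Microsoft or CISA. The audit record format below is a constructed,
simplified stand-in for an MDM audit log: one JSON object per line with
ts, actor, action and device. Real Intune audit exports differ; map their
fields onto this shape before running the detector on live data.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Verbs treated as destructive. Constructed placeholders for the MDM's own
# wipe / retire / reset activity names.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "reset"}

# Constructed sample audit lines (not real telemetry). Three distinct patterns:
#  - helpdesk-01 retries a wipe on ONE device three times  -> benign, no alert
#  - helpdesk-02 touches two devices hours apart           -> benign, no alert
#  - intune-admin hits five distinct devices in seconds    -> alert
SAMPLE_EVENTS = """\
{"ts": "2026-01-15T08:02:11+00:00", "actor": "helpdesk-01@example.test", "action": "wipe", "device": "LAPTOP-0417"}
{"ts": "2026-01-15T08:02:40+00:00", "actor": "helpdesk-01@example.test", "action": "wipe", "device": "LAPTOP-0417"}
{"ts": "2026-01-15T08:03:05+00:00", "actor": "helpdesk-01@example.test", "action": "wipe", "device": "LAPTOP-0417"}
{"ts": "2026-01-15T09:15:00+00:00", "actor": "helpdesk-02@example.test", "action": "retire", "device": "PHONE-2210"}
{"ts": "2026-01-15T13:40:00+00:00", "actor": "helpdesk-02@example.test", "action": "wipe", "device": "LAPTOP-0998"}
{"ts": "2026-01-15T22:01:00+00:00", "actor": "intune-admin@example.test", "action": "syncDevice", "device": "LAPTOP-1001"}
{"ts": "2026-01-15T22:01:10+00:00", "actor": "intune-admin@example.test", "action": "wipe", "device": "LAPTOP-1001"}
{"ts": "2026-01-15T22:01:12+00:00", "actor": "intune-admin@example.test", "action": "wipe", "device": "LAPTOP-1002"}
{"ts": "2026-01-15T22:01:13+00:00", "actor": "intune-admin@example.test", "action": "wipe", "device": "LAPTOP-1003"}
{"ts": "2026-01-15T22:01:15+00:00", "actor": "intune-admin@example.test", "action": "retire", "device": "PHONE-3001"}
{"ts": "2026-01-15T22:01:16+00:00", "actor": "intune-admin@example.test", "action": "reset", "device": "PHONE-3002"}
"""


def parse_events(text):
    """Parse JSON-lines audit records into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(rec["ts"]),
            "actor": rec["actor"],
            "action": rec["action"].lower(),
            "device": rec["device"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_bulk_device_actions(events, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per actor whose destructive commands reached
    `threshold` DISTINCT devices inside any `window`-long span.

    Counting distinct devices rather than commands keeps retries against a
    single device from tripping the rule; the per-actor window keeps a busy
    but legitimate help desk from being summed across many people.
    """
    recent = defaultdict(deque)   # actor -> deque of (ts, device) inside window
    alerts = {}                   # actor -> alert being accumulated
    for ev in events:
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent[ev["actor"]]
        q.append((ev["ts"], ev["device"]))
        # Drop entries older than the window; the just-appended entry keeps
        # the deque non-empty so the loop always terminates.
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {device for _, device in q}
        if len(distinct) >= threshold:
            alert = alerts.setdefault(ev["actor"], {
                "actor": ev["actor"],
                "window_start": q[0][0],
                "devices": set(),
            })
            alert["devices"].update(distinct)
            alert["window_end"] = ev["ts"]
    return [
        {**a, "devices": sorted(a["devices"]), "device_count": len(a["devices"])}
        for a in alerts.values()
    ]


if __name__ == "__main__":
    for alert in detect_bulk_device_actions(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {alert['actor']}: {alert['device_count']} devices "
              f"between {alert['window_start']} and {alert['window_end']}: "
              f"{', '.join(alert['devices'])}")
```

The defaults (three distinct devices in ten minutes) sit at the low end of the 3-5 range given in the mitigation list; tune them against a few weeks of your own audit history so that routine device retirements stay below the line. Because the detector keys on the administrative action rather than on any file or process artefact, it is unaffected by whether the destructive phase ever touched an endpoint with malware, which is exactly the gap the Stryker operation exposed.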
Void Manticore's March 2026 Stryker operation demonstrated that destructive attacks can bypass all endpoint detection by abusing legitimate cloud management tools. Organizations whose threat model is limited to malware-based wiper scenarios have a significant blind spot. Identity and administrative control plane security is now a precondition for wiper defense.
Sources & Further Reading
Attribution and references used to build this profile.
- Check Point Research — "Handala Hack" - Unveiling Group's Modus Operandi (March 2026)
- Check Point Research — Bad Karma, No Justice: Void Manticore Destructive Activities in Israel (May 2024)
- Palo Alto Networks Unit 42 — Increased Risk of Wiper Attacks (March 2026)
- KrebsOnSecurity — Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker (March 2026)
- Moody's — From Silence to Stryker: Iran's Cyber Retaliation Begins (March 2026)
- SOCRadar — Dark Web Profile: Storm-842 (Void Manticore) (January 2025)
- Brandefense — Inside Void Manticore: Iran's Hybrid Hacktivist for Information Warfare (November 2025)
- SEC — Stryker Corporation 8-K Filing (March 2026)