Two-faced Void Manticore: how Iran fights Tehran's enemies

Father
How the hackers switch identities to disrupt networks in Albania and Israel.

The cybersecurity world is alarmed by new devastating attacks targeting Israel and Albania. An Iranian group linked to the Iranian Ministry of Intelligence and Security (MOIS) is behind the attacks. Check Point Research experts shed light on the tactics of Iranian hackers.

The group, called Void Manticore (Storm-0842), uses different aliases for its operations in different countries. The most famous ones are Homeland Justice for attacks in Albania and Karma for operations against Israel.

Void Manticore targets different regions and applies a distinct approach to each target. The group's activity overlaps with that of another Iranian group, Scarred Manticore, which points to coordinated, systematic selection of victims carried out on behalf of the Iranian Ministry of Intelligence and Security (MOIS).

Check Point experts warn that Void Manticore poses a significant threat "to anyone who opposes Iranian interests." The group uses a complex network of aliases, strategic collaboration, and sophisticated attack methodologies.

The group is known for its dual approach to cyber attacks, combining destruction of data with psychological pressure. Using five different methods, including custom wipers for Windows and Linux, Void Manticore disrupts systems by deleting files and manipulating shared drives.

Specialization in the destructive phase

The researchers analyzed the systematic hand-off of targets between the two groups. Scarred Manticore is responsible for initial access and exfiltration of data from target networks, and then hands control to Void Manticore to carry out the "destructive phase of the operation". Such cooperation significantly increases the scale and impact of the attacks.

Overlapping actions were seen in the attacks on Israel in 2023-2024 and on Albania in 2022.

Simple but effective tactics

Void Manticore attacks are characterized by their simplicity and straightforwardness. Generally, public tools and protocols such as Remote Desktop Protocol (RDP), Server Message Block (SMB), and File Transfer Protocol (FTP) are used to move within the network before deploying malware. In some cases, initial access is achieved by exploiting the CVE-2019-0604 vulnerability in Microsoft SharePoint.

Once inside, the hackers deploy the CI Wiper and No-Justice (LowEraser) wipers on Windows and Linux systems. Some of the wipers target specific files, file types, or applications in order to selectively delete critical information (CI Wiper), while others corrupt the system's partition table, making the data inaccessible (No-Justice). The group also deletes some data manually, which further increases the effect of the attacks.

CI Wiper was first used in an attack on Albania in July 2022, alongside LowEraser, which was used in attacks on both Albania and Israel. The latest attacks also used BiBi Wiper, which exists in Linux and Windows versions and uses more sophisticated techniques to corrupt files and disrupt the system.

The Void Manticore attacks indicate a high level of threat to countries that oppose Iranian interests. Researchers continue to monitor the activities of these groups in order to minimize the consequences of their destructive actions.
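The post describes the pre-wiper stage as plain lateral movement over RDP and SMB from one compromised foothold. That behaviour is detectable as "fan-out": one account from one source address reaching several hosts over those protocols in a short window. The script below is an added detection example, not code from the original post or from Check Point Research. It runs over a constructed set of Windows Security events (4624 with logon type 10 for RDP, 5140 for access to administrative shares such as ADMIN$ and C$); the field names, the 30-minute window and the three-host threshold are assumptions to be adjusted to a real SIEM export and environment.

```python
"""Flag RDP/SMB lateral-movement fan-out in Windows Security event exports."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), shaped like a SIEM export.
# 4624 with logon_type 10 = RemoteInteractive (RDP) logon; 5140 = network share
# accessed. Administrative shares (ADMIN$, C$) are what tooling uses to push
# payloads over SMB, so only those count as a lateral-movement signal here.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T02:00:05", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\svc_backup", "src_ip": "10.0.5.23", "host": "FS01"},
    {"ts": "2024-01-10T02:03:12", "event_id": 5140, "share": "\\\\FS02\\ADMIN$",
     "account": "CORP\\svc_backup", "src_ip": "10.0.5.23", "host": "FS02"},
    {"ts": "2024-01-10T02:07:48", "event_id": 5140, "share": "\\\\DC01\\C$",
     "account": "CORP\\svc_backup", "src_ip": "10.0.5.23", "host": "DC01"},
    {"ts": "2024-01-10T02:11:30", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\svc_backup", "src_ip": "10.0.5.23", "host": "APP03"},
    {"ts": "2024-01-10T02:14:01", "event_id": 5140, "share": "\\\\FS01\\Public",
     "account": "CORP\\svc_backup", "src_ip": "10.0.5.23", "host": "FS01"},
    # Benign-looking activity: one RDP session to a single host, a normal
    # (non-admin) share, and a console logon (type 2), none of which is fan-out.
    {"ts": "2024-01-10T09:15:00", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\jdoe", "src_ip": "10.0.8.11", "host": "WS-JDOE"},
    {"ts": "2024-01-10T09:20:00", "event_id": 5140, "share": "\\\\FS01\\Public",
     "account": "CORP\\jdoe", "src_ip": "10.0.8.11", "host": "FS01"},
    {"ts": "2024-01-10T09:25:00", "event_id": 4624, "logon_type": 2,
     "account": "CORP\\jdoe", "src_ip": "10.0.8.11", "host": "WS-JDOE"},
]

RDP_LOGON_TYPE = 10


def classify_move(ev):
    """Return 'rdp' or 'smb-admin' if the event is a lateral-movement signal, else None."""
    if ev.get("event_id") == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
        return "rdp"
    if ev.get("event_id") == 5140:
        # Share name is the last path component of \\HOST\SHARE.
        share = ev.get("share", "").rsplit("\\", 1)[-1].upper()
        # Hidden shares end in '$'; IPC$ is excluded because every SMB session touches it.
        if share.endswith("$") and share != "IPC$":
            return "smb-admin"
    return None


def detect_fanout(events, window=timedelta(minutes=30), min_hosts=3):
    """Return one alert per (account, src_ip) that reaches >= min_hosts distinct
    hosts over RDP or SMB admin shares inside any sliding window of `window`."""
    moves = defaultdict(list)
    for ev in events:
        kind = classify_move(ev)
        if kind:
            moves[(ev["account"], ev["src_ip"])].append(
                (datetime.fromisoformat(ev["ts"]), ev["host"], kind))

    alerts = []
    for (account, src_ip), seq in moves.items():
        seq.sort()
        lo = 0
        for hi in range(len(seq)):
            # Slide the window start forward until seq[lo..hi] fits in `window`.
            while seq[hi][0] - seq[lo][0] > window:
                lo += 1
            span = seq[lo:hi + 1]
            hosts = {h for _, h, _ in span}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "account": account,
                    "src_ip": src_ip,
                    "hosts": sorted(hosts),
                    "protocols": sorted({k for _, _, k in span}),
                    "first": seq[lo][0].isoformat(),
                    "last": seq[hi][0].isoformat(),
                })
                break  # one alert per pivot source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, only `CORP\svc_backup` from 10.0.5.23 trips the rule (FS01, FS02 and DC01 within eight minutes, mixing RDP and admin-share access); the access to the non-hidden `Public` share and the console logon are ignored. In production the threshold and window need tuning against jump hosts and patch-management accounts, which legitimately fan out; those should be handled by allow-listing the source address rather than by raising the threshold for everyone.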