The world of cybersecurity is alarmed by new destructive attacks that are aimed at Israel and Albania. Behind the attacks there is an Iranian group associated with the Iranian Intelligence and Security Ministry (Mois). Specialists of Check Point Research shed light on the tactics of Iranian hackers.
The group, called Void Manticore (Storm-0842), uses various pseudonyms for its operations in different countries. The most famous of them are Homeland Justice for attacks in Albania and Karma – for operations against Israel.
Void Manticore is aimed at different regions, using unique approaches for each goal. The actions of the group are overlapped with the actions of another Iranian SCARRED MANTICORE group, which indicates the coordination and systematic choice of victims in the framework of work at the Iranian Intelligence and Security Ministry (Mois).
Check Point experts warn that Void Manticore poses a significant threat “for everyone who is opposed to Iranian interests.” The group uses a complex network of pseudonyms, strategic cooperation, and complex technologies for attacks.
The group is known for its double approach to cyber attacks, combining the physical destruction of data with psychological pressure. Using 5 different methods, including custom wipers for Windows and Linux, Void Manticore disrupts the operation of systems through file removal and manipulation with common disks.
Specialization in the destructive phase
Researchers analyzed the systematic transfer of goals between two cyber groups. Scarred Manticore is responsible for the initial access and extraction of data from target networks, after which it transfers Void Manticore control to perform the “destructive phases of the operation”. Such cooperation significantly increases the scale and influence of attacks.
The flaws in actions were seen in the attacks on Israel in 2023-2024 and Albania in 2022.
Simple, but effective tactics
Void Manticore attacks are distinguished by their simplicity and straightforwardness. Usually public tools and protocols are used, such as Remote Desktop Protocol (RDP), Server Message Block (SMB), and File Transfer Protocol (FTP) to move inside the network before deploying malicious software. In some cases, initial access is achieved due to the operation of vulnerabilities like CVE-2019-0604 in Microsoft Sharepoint.
Once inside, hackers introduce the CL Wiper and No-Justice (LowerSer) wipers for Windows and