Introduction
Void Manticore, referenced in reports as STORM-842, Homeland Justice, or Karma, is a contemporary example of hybrid cyber operations. Emerging in 2022, the group blends hacktivist tactics with Iranian state interests. It combines information theft, destructive malware, and coordinated information operations to shape narratives and cause operational harm to target states and organizations.
This blog post discusses Void Manticore’s background, motivations, tradecraft, key operations, and the strategic implications of hybrid warfare. The profile is based on open reporting, observed activity through 2024 and 2025, and common patterns across Iran-aligned threat actors.
Origins and Motivation
Void Manticore appeared at a time of growing geopolitical tensions in the Middle East. Unlike purely criminal groups, its actions often carry an explicit political dimension. In its operations, the group targets entities regarded as adversaries of Iran or associated with Western influence, concentrating on Israel, countries aligned with NATO, and other regional adversaries. In addition, public statements made by Void Manticore, as well as the narratives staged in its released leaks, align closely with Iranian state messaging, suggesting either a relationship with Iranian state intelligence services or their passive approval.
The motivations include visibility, revenge, and disruption. The combination of data leaks and disruptive actions allows Void Manticore to humiliate its victims and degrade their capability and credibility. The group also attempts to shape the narrative by publicly releasing selected materials and distributing them on social media.

Tradecraft and Techniques
Void Manticore adopts a layered approach to achieve impact. Its TTPs focus on exploitation of exposed services, credential theft, social engineering, and direct deployment of destructive malware. Two technical themes recur in its operations: the use of wiper-style malware masquerading as ransomware, and the coordination of information operations with technical operations.
Initial access almost always comes from exploiting unpatched web servers, VPN gateways, and remote access solutions. Phishing and credential harvesting are common methods used for initial access. Once inside, the actor uses living-off-the-land tools, such as PowerShell and scheduled tasks, to move laterally and establish persistence.
For destructive activities, Void Manticore employs wiper families like CaddyWiper and ZeroCleare. These are designed to wipe file systems, corrupt boot records, or otherwise render systems inoperable. Unlike criminal ransomware operators, Void Manticore does not seem to care about ransom payments. Moreover, the malware is often incapable of decryption or does not include a decryption mechanism, which leads one to conclude that its goal is destruction and not simply profit.
Information operations augment technical attacks. The group will use Telegram channels, X, or dark web forums to share stolen data, and also to push narratives more generally aligned with Iran’s political goals. Leak packages provided by Void Manticore are designed to maximize political or reputational damage while maintaining media attention.
Notable Campaigns and Targets
Void Manticore has operated in numerous geographies and across multiple sectors. Its targets include government ministries, telecommunications, energy companies, and NGOs, among others. Three campaigns provide a representative sample of the group’s scope and aims.
Operation Homeland Justice, attributed to Void Manticore in 2022, targeted government web properties in a Balkan country. The operation combined defacements, data theft and leaks, and service interruptions. The messaging framed the operation as a response to political grievances, and the leaks coincided with diplomatic events.
In 2023, the group shifted to incorporate more disruptive operations in the Levant. While targeting critical infrastructure in Israel, the group executed several wiper malware attacks on target systems. The objective appeared to be to debilitate operational resilience while signaling capability. In some instances, the wiper malware displayed a ransom-style message, but analysis concluded that there was no true decryption capability, reinforcing the destructive intent.
From 2024 to 2025, Void Manticore expanded its campaign set to include NGOs and a few Western think tanks. The intrusions in these cases consisted of both document theft and amplified narratives that were released on social media, seeking to erode trust in the targeted institutions and influence perceptions internationally.

Operational Patterns and Evolution
Void Manticore has progressed from basic defacements to organized, multi-layered operations. There are indications of improved operational security, with the use of proxy infrastructure and transient command and control utilities. The group has employed techniques derived from other Iran-aligned actors, blending open-source tooling with custom destructive payloads.
A key change has been the inclusion of propaganda techniques in the attack lifecycle. Leak publication is no longer an endpoint but has instead become a planned phase after the technical compromise, with outreach to social platforms designed to accelerate distribution and increase media and political pressure.
Strategic Implications
Void Manticore highlights several significant trends in how states are using cyber as a tool of policy. First, there is an increasing reliance on hybrid operations, meaning information operations combined with technical sabotage. This approach is asymmetric, and both its cost and its attribution are difficult to assess.
Second, the group’s tactics complicate traditional incident response. Defenders should prepare not only for data exfiltration but also for organized publication of leaks and amplification of narratives. Recovery from disruptive and destructive attacks also involves integrated planning across IT, OT, legal, and communications teams.
Finally, the group’s actions are a sign of the growing importance of non-state and quasi-state entities projecting influence. Even when such groups are not fully owned by the state, they are used as strategic extensions of the nation-state’s aspirations, using plausible deniability to achieve state goals.
Defensive Recommendations
Organizations at risk should implement a multi-layered defense posture that covers both technical and informational threats. Helpful steps toward this posture include:
- Prioritize patching internet-facing assets, for example VPNs, web servers, and remote management consoles.
- Segregate operational technology and critical infrastructure from enterprise networks to limit lateral movement.
- Monitor for signs of credential theft and unusual creation of new scheduled tasks, and enforce strong authentication for administrator accounts.
- Use threat intelligence feeds that track Iran-aligned indicators, including known wiper families and command and control patterns.
- Have coordinated communication plans ready to implement in the event a leak is imminent, including fact checking and controlled disclosures.
- Conduct tabletop exercises, simulating a combined data leak and destructive malware incident to enhance cross-functional readiness.
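The scheduled-task monitoring recommended above, and the scheduled-task persistence described under Tradecraft and Techniques, can be triaged from Windows Security event 4698 (a scheduled task was created). The Python below is an added example, not code from the original post or from any vendor: the sample events, account names, heuristics, and the `task_xml` and `triage` helpers are constructed for illustration, and it assumes 4698 events have already been exported as dictionaries with `SubjectUserName`, `TaskName` and `TaskContent` fields.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WRITABLE = re.compile(r"\\(users\\public|appdata|temp|programdata)\\", re.I)
# -e / -ec / -enc / -EncodedCommand, or -w hidden / -WindowStyle Hidden
SUSPICIOUS_ARGS = re.compile(r"(?:^|\s)-(?:e(?:c|n\w*)?|w(?:indowstyle)?\s+hidden)\s", re.I)
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")  # task XML declares UTF-16; strip before parsing a str

# Constructed sample data: minimal task XML in the shape of the 4698 TaskContent field.
def task_xml(command, arguments="", run_as="S-1-5-18"):
    return (f'<?xml version="1.0" encoding="UTF-16"?><Task xmlns="{NS["t"]}"><Principals>'
            f'<Principal id="Author"><UserId>{run_as}</UserId></Principal></Principals><Actions>'
            f'<Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec>'
            f'</Actions></Task>')

SAMPLE_EVENTS = [
    {"SubjectUserName": "svc-backup", "TaskName": r"\Vendor\NightlyBackup",
     "TaskContent": task_xml(r"C:\Program Files\Vendor\backup.exe", "--full")},
    {"SubjectUserName": "jdoe", "TaskName": r"\Microsoft\Windows\UpdateCheck",
     "TaskContent": task_xml(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             "-NoProfile -WindowStyle Hidden -EncodedCommand PLACEHOLDER")},
    {"SubjectUserName": "jdoe", "TaskName": r"\SyncHelper",
     "TaskContent": task_xml(r"C:\Users\Public\sync.exe", run_as="EXAMPLE\\jdoe")},
]

def triage(events, trusted_creators=frozenset()):
    """Return (task name, creator, reasons) for each suspicious task-creation event."""
    findings = []
    for ev in events:
        try:
            root = ET.fromstring(XML_DECL.sub("", ev["TaskContent"]))
        except ET.ParseError:
            findings.append((ev["TaskName"], ev["SubjectUserName"], ["unparseable task XML"]))
            continue
        reasons = []
        for ex in root.iterfind(".//t:Exec", NS):
            cmd = ex.findtext("t:Command", "", NS).strip('"')
            args = ex.findtext("t:Arguments", "", NS) + " "
            if cmd.rsplit("\\", 1)[-1].lower() in INTERPRETERS and SUSPICIOUS_ARGS.search(args):
                reasons.append("interpreter with encoded or hidden-window arguments")
            if WRITABLE.search(cmd):
                reasons.append("executable in user-writable path")
        run_as = root.findtext(".//t:Principal/t:UserId", "", NS)
        if run_as == "S-1-5-18" and ev["SubjectUserName"] not in trusted_creators:
            reasons.append("runs as SYSTEM, creator not allowlisted")
        if reasons:
            findings.append((ev["TaskName"], ev["SubjectUserName"], reasons))
    return findings
```

Event 4698 is only recorded when the "Audit Other Object Access Events" policy is enabled, so confirm that auditing is on before relying on this signal.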
Conclusion
Void Manticore is a notable case study of how actors aligned to a state have weaponized hybrid tactics for geopolitical objectives. The group uses both destructive technical capabilities and targeted information campaigns to create operational disruption and narrative advantage. For defenders, the challenge is twofold: first, to quickly detect and remediate an intrusion, and second, to address the information environment that follows a compromise.
As the group continues to refine its capabilities, organizations and governments must strengthen both their technical defenses and their strategic communications. The cost of being unprepared in this regard is high, as the damage is not only operational, but reputational and political as well.
