A new investigation has revealed that Iran’s Ministry of Intelligence and Security (MOIS) is orchestrating a sophisticated, multi-faceted cyber campaign utilizing at least three distinct hacker personas: Homeland Justice, Karma/KarmaBelow80, and Handala. Previously perceived as independent hacktivist groups, these entities have now been confirmed to be operating under a unified, state-directed strategy. This coordinated effort integrates cyber intrusions, sensitive data theft, destructive cyberattacks, and psychological influence operations, targeting governments and organizations globally.
The campaign’s origins can be traced back to 2022, when the group identifying as “Homeland Justice” launched significant attacks against the Government of Albania. These attacks were characterized by meticulous planning, including the establishment of access to Albanian government systems approximately fourteen months prior to their public announcement. This period allowed for the exfiltration of sensitive documents and the deployment of destructive tools, culminating in high-profile public claims of responsibility. This fusion of technical intrusion and deliberate public messaging transformed a cyberattack into a significant geopolitical influence operation.
Iranian MOIS Leverages Multiple Hacker Personas for Coordinated Cyber Campaigns
Further analysis by DomainTools researchers indicated a strategic pivot by the same threat actor. In late 2023, this entity rebranded as “Karma,” and subsequently “KarmaBelow80,” shifting its focus to Israeli organizations. Despite the name changes, the underlying tools, infrastructure, and attack methodologies remained consistent across these rebranded campaigns. Shared domain registration patterns, the persistent use of Telegram for command-and-control communications, and recurring technical behaviors gave DomainTools high confidence that these operations were a unified system directly controlled by the MOIS.
The operation evolved further in 2024 and continued into 2026 under the guise of the “Handala” persona. Named after a prominent Palestinian cartoon character, this iteration of the campaign heavily emphasized information operations. This included the curated leaking of stolen data and targeted harassment directed at journalists, dissidents, and individuals with Israeli connections. In March 2026, the U.S. Department of Justice announced the seizure of four domains demonstrably linked to this operation: Handala-Hack.to, Karmabelow80.org, Justicehomeland.org, and Handala-Redwanted.to. These domains had been actively employed for disseminating stolen information, claiming credit for cyber incidents, and inciting violence against specific individuals.
Security researchers track the overarching threat actor as “Void Manticore,” also identified in DomainTools reporting as MOIST GRASSHOPPER. This group’s activities are directly attributed to Iran’s MOIS, positioning it as one of the most active state-linked cyber influence ecosystems currently operational. The group’s tactics extend beyond conventional hacking, incorporating long-term network access with psychological manipulation, data weaponization, and strategically timed public disclosures designed to influence public opinion and behavior in targeted nations.
Multi-Persona Infrastructure and Deception Tactics
A key characteristic of this extensive campaign is the strategic deployment of multiple branded identities, each serving distinct operational objectives while drawing from a single, shared backend infrastructure. Homeland Justice was instrumental in executing destructive operations against Albania. Karma and KarmaBelow80 targeted Israeli entities during a specific timeframe, and Handala currently serves as the principal platform for influence and information warfare. This operational structure enables Iran’s intelligence service to segment its messaging and targeting, while maintaining the appearance of entirely separate and unconnected hacktivist collectives.
The common technical infrastructure connecting these personas is notable, encompassing shared hosting patterns, overlapping domain registration behaviors, and the consistent reuse of identical malware components across various operations. The threat actor has deployed wiper tools designed for permanent data destruction, alongside ransomware-style encryption employed not for financial gain but exclusively to maximize operational disruption. Tools like Rhadamanthys, a commercial infostealer readily available on darknet forums, have been observed in Handala-linked operations. These were often paired with custom wiper malware in phishing campaigns that impersonated software update notifications from prominent vendors such as F5.
Security organizations and government agencies have advised continuous monitoring for the exploitation of internet-facing services, such as Microsoft SharePoint, which was identified as an initial access vector in the Albania campaign. Implementing robust network segmentation, conducting regular audits of privileged account activity, and deploying endpoint detection tools capable of identifying manual intrusion behaviors are critical protective measures. Furthermore, threat intelligence teams should actively monitor domain infrastructure associated with MOIST GRASSHOPPER and ensure the blocking of domains previously flagged in the March 2026 Justice Department seizure to mitigate ongoing risks.
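The domain-monitoring advice above can be checked against resolver logs. The following is an added example, not code from DomainTools or the Justice Department; it matches the four seized domains named earlier on label boundaries, and the log format, timestamps and client addresses are constructed for illustration.

```python
# Added example: flag DNS queries for the four domains named in the
# March 2026 seizure. The log layout below is an assumption, not a real format.
SEIZED_DOMAINS = {
    "handala-hack.to",
    "karmabelow80.org",
    "justicehomeland.org",
    "handala-redwanted.to",
}

def normalize(qname):
    """Lower-case the name and strip whitespace and the trailing root dot."""
    return qname.strip().rstrip(".").lower()

def matched_domain(qname):
    """Return the seized domain that qname equals or is a subdomain of, else None."""
    labels = normalize(qname).split(".")
    # Compare whole label suffixes so look-alike names do not match.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SEIZED_DOMAINS:
            return candidate
    return None

# Constructed log lines: "<timestamp> <client_ip> <query_name> <query_type>"
SAMPLE_LOG = """\
2026-03-20T08:14:02Z 10.0.4.17 www.Handala-Hack.to. A
2026-03-20T08:14:05Z 10.0.4.22 nothandala-hack.to A
2026-03-20T08:15:40Z 10.0.7.3 cdn.justicehomeland.org AAAA
2026-03-20T08:16:11Z 10.0.7.3 karmabelow80.org.example.net A
2026-03-20T08:17:29Z 10.0.9.41 KARMABELOW80.ORG A
malformed line
"""

def scan(log_text):
    """Return (timestamp, client, seized_domain) for every matching query."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed layout
        ts, client, qname, _qtype = fields
        domain = matched_domain(qname)
        if domain:
            hits.append((ts, client, domain))
    return hits

if __name__ == "__main__":
    for ts, client, domain in scan(SAMPLE_LOG):
        print(f"{ts} {client} queried seized domain {domain}")
```

Matching on label suffixes rather than substrings catches subdomains and mixed-case queries while ignoring names that merely contain a seized domain as a prefix or fragment.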
The continued evolution of these personas and their interconnected infrastructure suggests an ongoing, adaptive cyber strategy by the MOIS. Defense agencies and cybersecurity firms will likely maintain heightened vigilance for any further shifts in tactics, techniques, and procedures employed by Void Manticore, and will continue to analyze the geopolitical implications of these state-sponsored cyber operations.

