Iran’s MOIS Coordinated Cyber Espionage Uses Multiple Hacker Personas
Key Takeaways Iran’s Ministry of Intelligence and Security (MOIS) operates a sophisticated cyber espionage and influence campaign using three seemingly independent hacktivist personas: Homeland...
Key Takeaways
- Iran’s Ministry of Intelligence and Security (MOIS) operates a sophisticated cyber espionage and influence campaign using three seemingly independent hacktivist personas: Homeland Justice, Karma/KarmaBelow80, and Handala.
- This state-sponsored operation combines cyber intrusions, data theft, destructive attacks, and psychological warfare tactics, targeting governments and organizations across multiple countries, including Albania and Israel.
- Researchers from DomainTools identified shared infrastructure, tools, and methodologies across these personas, confirming their coordination under MOIS, leading to the seizure of four associated domains by the U.S. Justice Department.
A recent in-depth investigation has unveiled that Iran’s Ministry of Intelligence and Security (MOIS) is orchestrating a sophisticated and prolonged cyber campaign, leveraging at least three distinct hacker personas previously thought to be independent hacktivist entities. These identities—Homeland Justice, Karma/KarmaBelow80, and Handala—have now been definitively linked to a singular, state-directed operation under the Iranian government’s control.
Table Of Content
The comprehensive campaign integrates cyber intrusions, the illicit acquisition of sensitive data, destructive cyberattacks, and psychological influence operations. This multi-faceted approach forms a cohesive strategy aimed at governments and various organizations globally. More details on this research can be found in DomainTools’ research category.
The origins of this operation trace back to 2022, with the emergence of “Homeland Justice” and its subsequent attacks against the Albanian government. The defining characteristic of this particular campaign was its extensive pre-planning. Iranian state actors had already established access to Albanian government networks approximately 14 months prior to publicly launching their attacks. This prolonged access facilitated the exfiltration of sensitive documents, the deployment of destructive malware, and the subsequent high-profile public announcements claiming responsibility for the damage. This blend of technical intrusion and deliberate public messaging transformed a conventional cyberattack into a carefully orchestrated influence event with significant geopolitical ramifications.
Analysts at DomainTools subsequently observed the same threat actor adopting a new persona, “Karma,” later evolving into “KarmaBelow80,” to target Israeli organizations in late 2023. Despite the change in branding and targets, researchers noted a consistent underlying set of tools, infrastructure, and attack methodologies. Shared domain patterns, the persistent use of Telegram for command-and-control (C2) communications, and recurring technical behaviors across these seemingly disparate groups led DomainTools to confidently assess them as a unified system operating directly under MOIS authority.
By 2024, and projected to continue into 2026, the operation further evolved under the “Handala” banner. Named after the iconic Palestinian cartoon character, the Handala persona primarily focused on information operations. These included curated data leaks and targeted harassment campaigns against journalists, dissidents, and individuals perceived to have connections to Israel. In response, the U.S. Justice Department announced in March 2026 the seizure of four domains linked to these operations: Handala-Hack.to, Karmabelow80.org, Justicehomeland.org, and Handala-Redwanted.to. These domains had been actively used to publish stolen data, claim responsibility for cyberattacks, and incite violence against specific named individuals.
The overarching threat actor behind these activities is tracked by security researchers as “Void Manticore” and is also referred to as MOIST GRASSHOPPER in DomainTools’ reporting. This group is directly affiliated with Iran’s MOIS and represents one of the most active state-linked cyber influence ecosystems currently in operation. Its tactics extend far beyond mere hacking, combining long-term network access with psychological pressure, the weaponization of stolen data, and precisely timed public releases designed to manipulate public opinion and behavior in targeted countries.

Multi-Persona Infrastructure and Deception Tactics
A distinctive feature of this campaign is its strategic use of multiple branded identities to achieve varied operational objectives, all while relying on a unified backend infrastructure. Homeland Justice was tasked with destructive operations against Albania. Karma and KarmaBelow80 focused on Israeli entities during a specific period, while Handala now serves as the primary instrument for influence and information warfare. This organizational structure allows Iran’s intelligence service to compartmentalize its messaging and targeting, maintaining the illusion of entirely separate and unconnected hacktivist groups.
The technical infrastructure underpinning these personas exhibits shared hosting patterns, overlapping domain registration behaviors, and the consistent reuse of identical malware components across different operations. The group has deployed wiper tools designed for the permanent destruction of data, alongside ransomware-style encryption. This encryption was not used for financial extortion but rather purely to maximize operational disruption. Tools such as Rhadamanthys, a commercial infostealer available on darknet forums, were observed in Handala-linked operations, often paired with custom wipers in phishing campaigns that impersonated legitimate software updates from vendors like F5.

What You Should Do
- Monitor for and immediately address suspicious exploitation attempts against internet-facing services, particularly those like Microsoft SharePoint, which was an initial access vector in the Albania campaign.
- Implement robust network segmentation to limit lateral movement in the event of a breach and regularly audit privileged account activity for any anomalies.
- Deploy advanced endpoint detection and response (EDR) solutions capable of identifying manual intrusion behaviors and custom malware deployments.
- Integrate threat intelligence feeds related to MOIST GRASSHOPPER (Void Manticore) into your security operations and proactively block domains identified in the U.S. Justice Department’s March 2026 seizure to mitigate ongoing exposure.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.