Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Android 14 vulnerability lets attackers gain full control
July 8, 2026
CISA Warns of Adobe ColdFusion Path Traversal Vulnerability Exploited in Attacks
July 8, 2026
70% of WordPress Sites Exposed to Attacks Due to Outdated PHP Versions
July 8, 2026
Home/Threats/Iran’s MOIS Coordinated Cyber Espionage Uses Multiple Hacker Personas
Threats

Iran’s MOIS Coordinated Cyber Espionage Uses Multiple Hacker Personas

Key Takeaways Iran’s Ministry of Intelligence and Security (MOIS) operates a sophisticated cyber espionage and influence campaign using three seemingly independent hacktivist personas: Homeland...

Sarah simpson
Sarah simpson
April 20, 2026 4 Min Read
48 0

Key Takeaways

  • Iran’s Ministry of Intelligence and Security (MOIS) operates a sophisticated cyber espionage and influence campaign using three seemingly independent hacktivist personas: Homeland Justice, Karma/KarmaBelow80, and Handala.
  • This state-sponsored operation combines cyber intrusions, data theft, destructive attacks, and psychological warfare tactics, targeting governments and organizations across multiple countries, including Albania and Israel.
  • Researchers from DomainTools identified shared infrastructure, tools, and methodologies across these personas, confirming their coordination under MOIS, leading to the seizure of four associated domains by the U.S. Justice Department.

A recent in-depth investigation has unveiled that Iran’s Ministry of Intelligence and Security (MOIS) is orchestrating a sophisticated and prolonged cyber campaign, leveraging at least three distinct hacker personas previously thought to be independent hacktivist entities. These identities—Homeland Justice, Karma/KarmaBelow80, and Handala—have now been definitively linked to a singular, state-directed operation under the Iranian government’s control.

Table Of Content

  • Key Takeaways
  • Multi-Persona Infrastructure and Deception Tactics
  • What You Should Do

The comprehensive campaign integrates cyber intrusions, the illicit acquisition of sensitive data, destructive cyberattacks, and psychological influence operations. This multi-faceted approach forms a cohesive strategy aimed at governments and various organizations globally. More details on this research can be found in DomainTools’ research category.

The origins of this operation trace back to 2022, with the emergence of “Homeland Justice” and its subsequent attacks against the Albanian government. The defining characteristic of this particular campaign was its extensive pre-planning. Iranian state actors had already established access to Albanian government networks approximately 14 months prior to publicly launching their attacks. This prolonged access facilitated the exfiltration of sensitive documents, the deployment of destructive malware, and the subsequent high-profile public announcements claiming responsibility for the damage. This blend of technical intrusion and deliberate public messaging transformed a conventional cyberattack into a carefully orchestrated influence event with significant geopolitical ramifications.

Analysts at DomainTools subsequently observed the same threat actor adopting a new persona, “Karma,” later evolving into “KarmaBelow80,” to target Israeli organizations in late 2023. Despite the change in branding and targets, researchers noted a consistent underlying set of tools, infrastructure, and attack methodologies. Shared domain patterns, the persistent use of Telegram for command-and-control (C2) communications, and recurring technical behaviors across these seemingly disparate groups led DomainTools to confidently assess them as a unified system operating directly under MOIS authority.

By 2024, and projected to continue into 2026, the operation further evolved under the “Handala” banner. Named after the iconic Palestinian cartoon character, the Handala persona primarily focused on information operations. These included curated data leaks and targeted harassment campaigns against journalists, dissidents, and individuals perceived to have connections to Israel. In response, the U.S. Justice Department announced in March 2026 the seizure of four domains linked to these operations: Handala-Hack.to, Karmabelow80.org, Justicehomeland.org, and Handala-Redwanted.to. These domains had been actively used to publish stolen data, claim responsibility for cyberattacks, and incite violence against specific named individuals.

The overarching threat actor behind these activities is tracked by security researchers as “Void Manticore” and is also referred to as MOIST GRASSHOPPER in DomainTools’ reporting. This group is directly affiliated with Iran’s MOIS and represents one of the most active state-linked cyber influence ecosystems currently in operation. Its tactics extend far beyond mere hacking, combining long-term network access with psychological pressure, the weaponization of stolen data, and precisely timed public releases designed to manipulate public opinion and behavior in targeted countries.

MOIS-Attributed cyber groups and persona layer (Source - DomainTools)
MOIS-Attributed cyber groups and persona layer (Source – DomainTools)

Multi-Persona Infrastructure and Deception Tactics

A distinctive feature of this campaign is its strategic use of multiple branded identities to achieve varied operational objectives, all while relying on a unified backend infrastructure. Homeland Justice was tasked with destructive operations against Albania. Karma and KarmaBelow80 focused on Israeli entities during a specific period, while Handala now serves as the primary instrument for influence and information warfare. This organizational structure allows Iran’s intelligence service to compartmentalize its messaging and targeting, maintaining the illusion of entirely separate and unconnected hacktivist groups.

The technical infrastructure underpinning these personas exhibits shared hosting patterns, overlapping domain registration behaviors, and the consistent reuse of identical malware components across different operations. The group has deployed wiper tools designed for the permanent destruction of data, alongside ransomware-style encryption. This encryption was not used for financial extortion but rather purely to maximize operational disruption. Tools such as Rhadamanthys, a commercial infostealer available on darknet forums, were observed in Handala-linked operations, often paired with custom wipers in phishing campaigns that impersonated legitimate software updates from vendors like F5.

MOIS Connection (Source - DomainTools)
MOIS Connection (Source – DomainTools)

What You Should Do

  • Monitor for and immediately address suspicious exploitation attempts against internet-facing services, particularly those like Microsoft SharePoint, which was an initial access vector in the Albania campaign.
  • Implement robust network segmentation to limit lateral movement in the event of a breach and regularly audit privileged account activity for any anomalies.
  • Deploy advanced endpoint detection and response (EDR) solutions capable of identifying manual intrusion behaviors and custom malware deployments.
  • Integrate threat intelligence feeds related to MOIST GRASSHOPPER (Void Manticore) into your security operations and proactively block domains identified in the U.S. Justice Department’s March 2026 seizure to mitigate ongoing exposure.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitHackerMalwarephishingransomwareSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Critical API Flaw in Lovable AI App Builder Exposes User Data

Next Post

North Korean UNC1069 APT Hacks Crypto Pros With Fake Zoom, Teams Meetings

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical GhostLock Vulnerability in Linux Kernel Lets Attackers Escalate Privileges
July 8, 2026
OpenAI Secures US Government Clearance for GPT-5.6 Launch
July 8, 2026
Anthropic Extends Free Claude 3 Opus Access on All Paid Plans
July 8, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us