Iran MOIS Unveiled as Unified Force Behind Global Cyberattack Personas

Iran’s MOIS Orchestrates Coordinated Cyber Campaigns Under Multiple Hacker Personas

Iran’s Ministry of Intelligence and Security (MOIS) has been orchestrating a sophisticated cyber campaign utilizing multiple hacker personas to conduct coordinated operations targeting various governments and organizations worldwide. This campaign employs distinct identities—Homeland Justice, Karma/KarmaBelow80, and Handala—which, despite appearing as independent hacktivist groups, are now confirmed to be facets of a unified, state-directed initiative.

Homeland Justice: The Albanian Offensive

The campaign’s inception traces back to 2022 with the emergence of Homeland Justice, a group that executed a series of cyberattacks against the Albanian government. Investigations revealed that Iranian state actors had infiltrated Albanian government systems approximately fourteen months prior to the public disclosure of these attacks. During this period, they exfiltrated sensitive documents, deployed destructive malware, and orchestrated public announcements to claim responsibility, thereby transforming technical breaches into strategic influence operations with significant geopolitical ramifications.

Karma/KarmaBelow80: Shifting Focus to Israel

Following the operations in Albania, the MOIS rebranded its cyber activities under the personas Karma and subsequently KarmaBelow80, directing its efforts toward Israeli organizations in late 2023. Despite the change in identity, the operational methodologies, tools, and infrastructure remained consistent. Analysts observed shared domain patterns, the persistent use of Telegram for command-and-control communications, and uniform technical behaviors across these campaigns, leading to the assessment that these were not disparate groups but a single entity operating under MOIS directives.

Handala: Information Warfare and Psychological Operations

By 2024, the campaign evolved into the Handala persona, named after a prominent Palestinian cartoon character symbolizing resistance. This phase emphasized information operations, including curated data leaks and targeted harassment of journalists, dissidents, and individuals connected to Israel. The U.S. Department of Justice responded in March 2026 by seizing four domains—Handala-Hack.to, Karmabelow80.org, Justicehomeland.org, and Handala-Redwanted.to—which were actively used to disseminate stolen data, claim responsibility for attacks, and incite violence against specific individuals.

Void Manticore: The Unified Threat Actor

Security researchers have collectively identified these operations under the moniker Void Manticore, also referred to as MOIST GRASSHOPPER in certain reports. This entity is directly linked to Iran’s MOIS and represents one of the most active state-sponsored cyber influence ecosystems currently in operation. Void Manticore’s tactics extend beyond mere hacking; they integrate prolonged network access with psychological manipulation, data weaponization, and strategically timed public disclosures designed to influence public opinion and behavior in targeted nations.

Multi-Persona Infrastructure and Deception Tactics

A distinctive feature of this campaign is the utilization of multiple branded identities to achieve specific operational objectives while operating from a unified backend infrastructure. Homeland Justice was responsible for destructive operations against Albania, Karma and KarmaBelow80 targeted Israeli entities during a defined period, and Handala currently serves as the primary conduit for influence and information warfare. This structure enables the MOIS to maintain plausible deniability and adapt its strategies to different geopolitical contexts, thereby enhancing the effectiveness and reach of its cyber operations.

Technical Analysis and Attribution

DomainTools analysts have meticulously traced the connections between these personas, identifying consistent patterns in domain registrations, hosting services, and command-and-control infrastructures. The repeated use of specific Telegram channels for coordination and the deployment of similar malware strains across different campaigns further corroborate the unified nature of these operations. These findings underscore the MOIS’s commitment to a long-term, multifaceted cyber strategy aimed at advancing Iran’s geopolitical interests through digital means.

Implications for Global Cybersecurity

The revelation of this coordinated campaign highlights the evolving landscape of state-sponsored cyber threats. The MOIS’s ability to seamlessly transition between different hacker personas and adapt its tactics poses significant challenges for cybersecurity professionals and policymakers. It underscores the necessity for robust, adaptive defense mechanisms and international cooperation to effectively counter such sophisticated cyber operations.

Conclusion

Iran’s MOIS has demonstrated a high level of sophistication and strategic planning in its cyber operations by employing multiple hacker personas to conduct coordinated campaigns. The seamless integration of technical intrusions with psychological operations and the ability to adapt to various geopolitical contexts reflect a comprehensive approach to cyber warfare. As these threats continue to evolve, it is imperative for the global community to enhance its cybersecurity posture and foster collaborative efforts to mitigate the risks posed by such state-sponsored activities.