Analytics Story: Void Manticore

Description

This analytic story contains detections that allow security analysts to detect and investigate activity associated with Void Manticore (aka Red Sandstorm, Banished Kitten, Handala Hack), an Iranian MOIS-affiliated threat actor. The story covers initial access via compromised VPN and supply-chain targets, credential dumping and AD reconnaissance, lateral movement over RDP and NetBird tunneling, and destructive operations including custom wipers, PowerShell-based wiping, VeraCrypt disk encryption, and manual data destruction. Use these analytics to hunt for hands-on-keyboard behavior, logons from default-named hosts, and wiper or GPO-based execution.

Why it matters

Void Manticore is an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS), also tracked as Red Sandstorm and Banished Kitten. The group operates multiple online personas—Handala Hack (focused on Israel and recently US enterprises such as Stryker), Homeland Justice (targeting Albania since mid-2022), and the largely retired Karma—with highly similar TTPs and code overlap in deployed wipers. The actor relies on manual, hands-on operations and short-lived indicators: commercial VPN egress, open-source and publicly available offensive tools, and at times direct connectivity from Iranian or Starlink IP ranges.

Initial access is often achieved through supply-chain targeting of IT and service providers to obtain VPN credentials, or via brute force and credential stuffing against organizational VPN infrastructure. Logons frequently originate from hosts with default Windows names (DESKTOP-XXXXXX, WIN-XXXXXX).

After establishing access, the group has been observed disabling Windows Defender, dumping LSASS (e.g., via comsvcs.dll and rundll32), exporting sensitive registry hives, and running ADRecon (e.g., dra.ps1) to reach Domain Admin and enable broad destructive action. Lateral movement is conducted mainly over RDP. To reach internal hosts not directly reachable, the group deploys NetBird—downloaded from the official site on compromised systems—to build a zero-trust mesh and tunnel traffic.

During impact, Void Manticore combines multiple destructive methods: a custom Handala Wiper (sometimes handala.exe) with MBR-based wiping, distributed via Group Policy logon scripts and scheduled tasks; an AI-assisted PowerShell wiper that deletes user directories and drops handala.gif; use of VeraCrypt to encrypt system drives; and manual deletion of VMs and files. Wipers are often pushed via GPO (e.g., handala.bat) so that the executable runs from the Domain Controller without being written to disk on every endpoint.

This story ties detections to these TTPs so analysts can identify Void Manticore tradecraft, prioritize VPN and RDP monitoring (especially from default-named machines and high-risk geographies), and respond to wiper and credential-theft activity before or during destructive phases.
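The story's hunting advice above is to watch RDP and VPN logons that come from default-named Windows hosts. The following is an added example (not part of the original story or the Splunk detection content) that applies that check to constructed, flattened Security 4624 records; the key=value rendering, the sample values and the 6-11 character suffix range for default names are assumptions.

```python
import re
from collections import defaultdict

# Default Windows computer names as described in the story (DESKTOP-XXXXXX, WIN-XXXXXX).
# Suffix length is an assumption: Windows generates 7 characters after "DESKTOP-"
# and 11 after "WIN-", so a 6-11 range covers both with some slack.
DEFAULT_HOSTNAME_RE = re.compile(r"^(?:DESKTOP|WIN)-[A-Z0-9]{6,11}$", re.IGNORECASE)

# Logon types of interest for this actor: 10 = RemoteInteractive (RDP), 3 = Network.
WATCHED_LOGON_TYPES = {"3", "10"}


def is_default_hostname(name: str) -> bool:
    """True when the workstation name looks like an unrenamed Windows install."""
    return bool(DEFAULT_HOSTNAME_RE.match(name.strip()))


def parse_4624(line: str) -> dict:
    """Parse a flattened key=value rendering of a Security event (constructed format)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def flag_default_host_logons(lines):
    """Return (flagged_events, per_account_counts) for successful RDP/network logons
    whose WorkstationName matches a default Windows hostname."""
    flagged, counts = [], defaultdict(int)
    for line in lines:
        ev = parse_4624(line)
        if ev.get("EventCode") != "4624" or ev.get("LogonType") not in WATCHED_LOGON_TYPES:
            continue
        if is_default_hostname(ev.get("WorkstationName", "")):
            flagged.append(ev)
            counts[ev.get("TargetUserName", "?")] += 1
    return flagged, dict(counts)


# Constructed sample events, not real telemetry. The 10.8.0.0/24 addresses stand in
# for a VPN client pool; FIN-LT-042 is a corporately named laptop that should not fire.
SAMPLE_EVENTS = [
    "EventCode=4624 LogonType=10 TargetUserName=jdoe WorkstationName=DESKTOP-7Q2K9ZL IpAddress=10.8.0.23",
    "EventCode=4624 LogonType=10 TargetUserName=svc_backup WorkstationName=WIN-4H2J8KQ1L9P IpAddress=10.8.0.41",
    "EventCode=4624 LogonType=10 TargetUserName=asmith WorkstationName=FIN-LT-042 IpAddress=10.1.4.18",
    "EventCode=4624 LogonType=2 TargetUserName=jdoe WorkstationName=DESKTOP-7Q2K9ZL IpAddress=-",
    "EventCode=4625 LogonType=10 TargetUserName=jdoe WorkstationName=DESKTOP-ABC1234 IpAddress=10.8.0.23",
]

if __name__ == "__main__":
    hits, per_user = flag_default_host_logons(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['TargetUserName']} from {h['WorkstationName']} ({h['IpAddress']}) type {h['LogonType']}")
    print(per_user)
```

On an estate where every workstation is renamed by policy, any hit deserves a look; where unrenamed machines are common, join the flagged IpAddress against the VPN pool and high-risk geographies before escalating.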

Detections

| Name | Technique | Type |
|---|---|---|
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| Detect Regasm Spawning a Process | Regsvcs/Regasm | TTP |
| Detect Regasm with Network Connection | Regsvcs/Regasm | TTP |
| Detect Regasm with no Command Line Arguments | Regsvcs/Regasm | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Executables Or Script Creation In Temp Path | Masquerading | Anomaly |
| Ping Sleep Batch Command | Time Based Checks | Anomaly |
| Prevent Automatic Repair Mode using Bcdedit | Inhibit System Recovery | TTP |
| Remote Process Instantiation via WMI | Windows Management Instrumentation | TTP |
| Sdelete Application Execution | File Deletion, Data Destruction | TTP |
| Windows AutoIt3 Execution | Command and Scripting Interpreter | TTP |
| Windows Data Destruction Recursive Exec Files Deletion | Data Destruction | TTP |
| Windows High File Deletion Frequency | Data Destruction | Anomaly |
| Windows Raw Access To Disk Volume Partition | Disk Structure Wipe | Anomaly |
| Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe | TTP |
| Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Resource Name or Location | TTP |
| Windows Vulnerable Driver Installed | Windows Service | TTP |
| Windows Vulnerable Driver Loaded | Windows Service | Hunting |
| Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses | Anomaly |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 23 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 26 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 6 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 9 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System |


Source: GitHub | Version: 1