Void Manticore
BLUF (Bottom Line Up Front)
Void Manticore (Microsoft: Storm-0842) is an Iranian state-sponsored threat actor assessed with high confidence to operate under the direction of the Ministry of Intelligence and Security (MOIS) or IRGC Cyber Command. Distinguished from espionage-focused Iranian APTs by its emphasis on destructive wiper malware and psychological warfare operations, Void Manticore executes hack-and-leak campaigns paired with data destruction to maximise cognitive impact — primarily targeting Israel, Albania, and Gulf state infrastructure.
Organizational Profile
- Type: State-sponsored APT (Iran)
- Attributed to: MOIS / IRGC Cyber Command
- Microsoft Designation: Storm-0842
- Operational Focus: Destructive cyber operations + information warfare (not espionage)
- Active Since: ~2020 (confirmed destructive operations)
Strategic Objectives
- Maximise psychological and reputational damage to Israeli civilian and government infrastructure
- Execute retaliatory operations in response to Israeli/US kinetic or cyber actions against Iran
- Conduct hack-and-leak operations exposing Israeli-aligned intelligence networks
- Signal Iranian offensive cyber capacity as strategic deterrence
Capabilities & Methods
| Domain | Capability | Key Tools |
|---|---|---|
| Destructive Cyber | High | BiBi Wiper (Linux/Windows), Cl Wiper, Partition Wipers |
| Hack-and-Leak | High | Exfiltration + Telegram / dark web publication |
| Psychological Operations | Medium-High | "Karma" personae; fabricated leak sites |
| Infrastructure Targeting | Medium | ICS/SCADA reconnaissance |
Signature Tool: BiBi Wiper
Deployed during the October 2023 escalation, BiBi Wiper (named as a deliberate psychological provocation referencing PM Netanyahu's nickname) targets Linux and Windows systems. Unlike ransomware, it destroys data with no decryption path; the destruction is the operational objective.
Documented Operations
| Operation | Target | Date | Method |
|---|---|---|---|
| Albanian Government Attack | Albanian state infrastructure | Jul–Sep 2022 | Wiper + ransomware decoy; prompted NATO invocation |
| BiBi Wiper Campaign | Israeli private sector, logistics | Oct–Nov 2023 | Linux/Windows wipers post-Oct 7 |
| "Karma" Leak Operations | Israeli personal data | 2023–2024 | Exfiltration + Telegram publication |
Key Relationships
- State patron: Islamic Republic of Iran
- Coordination: Assessed to coordinate with Scarred Manticore (espionage-focused) for target handoff
- Adversaries: Israel Defense Forces, Israeli CERT, Shin Bet
- Operational context: Strategic analysis on Iran conflict
Sources
- Microsoft Threat Intelligence — Storm-0842 profile (2023)
- Check Point Research — BiBi Wiper technical analysis (2023)
- Mandiant/Google TAG — Iranian APT ecosystem mapping