Empty file modified .pre-commit-hooks/yamlfmt-hook.py
100644 → 100755
Empty file.
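Review bot: the mode flip on .pre-commit-hooks/yamlfmt-hook.py (100644 → 100755) is unrelated to adding the Void Manticore story and should be called out in the PR description or split into its own commit. If the hook is wired with `language: script` in .pre-commit-config.yaml it does need the executable bit, but a content PR is not where a reviewer expects a tooling change, and it is easy to miss when the diff is otherwise all tag additions.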
@@ -1,7 +1,7 @@
name: BCDEdit Failure Recovery Modification
id: 809b31d2-5462-11eb-ae93-0242ac130002
version: 12
date: '2026-03-10'
date: '2026-03-16'
author: Michael Haag, Splunk
status: production
type: TTP
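Review bot: `date` moves from '2026-03-10' to '2026-03-16' while `version: 12` is left alone, and the same pattern repeats in every detection in this PR except detections/endpoint/windows_vulnerable_driver_loaded.yml, which goes from version 8 / '2026-02-25' to version 9 / '2026-03-16'. If the rule is one version bump per release cycle (these files were already touched on 2026-03-10), state that in the PR description; otherwise bump `version` to 13 here and in the other files so the metadata change is reflected in the version.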
@@ -57,6 +57,7 @@ tags:
- Compromised Windows Host
- Ryuk Ransomware
- Storm-2460 CLFS Zero Day Exploitation
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1490
3 changes: 2 additions & 1 deletion detections/endpoint/deleting_shadow_copies.yml
@@ -1,7 +1,7 @@
name: Deleting Shadow Copies
id: b89919ed-ee5f-492c-b139-95dbb162039e
version: 16
date: '2026-03-10'
date: '2026-03-16'
author: David Dorsey, Splunk
status: production
type: TTP
@@ -75,6 +75,7 @@ tags:
- VanHelsing Ransomware
- Termite Ransomware
- Storm-2460 CLFS Zero Day Exploitation
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1490
3 changes: 2 additions & 1 deletion detections/endpoint/detect_regasm_spawning_a_process.yml
@@ -1,7 +1,7 @@
name: Detect Regasm Spawning a Process
id: 72170ec5-f7d2-42f5-aefb-2b8be6aad15f
version: 14
date: '2026-03-10'
date: '2026-03-16'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -62,6 +62,7 @@ tags:
- Compromised Windows Host
- DarkGate Malware
- Snake Keylogger
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1218.009
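Review bot: the three Regasm analytics (this one, Detect Regasm with Network Connection, Detect Regasm with no Command Line Arguments) are tagged with Void Manticore, but nothing in the narrative added in stories/void_manticore.yml mentions regasm.exe or T1218.009 proxy execution. Add the observed tradecraft to the narrative or drop the tag from all three; as it stands an analyst cannot tell what behavior this mapping is meant to catch.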
@@ -1,7 +1,7 @@
name: Detect Regasm with Network Connection
id: 07921114-6db4-4e2e-ae58-3ea8a52ae93f
version: 13
date: '2026-03-10'
date: '2026-03-16'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -59,6 +59,7 @@ tags:
- Living Off The Land
- Handala Wiper
- Hellcat Ransomware
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1218.009
@@ -1,7 +1,7 @@
name: Detect Regasm with no Command Line Arguments
id: c3bc1430-04e7-4178-835f-047d8e6e97df
version: 13
date: '2026-03-10'
date: '2026-03-16'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -58,6 +58,7 @@ tags:
- Suspicious Regsvcs Regasm Activity
- Living Off The Land
- Handala Wiper
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1218.009
@@ -1,7 +1,7 @@
name: Executables Or Script Creation In Suspicious Path
id: a7e3f0f0-ae42-11eb-b245-acde48001122
version: 24
date: '2026-03-10'
date: '2026-03-16'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -147,6 +147,7 @@ tags:
- SesameOp
- DynoWiper
- XML Runner Loader
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1036
@@ -1,7 +1,7 @@
name: Executables Or Script Creation In Temp Path
id: e0422b71-2c05-4f32-8754-01fb415f49c9
version: 20
date: '2026-03-10'
date: '2026-03-16'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -130,6 +130,7 @@ tags:
- SesameOp
- PromptFlux
- XML Runner Loader
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1036
3 changes: 2 additions & 1 deletion detections/endpoint/ping_sleep_batch_command.yml
@@ -1,7 +1,7 @@
name: Ping Sleep Batch Command
id: ce058d6c-79f2-11ec-b476-acde48001122
version: 13
date: '2026-03-10'
date: '2026-03-16'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -73,6 +73,7 @@ tags:
- Meduza Stealer
- WhisperGate
- BlackByte Ransomware
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1497.003
@@ -1,7 +1,7 @@
name: Prevent Automatic Repair Mode using Bcdedit
id: 7742aa92-c9d9-11eb-bbfc-acde48001122
version: 9
date: '2026-03-10'
date: '2026-03-16'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -51,6 +51,7 @@ tags:
analytic_story:
- Ransomware
- Chaos Ransomware
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1490
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via WMI
id: d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da
version: 16
date: '2026-03-10'
date: '2026-03-16'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -62,6 +62,7 @@ tags:
- Suspicious WMI Use
- Salt Typhoon
- Active Directory Lateral Movement
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1047
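Review bot: the story narrative says lateral movement is "conducted mainly over RDP" and names NetBird for tunneling, yet Remote Process Instantiation via WMI (T1047) is tagged here with no mention of WMI anywhere in stories/void_manticore.yml. If WMI execution was observed, add it to the narrative; the RDP-only wording will otherwise lead analysts to discount a hit on this analytic.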
3 changes: 2 additions & 1 deletion detections/endpoint/sdelete_application_execution.yml
@@ -1,7 +1,7 @@
name: Sdelete Application Execution
id: 31702fc0-2682-11ec-85c3-acde48001122
version: 11
date: '2026-03-10'
date: '2026-03-16'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -55,6 +55,7 @@ tags:
analytic_story:
- Masquerading - Rename System Utilities
- Scattered Spider
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1070.004
3 changes: 2 additions & 1 deletion detections/endpoint/windows_autoit3_execution.yml
@@ -1,7 +1,7 @@
name: Windows AutoIt3 Execution
id: 0ecb40d9-492b-4a57-9f87-515dd742794c
version: 11
date: '2026-03-10'
date: '2026-03-16'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -71,6 +71,7 @@ tags:
- Crypto Stealer
- Handala Wiper
- DarkGate Malware
- Void Manticore
asset_type: Endpoint
atomic_guid: []
mitre_attack_id:
@@ -1,7 +1,7 @@
name: Windows Data Destruction Recursive Exec Files Deletion
id: 3596a799-6320-4a2f-8772-a9e98ddb2960
version: 10
date: '2026-03-10'
date: '2026-03-16'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -49,6 +49,7 @@ tags:
- Data Destruction
- Handala Wiper
- Disk Wiper
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1485
@@ -1,7 +1,7 @@
name: Windows High File Deletion Frequency
id: 45b125c4-866f-11eb-a95a-acde48001122
version: 12
date: '2026-03-10'
date: '2026-03-16'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
@@ -53,6 +53,7 @@ tags:
- APT37 Rustonotto and FadeStealer
- DynoWiper
- ZOVWiper
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1485
@@ -1,7 +1,7 @@
name: Windows Raw Access To Disk Volume Partition
id: a85aa37e-9647-11ec-90c5-acde48001122
version: 10
date: '2026-03-10'
date: '2026-03-16'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -40,6 +40,7 @@ tags:
- NjRAT
- Disk Wiper
- PathWiper
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1561.002
@@ -1,7 +1,7 @@
name: Windows Raw Access To Master Boot Record Drive
id: 7b83f666-900c-11ec-a2d9-acde48001122
version: 10
date: '2026-03-10'
date: '2026-03-16'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -43,6 +43,7 @@ tags:
- NjRAT
- Disk Wiper
- PathWiper
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1561.002
@@ -1,7 +1,7 @@
name: Windows Suspicious Process File Path
id: ecddae4e-3d4b-41e2-b3df-e46a88b38521
version: 20
date: '2026-03-10'
date: '2026-03-16'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -91,6 +91,7 @@ tags:
- Lokibot
- Castle RAT
- SesameOp
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1543
@@ -1,7 +1,7 @@
name: Windows Vulnerable Driver Installed
id: 1dda7586-57be-4a1b-8de1-a9ad802b9a7f
version: 7
date: '2026-03-10'
date: '2026-03-16'
author: Dean Luxton
status: production
type: TTP
@@ -41,6 +41,7 @@ rba:
tags:
analytic_story:
- Windows Drivers
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1543.003
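Review bot: the narrative only says the group was "observed disabling Windows Defender" and never mentions a vulnerable or abused signed driver, so tagging Windows Vulnerable Driver Installed here and Windows Vulnerable Driver Loaded in the next file (both T1543.003) implies a BYOVD step the story does not describe. Either state the driver usage in the narrative (which driver family, and that it was used to kill Defender) or leave these two untagged.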
5 changes: 3 additions & 2 deletions detections/endpoint/windows_vulnerable_driver_loaded.yml
@@ -1,7 +1,7 @@
name: Windows Vulnerable Driver Loaded
id: a2b1f1ef-221f-4187-b2a4-d4b08ec745f4
version: 8
date: '2026-02-25'
version: 9
date: '2026-03-16'
author: Michael Haag, Splunk
status: production
type: Hunting
@@ -39,6 +39,7 @@ tags:
analytic_story:
- Windows Drivers
- BlackByte Ransomware
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1543.003
@@ -1,7 +1,7 @@
name: Windows Gather Victim Network Info Through Ip Check Web Services
id: 70f7c952-0758-46d6-9148-d8969c4481d1
version: 17
date: '2026-03-10'
date: '2026-03-16'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -55,6 +55,7 @@ tags:
- Quasar RAT
- 0bj3ctivity Stealer
- Castle RAT
- Void Manticore
asset_type: Endpoint
mitre_attack_id:
- T1590.005
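Review bot: Windows Gather Victim Network Info Through Ip Check Web Services (T1590.005) has no hook in the narrative, which lists credential dumping, ADRecon and NetBird but says nothing about the actor querying IP-check services from compromised hosts. Add the observed behavior to the narrative or remove the tag.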
27 changes: 27 additions & 0 deletions stories/void_manticore.yml
@@ -0,0 +1,27 @@
name: Void Manticore
id: a8c98827-907a-4121-a4fe-83e22001e616
version: 1
date: '2026-03-16'
author: Teoderick Contreras, Splunk
status: production
description: This analytic story contains detections that allow security analysts to detect and investigate activity associated with Void Manticore (aka Red Sandstorm, Banished Kitten, Handala Hack), an Iranian MOIS-affiliated threat actor. The story covers initial access via compromised VPN and supply-chain targets, credential dumping and AD reconnaissance, lateral movement over RDP and NetBird tunneling, and destructive operations including custom wipers, PowerShell-based wiping, VeraCrypt disk encryption, and manual data destruction. Use these analytics to hunt for hands-on-keyboard behavior, default hostnames and wiper or GPO-based execution.
narrative: |
Void Manticore is an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS), also tracked as Red Sandstorm and Banished Kitten. The group operates multiple online personas—Handala Hack (focused on Israel and recently US enterprises such as Stryker), Homeland Justice (targeting Albania since mid-2022), and the largely retired Karma—with highly similar TTPs and code overlap in deployed wipers.

The actor relies on manual, hands-on operations and short-lived indicators: commercial VPN egress, open-source and publicly available offensive tools, and at times direct connectivity from Iranian or Starlink IP ranges. Initial access is often achieved through supply-chain targeting of IT and service providers to obtain VPN credentials, or via brute force and credential stuffing against organizational VPN infrastructure. Logons frequently originate from hosts with default Windows names (DESKTOP-XXXXXX, WIN-XXXXXX). After establishing access, the group has been observed disabling Windows Defender, dumping LSASS (e.g., via comsvcs.dll and rundll32), exporting sensitive registry hives, and running ADRecon (e.g., dra.ps1) to reach Domain Admin and enable broad destructive action.

Lateral movement is conducted mainly over RDP. To reach internal hosts not directly reachable, the group deploys NetBird—downloaded from the official site on compromised systems—to build a zero-trust mesh and tunnel traffic. During impact, Void Manticore combines multiple destructive methods: a custom Handala Wiper (sometimes handala.exe) with MBR-based wiping, distributed via Group Policy logon scripts and scheduled tasks; an AI-assisted PowerShell wiper that deletes user directories and drops handala.gif; use of VeraCrypt to encrypt system drives; and manual deletion of VMs and files. Wipers are often pushed via GPO (e.g., handala.bat) so that the executable runs from the Domain Controller without being written to disk on every endpoint.

This story ties detections to these TTPs so analysts can identify Void Manticore tradecraft, prioritize VPN and RDP monitoring (especially from default-named machines and high-risk geographies), and respond to wiper and credential-theft activity before or during destructive phases.
references:
- https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/
tags:
category:
- Data Destruction
- Malware
- Adversary Tactics
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection
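Review bot: the description and the closing paragraph promise hunting for "default hostnames" and "VPN and RDP monitoring (especially from default-named machines and high-risk geographies)", but none of the detections tagged in this PR is an authentication, VPN or RDP analytic, so the story advertises coverage it does not carry; either tag the relevant logon/authentication analytics or drop that sentence. Two related gaps: the narrative says the wiper is pushed via GPO (handala.bat) "so that the executable runs from the Domain Controller without being written to disk on every endpoint", which means the file-creation analytics tagged here (Executables Or Script Creation In Suspicious Path, Executables Or Script Creation In Temp Path) will not fire on those endpoints, and the story should say what does (GPO logon-script change, scheduled task creation, execution from a SYSVOL or UNC path); and several tagged detections (Sdelete Application Execution, Ping Sleep Batch Command, both bcdedit analytics, Deleting Shadow Copies, Windows AutoIt3 Execution) have no corresponding sentence in the narrative, so one line per observed behavior would make each mapping defensible from the single Check Point reference. Minor: `description` lists Handala Hack as an alias of the actor ("aka Red Sandstorm, Banished Kitten, Handala Hack") while the narrative correctly calls it one of the group's personas; keep the narrative's wording in both places.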