Shadow Play: How Iran’s MOIS Orchestrates a Global Cyber Menagerie
A single Iranian intelligence agency is running a worldwide cyber campaign, hiding behind multiple hacker personas to confuse, disrupt, and intimidate targets from Albania to Israel and beyond.
In the shadowy world of cyber warfare, appearances can be deceiving. What looks like a chaotic clash of rival hacktivist groups is, in reality, a meticulously coordinated campaign directed by Iran’s Ministry of Intelligence and Security (MOIS). Behind the banners of Homeland Justice, Karma, and Handala lurks a unified team, seamlessly switching masks to wage psychological and technical warfare on a global stage.
The first major red flag waved in 2022, when “Homeland Justice” loudly claimed responsibility for crippling Albania’s government. At first glance, it looked like a rogue hacktivist stunt. But forensic analysis revealed a more chilling reality: MOIS operators had spent over a year lurking within Albanian networks, exploiting a vulnerable Microsoft SharePoint system, stealing emails, and setting the stage for maximum chaos with custom wipers and ransomware-style attacks. The final act - a public claim and data leak - was just the tip of the iceberg.
The playbook didn’t change, only the masks. When the Israel-Hamas war erupted in late 2023, the “Karma” persona picked up the torch, targeting Israeli organizations with a near-identical arsenal: webshells, credential harvesters, and destructive tools like the infamous BiBi Wiper. By 2024, “Handala” became the new face of the operation, cycling through lookalike domains and Telegram channels to leak stolen data and stoke political tension.
What unites these seemingly disparate groups is a shared toolkit and infrastructure. Researchers have traced the same servers, command-and-control channels, and even snippets of code across all three personas. U.S. agencies recently seized domains such as Justicehomeland[.]org and Handala-Hack[.]to, confirming that these were not grassroots hacktivist sites but central hubs for Iranian psychological operations - sometimes even inciting violence against journalists and dissidents.
The sophistication of MOIS’s methods is evolving. In March 2026, the Handala persona hijacked a Microsoft Intune admin account at a major medical technology firm, using a legitimate remote-wipe feature to reset up to 200,000 devices across 79 countries. Before going public on Telegram, the attackers siphoned off tens of terabytes of sensitive data - a devastating blend of espionage, sabotage, and intimidation.
Analysts warn that treating Homeland Justice, Karma, and Handala as separate threats is a critical mistake. The evidence points to a single, state-directed influence machine - one that can pivot from espionage to public leaks, from ransomware to mass device wipes, all while camouflaging its true origin behind a carousel of online identities. For defenders, the telltale signs are clear: similar infrastructure, shared code, and a relentless cycle of hack-and-leak operations, all orchestrated from the heart of Iranian intelligence.
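The attribution argument above rests on overlap: personas that reuse the same servers, channels or code are treated as one actor. The following script, an added example that is not part of the article, makes that check concrete by clustering personas on shared indicators with a union-find; every indicator value in it is a constructed placeholder, and the link from Homeland Justice to Handala only appears transitively through Karma, which is the point.

```python
from collections import defaultdict

# Constructed sample observations (placeholders, not real indicators):
# persona -> set of (indicator type, value) pairs seen in its operations.
OBSERVATIONS = {
    "Homeland Justice": {("c2", "198.51.100.10"), ("hash", "WIPER-A-PLACEHOLDER")},
    "Karma": {("c2", "198.51.100.10"), ("hash", "WIPER-B-PLACEHOLDER")},
    "Handala": {("hash", "WIPER-B-PLACEHOLDER"), ("telegram", "t.me/handala-placeholder")},
    "UnrelatedGroup": {("c2", "203.0.113.7"), ("hash", "STEALER-X-PLACEHOLDER")},
}


def cluster_personas(observations):
    """Merge personas that share any indicator. Links are transitive, so two
    personas never seen with the same indicator still land in one cluster when
    a third persona bridges them (Homeland Justice -> Karma -> Handala).
    Returns a list of {"members": [...], "shared": [...]} sorted by members."""
    parent = {p: p for p in observations}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    # Invert the table: indicator -> personas observed using it.
    users = defaultdict(set)
    for persona, indicators in observations.items():
        for ind in indicators:
            users[ind].add(persona)

    # Any indicator with more than one user links those personas.
    for personas in users.values():
        first, *rest = sorted(personas)
        for other in rest:
            parent[find(other)] = find(first)

    groups = defaultdict(set)
    for persona in observations:
        groups[find(persona)].add(persona)

    result = []
    for members in groups.values():
        shared = sorted(f"{kind}:{value}" for (kind, value), ps in users.items()
                        if len(ps & members) > 1)
        result.append({"members": sorted(members), "shared": shared})
    return sorted(result, key=lambda c: c["members"])


if __name__ == "__main__":
    for cluster in cluster_personas(OBSERVATIONS):
        print(", ".join(cluster["members"]), "<-", cluster["shared"] or "no overlap")
```

On real data, weight the indicator types (a shared C2 address is far stronger evidence than a shared commodity tool hash) before trusting a merge.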
As the digital battlefield grows ever more complex, the lesson is stark: in cyber conflict, masks are easy to don and discard, but the hand behind them is often the same. Understanding the unity behind the chaos is the first step to real defense.
WIKICROOK
- Persona: A persona is a fake online identity crafted to deceive, often used in cyberattacks or security testing to manipulate targets or gather information.
- Command: A command is an instruction sent to a device or software, often by a command-and-control (C2) server, directing it to perform specific actions, sometimes for malicious purposes.
- Webshell: A webshell is a hidden program uploaded by hackers to a compromised website, giving them remote control and unauthorized access like a secret backdoor.
- Wiper: A wiper is malware that deletes or corrupts data to cause harm or cover tracks, making recovery difficult or impossible.
- Living off the Land: Living off the land means attackers use trusted, built-in system tools for malicious purposes, making their activity harder to detect.