Cyber Threat Actor: Justice Blade
| Actor Type | Location | Known Incidents |
Activist
|
Iran
|
6 incidents |
|---|
Profile
The threat actor known publicly as Justice Blade and also as Homeland Justice is identified in open‑source reporting as operating from Iran. The group uses two aliases that appear in separate incident reports but refer to the same set of activities. Observations show the actor directs its efforts toward governmental and private‑sector entities in the Middle East and the Balkans, with a pattern of targeting ministries, municipal administrations, and outsourcing firms that support national infrastructure. Public statements and leak messages indicate that the motivations are ideological rather than financial, as no ransom demands have been accompanying the disclosed operations. Instead, the actor seeks to expose data, disrupt services, and convey a political message to the targeted governments.
Initial access in the observed campaigns has repeatedly involved the compromise of legitimate employee credentials, which were then used to pivot inside victim networks. After gaining a foothold, the actor has deployed the Metasploit Framework to execute post‑exploitation tasks and to explore internal systems such as Active Directory and associated applications. The actor routinely defaces public‑facing websites to announce the intrusion and to leak screenshots of remote desktop sessions and Office 365 communications as proof of access. Exfiltrated data is subsequently shared through a private Telegram channel created for the purpose of distributing stolen records, including CRM databases, personal information, contracts and email archives. No custom malware families have been described in the reports; the reliance on legitimate tools and stolen credentials characterizes the tradecraft.
One of the most detailed operations involved the Saudi Arabian outsourcing provider Smart Link BPO Solutions, where the actor extracted over one hundred thousand records linked to regional airlines and a central‑bank initiative, defaced the corporate site and used the compromised account to move laterally. In the Balkans, the actor has claimed responsibility for repeated intrusions against Tirana City Hall, resulting in website outages, email disruption and the wiping of municipal servers, while also attempting to breach Albania’s parliamentary network, an effort that was detected but did not lead to confirmed data loss. These incidents illustrate a tactical focus on exploiting weak points in local government infrastructure and on leveraging supply‑chain relationships to reach broader governmental audiences. The actor’s public postings consistently frame the leaks as exposés of government officials, reinforcing the ideological narrative that underlies the campaigns.
