Cyber Threat Actor: Void Manticore
| Actor Type | Location | Known Incidents |
Activist
|
Iran
|
1 incident |
|---|
Profile
Void Manticore is an Iran‑linked hacktivist group that has been publicly identified by that alias in cybersecurity reporting. The group’s known location is Iran, and it operates under the label of a hacktivist collective rather than a traditional criminal enterprise. Public sources describe Void Manticore as acting in support of Iranian interests, though the exact nature of any state direction is not detailed beyond the Iran linkage. The actor has not been associated with any other aliases in the available material.
The group’s observed activity focuses on the healthcare and medical technology sector, exemplified by the March 2026 attack on Stryker, a U.S.–based medical device manufacturer. In that incident Void Manticore sought to disrupt the victim’s operations by wiping tens of thousands of internally managed Microsoft devices through the Intune endpoint management platform. The attackers gained initial access by compromising administrator credentials, which they then used to execute a mass wipe that interfered with order processing, manufacturing, and shipping functions. While the actors claimed to have exfiltrated large volumes of data, investigators found no evidence of successful data theft, indicating that the primary effect was operational disruption rather than espionage or financial gain. The TTPs observed include credential abuse, legitimate administration tool misuse, and destructive data wiping as a means of causing service outage.
Attribution to Void Manticore is based on public statements from the group itself and corroboration by U.S. cybersecurity agencies that linked the activity to Iran‑linked hacktivist actors. The Stryker campaign stands as the only publicly reported operation attributed to this group in the supplied context, and it resulted in noticeable delays in product delivery and short‑term financial impacts for the target before systems were restored to pre‑attack levels within weeks. The incident prompted advisories urging organizations to harden Intune configurations and enforce least‑privilege access controls to mitigate similar credential‑based attacks. No further campaigns, malware families, or tooling specifics are documented in the available sources.
