Iranian State‑Aligned Actors Weaponize Admin Identities to Remote‑Wipe 200k+ Devices Globally
What Happened – Iranian APT groups have abandoned custom wiper binaries and are now compromising highly privileged identities to issue legitimate remote‑wipe commands through Mobile Device Management (MDM) platforms. The campaign, attributed to the “Void Manticore (Handala)” persona, has forced the erasure of more than 200,000 devices worldwide.
Why It Matters for TPRM –
- Identity‑based abuse bypasses traditional endpoint detection, raising false‑negative risk for third‑party SaaS services.
- Remote‑wipe commands can cause massive service disruption for customers of MDM and related cloud providers.
- The shift to living‑off‑the‑land techniques expands the attack surface to any vendor that exposes administrative APIs.
Who Is Affected – Enterprises that rely on cloud‑hosted MDM/Enterprise Mobility Management solutions, telecom operators, healthcare providers, and any organization with large fleets of managed mobile devices.
Recommended Actions –
- Review contracts with MDM vendors for MFA, least‑privilege, and audit‑log requirements.
- Enforce MFA and conditional access for all privileged accounts that can invoke remote‑wipe APIs.
- Deploy continuous monitoring of privileged credential usage and anomalous API calls.
- Conduct tabletop exercises simulating large‑scale device wipe scenarios.
Technical Notes – The campaign leverages stolen privileged credentials (often obtained via phishing or credential‑dumping) to execute native remote‑wipe commands via MDM APIs; no new malware payload is dropped. This “living‑off‑the‑land” approach evades EDR telemetry that focuses on binary execution, so the observable signal is in the identity and MDM audit logs (who issued the wipe, from where, how many, and with what authentication) rather than on the endpoint.

Source: Palo Alto Unit 42 – Iranian Cyber Threat Evolution
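As an added illustration (not code from the Unit 42 report or from any MDM vendor), the following Python applies the monitoring recommendation above to constructed MDM audit‑log events. It flags the two signals the technical notes leave available once no malware is present: a remote‑wipe command issued by a session without MFA, and a burst of wipes from a single admin identity. The event field names (`ts`, `actor`, `action`, `device_id`, `source_ip`, `mfa`), the action names in `WIPE_ACTIONS`, and the thresholds are assumptions; map them to your vendor's audit schema and your fleet's normal wipe rate.

```python
"""Detect identity-driven remote-wipe abuse in MDM audit logs.

Added example, not the report's or any vendor's code. Field names and the
wipe action names are assumed; adjust them to the MDM platform's audit schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Audit actions treated as a remote wipe (assumed names).
WIPE_ACTIONS = {"device.wipe", "device.erase"}


def _event(ts, actor, device_id, mfa, source_ip="203.0.113.7"):
    """Build one constructed audit event in the assumed schema."""
    return {"ts": ts, "actor": actor, "action": "device.wipe",
            "device_id": device_id, "source_ip": source_ip, "mfa": mfa}


# Constructed sample log: one legitimate help-desk wipe (MFA present), then a
# compromised admin identity erasing six devices in under three minutes with
# no MFA on the session. Timestamps are fabricated.
SAMPLE_EVENTS = [
    _event("2025-03-01T09:15:00Z", "helpdesk@corp.example", "d-1000", True,
           source_ip="198.51.100.20"),
] + [
    _event(f"2025-03-01T02:0{i // 2}:{'30' if i % 2 else '00'}Z",
           "mdm-admin@corp.example", f"d-000{i + 1}", False)
    for i in range(6)
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_wipe_abuse(events, max_wipes=5, window=timedelta(minutes=10)):
    """Return alerts for wipe commands without MFA and for wipe bursts.

    A burst alert fires once per actor when that actor has issued
    `max_wipes` or more wipes inside the sliding `window`.
    """
    alerts = []
    recent = defaultdict(deque)   # actor -> timestamps of wipes in window
    burst_seen = set()
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["action"] not in WIPE_ACTIONS:
            continue
        actor, ts = ev["actor"], parse_ts(ev["ts"])
        if not ev.get("mfa", False):
            alerts.append({"rule": "wipe_without_mfa", "actor": actor,
                           "device_id": ev["device_id"],
                           "source_ip": ev["source_ip"], "ts": ev["ts"]})
        q = recent[actor]
        q.append(ts)
        while q and ts - q[0] > window:   # drop wipes older than the window
            q.popleft()
        if len(q) >= max_wipes and actor not in burst_seen:
            burst_seen.add(actor)
            alerts.append({"rule": "wipe_burst", "actor": actor,
                           "count": len(q),
                           "window_minutes": int(window.total_seconds() // 60),
                           "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_wipe_abuse(SAMPLE_EVENTS):
        print(alert)
```

In a production pipeline the same two rules would run against the MDM vendor's audit export or the identity provider's sign‑in logs joined on the admin principal, with the burst threshold tuned to the fleet's genuine decommissioning volume so that a normal help‑desk day does not page anyone.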