Skip to main content
Mallory
Back to threat actors
5 malware families

Druidfly

Also known asdruidfly

Druidfly, also known as Homeland Justice and Karma, is an Iranian attack group associated with destructive disk-wiping operations. Reporting cited in the provided content describes Druidfly as specializing in disk-wiping attacks and links the group to wiper activity targeting organizations in Albania. The content also states that Druidfly maintains BibiWiper capability pre-staged with HTTPSnoop malware, AnyDesk, ScreenConnect, and ReGeorg web shells as a recognizable pre-destructive indicator chain. Known aliases mentioned in the content are Homeland Justice and Karma.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

9 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

7 of 15 tactics12 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0003
Persistence
1 technique
T1505
Server Software Component
T1505.003×2
Web Shell
TA0112
Defense Impairment
1 technique
T1553
Subvert Trust Controls
T1553.002
Code Signing
TA0006
Credential Access
1 technique
T1649
Steal or Forge Authentication Certificates
TA0007
Discovery
1 technique
T1482
Domain Trust Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
TA0011
Command and Control
1 technique
T1219×2
Remote Access Tools
TA0040
Impact
3 techniques
T1485×2
Data Destruction
T1486
Data Encrypted for Impact
T1561
Disk Wipe
T1561.001
Disk Content Wipe
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
AnyDeskUse of the remote desktop tools AnyDesk and ScreenConnect1Mar 11, 2026
BibiWiperDruidfly reappeared in 2023, when it began targeting Israel with a wiper called BibiWiper, seemingly named after Israeli Prime Minister Benjamin Netanyahu, whose nickname is “Bibi”.1Mar 15, 2026
HTTPSnoopTracing other tools used to initiate the BibiWiper attacks against Israel revealed the following overlap in tactics, techniques, and procedures between these attacks and earlier Druidfly attacks: HTTPSnoop malware was previously deployed prior to the Druidfly wiping attacks.1Mar 16, 2026
reGeorgUse of ReGeorg web shells1Mar 11, 2026
ScreenConnectUse of the remote desktop tools AnyDesk and ScreenConnect1Mar 11, 2026
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
centripetal threat researchNews
Mar 20, 2026
Pre-Positioned Access: The Cyber Threat Behind the Iran… | Centripetal

Actor maintaining pre-staged destructive capability using BibiWiper supported by malware, RMM tools, and web shells.

Read more
symantec blogNews
Mar 5, 2026
Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company | SECURITY.COM

Iranian attack group specializing in destructive disk-wiping operations, notably against Albania and Israel, often operating under hacktivist personas while conducting state-linked disruptive and destructive attacks.

Read more
cert eu threat intelNews
Jan 7, 2025
Cyber Brief 25-07 - June 2025

Destructive attacks and espionage operations targeting countries hostile to Iran, including Albania and Israel, using wipers, ransomware, and social engineering.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping9

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.