CISA Alert AA22-264A - Iranian HomeLand Justice APT Group's TTPs


On September 21, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory with the Federal Bureau of Investigation (FBI) on the Iranian state-sponsored cyber threat group HomeLand Justice. The threat actors stayed hidden in the Albanian government networks for nearly 14 months and conducted cyber espionage, ransomware, and destructive malware attacks.

Picus Labs added attack simulations to the Picus Threat Library for the techniques and malware used by the HomeLand Justice threat group. In this blog post, we explain the tactics, techniques, and procedures used by the Iranian threat group.

Simulate State-Sponsored Cyber Threats with 14-Day Free Trial of Picus Platform

HomeLand Justice Threat Group

HomeLand Justice is another Iranian state-sponsored cyber threat group like MuddyWater and OilRig. The threat actors' earliest known malicious activity was in May 2021, and the CISA advisory estimates that this is when the threat actors gained initial access to the Albanian government networks. Since then, they stayed hidden in the victim's network and conducted cyber espionage on Albanian citizens and government officials, including the prime minister of Albania. In July and September 2022, the HomeLand Justice group launched ransomware and destructive malware attacks against their victim and announced their criminal activities on their website. The announcement and ransom note strongly indicated that these cyber attacks were politically motivated.

In their cyber attacks, HomeLand Justice group gained initial access to the victim's network by exploiting the Microsoft SharePoint CVE-2019-0604 vulnerability. It is a remote code execution vulnerability with a CVSS score of 9.8 (Critical). Then, threat actors established persistence via webshells and moved laterally in the network via RDP, SMB, and FTP. During their attack, HomeLand Justice group exfiltrated the victim's sensitive data and stole credentials. Lastly, they made their presence known by launching ransomware and destructive malware attacks.

TTPs Used by HomeLand Justice Threat Group

HomeLand Justice Threat group uses the following tactics, techniques, and procedures (TTPs) in the MITRE ATT&CK framework:

Tactic: Initial Access

  • T1190 Exploit Public Facing Application

HomeLand Justice threat actors exploited the Microsoft SharePoint Remote Code Execution (CVE-2019-0604) vulnerability. Although the vulnerability was discovered in 2019, unpatched assets still pose a serious risk given the vulnerability's high CVSS score (9.8 Critical). Organizations are advised to update their Microsoft SharePoint installations to the latest version without delay.

Tactic: Execution

  • T1059 Command and Scripting Interpreter

HomeLand Justice threat actors use many batch files in their ransomware attacks. The ransomware attacks used two batch files with the same name, "win.bat". One file establishes persistence by running the ransomware encryptor at system startup, and the other one changes the desktop background after the attack.

start /min C:\ProgramData\Microsoft\Windows\GoXml.exe 1 2 3 4 5 6 7

Example 1: Contents of "win.bat" used for persistence

Tactic: Persistence

  • T1505.003 Web Shell

HomeLand Justice threat actors use webshells that are named pickers.aspx, error4.aspx, and ClientBin.aspx to establish persistence in the victim's compromised hosts.

  • T1098 Account Manipulation

HomeLand Justice group used compromised credentials to access Microsoft Exchange accounts, including administrator accounts. This level of access allowed threat actors to create other accounts and add them to the "Organization Management" role group.

Tactic: Defense Evasion

  • T1112 Modify Registry

HomeLand Justice threat actors modify the following registry keys to disable Windows Defender.

  • HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection
  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\SecurityHealth (modified value: 03 00 00 00 5D 02 00 00 41 3B 47 9D)
  • HKLM\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware
  • HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
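Detection logic for the registry writes listed above, added here as an example and not taken from the Picus post or the CISA advisory. It takes registry write events as plain dictionaries (key path, writing image, new data), normalises the hive spelling and stray whitespace in the key path, and flags writes to any of the five keys; the image path is a placeholder, and the reading of the first DWORD of a StartupApproved value (0x03 = disabled, 0x02 = enabled) is an assumption based on general documentation of that key, not on the advisory.

```python
import re

# Registry keys listed above, lower-cased and HKLM-prefixed for comparison.
DEFENDER_KEYS = {
    r"hklm\software\microsoft\windows defender\features\tamperprotection",
    r"hklm\software\policies\microsoft\windows defender\disableantispyware",
    r"hklm\software\microsoft\windows\currentversion\explorer\startupapproved\run\securityhealth",
    r"hklm\software\microsoft\windows defender\disableantispyware",
    r"hklm\software\microsoft\windows defender\real-time protection\disablerealtimemonitoring",
}

def normalise_key(path: str) -> str:
    """Fold case, map HKEY_LOCAL_MACHINE / HKLM: onto 'hklm', collapse padded backslashes."""
    path = path.strip().lower()
    path = re.sub(r"^(hkey_local_machine|hklm):?(?=\\)", "hklm", path)
    return re.sub(r"\s*\\+\s*", r"\\", path)

def startup_entry_disabled(value_hex: str) -> bool:
    """StartupApproved\\Run data starts with a DWORD; 0x03 is commonly documented as
    'disabled' and 0x02 as 'enabled' (assumption, see lead-in)."""
    raw = bytes.fromhex(value_hex.replace(" ", ""))
    return len(raw) >= 4 and int.from_bytes(raw[:4], "little") == 3

def assess_registry_event(event: dict) -> list[str]:
    """Findings for one registry write {'image', 'key', 'data'}; [] if uninteresting.
    'data' is an int for DWORD values or a hex string for binary values."""
    key = normalise_key(event["key"])
    if key not in DEFENDER_KEYS:
        return []
    leaf = key.rsplit("\\", 1)[-1]
    findings = [f"Defender-related key written by {event['image']}: {event['key']}"]
    data = event.get("data")
    if leaf == "securityhealth" and isinstance(data, str) and startup_entry_disabled(data):
        findings.append("SecurityHealth startup entry marked disabled (first DWORD == 3)")
    elif leaf.startswith("disable") and data == 1:
        findings.append(f"{leaf} set to 1: protection feature switched off")
    return findings

# Constructed sample writes (not real telemetry); the hex blob is the value from the list above.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Public\disable-defender.exe",   # path is a placeholder
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "data": 1},
    {"image": r"C:\Users\Public\disable-defender.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ Explorer\StartupApproved\Run\SecurityHealth",
     "data": "03 00 00 00 5D 02 00 00 41 3B 47 9D"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "data": 0},
]
```

Feeding `SAMPLE_EVENTS` through `assess_registry_event` yields two findings for each of the first two writes and nothing for the unrelated svchost.exe write.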


  • T1562.001 Impair Defenses: Disable or Modify Tools

HomeLand Justice group uses disable-defender.exe to disable Windows Defender. Also, the encryptor called GoXml.exe stops backup and security services and kills processes that may hold files open, using the commands below.

set SrvLst=vss sql svc$ memtas mepos sophos veeam backup GxVss GxBlr GxFWD GxCVD GxCIMgr DefWatch ccEvtMgr ccSetMgr SavRoam RTVscan QBFCService QBIDPService ntuit.QuickBooks.FCS QBCFMonitorService YooBackup YooIT zhudongfangyu sophos stc_raw_agent VSNAPVSS VeeamTransportSvc VeeamDeploymentService VeeamNFSSvc veeam PDVFSService BackupExecVSSProvider BackupExecAgentAccelerator BackupExecAgentBrowser BackupExecDiveciMediaService BackupExecJobEngine BackupExecManagementService BackupExecRPCService AcrSch2Svc AcronisAgent CASAD2DWebSvc CAARCUpdateSvc
for %C in (%SrvLst%) do @net stop %C
set SrvLst=
set PrcLst=mysql sql oracle ocssd dbsnmp synctime agntsvc isqlplussvc xfssvccon mydesktopservice ocautoupds encsvc tbirdconfig mydesktopqos ocomm dbeng50 sqbcoreservice excel infopath msaccess mspub onenote outlook powerpnt steam thebat thunderbird visio winword wordpad notepad
for %C in (%PrcLst%) do @taskkill /f /im "%C.exe"
set PrcLst=

Example 2: Commands in "GoXml.exe" that disable certain services
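The service and process lists above are a typical pre-encryption pattern: on an endpoint they appear as a burst of separate net.exe and taskkill.exe process creations within a few seconds. The Python below, an added example rather than code from the post or the advisory, scores one host's process-creation command lines for that burst with a sliding time window; the window size, the threshold and the sample events are constructed assumptions, and the name sets are a subset of the lists quoted above.

```python
import re

# Names taken from the GoXml.exe service and process lists quoted above (a subset).
BACKUP_AV_SERVICES = {"vss", "sql", "sophos", "veeam", "memtas", "mepos", "gxvss",
                      "defwatch", "savroam", "backupexecvssprovider", "acronisagent"}
DATA_APP_PROCESSES = {"mysql", "oracle", "sqbcoreservice", "outlook", "excel",
                      "winword", "thunderbird", "notepad"}

NET_STOP = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([^\s"]+)', re.I)
TASKKILL = re.compile(r'\btaskkill(?:\.exe)?\b.*?/im\s+"?([^\s"]+)', re.I)

def classify(cmdline: str):
    """Return ('stop', service) or ('kill', process) for one command line, else None."""
    if m := NET_STOP.search(cmdline):
        return ("stop", m.group(1).lower())
    if m := TASKKILL.search(cmdline):
        name = m.group(1).lower()
        return ("kill", name[:-4] if name.endswith(".exe") else name)
    return None

def is_prelude_hit(cmdline: str) -> bool:
    """True when the command stops a backup/AV service or kills a data-holding app."""
    r = classify(cmdline)
    return bool(r) and ((r[0] == "stop" and r[1] in BACKUP_AV_SERVICES) or
                        (r[0] == "kill" and r[1] in DATA_APP_PROCESSES))

def assess_host(events, window_s: float = 60.0, threshold: int = 5):
    """events: (seconds, command line) pairs from one host's process-creation log.
    Returns (max hits in any window, alert) using a sliding window over hit times."""
    hits = sorted(t for t, c in events if is_prelude_hit(c))
    best = j = 0
    for i, t in enumerate(hits):
        while hits[j] < t - window_s:   # drop hits that fell out of the window
            j += 1
        best = max(best, i - j + 1)
    return best, best >= threshold

# Constructed process-creation events (not real telemetry): (seconds, command line).
ENCRYPTOR_HOST = [
    (0.0, "net stop vss"), (0.4, "net stop sql"), (0.9, "net stop sophos"),
    (1.3, "net stop veeam"), (1.8, "net stop GxVss"),
    (2.5, 'taskkill /f /im "mysql.exe"'), (3.1, "taskkill /f /im outlook.exe"),
    (3.6, "taskkill /f /im winword.exe"),
    (3600.0, "net stop spooler"),          # unrelated admin action, not in the list
]
QUIET_HOST = [
    (0.0, "net stop spooler"), (5.0, "taskkill /f /im notepad.exe"),
    (900.0, "net stop vss"),               # isolated stops do not reach the threshold
]
```

`assess_host(ENCRYPTOR_HOST)` returns eight hits inside one window and raises the alert, while `assess_host(QUIET_HOST)` never sees more than one hit per window.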

Tactic: Credential Access

  • T1003.001 OS Credential Dumping: LSASS Memory

HomeLand Justice threat actors use Mimikatz to dump LSASS memory, which can then be used to extract credentials stored on the compromised host.

Tactic: Discovery

  • T1046 Network Service Discovery

HomeLand Justice group used "Advanced Port Scanner" to discover open ports and services in the victim's environment.

Tactic: Lateral Movement

  • T1021.001 Remote Services: Remote Desktop Protocol

HomeLand Justice threat actors primarily used Remote Desktop Protocol (RDP) to move laterally in the victim's network.

  • T1021.002 Remote Services: SMB/Windows Admin Shares

HomeLand Justice threat actors also used SMB protocol to move laterally in the victim's network.

Tactic: Exfiltration

  • T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

HomeLand Justice threat actors were able to access administrator accounts of Microsoft Exchange service via compromised credentials. Using this access, they searched and exfiltrated emails and other sensitive data belonging to the victim.

Tactic: Impact

  • T1486 Data Encrypted for Impact

HomeLand Justice threat actors used an executable called Mellona.exe to spread GoXml.exe encryptor to internal assets in the victim's network. GoXml.exe encrypted all files in the infected hosts and left a ransom note named "How_To_Unlock_MyFiles.txt" in each folder that was encrypted.

  • T1490 Inhibit System Recovery

The encryptor GoXml.exe also deletes volume shadow copies to prevent the victim from recovering the encrypted files.

  • T1485 Data Destruction

HomeLand Justice threat actors used the ZeroCleare disk wiper malware to delete data via raw access to the hard drive.

How Does Picus Help Simulate HomeLand Justice Cyber Attacks?

We also strongly suggest simulating HomeLand Justice cyber threats to test the effectiveness of your security controls against ransomware attacks using the Picus Complete Security Control Validation Platform. You can test your defenses against HomeLand Justice threat actors and other Iranian state-sponsored APT threats such as MuddyWater, OilRig, and PHOSPHORUS within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the HomeLand Justice Threat Group:

HomeLand Justice Threat Group Campaign 2022
  • Action Name: HomeLand Justice Threat Group Campaign Malware Download Threat; Attack Module: Network Infiltration
  • Action Name: HomeLand Justice Threat Group Campaign Email Threat; Attack Module: Email Infiltration (Phishing)

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus Complete Security Control Validation Platform.

Indicators of Compromise