Skip to main content

Impacket

This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.

Summary

  • Associated actor(s): Magic Hound; Void Manticore / Handala
  • Tool type(s): Python network protocol toolkit
  • Confidence level(s): Medium
  • Source ID(s): SRC-MITRE-G0059, SRC-MITRE-G1055

Behavior

ActorBehavior Summary
Magic HoundMITRE ATT&CK lists Impacket as software used by this actor; track it as SMB, credential, and lateral movement behavior.
Void Manticore / HandalaMITRE ATT&CK lists Impacket as software used by this actor; track it as SMB, credential, and lateral movement behavior.

Hash And IOC Status

ActorStatusReference
Magic HoundHash not committed; use the linked MITRE references and original source reports for current IOCs.SRC-MITRE-G0059
Void Manticore / HandalaHash not committed; use the linked MITRE references and original source reports for current IOCs.SRC-MITRE-G1055

Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.

Defensive Hunting Notes

ActorHunting Notes
Magic HoundHunt for Impacket execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain.
Void Manticore / HandalaHunt for Impacket execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain.

Handling Notes

ActorHandling Notes
Magic HoundCommon or dual-use tools require local allowlisting and must not be used alone for actor attribution.
Void Manticore / HandalaCommon or dual-use tools require local allowlisting and must not be used alone for actor attribution.

Mapped ATT&CK Techniques For Associated Actor(s)

ActorTechniqueTacticMapping QualitySource
Magic HoundT1566.002 Spearphishing LinkInitial AccessM2SRC-MITRE-G0059
Magic HoundT1583.001 Acquire DomainsResource DevelopmentM1SRC-MITRE-G0059
Void Manticore / HandalaT1566 PhishingInitial AccessM2SRC-AP-HANDALA
Void Manticore / HandalaT1204 User ExecutionExecutionM2SRC-AP-HANDALA
Void Manticore / HandalaT1485 Data DestructionImpactM2SRC-AP-HANDALA
Void Manticore / HandalaT1490 Inhibit System RecoveryImpactM2SRC-AP-HANDALA
Void Manticore / HandalaT1567 Exfiltration Over Web ServiceExfiltrationM2SRC-AP-HANDALA
Void Manticore / HandalaT1078.004 Valid Accounts: Cloud AccountsInitial AccessM3SRC-PUSH-STRYKER-HANDALA
Void Manticore / HandalaT1485 Data DestructionImpactM2SRC-PUSH-STRYKER-HANDALA

These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.

ActorDetectionRelease StatusDRLRule
Magic HoundDET-004 - Mail Click To Execution CorrelationHunt4detections/kql/mail-click-to-exec-correlation.kql
Void Manticore / HandalaDET-001 - Intune Bulk Device Wipe AnomalyHunt5detections/kql/intune-bulk-device-wipe-anomaly.kql
Void Manticore / HandalaDET-004 - Mail Click To Execution CorrelationHunt4detections/kql/mail-click-to-exec-correlation.kql

These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.

ActorHuntHypothesisQuery
Magic HoundHUNT-004If VIP phishing is active then mail click events will correlate to risky sign-in or executiondetections/kql/mail-click-to-exec-correlation.kql
Void Manticore / HandalaHUNT-001If identity-plane destructive tradecraft is attempted then privileged role activation or bulk device actions will appear in audit logsdetections/kql/intune-bulk-device-wipe-anomaly.kql
Void Manticore / HandalaHUNT-004If VIP phishing is active then mail click events will correlate to risky sign-in or executiondetections/kql/mail-click-to-exec-correlation.kql

Source Review

SourcePublisherDateReliabilityTypeLast Reviewed
SRC-MITRE-G0059MITRE ATT&CK2026-05-13AKnowledge base2026-05-14
SRC-MITRE-G1055MITRE ATT&CK2026-05-12AKnowledge base2026-05-14

If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.