Skip to main content

ZeroCleare

This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.

Summary

  • Associated actor(s): OilRig; Void Manticore / Handala
  • Tool type(s): Wiper
  • Confidence level(s): Medium
  • Source ID(s): SRC-MITRE-G0049, SRC-MITRE-G1055

Behavior

ActorBehavior Summary
OilRigMITRE ATT&CK lists ZeroCleare as software used by this actor; track it as raw-disk destructive wipe behavior.
Void Manticore / HandalaMITRE ATT&CK lists ZeroCleare as software used by this actor; track it as raw-disk destructive wipe behavior.

Hash And IOC Status

ActorStatusReference
OilRigHash not committed; use the linked MITRE references and original source reports for current IOCs.SRC-MITRE-G0049
Void Manticore / HandalaHash not committed; use the linked MITRE references and original source reports for current IOCs.SRC-MITRE-G1055

Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.

Defensive Hunting Notes

ActorHunting Notes
OilRigHunt for ZeroCleare execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain.
Void Manticore / HandalaHunt for ZeroCleare execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain.

Handling Notes

ActorHandling Notes
OilRigCommon or dual-use tools require local allowlisting and must not be used alone for actor attribution.
Void Manticore / HandalaCommon or dual-use tools require local allowlisting and must not be used alone for actor attribution.

Mapped ATT&CK Techniques For Associated Actor(s)

ActorTechniqueTacticMapping QualitySource
OilRigT1505.003 Web ShellPersistenceM3SRC-MITRE-G0049
OilRigT1049 System Network Connections DiscoveryDiscoveryM1SRC-MITRE-G0049
Void Manticore / HandalaT1566 PhishingInitial AccessM2SRC-AP-HANDALA
Void Manticore / HandalaT1204 User ExecutionExecutionM2SRC-AP-HANDALA
Void Manticore / HandalaT1485 Data DestructionImpactM2SRC-AP-HANDALA
Void Manticore / HandalaT1490 Inhibit System RecoveryImpactM2SRC-AP-HANDALA
Void Manticore / HandalaT1567 Exfiltration Over Web ServiceExfiltrationM2SRC-AP-HANDALA
Void Manticore / HandalaT1078.004 Valid Accounts: Cloud AccountsInitial AccessM3SRC-PUSH-STRYKER-HANDALA
Void Manticore / HandalaT1485 Data DestructionImpactM2SRC-PUSH-STRYKER-HANDALA

These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.

ActorDetectionRelease StatusDRLRule
Void Manticore / HandalaDET-001 - Intune Bulk Device Wipe AnomalyHunt5detections/kql/intune-bulk-device-wipe-anomaly.kql
Void Manticore / HandalaDET-004 - Mail Click To Execution CorrelationHunt4detections/kql/mail-click-to-exec-correlation.kql

These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.

ActorHuntHypothesisQuery
Void Manticore / HandalaHUNT-001If identity-plane destructive tradecraft is attempted then privileged role activation or bulk device actions will appear in audit logsdetections/kql/intune-bulk-device-wipe-anomaly.kql
Void Manticore / HandalaHUNT-004If VIP phishing is active then mail click events will correlate to risky sign-in or executiondetections/kql/mail-click-to-exec-correlation.kql

Source Review

SourcePublisherDateReliabilityTypeLast Reviewed
SRC-MITRE-G0049MITRE ATT&CK2026-05-13AKnowledge base2026-05-14
SRC-MITRE-G1055MITRE ATT&CK2026-05-12AKnowledge base2026-05-14

If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.