Indra
Indra is a threat actor/hacktivist alias that has been linked in the provided reporting to disruptive operations against Iranian transportation and fuel infrastructure and to data-theft activity against commercial organizations. Check Point attributed a July 2021 Iranian rail-system attack to a group calling itself Indra; the same reporting says the group was named after the Hindu god of war, had previously targeted firms in Syria, and claimed to be an anti-government partisan resistance group. Related reporting also describes Indra as an anti-Iranian regime hacktivist group. The rail attack was later cited as resembling the October 2021 cyberattack on Iran’s fuel distribution system, including use of the message "cyberattack 64411," although separate reporting in the provided content says the fuel attack was claimed by Predatory Sparrow. In 2025–2026 reporting, an actor using the alias "Indra" claimed responsibility on BreachForums for the ManoMano breach, alleging theft of approximately 43 GB of data including 37.8 million user records, 935,000 support tickets, and 13,500 attachments. For the ManoMano incident, the reported access path was compromise of a third-party customer-support subcontractor’s Zendesk account, with no evidence of malware deployment, software-vulnerability exploitation, or compromise of ManoMano’s core infrastructure. ATT&CK techniques explicitly mapped in the provided content for that intrusion include Valid Accounts (T1078), External Remote Services (T1133), Data from Information Repositories (T1213), Exfiltration Over Web Service (T1567.002), and Data Leak (T1537). Known alias in the provided content: Indra.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Transportation
Where they target
Geographies tied to known operations.
- 🇮🇷 Iran
- 🇸🇾 Syria
Tradecraft
9 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Claimed responsibility for the ManoMano breach, alleging theft of ~43 GB of data from a customer support environment (reportedly a Zendesk instance), including tens of millions of user-account records and support artifacts (tickets/attachments).
Financially motivated cybercriminal activity associated with a third-party/supply-chain compromise of a subcontractor’s Zendesk account to exfiltrate large volumes of ManoMano customer data, followed by advertising/selling/leaking the dataset on BreachForums.
Claimed responsibility for the ManoMano data breach, alleging theft/possession of ~37.8M user records including customer support ticket data, following compromise of a third-party service provider account.
Anti-regime hacktivist group claiming attacks impacting Iranian Railways and the Ministry of Roads and Urban Development systems (per Iranian authorities).
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.