INTELLIGENCE REPORT — HANDALA / HANDALA HACK TEAM

TLP:CLEAR | General Public | Updated: March 2026

1. IDENTIFICATION & ATTRIBUTION

Naming (known aliases by vendor)

The group is tracked under the following names across vendors: Handala, Handala Hack, Handala Hack Team, Void Manticore (Check Point Research), Storm-0842 (Microsoft; also written Storm-842 in some reporting), BANISHED KITTEN (CrowdStrike), Dune (other vendors) (1)(2). Associated operational personas include Karma (alias Karma Below), used against Israel, and Homeland Justice, used against Albania (1).

Origin

Iran.

Presumed sponsor

Void Manticore is an actor affiliated with the Iranian Ministry of Intelligence and Security (MOIS). According to public sources, activity is linked to the MOIS Internal Security Deputy, specifically its Counter-Terrorism (CT) Division, operating under the supervision of Seyed Yahya Hosseini Panjaki (1)(2). Panjaki was sanctioned by the U.S. Treasury in September 2024, subsequently by the EU and the United Kingdom, and is listed on the FBI terrorism watchlist (2).

Sophistication level

Moderate to high. The group has evolved from basic operations (phishing, DDoS) to intrusions built on account compromise, privilege escalation, long-term persistence, and the deployment of destructive wipers (8). Sophos X-Ops notes that Handala regularly overstates its capabilities; some claimed breaches rest on recycled or outdated data (2).

Motivation

Destruction / sabotage — hack-and-leak operations with a strong psychological warfare and influence component. Geopolitical motivations aligned with Iranian state interests.

Targeted sectors

By documented frequency: technology, information technology, government and defense, critical infrastructure, energy, education, financial sector (2).

Geographic scope

Israel remains the primary target. Since late 2025 and the post-Operation Epic Fury escalation (U.S.-Israeli strikes on February 28, 2026), targeting has expanded to U.S. companies, Gulf states, and Western institutions (2)(6).


2. INFRASTRUCTURE & TTPs

C2 infrastructure

The group uses Telegram (api.telegram.org) as a C2 channel (3). Cloud storage platforms, AWS S3 and Storj, have been identified as exfiltration destinations (8). To conceal its origin the group primarily connects through commercial VPN nodes; the attacker machines seen in session logs carry Windows default hostnames of the form DESKTOP-XXXXXX or WIN-XXXXXX. Since the Iranian internet blackout of January 2026, connections from Starlink IP ranges have been observed, together with a degradation in operational security in the form of direct connections from Iranian IP addresses (1).

MITRE ATT&CK TTP Table

Phase | Technique | ATT&CK ID
Initial Access | Spearphishing Attachment | T1566.001
Initial Access | Spearphishing via Service (SMS / messaging lures) | T1566.003
Initial Access | Valid Accounts: VPN accounts obtained by credential stuffing / brute force (T1110) | T1078
Execution | User Execution: Malicious File | T1204.002
Execution | NSIS installer script abuse | T1059
Execution | AutoIt script execution | T1059.010
Execution | PowerShell (AI-assisted wiper script) | T1059.001
Defense Evasion | Process Hollowing (RegAsm.exe) | T1055.012
Privilege Escalation / Defense Evasion | BYOVD (Bring Your Own Vulnerable Driver) | T1068
Defense Evasion | Batch script obfuscation | T1027
Lateral Movement | Propagation via Group Policy logon scripts (Domain Policy Modification) | T1484.001
Collection | Data Staged | T1074
Exfiltration | Exfiltration to Cloud Storage (Storj, AWS S3) | T1567.002
Command & Control | Application Layer Protocol: Web Protocols (Telegram API) | T1071.001
Command & Control | Protocol Tunneling (NetBird mesh VPN) | T1572
Impact | Disk Content Wipe (file contents) | T1561.001
Impact | Disk Structure Wipe (MBR) | T1561.002
Impact | Data Destruction | T1485
Impact | Internal Defacement (handala.gif dropped on all drives) | T1491.001

Sources: (1)(2)(3)(4)(15)


3. MALWARE & TOOLING

Handala Wiper (custom)

  • Name: Handala Wiper (handala.exe / handala.bat)
  • Type: Destructive wiper
  • Function: Overwrites file contents system-wide, performs MBR-based wiping, propagates via Group Policy logon scripts from the Domain Controller. The executable payload is launched remotely from the DC without being written to disk on affected machines. As a final step, drops a propaganda image handala.gif on all logical drives (1)(3).
  • C2 channel / technical specifics: Telegram API. Execution chain: NSIS installer → AutoIT loader → process hollowing into RegAsm.exe → BYOVD driver (3)(4).
  • Identifying campaign: CrowdStrike-themed phishing campaign, July 2024 (3).

PowerShell Wiper (AI-assisted)

  • Name: PowerShell script (no consolidated public name)
  • Type: Secondary wiper
  • Function: Enumerates and deletes all files within user directories. Code structure and detailed inline comments suggest probable AI-assisted development (1).
  • Delivery channel (in place of a C2 channel): Group Policy logon scripts pushed from the Domain Controller (1).
  • Identifying campaign: Void Manticore operations 2025-2026 (1).

senvarservice-DC.exe

  • Name: senvarservice-DC.exe
  • Type: Exfiltration malware
  • Function: Data exfiltration via Telegram and cloud storage platforms (AWS S3, Storj). Discovered through reverse engineering (8).
  • C2 channel: Telegram + cloud storage.
  • Identifying campaign: 2024-2025 campaigns (8).

Delphi-coded loader

  • Name: Second-stage loader (no consolidated public name)
  • Type: Loader
  • Function: Delphi-coded second-stage loader, component of a multi-stage loading process preceding wiper deployment (3)(10).
  • Identifying campaign: Documented by Malpedia / Cisco Talos (3)(10).

Third-party tools used

  • NetBird: VPN mesh tunnel for network pivoting (1)
  • NSIS (Nullsoft Scriptable Install System): payload staging (3)
  • AutoIT: payload injection into a Windows process (3)
  • Off-the-shelf wipers and publicly available deletion/encryption tools (1)
  • Commercial file-sharing platforms (Storj, Mega): malicious payload distribution (8)
  • Microsoft Intune: abuse of the victim's legitimate MDM infrastructure to issue remote wipe commands (Stryker case, March 2026) (7)

4. CAMPAIGN HISTORY

Period | Campaign | Targets | Vector | Tooling
Dec. 2023 | Emergence — #OpIsrael | Varied Israeli entities | Phishing, defacement | DDoS tools, defacement scripts (9)
2024 (ongoing) | Data leak campaigns | Israeli defense contractors | Phishing, VPN credential stuffing | Handala Wiper, cloud exfiltration (2)(9)
Jul. 2024 | CrowdStrike-themed phishing — exploitation of the global BSOD outage to distribute fake remediation tools | Israeli organizations | Phishing (PDF + malicious archive) | NSIS, AutoIT, Handala Wiper, BYOVD driver (2)(3)
Sep. 2024 | Soreq Nuclear Research Center — claimed exfiltration of ~197 GB of classified nuclear project data; assessed as psychological warfare by the Israeli INCD | Israeli nuclear research center | Undisclosed | Unconfirmed (2)
Nov. 2024 | Silicom — claimed exfiltration and wiping of 40 TB of data | Israeli tech firm Silicom | Undisclosed | Wiper (8)
Jan. 2025 | Kindergarten PA systems — compromise of Maagar-Tec emergency alert systems at 20+ schools; sirens activated, threatening messages broadcast | Israeli civilian alert systems | Third-party system compromise | Emergency system access (2)
Feb. 2025 | Israeli Police — claimed exfiltration of 2.1 TB including personnel records, weapons inventories, and psychological profiles; assessed as third-party vendor compromise | Israeli National Police | Vendor compromise | Undisclosed (2)(8)
Dec. 2025 | Telegram account compromise of Israeli political officials — session hijacking and social engineering; compromise limited to Telegram accounts, not full device access | Israeli political figures | Session hijacking, social engineering | SS7, Telegram configuration exploitation (5)
Mar. 2026 | Stryker Corporation — destructive attack via abuse of Microsoft Intune to issue remote wipe commands across the entire enterprise; ~56,000 employees across 61 countries impacted | Stryker Corp. (USA, global) | Admin account compromise + MDM Intune abuse | Living-off-the-land via Intune (6)(7)

5. INDICATORS OF COMPROMISE (IOCs)

⚠️ Expiration warning: the IOCs below come from public reporting dated 2024-2026 and have a limited validity period. Before any blocking or detection use, verify their freshness against real-time CTI platforms; do not use them as a blocking basis without prior validation.

Characteristic network patterns

  • Outbound connections to the Telegram API for C2 (api.telegram.org) (1)(3)
  • Commercial VPN traffic originating from the 169.150.227.X segment historically associated with Handala operations (1)
  • Sessions initiated from default hostnames in the format DESKTOP-XXXXXX / WIN-XXXXXX (1)
  • Since January 2026: connections from Starlink IP ranges and direct Iranian IP addresses (1)
  • Connections to Storj, Mega, or AWS S3 preceding a destruction event (pre-wipe exfiltration) (8)
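The hostname and source-range patterns above are cheap to check against VPN gateway logs. The following Python is an added example written for this report, not code from the report's sources or from any vendor. It runs over constructed VPN-gateway log lines (the key=value layout, the user names, the `LT-`/`WS-` naming standard and the per-user hostname baseline are assumptions; the non-Handala addresses come from RFC 5737 documentation ranges) and scores each session on three signals: a Windows default hostname, a hostname never seen for that user, and a source address inside the 169.150.227.0/24 range cited above.

```python
import ipaddress
import re

# Constructed VPN-gateway log lines (not real telemetry). The key=value layout is an assumption;
# adapt LINE_RX to your gateway. 169.150.227.0/24 is the range cited in this report; the other
# addresses are documentation ranges (RFC 5737).
LOG_LINES = [
    "2026-03-10T02:14:09Z vpn-gw1 login user=j.cohen src=169.150.227.41 host=DESKTOP-K3P9QZ2 result=success",
    "2026-03-10T02:15:30Z vpn-gw1 login user=j.cohen src=169.150.227.41 host=WIN-7F2A1BQ9S3D result=failure",
    "2026-03-10T08:01:44Z vpn-gw1 login user=d.levi src=203.0.113.17 host=LT-FIN-0042 result=success",
    "2026-03-10T09:30:00Z vpn-gw1 login user=a.mizrahi src=198.51.100.9 host=DESKTOP-2HBD7L1 result=success",
]
LINE_RX = re.compile(r"^(?P<ts>\S+) (?P<gw>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"host=(?P<host>\S+) result=(?P<result>\S+)$")
DEFAULT_HOSTNAME = re.compile(r"^(DESKTOP|WIN)-[A-Z0-9]{6,15}$")   # Windows out-of-box computer names
REPORTED_RANGES = [ipaddress.ip_network("169.150.227.0/24")]       # validate freshness before blocking
# Assumption: the organisation's device-naming standard; a default name never matches it.
MANAGED_PREFIXES = ("LT-", "WS-")
# Assumption: a baseline of hostnames each user has previously connected from (a.mizrahi is a known BYOD case).
BASELINE = {"j.cohen": {"LT-OPS-0017"}, "d.levi": {"LT-FIN-0042"}, "a.mizrahi": {"DESKTOP-2HBD7L1"}}


def parse(line):
    """Return the record as a dict, or None if the line does not match the gateway format."""
    m = LINE_RX.match(line)
    return m.groupdict() if m else None


def score_session(rec, baseline=BASELINE):
    """Return (score, reasons) for one VPN logon record; higher means more Handala-like."""
    reasons = []
    host = rec["host"]
    if DEFAULT_HOSTNAME.match(host) and not host.startswith(MANAGED_PREFIXES):
        reasons.append("default Windows hostname, likely an unmanaged device")
    if host not in baseline.get(rec["user"], set()):
        reasons.append("hostname never seen before for this user")
    src = ipaddress.ip_address(rec["src"])
    if any(src in net for net in REPORTED_RANGES):
        reasons.append("source address in a range reported for Handala VPN activity")
    return len(reasons), reasons


def triage(lines, min_score=2):
    """Parse and score every line; keep, per user, the highest-scoring session at or above min_score."""
    per_user = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        score, reasons = score_session(rec)
        if score >= min_score and score > per_user.get(rec["user"], {}).get("score", -1):
            per_user[rec["user"]] = {"score": score, "reasons": reasons,
                                     "src": rec["src"], "host": rec["host"]}
    return per_user


if __name__ == "__main__":
    for user, hit in triage(LOG_LINES).items():
        print(user, hit["src"], hit["host"], "score=%d" % hit["score"])
        for r in hit["reasons"]:
            print("   -", r)
```

Failed logons are scored as well as successes: a default-named host hammering the gateway from a reported range is the credential-stuffing precursor listed in the TTP table, not noise to discard.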

Historical domains (public sources)

  • handala[.]cx — original site, decommissioned
  • handala[.]to — active site since May 2024 (9)

Infrastructure is regularly rotated. Refer to real-time IOC feeds listed below.

Documented public hashes

Hashes associated with the wiper (July 2024 campaign) are available in sources (3)(4)(10)(14). Not reproduced in this report due to rapid expiration.

Abnormal User-Agents observed

No specific User-Agent consolidated in consulted public sources. The use of extension-less NSIS files constitutes an unconventional technique likely to generate atypical signatures in HTTP proxies (3).

Recommended real-time IOC sources

  • MITRE ATT&CK (groups) (15)
  • Malpedia — Handala actor card (10)
  • Splunk Threat Research — Handala Wiper story (4)
  • SOCRadar IOC Radar (2)
  • Unit 42 Threat Brief Iran 2026 (6)
  • Check Point Research — Void Manticore (1)

6. DETECTION & COUNTERMEASURES

Priority technique 1 — Phishing initial access (T1566.001 / T1566.003)

Detection logic (SIEM/EDR):

ALERT IF :
  email.attachment.extension IN [".pdf", ".zip", ".iso"]
  AND email.sender_domain NOT IN allowlist
  AND email.subject CONTAINS_ANY ["update", "fix", "remediation", "security", "alert"]
  AND process.create ON email.recipient_host
      WHERE process.image MATCHES "*\Users\*\Downloads\*"        -- dropped payload run by the user
         OR process.image MATCHES "*\Temp\ns*.tmp\*"              -- NSIS plugin scratch directory
         OR process.name == "AutoIt3.exe"
         OR process.image HAS_NO_EXTENSION                        -- extension-less NSIS file (3)
  WITHIN 300s OF email.received

Recommended tools: YARA rules (Trellix/Splunk signatures), attachment analysis sandbox, SMTP filtering with behavioral analysis (3)(4)(14).

Priority technique 2 — Process Hollowing via RegAsm.exe (T1055.012)

Detection logic (EDR):

ALERT IF :
  process.name == "RegAsm.exe"
  AND process.parent NOT IN ["msiexec.exe", "msbuild.exe", "devenv.exe"]   -- installers and build hosts that legitimately register assemblies; tune per estate
  AND (process.has_network_connection == TRUE                                -- RegAsm registers assemblies and has no reason to talk to the network
       OR process.memory.injected == TRUE)

Recommended tools: EDR with memory injection detection (CrowdStrike Falcon, SentinelOne), monitoring of legitimate .NET processes with abnormal network activity (3)(4).
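The two rules above (the phishing-delivered installer chain and RegAsm.exe hollowing) can be tested together as one endpoint detection that walks the process tree. The following Python is an added example written for this report, not code from the report's sources or from any vendor. It runs over constructed Sysmon-style events (hosts, PIDs, paths and the file name "Remediation" are invented for illustration; the parent allowlist and the NSIS %TEMP%\ns*.tmp pattern are assumptions to tune per estate) and flags a RegAsm.exe instance that opens a network connection, enriched with evidence gathered from its ancestors.

```python
import re

# Constructed Sysmon-style endpoint telemetry (not from any real incident). Event 1 = process
# create, Event 3 = network connection. Hosts, PIDs, paths and the file name "Remediation" are
# illustrative; the chain shape (installer -> AutoIt -> RegAsm.exe -> Telegram) follows the report.
EVENTS = [
    {"id": 1, "ts": 100, "host": "WS01", "pid": 4001, "ppid": 900,
     "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "ts": 105, "host": "WS01", "pid": 4010, "ppid": 4001,
     "image": r"C:\Users\alice\Downloads\crowdstrike_fix\Remediation"},      # extension-less NSIS installer
    {"id": 1, "ts": 106, "host": "WS01", "pid": 4011, "ppid": 4010,
     "image": r"C:\Users\alice\AppData\Local\Temp\nsa3F2.tmp\AutoIt3.exe"},  # NSIS extracts to %TEMP%\ns*.tmp
    {"id": 1, "ts": 107, "host": "WS01", "pid": 4012, "ppid": 4011,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"id": 3, "ts": 109, "host": "WS01", "pid": 4012, "dest": "api.telegram.org", "dport": 443},
    # Benign control: an MSI install registering a COM-visible assembly, no network activity.
    {"id": 1, "ts": 200, "host": "WS02", "pid": 5001, "ppid": 700,
     "image": r"C:\Windows\System32\msiexec.exe"},
    {"id": 1, "ts": 201, "host": "WS02", "pid": 5002, "ppid": 5001,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"},
]

# Parents from which RegAsm.exe is expected in a build/packaging context. Assumption: tune per estate.
EXPECTED_REGASM_PARENTS = {"msiexec.exe", "msbuild.exe", "devenv.exe"}
NSIS_TEMP_DIR = re.compile(r"\\Temp\\ns\w{3,6}\.tmp\\", re.I)                      # NSIS plugin scratch dir
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def index_processes(events):
    """Map (host, pid) -> process-create event so parents can be resolved."""
    return {(e["host"], e["pid"]): e for e in events if e["id"] == 1}


def ancestry(procs, host, pid, limit=16):
    """Walk parent links from pid upward; stops when the parent is unknown or at `limit`."""
    chain, key = [], (host, pid)
    while key in procs and len(chain) < limit:
        chain.append(procs[key])
        key = (host, procs[key]["ppid"])
    return chain


def detect_regasm_hollowing(events):
    """Flag RegAsm.exe instances that open network connections, enriched with ancestry evidence."""
    procs = index_processes(events)
    findings = []
    for net in (e for e in events if e["id"] == 3):
        proc = procs.get((net["host"], net["pid"]))
        if proc is None or basename(proc["image"]) != "regasm.exe":
            continue
        chain = ancestry(procs, net["host"], net["pid"])
        parent = chain[1] if len(chain) > 1 else None
        parent_name = basename(parent["image"]) if parent else "unknown"
        # RegAsm registers assemblies; it has no legitimate reason to talk to the network.
        reasons = ["RegAsm.exe connected to %s:%d" % (net["dest"], net["dport"])]
        if parent_name not in EXPECTED_REGASM_PARENTS:
            reasons.append("unexpected parent: " + parent_name)
        ancestors = chain[1:]
        if any(NSIS_TEMP_DIR.search(p["image"]) for p in ancestors):
            reasons.append("ancestor runs from an NSIS temp directory")
        if any(basename(p["image"]) == "autoit3.exe" for p in ancestors):
            reasons.append("AutoIt interpreter in ancestry")
        if any(USER_WRITABLE.search(p["image"]) for p in ancestors):
            reasons.append("ancestor launched from a user-writable path")
        if net["dest"].lower().endswith("telegram.org"):
            reasons.append("destination is the Telegram API")
        findings.append({
            "host": net["host"], "pid": net["pid"],
            "chain": [basename(p["image"]) for p in chain],
            "reasons": reasons,
            "severity": "critical" if len(reasons) >= 4 else "high",
        })
    return findings


if __name__ == "__main__":
    for f in detect_regasm_hollowing(EVENTS):
        print(f["severity"].upper(), f["host"], " <- ".join(f["chain"]))
        for r in f["reasons"]:
            print("   -", r)
```

The hollowed process keeps the legitimate RegAsm.exe image path, so the detection keys on behaviour (a network connection) and lineage rather than on the image itself; the benign msiexec.exe case on WS02 produces no finding because RegAsm never touches the network there.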

Priority technique 3 — Wiper via Group Policy (T1484.001 + T1561.001)

Detection logic (SIEM):

ALERT IF :
  ( (event.id == 5136 AND object.class == "groupPolicyContainer")                       -- Directory Service Changes auditing: GPO container modified
    OR (event.id == 4663 AND file.path MATCHES "*\SYSVOL\*\Policies\{*}\*\Scripts\*"     -- SYSVOL file auditing: logon/startup script or scripts.ini written
        AND access CONTAINS "Write") )
  AND modified_by NOT IN ["change_management_accounts"]
ESCALATE TO CRITICAL IF :
  script.content CONTAINS_ANY ["handala", "del /f /s /q", "format ", "diskpart", "cipher /w", "vssadmin delete shadows"]
  OR script.content LAUNCHES an executable from a UNC path                                -- payload run from the DC share, nothing written to the client disk (1)

Matching on ".bat" alone, as is sometimes done, fires on every routine batch logon script; alert on the write itself and let the content and the author decide severity.

Recommended tools: GPO change monitoring (Microsoft Defender for Identity), Directory Service Changes auditing (Event ID 5136) on groupPolicyContainer objects, object-access auditing (Event ID 4663) on the SYSVOL Policies share, versioned GPO backups for diff-based review (1)(4).
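The following Python is an added example written for this report, not code from the report's sources or from any vendor. It applies the rule above to constructed Windows audit events (Event 5136 GPO container modification and Event 4663 SYSVOL writes; the domain, GPO GUIDs, account names and script bodies are invented, and the assumption is that the SIEM can fetch the written script from SYSVOL for content scoring). The UNC-executable heuristic is this example's own guess at how a payload launched from the DC share would appear in a logon script.

```python
import re

GPO_A = "{0F1E2D3C-1111-4222-8333-444455556666}"   # constructed GPO GUIDs, not real policies
GPO_B = "{ABCDEF01-2222-4333-8444-555566667777}"
CHANGE_MGMT_ACCOUNTS = {r"CORP\gpo-admin"}         # assumption: accounts permitted to edit GPOs


def sysvol(gpo, rel):
    """Build a SYSVOL path for a GPO artefact; rel is relative to the policy folder."""
    return r"\\corp.example\SYSVOL\corp.example\Policies" + "\\" + gpo + "\\" + rel


# Constructed Windows audit events (not from a real incident). 5136 = directory service object
# modified (GPO container version bump); 4663 = file object accessed (SYSVOL write auditing).
EVENTS = [
    {"id": 5136, "ts": 1000, "subject": r"CORP\svc_backup",
     "object": "CN=" + GPO_A + ",CN=Policies,CN=System,DC=corp,DC=example", "attribute": "versionNumber"},
    {"id": 4663, "ts": 1002, "subject": r"CORP\svc_backup", "access": "WriteData",
     "path": sysvol(GPO_A, r"User\Scripts\Logon\update.bat")},
    {"id": 4663, "ts": 1003, "subject": r"CORP\svc_backup", "access": "WriteData",
     "path": sysvol(GPO_A, r"User\Scripts\scripts.ini")},
    # Routine change by the change-management account: a drive-mapping script.
    {"id": 4663, "ts": 5000, "subject": r"CORP\gpo-admin", "access": "WriteData",
     "path": sysvol(GPO_B, r"User\Scripts\Logon\mapdrives.bat")},
]

# Constructed script bodies as a SIEM might fetch them from SYSVOL after the write event.
SCRIPT_CONTENT = {
    sysvol(GPO_A, r"User\Scripts\Logon\update.bat"): "\n".join([
        "@echo off",
        r"\\dc01.corp.example\netlogon\handala.exe",     # payload executed from the DC share
        r"del /f /s /q %USERPROFILE%\*.*",
    ]),
    sysvol(GPO_B, r"User\Scripts\Logon\mapdrives.bat"): "\n".join([
        "@echo off",
        r"net use H: \\fs01.corp.example\home",
    ]),
}

SCRIPT_PATH = re.compile(
    r"\\Policies\\(\{[0-9A-Fa-f-]{36}\})\\(User|Machine)\\Scripts\\(Logon|Logoff|Startup|Shutdown)\\", re.I)
SCRIPTS_INI = re.compile(
    r"\\Policies\\(\{[0-9A-Fa-f-]{36}\})\\(User|Machine)\\Scripts\\scripts\.ini$", re.I)

# (pattern, weight, label): content heuristics that raise severity; extend from your own wiper cases.
DESTRUCTIVE = [
    (re.compile(r"\bdel\s+(?:/[fsqa]\s+)+", re.I), 3, "recursive forced delete"),
    (re.compile(r"\b(format|diskpart)\b|cipher\s+/w", re.I), 3, "disk/format tooling"),
    (re.compile(r"vssadmin\s+delete\s+shadows|\bbcdedit\b", re.I), 3, "backup/boot tampering"),
    (re.compile(r"\\\\[\w.-]+\\[\w$.-]+\\\S*\.exe", re.I), 2, "executable run from a UNC share"),
    (re.compile(r"handala", re.I), 3, "Handala string"),
]


def detect_gpo_script_changes(events, script_content, window=300):
    """Alert on any logon/startup script write in SYSVOL; raise the score with context and content."""
    gpo_mods = [e for e in events if e["id"] == 5136]
    findings = []
    for e in events:
        if e["id"] != 4663 or "Write" not in e["access"]:
            continue
        m = SCRIPT_PATH.search(e["path"]) or SCRIPTS_INI.search(e["path"])
        if not m:
            continue
        gpo = m.group(1)
        score = 2
        reasons = ["script artefact written in GPO %s: %s" % (gpo, e["path"].rsplit("\\", 1)[-1])]
        if e["subject"] not in CHANGE_MGMT_ACCOUNTS:
            score += 3
            reasons.append("written by %s, not a change-management account" % e["subject"])
        if any(g["object"].startswith("CN=" + gpo) and abs(g["ts"] - e["ts"]) <= window for g in gpo_mods):
            score += 1
            reasons.append("GPO container modified within %ds (Event 5136)" % window)
        for rx, weight, label in DESTRUCTIVE:
            if rx.search(script_content.get(e["path"], "")):
                score += weight
                reasons.append("script content: " + label)
        findings.append({"gpo": gpo, "subject": e["subject"], "score": score, "reasons": reasons,
                         "severity": "critical" if score >= 10 else "high" if score >= 6 else "low"})
    return findings


if __name__ == "__main__":
    for f in detect_gpo_script_changes(EVENTS, SCRIPT_CONTENT):
        print(f["severity"].upper(), f["gpo"], f["subject"], "score=%d" % f["score"])
        for r in f["reasons"]:
            print("   -", r)
```

Every script write produces a finding, so the routine mapdrives.bat change by the change-management account still surfaces at low severity for the audit trail, while the same-GPO scripts.ini rewrite by an unexpected account is high even before its content is known.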

Priority technique 4 — MDM / Microsoft Intune abuse (T1078 + T1485)

Detection logic (SIEM / CASB):

ALERT IF :
  source == "Intune"
  AND action IN ["device_wipe", "retire_device"]
  AND COUNT(DISTINCT target.device) BY initiator.account WITHIN 10m > 5      -- volume alone is sufficient to alert
ESCALATE TO CRITICAL IF :
  initiator.account NOT IN ["known_admin_accounts"]
  OR time NOT IN ["maintenance_windows"]
  OR initiator.source_ip NOT IN ["known_admin_locations"]

The bulk-count condition must fire on its own. A rule that also requires an unknown initiator never fires when a legitimate administrator account is itself compromised, which is the vector recorded for the Stryker case (7).

Recommended tools: CASB with cloud administration action monitoring, phishing-resistant MFA on M365/Intune admin accounts, alerting on bulk wipe commands (6)(7).
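The following Python is an added example written for this report, not code from the report's sources or from Microsoft. It applies the rule above to constructed Intune audit records (the tenant, account names, device names and maintenance window are invented; the "Wipe ManagedDevice" / "Retire ManagedDevice" operation names are an assumption about how the audit log labels these actions and must be confirmed against your own tenant's export). Three cases are built: a small wipe of lost laptops by the real admin inside the maintenance window, a helpdesk account retiring seven devices, and the compromised-admin case in which the legitimate admin account wipes forty devices at 03:12.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

KNOWN_ADMINS = {"mdm-admin@corp.example"}                 # assumption: the tenant's Intune admins
MAINTENANCE_WINDOWS = [                                   # assumption: approved change windows (UTC)
    (datetime(2026, 3, 14, 20, 0, tzinfo=timezone.utc), datetime(2026, 3, 14, 23, 0, tzinfo=timezone.utc)),
]
# Operation names are assumed to follow the "<Action> ManagedDevice" form of the Intune audit log;
# confirm against your tenant's export before deploying.
WIPE_OPERATIONS = {"Wipe ManagedDevice", "Retire ManagedDevice"}
BULK_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def make_events():
    """Constructed audit records (not real tenant data) covering three cases."""
    utc = timezone.utc
    ev = []
    # 1. Three lost laptops wiped by the real admin inside the maintenance window: expected, no alert.
    t = datetime(2026, 3, 14, 20, 5, tzinfo=utc)
    ev += [{"ts": t + timedelta(minutes=i), "actor": "mdm-admin@corp.example",
            "operation": "Wipe ManagedDevice", "device": "LOST-%d" % i} for i in range(3)]
    # 2. A helpdesk account with no admin role retires seven devices, also inside the window.
    t = datetime(2026, 3, 14, 21, 0, tzinfo=utc)
    ev += [{"ts": t + timedelta(seconds=30 * i), "actor": "helpdesk-temp@corp.example",
            "operation": "Retire ManagedDevice", "device": "WS-%04d" % i} for i in range(7)]
    # 3. The real admin account, at 03:12, wipes forty devices in eighty seconds: the compromised-admin case.
    t = datetime(2026, 3, 15, 3, 12, tzinfo=utc)
    ev += [{"ts": t + timedelta(seconds=2 * i), "actor": "mdm-admin@corp.example",
            "operation": "Wipe ManagedDevice", "device": "WS-%04d" % (100 + i)} for i in range(40)]
    return sorted(ev, key=lambda e: e["ts"])


def in_maintenance(ts):
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def bursts(evs, window):
    """Split one actor's events into runs that each fit inside `window` from the run's first event."""
    out, cur = [], []
    for e in sorted(evs, key=lambda e: e["ts"]):
        if cur and e["ts"] - cur[0]["ts"] > window:
            out.append(cur)
            cur = []
        cur.append(e)
    if cur:
        out.append(cur)
    return out


def detect_bulk_wipes(events, threshold=BULK_THRESHOLD, window=WINDOW):
    """Bulk wipe/retire volume alone fires the alert; who did it and when only set severity."""
    by_actor = defaultdict(list)
    for e in events:
        if e["operation"] in WIPE_OPERATIONS:
            by_actor[e["actor"]].append(e)
    findings = []
    for actor, evs in by_actor.items():
        for run in bursts(evs, window):
            devices = {e["device"] for e in run}
            if len(devices) <= threshold:
                continue
            reasons = ["%d devices wiped/retired within %s" % (len(devices), window)]
            if actor not in KNOWN_ADMINS:
                reasons.append("initiator is not a known MDM admin")
            if not in_maintenance(run[0]["ts"]):
                reasons.append("outside an approved maintenance window")
            findings.append({"actor": actor, "start": run[0]["ts"], "devices": len(devices),
                             "reasons": reasons, "severity": "critical" if len(reasons) > 1 else "high"})
    return findings


if __name__ == "__main__":
    for f in detect_bulk_wipes(make_events()):
        print(f["severity"].upper(), f["actor"], f["start"].isoformat(), "%d devices" % f["devices"])
        for r in f["reasons"]:
            print("   -", r)
```

The compromised-admin burst is caught purely on volume and timing; an allowlist check on the initiator would have passed it. Lower the threshold for estates where mass wipes are never performed from the console, and pair the alert with the dual-approval control listed below.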

Organizational countermeasures

  • Deploy phishing-resistant MFA (FIDO2/passkey) on all VPN access and cloud administration accounts (2)(6)
  • Review MDM platform administrative rights with least-privilege principle; require dual approval for bulk wipe operations (7)
  • Monitor GPO changes: versioning and alerting on any logon script additions (1)(4)
  • Raise awareness of social engineering lures exploiting current cybersecurity events (3)
  • Wiper-oriented resilience: tested offline backups, documented system rebuild procedures, wiper-scenario disaster recovery exercises (8)
  • Network segmentation limiting lateral movement from the Domain Controller (1)
  • Block or strictly monitor outbound calls to api.telegram.org from endpoints and servers (3)
  • Monitor transfers to non-approved cloud platforms (Storj, Mega) via proxy/CASB (8)
  • Integrate Handala/Void Manticore public IOC feeds into SIEM/SOAR platforms with weekly freshness review (2)(4)

SOURCES

  1. Check Point Research — “Handala Hack” — Unveiling Group’s Modus Operandi (March 2026) : https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/
  2. SOCRadar — Dark Web Profile: Handala Hack (March 2026) : https://socradar.io/blog/dark-web-profile-handala-hack/
  3. Splunk / Cisco Talos — Handala’s Wiper: Threat Analysis and Detections (July 2024) : https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html
  4. Splunk Threat Research — Analytics Story: Handala Wiper (July 2024) : https://research.splunk.com/stories/handala_wiper/
  5. KELA Cyber Intelligence — Handala Hack: Telegram Breach of Israeli Officials (January 2026) : https://www.kelacyber.com/blog/handala-hack-telegram-breach-israeli-officials/
  6. Unit 42 / Palo Alto Networks — Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran (March 2026) : https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
  7. Securonix — Iran-backed Handala wiper attack devastates Stryker globally (March 2026) : https://connect.securonix.com/threat-research-intelligence-62/iran-backed-handala-wiper-attack-devastates-stryker-globally-230
  8. OP Innovate — Disrupting Handala: Did OP Innovate Help Silence a Major Cyber Threat? (May 2025) : https://op-c.net/blog/did-op-innovate-disrupt-handala-cyber-threat/
  9. Cyberint — Handala Hack: What We Know About the Rising Threat Actor (February 2025) : https://cyberint.com/blog/threat-intelligence/handala-hack-what-we-know-about-the-rising-threat-actor/
  10. Malpedia — Handala (Threat Actor) : https://malpedia.caad.fkie.fraunhofer.de/actor/handala
  11. Ransomlook — Handala details : https://www.ransomlook.io/group/handala
  12. Brandefense — Handala: The Rise Of A Decentralized Pro-Palestinian Hacktivist Collective (December 2025) : https://brandefense.io/blog/handala-apt-2025/
  13. Andrey Pautov / InfoSec Write-ups — CTI Research: Handala Hack Group (March 2026) : https://medium.com/@1200km/cti-research-handala-hack-group-aka-handala-hack-team-ddbdd294cfb8
  14. Trellix — Handala’s Wiper Targets Israel : https://www.trellix.com/blogs/research/handalas-wiper-targets-israel/
  15. MITRE ATT&CK — Tactics and Techniques Reference : https://attack.mitre.org/

This report is produced on the basis of publicly available open sources (vendors, CERTs, independent researchers) consolidated as of March 16, 2026. It does not rely on any classified source. Attribution to MOIS/Void Manticore is based on convergence across five or more independent vendors and public government sources; it should be treated as a high-confidence cluster-level assessment, not as exclusive proof for every actor-branded incident. IOCs have a limited lifespan and must be validated before any operational use. This report is unrestricted (TLP:CLEAR).