Also Known As: Void Manticore, Red Sandstorm, Banished Kitten, Storm-842, Dune
Attribution: Iran Ministry of Intelligence and Security (MOIS)
First Observed: December 18, 2023
Primary Operations: Destructive wiper attacks, hack-and-leak campaigns, data exfiltration
Executive Summary
Handala Hack is an Iranian state-sponsored threat actor operating as a public-facing hacktivist persona for Void Manticore, a cyber unit within Iran’s Ministry of Intelligence and Security (MOIS). The group presents itself as pro-Palestinian digital vigilantes but is assessed with high confidence by multiple intelligence agencies and cybersecurity vendors to be a sophisticated state actor conducting destructive cyber operations in support of Iranian geopolitical objectives. Since emerging in late 2023, Handala has evolved from primarily targeting Israeli infrastructure to conducting high-profile attacks against United States targets, including a medical technology company and a senior United States government official.
The United States Department of Justice has tied Handala directly to MOIS operations and offers a $10 million bounty for information leading to the identification or location of group members. The group operates with unprecedented boldness, combining traditional espionage tradecraft with aggressive hack-and-leak tactics and direct threats against individuals perceived as opposing Iranian interests.
Attribution and Organizational Structure
Multiple independent intelligence sources, including Check Point Research, Palo Alto Networks Unit 42, Microsoft, and the United States Justice Department, attribute Handala Hack to Void Manticore, a threat cluster operating under the supervision of Iran’s Ministry of Intelligence and Security. According to public reporting by Iranian researcher Nariman Gharib, Void Manticore overlaps with activity linked to the MOIS Internal Security Deputy, particularly its Counter-Terrorism Division, which was reportedly supervised by Seyed Yahya Hosseini Panjaki until his reported death in Israeli strikes on Iran in early March 2026.
Handala operates as one of several public-facing personas maintained by Void Manticore. Other confirmed personas include Homeland Justice (active mid-2022 to late 2023, primarily targeting Albania) and Karma (active 2023-2024, primarily targeting Israel). Analysis by Check Point Research revealed that intrusions linked to all three personas exhibit highly similar tactics, techniques, procedures, and code overlaps in their custom wiper malware. In some incidents, victim-facing messaging was attributed to Karma while stolen data was ultimately leaked through Handala channels, suggesting organizational overlap or transition between personas.
The group’s name and imagery are derived from Handala, a political cartoon character created by Palestinian cartoonist Naji al-Ali, representing Palestinian resistance. This symbolic appropriation is designed to position the group’s operations as grassroots activism rather than state-sponsored cyber warfare, a common tactic among Iranian cyber operations to maintain plausible deniability while conducting strategic attacks.
Operational Timeline and Evolution
Mid-2022 to Late 2023: Parent organization Void Manticore operates primarily under the Homeland Justice persona, conducting destructive attacks against Albanian government and telecommunications infrastructure.
December 18, 2023: Handala Hack emerges publicly with the simultaneous launch of a Telegram channel and an X (formerly Twitter) account. Initial operations focus on Israeli targets.
2024: Handala becomes the dominant public-facing persona for Void Manticore operations. Karma persona gradually phases out, with Handala taking over as primary brand for Israeli-focused campaigns. Group conducts multiple wiper attacks against Israeli critical infrastructure.
Late 2024 to Early 2025: Operational security begins to degrade as group increases attack tempo. Direct connections from Iranian IP addresses observed, replacing previous discipline of consistently egressing through commercial VPN infrastructure.
January 2026: Following internet shutdowns in Iran, group begins operating through Starlink IP ranges, marking significant shift in operational tradecraft.
March 11, 2026: Handala conducts one of the most severe Iranian wartime cyberattacks to date against Stryker Corporation, a Michigan-based medical technology company with more than 50,000 employees worldwide. The attack wiped approximately 200,000 devices and exfiltrated large volumes of sensitive data. Group claims attack was retaliation for suspected United States strikes that killed Iranian schoolchildren.
Mid-March 2026: United States Justice Department seizes multiple Handala internet domains and properties. Group quickly restores operations through new infrastructure.
March 27, 2026: Handala claims breach of FBI Director Kash Patel’s personal email account, publishing more than 300 emails spanning 2010 to 2019, along with personal photographs and sensitive communications from his time at the Justice Department, FBI, and National Security Council. The breach represents a dramatic escalation in targeting United States government officials and occurs just days after the domain seizures.
March 31, 2026: Group claims breach of IranWire, a United States-funded independent journalism organization covering Iran and the Middle East, potentially compromising journalist sources and communications.
Notable Victims and Targeting
Handala’s targeting has expanded significantly from its initial focus on Israeli infrastructure to include United States organizations, European entities, and organizations perceived as opposing Iranian interests:
High-Profile United States Targets:
- Stryker Corporation – Medical technology company, destructive wiper attack (March 2026)
- FBI Director Kash Patel – Personal email breach and document leak (March 2026)
- Maryland hospitals and medical services (alleged, under investigation)
- IranWire – United States-funded journalism organization (March 2026)
Israeli Targets:
- Multiple critical infrastructure sectors throughout 2024-2025
- Government entities
- Telecommunications providers
- Energy sector organizations
Albanian Targets (via Homeland Justice persona):
- Government agencies (2022-2023)
- Telecommunications infrastructure (2022-2023)
Additional Operations:
- Direct death threats against Iranian-American and Iranian-Canadian influencers
- Doxxing campaigns against individuals perceived as opposing Iranian regime
- Supply chain attacks targeting IT service providers for credential harvesting
Tactics, Techniques, and Procedures
Handala operates with a distinctive set of tactics that have remained largely consistent since 2023, though the group has incorporated some new techniques in 2026:
Initial Access:
The group relies heavily on compromised VPN credentials, frequently obtained through supply chain attacks against the IT and managed service providers that administer victim networks. Handala also runs extensive brute-force campaigns against organizational VPN infrastructure, typically from commercial VPN nodes whose machines still carry the hostnames Windows generates at setup (DESKTOP- followed by seven alphanumeric characters on client editions, WIN- followed by eleven on server editions; see the Machine Names list below). Following internet restrictions in Iran, the group began operating from Starlink IP ranges, a significant operational shift. In many 2026 incidents operational security has degraded substantially, with direct connections from Iranian IP addresses observed alongside, or instead of, VPN egress points.
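As an added example (not code from the page or from any of the vendors it cites), the following Python triages a constructed VPN authentication log for the three access signals described above: source addresses inside the Starlink and commercial VPN ranges listed in the Indicators of Compromise section, client machines that still report a Windows default hostname, and a successful logon that follows a burst of failures from the same source. The /24 boundaries, the log format and the log lines are assumptions made for the example; the two hostnames are the ones the page lists.

```python
"""Triage constructed VPN authentication events for Handala-style access
patterns. Added example; not part of the original page."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The page lists ranges as "a.b.c.X"; treating each as a /24 is an assumption.
WATCHED_PREFIXES = {
    "188.92.255.0/24": "starlink",
    "209.198.131.0/24": "starlink",
    "149.88.26.0/24": "commercial-vpn",
    "169.150.227.0/24": "commercial-vpn",
}
WATCHED_NETWORKS = [(ipaddress.ip_network(p), label)
                    for p, label in WATCHED_PREFIXES.items()]

# Names Windows assigns when setup is not given a computer name:
# DESKTOP- plus 7 alphanumerics (client), WIN- plus 11 (server).
DEFAULT_HOSTNAME = re.compile(r"^(DESKTOP-[A-Z0-9]{7}|WIN-[A-Z0-9]{11})$", re.I)


@dataclass
class AuthEvent:
    ts: str
    user: str
    src_ip: str
    hostname: str
    result: str  # "success" or "failure"


def parse_line(line: str) -> AuthEvent:
    """Assumed log format: ts user src_ip client_hostname result."""
    ts, user, src_ip, hostname, result = line.split()
    return AuthEvent(ts, user, src_ip, hostname, result)


def classify_source(ip: str) -> Optional[str]:
    """Label of the watched range containing ip, or None for any other address."""
    addr = ipaddress.ip_address(ip)
    for net, label in WATCHED_NETWORKS:
        if addr in net:
            return label
    return None


def triage(lines, failure_threshold: int = 5) -> List[Tuple[str, str, str, List[str]]]:
    """Return (ts, user, src_ip, reasons) for every event that matches a signal.
    Failures are counted per source in arrival order, so a success is flagged
    only when the threshold was already reached before it."""
    failures = defaultdict(int)
    findings = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        reasons = []
        label = classify_source(e.src_ip)
        if label:
            reasons.append(f"source in watched {label} range")
        if DEFAULT_HOSTNAME.match(e.hostname):
            reasons.append("client reports a default Windows hostname")
        if e.result == "failure":
            failures[e.src_ip] += 1
        elif failures[e.src_ip] >= failure_threshold:
            reasons.append(f"success after {failures[e.src_ip]} failures from same source")
        if reasons:
            findings.append((e.ts, e.user, e.src_ip, reasons))
    return findings


# Constructed sample log (not real telemetry). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for ordinary users.
SAMPLE_LOG = """\
2026-03-10T02:11:03Z jsmith     203.0.113.7     LAPTOP-JSMITH   success
2026-03-10T02:14:21Z svc_backup 169.150.227.44  DESKTOP-FK1NPHF failure
2026-03-10T02:14:23Z svc_backup 169.150.227.44  DESKTOP-FK1NPHF failure
2026-03-10T02:14:25Z svc_backup 169.150.227.44  DESKTOP-FK1NPHF failure
2026-03-10T02:14:27Z svc_backup 169.150.227.44  DESKTOP-FK1NPHF failure
2026-03-10T02:14:29Z svc_backup 169.150.227.44  DESKTOP-FK1NPHF failure
2026-03-10T02:14:31Z svc_backup 169.150.227.44  DESKTOP-FK1NPHF success
2026-03-10T02:19:55Z admin      209.198.131.20  WIN-P1B7V100IIS success
2026-03-10T02:21:00Z mjones     198.51.100.9    MJONES-PC       success
"""

if __name__ == "__main__":
    for ts, user, ip, reasons in triage(SAMPLE_LOG.splitlines()):
        print(ts, user, ip, "; ".join(reasons))
```

None of the three signals is conclusive on its own (Starlink and commercial VPN ranges serve legitimate subscribers, and a freshly built laptop also has a default hostname), so the function reports reasons rather than a verdict and leaves scoring to the analyst or SIEM rule that consumes it.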
Credential Access:
Once inside a target network, Handala deploys several credential harvesting techniques: dumping LSASS memory by invoking the MiniDump export of comsvcs.dll through rundll32.exe, exporting the Security Account Manager (SAM) registry hive (for example with reg save), and Active Directory reconnaissance with tools such as ADRecon. The group typically establishes access well in advance of destructive operations, maintaining persistence for weeks or months before striking. In the hours before launching a wiper, Handala re-validates the compromised credentials and tests authentication to ensure the destructive phase will succeed.
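The three credential-access techniques above all leave a recognisable command line in process-creation telemetry (Sysmon Event ID 1 or Security Event 4688). As an added example, not taken from the page or from any vendor report, the Python below applies one regular expression per technique to constructed process records; the sample events, the record layout and the patterns themselves are assumptions written for this illustration.

```python
"""Flag the credential-access tradecraft described above in process-creation
records. Added example; not part of the original page."""
import re
from typing import Dict, List, Tuple

# Each rule is (name, regex over the full command line), written for the
# specific techniques the page attributes to Handala.
RULES = [
    # rundll32 calling the MiniDump export (by name or ordinal #24) of
    # comsvcs.dll, the living-off-the-land way to dump LSASS memory
    ("lsass_dump_comsvcs",
     re.compile(r"rundll32(\.exe)?\b.*comsvcs(\.dll)?\s*,?\s*(#24|MiniDump)\b", re.I)),
    # reg.exe saving or exporting the SAM/SYSTEM/SECURITY hives
    ("registry_hive_export",
     re.compile(r"\breg(\.exe)?\s+(save|export)\s+"
                r"(hklm|hkey_local_machine)\\(sam|system|security)\b", re.I)),
    # ADRecon invoked as a PowerShell script
    ("adrecon_enumeration", re.compile(r"\bADRecon\.ps1\b", re.I)),
]


def match_rules(cmdline: str) -> List[str]:
    """Names of every rule whose pattern matches the command line."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, user, rule, cmdline) for each matching event, in order."""
    hits = []
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            hits.append((ev["host"], ev["user"], rule, ev["cmdline"]))
    return hits


# Constructed sample events (not real telemetry). Raw strings keep the
# Windows backslashes intact.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full"},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": r"rundll32.exe comsvcs.dll,#24 712 \\dc01\share\x.dmp full"},
    {"host": "WS22", "user": "CORP\\admin",
     "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"host": "WS22", "user": "CORP\\admin",
     "cmdline": r"reg.exe save hklm\system C:\Windows\Temp\sys.hiv"},
    {"host": "WS22", "user": "CORP\\admin",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\ADRecon.ps1 -Collect Users,Computers"},
    {"host": "WS07", "user": "CORP\\jsmith",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl"},
    {"host": "WS07", "user": "CORP\\jsmith",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for host, user, rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{host} {user} {rule}: {cmd}")
```

The SAM rule deliberately also covers the SYSTEM hive, because the SAM cannot be decrypted offline without the boot key stored there, so an operator who saves one almost always saves the other. The patterns are tolerant of the usual cosmetic variations (ordinal instead of export name, missing .exe, odd spacing) but not of encoded or proxied execution, which needs parent-process and image-load context that a command-line regex cannot supply.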
Lateral Movement:
Handala operates in a highly manual, hands-on manner, conducting lateral movement primarily through Remote Desktop Protocol sessions. The group takes a patient, methodical approach, manually connecting to systems via RDP and using web browsers on compromised hosts to download additional tools directly from official vendor websites. In 2026, Handala began deploying NetBird, a zero-trust mesh networking platform, to create tunneled connections between compromised systems. By installing NetBird on multiple machines within victim environments, the group establishes robust internal connectivity that accelerates destructive operations. Security researchers observed at least five distinct attacker-controlled machines operating simultaneously within single victim networks during recent incidents.
Wiping Operations:
Handala’s destructive operations represent the group’s most distinctive characteristic. The threat actor deploys multiple wiping techniques simultaneously to maximize impact and ensure data destruction even if individual methods fail. Distribution typically occurs through Group Policy logon scripts, allowing rapid propagation across enterprise networks.
Custom Handala Wiper: A purpose-built executable that overwrites file contents and corrupts the Master Boot Record. It is deployed as a scheduled task pushed through Group Policy and executes from the Domain Controller rather than from a copy on the target, so the binary is never written to the victim host's local disk, which complicates forensic analysis.
AI-Assisted PowerShell Wiper: A PowerShell-based component distributed through Group Policy that enumerates user directories and systematically deletes files. Code structure and detailed comments suggest the script was developed with artificial intelligence assistance. The wiper also attempts to fill remaining disk space by repeatedly copying a GIF file until storage capacity is exhausted.
Legitimate Tool Abuse: Handala operators manually download and deploy VeraCrypt disk encryption software from official sources, using it to encrypt system drives and further complicate recovery efforts. This technique adds redundancy to destructive operations while leveraging trusted software to potentially evade security controls.
Manual Deletion: In many cases, Handala operators simply connect via RDP and manually delete files, virtual machines, or entire directory structures. This straightforward approach has proven effective and is documented in the group’s own leaked operational videos.
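Two of the behaviours above, the PowerShell wiper's sweep through user directories and its attempt to exhaust the disk by copying one GIF over and over, are visible in endpoint file-activity telemetry before the damage is complete. As an added example (not code from the page or from the group's tooling), the Python below runs two heuristics over constructed file events: a per-process sliding window for bulk deletions under user profiles, and a count of same-sized writes by one process whose total crosses a size threshold. The event schema, thresholds and sample data are assumptions made for the example.

```python
"""Detect the wiper behaviours described above in constructed endpoint
file-activity telemetry. Added example; not part of the original page."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Set, Tuple

USER_PROFILE_ROOT = "c:\\users\\"


@dataclass
class FileEvent:
    ts: float       # seconds since epoch (constructed)
    host: str
    process: str
    op: str         # "create" or "delete"
    path: str
    size: int       # bytes written for "create", 0 for "delete"


def find_bulk_deletes(events: List[FileEvent], threshold: int = 50,
                      window_s: float = 60.0) -> Set[Tuple[str, str]]:
    """(host, process) pairs that delete >= threshold files under user
    profiles within any window_s-second window (sliding window per process)."""
    recent = defaultdict(deque)
    hits = set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.op != "delete" or not e.path.lower().startswith(USER_PROFILE_ROOT):
            continue
        q = recent[(e.host, e.process)]
        q.append(e.ts)
        while q and e.ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            hits.add((e.host, e.process))
    return hits


def find_disk_fill(events: List[FileEvent], min_copies: int = 20,
                   min_bytes: int = 1 << 30) -> Set[Tuple[str, str]]:
    """(host, process) pairs that write many files of identical size whose
    total exceeds min_bytes: the signature of copying one file until full."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.op == "create" and e.size > 0:
            counts[(e.host, e.process)][e.size] += 1
    return {key for key, by_size in counts.items()
            for size, n in by_size.items()
            if n >= min_copies and n * size >= min_bytes}


def build_sample() -> List[FileEvent]:
    """Constructed telemetry: a wiper-like powershell.exe plus benign noise."""
    t0 = 1_773_000_000.0
    ev = []
    # 120 deletions across two profiles in 30 seconds
    for i in range(120):
        user = "alice" if i % 2 else "bob"
        ev.append(FileEvent(t0 + i * 0.25, "WS11", "powershell.exe", "delete",
                            f"C:\\Users\\{user}\\Documents\\report{i}.docx", 0))
    # 40 copies of one 50 MiB image into C:\fill (2000 MiB in total)
    for i in range(40):
        ev.append(FileEvent(t0 + 40 + i, "WS11", "powershell.exe", "create",
                            f"C:\\fill\\{i}.gif", 50 * 1024 * 1024))
    # benign: a user emptying a folder, and an updater writing varied sizes
    for i in range(5):
        ev.append(FileEvent(t0 + i, "WS11", "explorer.exe", "delete",
                            f"C:\\Users\\alice\\Downloads\\old{i}.pdf", 0))
    for i in range(3):
        ev.append(FileEvent(t0 + 100 + i, "WS11", "svchost.exe", "create",
                            f"C:\\Windows\\SoftwareDistribution\\u{i}.cab", 1_000_000 + i))
    return ev


if __name__ == "__main__":
    sample = build_sample()
    print("bulk deletes:", find_bulk_deletes(sample))
    print("disk fill:", find_disk_fill(sample))
```

Both heuristics key on (host, process) rather than on a hash, which matters here because the page describes a script pushed by Group Policy and run by the ordinary PowerShell host; the thresholds should be tuned against a baseline, since backup agents and profile cleanup tools legitimately delete in bulk.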
Anti-Forensic Techniques:
Handala implements cleanup procedures designed to impede incident response and forensic investigation. After a malicious payload has run, the group removes postinstall scripts from package directories, deletes the package.json files that reference the malicious hooks, and renames clean backup manifests over the compromised ones. This manifest swapping leaves little for post-incident inspection to find, complicating both technical analysis and attribution.
Infrastructure and Operational Security
Handala’s infrastructure profile has evolved significantly throughout its operational history, reflecting both tactical adaptation and degrading operational security discipline:
2023-2024 Infrastructure:
- Consistent egress through commercial VPN segment 169.150.227.X when targeting Israeli organizations
- Israeli VPN node 146.185.219.235 used as secondary egress point
- Dedicated command and control servers (e.g., 82.25.35.25, 31.57.35.223, 107.189.19.52)
- Strong operational discipline with rare direct connections from Iranian IP space
2026 Infrastructure:
- Starlink IP ranges (188.92.255.X, 209.198.131.X) following Iranian internet restrictions
- Commercial VPN ranges (149.88.26.X, 169.150.227.X) remain in use but less consistent
- Increased direct connections from Iranian IP addresses
- Multiple domain seizures by United States authorities with rapid reconstitution
- Default Windows machine naming conventions (DESKTOP-FK1NPHF, WIN-P1B7V100IIS)
Communications Platforms:
- Primary Telegram channel (3,500+ subscribers)
- Backup Telegram channels
- Dedicated Telegram data leak channel
- X/Twitter presence (established December 2023)
- Multiple leak sites on clearnet .to domains (handala-hack.to, handala-redwanted.to); these are ordinary ccTLD registrations rather than Tor onion services
The degradation in operational security throughout 2026 likely reflects multiple factors including increased operational tempo, resource constraints from ongoing conflicts, personnel changes following the reported death of MOIS leadership, and pressure from international law enforcement actions.
Motivation and Strategic Context
While Handala presents itself as an independent pro-Palestinian hacktivist collective, the group’s targeting, timing, and sophistication clearly align with Iranian state interests. Operations consistently correlate with geopolitical events and Iranian government messaging, particularly regarding:
- Retaliation for kinetic military strikes against Iranian assets or personnel
- Psychological operations aimed at demonstrating Iranian cyber capabilities
- Disruption of critical infrastructure in nations allied with Israel or the United States
- Intelligence collection against diaspora journalists and human rights organizations
- Intimidation campaigns against individuals critical of the Iranian regime
The March 2026 Stryker attack was explicitly framed as retaliation for alleged United States involvement in strikes killing Iranian schoolchildren, while the FBI Director breach occurred days after United States seizure of Handala domains. This pattern of rapid retaliation and escalation represents a significant shift from traditional Iranian cyber operations, which historically prioritized stealth and deniability over public attribution and messaging.
Collaboration with Other Iranian Threat Actors
Handala operations frequently involve collaboration with Scarred Manticore, a separate MOIS-affiliated threat actor. In documented incidents, Scarred Manticore conducts initial espionage and reconnaissance operations before handing access to Void Manticore (Handala) for destructive finishing operations. This dual-actor handoff model allows for extended dwell time, comprehensive intelligence collection, and calculated timing of destructive impacts.
Handala operates separately from Islamic Revolutionary Guard Corps (IRGC) cyber units such as APT33, APT35, APT42, and CyberAv3ngers, representing a distinct operational line under MOIS rather than IRGC command. This organizational distinction is analytically significant, as it reflects different strategic priorities, targeting methodologies, and operational approval chains within the Iranian intelligence apparatus.
Current Threat Assessment
As of March 2026, Handala Hack represents one of the most active and dangerous Iranian state-sponsored cyber threats, particularly to United States critical infrastructure, healthcare sector, and government entities. The group’s expansion from Israeli-focused operations to aggressive targeting of United States organizations marks a significant escalation in Iranian cyber warfare posture.
Key Risk Factors:
- Demonstrated willingness to conduct destructive attacks against healthcare and critical infrastructure during active conflict
- Degrading operational security may lead to more aggressive or reckless operations
- Successful breaches of high-profile United States officials may embolden further escalation
- Direct death threats against diaspora individuals indicate potential for kinetic follow-through
- Use of AI-assisted tool development may accelerate capability enhancement
- Rapid reconstitution after law enforcement actions demonstrates resilience
Likelihood of Future Activity:
High confidence assessment that Handala will continue aggressive operations throughout 2026, with probable expansion of United States targeting and potential for additional attacks against government officials, critical infrastructure, and organizations perceived as supporting Israel or opposing Iranian interests. The reported death of MOIS Counter-Terrorism Division leadership may temporarily disrupt operations but is unlikely to significantly degrade long-term capabilities given the institutional nature of Void Manticore.
Defensive Recommendations
Organizations identified as potential Handala targets should implement comprehensive defensive measures addressing the group’s documented tactics:
Access Control and Authentication:
- Enforce multi-factor authentication for all remote access and privileged accounts
- Implement conditional access policies restricting VPN connectivity from high-risk geographies
- Monitor for authentication from Starlink IP ranges (188.92.255.X, 209.198.131.X); treat these as a triage signal rather than a block criterion, since the same ranges serve legitimate subscribers
- Flag new device registrations and first-time logins from unusual ASNs or hosting providers
- Restrict or eliminate use of long-lived access tokens in favor of time-limited credentials
Network Segmentation and Lateral Movement Prevention:
- Restrict Remote Desktop Protocol access across enterprise environment
- Monitor for RDP connections from machines with default Windows naming conventions
- Detect and restrict deployment of remote management tools including NetBird, AnyDesk, TeamViewer
- Implement network segmentation preventing lateral movement from compromised endpoints
- Monitor for unusual tunneling or mesh networking software installations
Credential Protection:
- Enable Credential Guard and other credential isolation technologies
- Monitor for LSASS dumping attempts via comsvcs.dll or similar techniques
- Audit and alert on exports of the SAM, SYSTEM and SECURITY registry hives (for example reg save HKLM\SAM), which require administrative rights and have no routine business use
- Deploy deception credentials to detect credential harvesting activity
Wiper Protection:
- Monitor Group Policy modifications, particularly logon script changes
- Restrict scheduled task creation to authorized personnel and systems
- Detect bulk file deletion or disk space exhaustion patterns
- Monitor for VeraCrypt or other encryption software installed outside approved processes
- Implement offline backup systems not accessible from production networks
Threat Intelligence Integration:
- Block known Handala command and control infrastructure; for the shared commercial VPN and Starlink ranges, prefer alerting over blocking unless the impact on legitimate users is acceptable
- Monitor for connections to Iranian IP space (particularly during off-hours)
- Subscribe to threat intelligence feeds tracking Iranian APT activity
- Implement indicators of compromise from recent Handala incidents
Indicators of Compromise
Network Infrastructure:
- 82.25.35.25 (Handala VPS)
- 31.57.35.223 (Handala VPS)
- 107.189.19.52 (Handala VPS)
- 146.185.219.235 (VPN exit node)
- 188.92.255.X (Starlink IP range)
- 209.198.131.X (Starlink IP range)
- 149.88.26.X (Commercial VPN range)
- 169.150.227.X (Commercial VPN range)
Malware Hashes:
- 5986ab04dd6b3d259935249741d3eff2 (Handala Wiper)
- 3cb9dea916432ffb8784ac36d1f2d3cd (Handala PowerShell Wiper)
- 3236facc7a30df4ba4e57fddfba41ec5 (VeraCrypt Installer; legitimate software, so a hash match shows the tool is present, not that it is malicious by itself)
- 3dfb151d082df7937b01e2bb6030fe4a (NetBird Installer; legitimate software, same caveat)
- e035c858c1969cffc1a4978b86e90a30 (NetBird; legitimate software, same caveat)
Machine Names:
- WIN-P1B7V100IIS
- DESKTOP-FK1NPHF
- DESKTOP-R1FMLQP
- WIN-DS6S0HEU0CA
- DESKTOP-T3SOB36
- WIN-GPPA5GI4QQJ
- VULTR-GUEST
- DESKTOP-HU45M79
- DESKTOP-TNFP4JF
Attribution Confidence
Very High: Multiple independent intelligence sources including United States Department of Justice, Check Point Research, Palo Alto Networks Unit 42, Microsoft, Recorded Future, Canadian government intelligence, and others assess with high confidence that Handala Hack is a persona operated by Void Manticore on behalf of Iran’s Ministry of Intelligence and Security. Attribution is based on infrastructure overlaps, code similarities between Handala and previous MOIS operations, timing correlation with Iranian geopolitical events, operational tradecraft consistent with Iranian intelligence practices, and direct statements from United States law enforcement agencies.
Sources: Check Point Research, Palo Alto Networks Unit 42, SOCRadar, Cyble, United States Department of Justice, Reuters, multiple open-source intelligence reports