Handala Hack: Threat Actor Profile

Pro-Iran Handala Hack Cybercrime Group

Also Known As: Void Manticore, Red Sandstorm, Banished Kitten, Storm-842

Attribution: Iran Ministry of Intelligence and Security (MOIS)

First Observed: 2023

Primary Operations: Destructive cyberattacks, data leaks, espionage, psychological operations

Handala Hack is a state-linked cyber threat actor operating as a public-facing persona for a broader Iranian intelligence operation widely tracked as Void Manticore. While the group presents itself as a hacktivist collective, multiple intelligence assessments attribute its activity to Iran’s Ministry of Intelligence and Security (MOIS), positioning Handala as part of a coordinated state cyber campaign rather than an independent group.

Since emerging in late 2023, Handala has evolved from regionally focused operations into a more aggressive actor targeting United States organizations, government-linked individuals, and critical infrastructure. Its operations blend data breaches, destructive attacks, and direct psychological messaging.

From Regional Actor to Global Escalation

Handala initially focused on Israeli targets but rapidly expanded its scope through 2025 and 2026, aligning attacks with broader geopolitical tensions. The group has demonstrated a willingness to target high-profile individuals and organizations while publicly amplifying its activity to maximize psychological impact.

Recent BreachNews reporting includes:

Collectively, these incidents highlight a shift toward high-visibility operations that combine alleged data exposure with destructive activity and coordinated messaging designed to amplify psychological impact.

Operational Model: Breach, Destroy, Intimidate

Handala’s operations differ from financially motivated actors. The group does not rely on ransom demands as a primary objective. Instead, it combines three core elements:

  • Data exposure: Publishing or claiming access to sensitive datasets to demonstrate reach
  • Destructive attacks: Deploying wipers and disruptive techniques to damage systems
  • Psychological pressure: Issuing threats and messaging designed to intimidate targets

This hybrid model allows the group to generate both operational impact and narrative control, often framing attacks as retaliation or warnings tied to geopolitical events.

How Handala Gains and Expands Access

Handala relies heavily on credential-based access and long-term persistence rather than rapid smash-and-grab attacks.

  • Initial access: Compromised VPN credentials, often linked to supply chain or service providers
  • Persistence: Maintaining access for extended periods before taking action
  • Credential harvesting: Extracting additional access once inside networks

The group has demonstrated patience, often staging operations weeks or months in advance before executing disruptive or public-facing actions.

Inside the Network: Hands-On Intrusions

Once inside a target environment, Handala operates in a manual, operator-driven manner rather than relying entirely on automated tooling.

  • RDP-based movement: Using remote desktop sessions to move laterally
  • Internal tooling: Downloading tools directly onto compromised systems
  • Tunneled access: Leveraging networking tools to maintain internal connectivity

This approach allows the group to adapt in real time and maintain control across multiple systems simultaneously.

Destructive Capabilities and Wiper Usage

Handala is one of the more aggressive actors currently deploying destructive cyber techniques. Its operations often include multiple overlapping methods designed to maximize impact.

  • Custom wipers: Tools designed to overwrite or destroy data
  • Script-based deletion: Automated file removal across systems
  • Encryption overlap: Use of legitimate encryption tools to complicate recovery
  • Manual destruction: Direct deletion of files and systems by operators

These attacks frequently target enterprise environments and can result in widespread system disruption rather than isolated data loss.
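As an added example (not BreachNews code and not something the page attributes to the actor), the following Python correlation rule looks for the chain described in the three sections above: a VPN logon by one account, followed by RDP fan-out to several internal hosts, followed by a burst of file deletions. The log format, field names, hostnames, addresses and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): one event per line, normalised
# from a VPN concentrator, Windows logon type 10 (RemoteInteractive / RDP)
# events, and a file-deletion counter from an EDR or file-server audit log.
SAMPLE_LOG = """\
2026-02-10T01:02:00 vpn_logon user=svc_backup src=203.0.113.45
2026-02-10T01:05:30 rdp_logon user=svc_backup src=WS-22 dst=FS-01
2026-02-10T01:06:10 rdp_logon user=svc_backup src=WS-22 dst=FS-02
2026-02-10T01:07:00 rdp_logon user=svc_backup src=WS-22 dst=DC-01
2026-02-10T01:20:00 file_delete user=svc_backup host=FS-01 count=4200
2026-02-10T01:21:00 file_delete user=svc_backup host=FS-02 count=3900
2026-02-10T09:00:00 vpn_logon user=jdoe src=198.51.100.7
2026-02-10T09:15:00 rdp_logon user=jdoe src=WS-05 dst=APP-01
"""


def parse(log):
    """Turn 'timestamp kind key=value ...' lines into (datetime, kind, fields)."""
    events = []
    for line in log.splitlines():
        ts, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append((datetime.fromisoformat(ts), kind, fields))
    return events


def find_chains(log, window=timedelta(hours=2), min_rdp_hosts=3, delete_threshold=1000):
    """Return accounts whose activity matches VPN logon -> RDP fan-out -> mass deletion.

    Each VPN logon opens a window; within it we count distinct RDP destinations
    (lateral movement) and total deleted files (destructive follow-through).
    """
    by_user = defaultdict(list)
    for ts, kind, fields in parse(log):
        by_user[fields["user"]].append((ts, kind, fields))

    hits = {}
    for user, events in by_user.items():
        for start in (ts for ts, kind, _ in events if kind == "vpn_logon"):
            in_window = [(k, f) for ts, k, f in events if start <= ts <= start + window]
            rdp_targets = {f["dst"] for k, f in in_window if k == "rdp_logon"}
            deleted = sum(int(f["count"]) for k, f in in_window if k == "file_delete")
            if len(rdp_targets) >= min_rdp_hosts and deleted >= delete_threshold:
                hits[user] = {"rdp_targets": sorted(rdp_targets), "files_deleted": deleted}
    return hits
```

The two-hour window is a toy value; because the page notes the group stages operations for weeks or months, a production rule would keep per-account state across sessions rather than rely on a single short window.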

Infrastructure and Tradecraft Shifts

Handala’s infrastructure has evolved alongside its operations. Earlier activity showed stronger operational discipline, while recent campaigns indicate more aggressive and visible behavior.

  • VPN usage: Continued reliance on commercial VPN infrastructure
  • Starlink IP activity: Observed use of satellite internet ranges in 2026
  • Direct connections: Increased exposure through less obfuscated access patterns
  • Rapid rebuilds: Infrastructure restored quickly after takedowns

This shift suggests a tradeoff between stealth and speed as the group increases its operational tempo.

Messaging, Threats, and Psychological Operations

Handala consistently pairs technical activity with aggressive public messaging. Statements often include direct threats, geopolitical references, and claims of ongoing surveillance.

Recent campaigns targeting United States personnel illustrate this approach, where alleged data exposure is framed as a warning rather than a financial demand. The goal appears to be intimidation and narrative influence as much as technical impact.

Targeting Trends

Handala’s targeting has expanded significantly:

  • United States: Government-linked individuals, healthcare, and infrastructure
  • Israel: Critical infrastructure, telecom, and public sector organizations
  • Europe and others: Select strategic or symbolic targets

The group prioritizes targets that align with Iranian geopolitical interests, particularly those connected to military, intelligence, or public influence.

Current Threat Assessment

Handala represents a high-risk threat actor due to its combination of state backing, destructive capability, and willingness to publicly escalate. Unlike traditional ransomware groups, its operations are not constrained by financial incentives, allowing for more aggressive and unpredictable behavior.

The group’s continued focus on United States targets, combined with increasingly direct messaging and claims involving military personnel, indicates a sustained escalation pattern heading through 2026.

Key Risks

  • Destructive attacks against enterprise and critical infrastructure environments
  • Exposure or fabrication of sensitive personnel data for intimidation
  • Long-term undetected access leading to coordinated attacks
  • Blending of cyber operations with geopolitical messaging

Notes

All breach and exposure claims attributed to Handala should be treated as unverified unless confirmed by affected organizations or independently validated. However, the group’s demonstrated capability and escalation pattern indicate that its claims warrant close attention.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
