Handala Hack Team: Iranian APT Front

Classification: Open Source | For Advisory and Research Purposes

Border Cyber Group


EXECUTIVE SUMMARY

Handala is not a hacktivist collective. It is a front for Iran's Ministry of Intelligence and Security (MOIS), operated by the unit variously tracked as Void Manticore, Banished Kitten, Red Sandstorm, Dune, and Storm-0842 — designations assigned by Check Point, CrowdStrike, Microsoft, and Palo Alto respectively. The group is an Iranian threat actor known for multiple destructive wiping attacks combined with "hack and leak" operations. It first surfaced in December 2023, two months after October 7th, and has since evolved from a noisy regional nuisance into one of the most consequential destructive-operations actors targeting Western critical infrastructure. Check Point Research

The group has portrayed itself as a pro-Palestinian activist collective with only a vague connection to Iran, but changes to its familiar patterns of activity and multiple exposures have made clear that it works on behalf of the Iranian regime's interests. JISS


ORGANIZATIONAL ATTRIBUTION & COMMAND STRUCTURE

State Nexus

The FBI has stated that Handala is run by an MOIS unit responsible for "Justice Homeland" and "Karma Below," two other Iranian intelligence personas. Iran International has reported that Handala is linked to the MOIS Domestic Security Directorate and operates under the cyber unit "Banished Kitten." Wikipedia

Iran's offensive cyber capability is split between two rival intelligence bureaucracies. The MOIS runs groups like APT34, MuddyWater, Scarred Manticore, and Void Manticore (Handala), which tend toward long-dwell espionage and coordinated destructive operations, often using a documented dual-actor handoff model where Scarred Manticore conducts stealthy espionage before handing targets to Void Manticore (Handala) for destruction. The IRGC, by contrast, runs a wider set of groups including APT33/Peach Sandstorm, APT35/Charming Kitten, and CyberAv3ngers. Push Security

Personnel Exposure

The unit was led by Yahya Hosseini Panjaki, whose identity was first revealed by Iran International's reporting. Panjaki was sanctioned by the US in 2024. According to the Irish Examiner, the group was forced to reorganize during the 2026 Iran war after two of its most prominent figures were killed. Additionally, Iran International later exposed Ali Bermoudeh — a close associate of Iran's cyber police (FATA) — as a key operator, and published details about Bermoudeh's private life. Committee to Protect Journalists

Multi-Persona Architecture

The actor operates several online personas, the most prominent being Homeland Justice (maintained from mid-2022 for attacks against Albania) and Handala Hack (responsible for multiple intrusions in Israel and, more recently, US-based enterprises). Based on observed intrusions, all three personas attributed to the unit — Homeland Justice, Handala, and Karma — exhibit highly similar TTPs, as well as code overlaps in the wipers they deploy. Check Point Research


OPERATIONAL DOCTRINE & STRATEGIC OBJECTIVES

Handala operates according to a clear doctrine: pair technical damage with information warfare to maximize psychological effect. Its core activity consists of breaches of unsecured systems, information leaks, and targeted dissemination of the stolen material on social networks. Handala is characterized by a low to medium level of technological sophistication, but by intensive activity and a strong focus on creating public and media effect. Israel Hayom

Through Handala, Iran preserves plausible deniability, wages information warfare against Israel and the Iranian opposition, and extracts a measured cost from Israel with relatively little risk. JISS

Strategically, the group serves three simultaneous masters:

  1. External pressure campaign against Israel, its allies, and Western critical infrastructure
  2. Transnational repression of Iranian dissidents and opposition media in exile
  3. Domestic legitimacy signaling within Iran — demonstrating regime cyber reach for home consumption

This mix of objectives reflects a gradual transition from a nominally "Palestinian" proxy persona to a more direct operational instrument of Iran. JISS


TACTICS, TECHNIQUES & PROCEDURES (TTPs)

Phase 1: Initial Access

Handala has consistently targeted IT and service providers in an effort to obtain credentials, relying largely on compromised VPN accounts for initial access. Hundreds of logon and brute-force attempts against organizational VPN infrastructure have been linked to Handala-associated infrastructure. This activity typically originates from commercial VPN nodes and is frequently tied to default hostnames in the format DESKTOP-XXXXXX or WIN-XXXXXX. Check Point Research

For the Stryker attack — the most operationally significant to date — the vector evolved: initial access was likely achieved using a combination of older credentials harvested by infostealer malware and highly sophisticated Adversary-in-the-Middle (AiTM) phishing attacks, which intercept authenticated session tokens to completely bypass standard SMS or push-based MFA. Deepwatch

Specifically, Handala leveraged AiTM phishing frameworks such as Evilginx3 and commercial infostealer malware to silently capture authenticated session cookies from high-privileged IT administrators. Because these sessions had already successfully satisfied MFA requirements, capturing the session cookie allowed the attackers to bypass further identity verification entirely — they effectively "rode" an existing trusted session into the Microsoft Entra ID backend, importing the cookies into anti-detect browsers to mask their true infrastructure. TheHGTech

Phase 2: Pre-Positioning & Lateral Movement

This is where Handala's patience becomes dangerous. Check Point Research states that initial access is believed to have been established well before the destructive phase, with network access dating back several months. The Handala branding that appeared on screens before the wipe confirmed that the attackers had control well before they chose to use it. Stryker also had a prior breach in 2024 involving unauthorized access from May to June, with PII and medical records exfiltrated — not disclosed until December 2024. Lumos

Documented lateral movement methods in earlier campaigns included: RDP as the primary lateral movement method, ADRecon for Active Directory enumeration, LSASS credential dumping via comsvcs.dll, and GPO logon scripts for wiper distribution. Push Security

Newly observed TTPs include the deployment of NetBird to tunnel traffic into the network, as well as the use of an AI-assisted PowerShell script for wiping activity. Check Point Research

Phase 3: Destruction

This is where Handala's toolkit is most distinctive and most dangerous. During the destructive phase, Handala deploys four wiping techniques in parallel: a custom executable wiper (handala.exe) with MBR overwrite capability, a PowerShell-based wiper, Group Policy logon scripts distributing both components domain-wide, and — confirmed in the Stryker attack — abuse of Microsoft Intune MDM to issue remote wipe commands across enrolled devices. Earlier campaigns used an NSIS installer disguised as a legitimate update, with batch script obfuscation and time-based delays to evade sandbox analysis and bypass antivirus process checks. Critical Start

The Intune vector represented a qualitative shift in destructive capability:

There was no ransomware, no malware, and no exploit chain. The attacker simply logged into Microsoft Intune with compromised Global Administrator credentials, abused a legitimate feature, and wiped over 80,000 systems, servers, and mobile devices. If you had invested in detection logic around Handala's documented toolkit — BiBi Wiper file extensions, Cl Wiper's EldoS RawDisk driver calls, No-Justice partition table manipulation, Karma Shell's Base64-with-XOR web shell patterns — none of it would have fired. Push Security

Using automated PowerShell scripts interacting with the Microsoft Graph API, the attackers issued approximately 80,000 individual wipe commands over a three-hour window. Because the destructive commands originated from Microsoft's trusted management plane and were processed natively by the devices, the activity completely bypassed traditional EDR inspection. Furthermore, the wiping of BYOD mobile phones resulted in the deletion of personal data and cellular eSIMs, critically delaying IT recovery. Deepwatch

Phase 4: Psychological Exploitation

Post-destruction actions are deliberate and calculated: login pages are defaced with the Handala logo, and stolen data is published to the group's Telegram channel and leak site. Critical Start

Hacked materials ranging from photos of government IDs to intimate content are first released via the Handala website, then further amplified via X, Facebook, Instagram, Telegram, and Iranian news websites. The Canadian government's Rapid Response Mechanism noted that this material was then amplified through AI chatbots, with the chatbots sometimes providing citations that included links to unreliable or state-linked sources. Global Affairs Canada


TARGETING PROFILE

Primary Targets (Israel)

  • Senior political officials and their associates (Netanyahu's close advisers, Naftali Bennett, Benny Gantz, Ehud Barak)
  • Intelligence and defense establishment (named Mossad operatives leaked, nuclear scientists at Soreq)
  • Critical civilian infrastructure — the group penetrated systems of Maagar-Tech and broadcast rocket sirens and messages in Arabic over public address systems of at least 20 kindergartens JISS
  • Israeli healthcare, energy, and IT service providers

Secondary Targets (Transnational Repression)

In summer 2025, Handala shifted focus briefly from Israel to hack Telegram accounts of journalists at Iran International, the London-based opposition television channel, releasing extensive personal information. The aim was to boost the regime's standing at home by striking a hostile exile outlet. JISS

Expansion to Western Critical Infrastructure

Handala's focus on the healthcare sector isn't new, but over the past year the group has expanded its targeting to include Gulf States, and cybersecurity experts expect further targeting of US firms, including companies with ties to Israel or Israeli supply chains. GovInfoSecurity

The Stryker attack — affecting a Fortune 500 company with $25 billion in revenue and roughly 56,000 employees globally, with devices embedded in hospital supply chains worldwide — represents the group's most significant US operation to date. Safestate

Crowdsourced Targeting Infrastructure

In October 2025, Handala launched the crowdsourced handala-redwanted.to platform, registered using a Tonga top-level domain, which offers bounties to individuals who deliver on cyberespionage targets. The portal details desired data for doxxing purposes, with a maximum reward of $50,000 for "tier one" high-value intelligence targets, including Israeli signals intelligence officers from Mossad. The bounty system creates a direct and credible threat of targeted violence, kidnapping, or assassination attempts against named individuals. GovInfoSecurity


SIGNIFICANT OPERATIONS CHRONOLOGY

  • Dec 2023 – 2024: Establishes presence; targets Israeli government, defense, critical infrastructure with wiper attacks and hack-and-leak operations
  • June 2024: Threatening messages broadcast through systems of the Ma'ale Yosef Regional Council in northern Israel
  • Nov 2024: Leaked photos allegedly seized from phones of senior Israeli officials, including Benny Gantz topless in bed; posted 30 images from Soreq nuclear facility and names of scientists working on its particle accelerator Wikipedia
  • Jan 2025: Maagar-Tech public address system hijack across at least 20 kindergartens
  • Mar 2025: Put a $250,000 bounty for the beheadings of Iranian-Canadian activist Goldie Ghamari and Iranian-American lawyer Elica Le Bon, claiming to have leaked their home addresses to the Jalisco New Generation Cartel Wikipedia
  • Summer 2025: Major operation against Iran International journalists
  • Mar 11, 2026: Stryker Corporation attack — 80,000–200,000 devices wiped via Microsoft Intune across 79 countries; described by multiple sources as the most severe Iranian wartime cyberattack against the US in history
  • Mar 19, 2026: FBI seizes Handala's primary website; Handala restores it the following day
  • Mar 27, 2026: Handala claims to have hacked the personal email of FBI director Kash Patel, publishing more than 300 emails, photos, and an alleged resume Wikipedia

INFRASTRUCTURE & OPERATIONAL SECURITY

The tactics, techniques, and procedures associated with Void Manticore intrusions remained largely consistent throughout 2024 to 2026, as the group continued to rely primarily on manual, hands-on operations, off-the-shelf wipers, and publicly available deletion and encryption tools. Check Point Research

Notable infrastructure observations:

  • Historically egressed through commercial VPN segment 169.150.227.X while operating against Israeli targets
  • Following Iran's internet shutdown in January 2026, similar activity originating from Starlink IP ranges has continued, in parallel with a decline in operational security — the group has also begun connecting directly to victims from Iranian IP addresses Check Point Research
  • Uses Telegram as primary C2 and public announcement channel
  • Maintains leak sites using obscure TLDs to evade seizure
  • Outsources at least some operations, including hack attacks and physical surveillance GovInfoSecurity

KNOWN VULNERABILITIES & EXPLOITABLE WEAKNESSES

This is where the briefing is most actionable for defenders — and most revealing about the group's structural limitations.

1. Declining OPSEC discipline. The shift to Starlink IPs and direct connections from Iranian IP ranges indicates operational pressure is degrading their tradecraft. This creates attribution opportunities.

2. Overclaiming. The group at times exaggerates the scope of its achievements and has claimed responsibility for attacks that cannot be independently verified. This creates analytical noise and erodes the credibility of their psychological campaign when it is called out publicly. JISS

3. Dependence on pre-positioned access. Their model requires long dwell time before destructive action. Aggressive network monitoring, anomaly detection on administrative account behavior, and regular credential rotation can detect and evict them before the destructive phase.

4. Personnel exposure. Two senior operators were killed during the 2026 Iran war, and the group's leadership has been publicly named, sanctioned, and in some cases eliminated. This is a significant structural disruption.

5. Identity-centric attack model is double-edged. Their pivot to credential theft and cloud platform abuse means they leave traces in cloud audit logs, not endpoint logs. The entire attack lived in cloud audit logs: Entra ID sign-in logs, Intune audit logs, and Azure AD activity logs. Detection must shift accordingly. Organizations that have already moved their detection stack to XDR with cloud log ingestion have meaningful visibility. Presidio

6. Supply chain dependency. Their consistent use of MSPs and IT vendors as initial access footholds means that hardening the vendor access surface — federated identity enforcement, JIT access, vendor network segmentation — directly degrades their primary access methodology.

7. FBI infrastructure disruption is effective. The March 2026 seizure of their primary website and associated infrastructure represents a successful counter-operation, even if temporary. Persistent domain and infrastructure disruption raises operational costs and forces reorganization.


DEFENSIVE RECOMMENDATIONS

For organizations in scope (any entity with Israeli business ties, US defense adjacency, or critical healthcare/energy infrastructure):

  • Replace push-based MFA immediately with FIDO2 hardware keys. AiTM phishing defeats TOTP and push — it cannot defeat hardware-bound authentication.
  • Enforce Multi-Admin Approval on all Intune destructive actions. A single compromised admin account should never be able to issue mass wipe commands without a second approval.
  • Implement Privileged Identity Management (PIM) with Just-in-Time activation for all Global Administrator and Intune Administrator roles.
  • Ingest Entra ID and Intune audit logs into your XDR. EDR will not catch this class of attack.
  • Audit and restrict third-party vendor access. Handala's supply chain targeting is documented and consistent — your MSP's security posture is your security posture.
  • Reduce BYOD enrollment scope or implement MAM-without-MDM to limit the blast radius on personal devices.
  • Hunt for default Windows hostnames (DESKTOP-XXXXXX, WIN-XXXXXX) on VPN authentication logs — a documented Handala infrastructure fingerprint.
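The last bullet's hostname hunt is most useful when the hostname fingerprint is corroborated by the brute-force behaviour described under Phase 1. The script below is an added example, not part of the briefing or of any vendor's product: it parses a constructed VPN authentication log, aggregates per source IP, and raises a finding only when a default DESKTOP-/WIN- hostname coincides with a second signal (many distinct usernames from one source, or a success following failures). The record layout, the example.test usernames and the RFC 5737 addresses are constructed; 169.150.227.x is the commercial VPN segment the briefing itself documents.

```python
import re
from collections import defaultdict

# Default Windows names: DESKTOP-/WIN- plus random alphanumerics (length range
# is a small margin around the briefing's DESKTOP-XXXXXX / WIN-XXXXXX forms).
DEFAULT_HOSTNAME = re.compile(r"^(DESKTOP|WIN)-[A-Z0-9]{6,8}$")
# Constructed record layout; adapt the field names to your VPN appliance's export.
FIELDS = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+) result=(?P<result>\S+)")

# Constructed sample log. 169.150.227.x is the commercial VPN segment the
# briefing documents; the other sources are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2026-03-01T02:14:07Z vpn01 user=jdoe src=203.0.113.8 host=JDOE-LAPTOP result=OK
2026-03-01T02:15:11Z vpn01 user=jdoe src=169.150.227.14 host=DESKTOP-K3J9Q2L result=FAIL
2026-03-01T02:15:13Z vpn01 user=asmith src=169.150.227.14 host=DESKTOP-K3J9Q2L result=FAIL
2026-03-01T02:15:16Z vpn01 user=svc_backup src=169.150.227.14 host=DESKTOP-K3J9Q2L result=FAIL
2026-03-01T02:15:19Z vpn01 user=it_admin src=169.150.227.14 host=DESKTOP-K3J9Q2L result=OK
2026-03-01T03:02:40Z vpn01 user=mlee src=198.51.100.23 host=WIN-7HG2PQ1 result=OK
2026-03-01T03:40:02Z vpn01 user=bkim src=192.0.2.77 host=BKIM-PC result=FAIL
2026-03-01T03:40:30Z vpn01 user=bkim src=192.0.2.77 host=BKIM-PC result=OK
"""

def summarize_by_source(log_text):
    """Aggregate users, hostnames and outcomes per source IP."""
    per_src = defaultdict(lambda: {"users": set(), "hosts": set(), "fail": 0, "ok": 0})
    for m in FIELDS.finditer(log_text):
        s = per_src[m["src"]]
        s["users"].add(m["user"])
        s["hosts"].add(m["host"])
        s["fail" if m["result"] == "FAIL" else "ok"] += 1
    return per_src

def hunt(log_text, min_users=3):
    """Return {src_ip: [reasons]} for sources showing at least two of: a default
    Windows hostname, many distinct usernames, and a success following failures."""
    findings = {}
    for src, s in summarize_by_source(log_text).items():
        reasons = []
        if any(DEFAULT_HOSTNAME.match(h) for h in s["hosts"]):
            reasons.append("default Windows hostname")
        if len(s["users"]) >= min_users:
            reasons.append(f"{len(s['users'])} distinct users from one source")
        if s["fail"] and s["ok"]:
            reasons.append("success after failures (possible guessed credential)")
        # A default hostname alone is weak evidence (fresh laptops have them too),
        # so require a second signal before raising a finding.
        if len(reasons) >= 2:
            findings[src] = reasons
    return findings

if __name__ == "__main__":
    for src, reasons in hunt(SAMPLE_LOG).items():
        print(f"REVIEW {src}: " + "; ".join(reasons))
```

On the sample, only 169.150.227.14 is reported; the WIN-7HG2PQ1 login and the single user who mistyped a password once each carry one weak signal and stay below the bar.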

ASSESSMENT

Handala represents a medium-sophistication, high-impact threat actor whose danger is amplified not by technical depth but by operational ruthlessness, geopolitical cover, and a willingness to hit civilian infrastructure without constraint. The Stryker attack demonstrated that the group has decisively crossed the threshold from regional nuisance to strategic threat against Western critical infrastructure. Their pivot to identity-based, cloud-native destruction — requiring no custom malware, no zero-days, and no traditional attack chain — means that organizations relying on signature-based detection and perimeter security are effectively blind to their primary methodology.

The group's intelligence handlers at MOIS are pragmatic: they will continue to evolve TTPs in response to detection, absorb personnel losses, and use geopolitical escalation events as cover and justification for retaliatory strikes. Expect the targeting envelope to continue expanding as long as the Iran-Israel-US conflict persists.


Jonathan Brown (A.A.Sc., B.Sc) writes about cybersecurity infrastructure, privacy systems, the politics of AI development and many other topics at bordercybergroup.com and aetheriumarcana.org. Border Cyber Group maintains a cybersecurity resource portal at borderelliptic.com. He works from a custom-built Linux platform (SableLinux) which is currently under development and fully documented at https://github.com/black-vajra/sablelinux.

If you would like to support our work, providing useful, well researched and detailed evaluations of current cybersecurity topics at no cost, feel free to buy us a coffee! https://bordercybergroup.com/#/portal/support