
G1055

Handala Hack

Aliases: Void Manticore · BANISHED KITTEN · Homeland Justice · Karma · Karmabelow80 · COBALT MYSTIQUE · Red Sandstorm · LinkByld

🔴 Active Campaign
State-sponsored · Capability: High · Iran Ministry of Intelligence and Security (MOIS) / Iran · Rating: B2
Cut-off: May 12, 2026 · TLP:AMBER

Diamond Model


Adversary

Iran MOIS · Handala persona since late 2023

Infrastructure

Microsoft Intune abuse · Commercial VPN nodes · MSP supply chain · GPO logon scripts

Victim

Israeli orgs · US enterprises · Healthcare · Telecom · Government

Capability

Handala Wiper (Win MBR) · Hamsa Wiper (Linux) · ADRecon · comsvcs.dll

Stryker Wiper Campaign — March 2026

Motive & Objectives

Disruption / Sabotage · Psychological operations · Ideological (anti-Israel) · Hack-and-leak influence · Political coercion · Counterintelligence embarrassment

Sector Proximity

  • Global telecommunications: Satellite comms and IT/ITES are tracked target sets

  • Defense technology / high-tech startups: Defense and mil-adjacent firms with IL ties targeted

  • Venture capital / investment: Portfolio exposure via defense and medtech holdings

  • Government / think tanks: US officials' personal accounts leaked; gov/LEA in scope

  • Higher education / research institutions: Education named in Cyble target taxonomy; no named victims

Capability Assessment

  • Tooling High
  • Persistence Moderate
  • Attribution evade Low
  • Zero-days Low

Malware Lineage

Handala Wiper (Windows MBR) · Hamsa Wiper (Linux) · ADRecon · comsvcs.dll (LSASS dumper) · Off-the-shelf wipers · Public deletion / encryption utilities

Key TTPs (MITRE ATT&CK)

Initial Access

  • T1078 · Valid Accounts · Stryker compromise leveraged valid Intune admin credentials
  • T1110 · Brute Force · Hundreds of logon attempts from commercial VPN nodes
  • T1199 · Trusted Relationship · Supply-chain compromise via managed service providers

Execution

  • T1059.001 · Command and Scripting Interpreter: PowerShell · Wiper invocation and AD enumeration
  • T1053.005 · Scheduled Task/Job: Scheduled Task · Wiper deployment mechanism
  • T1072 · Software Deployment Tools · Microsoft Intune abuse for fan-out wipe (Stryker)

Persistence

  • T1037.003 · Boot or Logon Initialization Scripts: Network Logon Script · GPO logon scripts to push wipers

Credential Access

  • T1003.001 · OS Credential Dumping: LSASS Memory · LSASS dumping via comsvcs.dll

Discovery

  • T1018 · Remote System Discovery · Active Directory enumeration
  • T1087.002 · Account Discovery: Domain Account · ADRecon for AD enumeration

Lateral Movement

  • T1021.001 · Remote Services: Remote Desktop Protocol · Primary lateral movement method

Exfiltration

  • T1567 · Exfiltration Over Web Service · Bulk data exfiltration prior to wipe (Stryker: 50TB)

Impact

  • T1485 · Data Destruction · Core impact across all wiper operations
  • T1561.002 · Disk Wipe: Disk Structure Wipe · Handala Wiper overwrites MBR
  • T1490 · Inhibit System Recovery · Shadow copy deletion paired with wipers

Victimology

  • Healthcare / medical technology · Stryker — 200K devices wiped, 50TB exfil (Mar 2026)

  • Government & defense ministries · Albanian government (2022, as Homeland Justice); FBI Director personal email (Mar 2026)

  • Israeli enterprises (cross-sector) · Sustained wiper + hack-and-leak ops since late 2023

  • Telecommunications / satellite · Telecom and SatCom named in Cyble target taxonomy

  • Energy & utilities · Listed in target taxonomy; specific named victims sparse

  • Financial services · Listed in target taxonomy

  • Manufacturing · Listed in target taxonomy

Geographic Focus

Israel (primary) · United States (expanding) · Albania · Western organizations with Israel ties

Activity Timeline

  1. 2026-Q1 A1

    DOJ seizes 4 MOIS-linked domains; State Department posts $10M reward for Handala operators

    Source: DOJ Press Release

  2. 2026-03 B2

    Wiper attack on Stryker Corporation: ~200,000 devices wiped via Intune abuse, 50TB exfil claimed

    Source: KrebsOnSecurity / Securonix

  3. 2026-03 B2

    Leak of 300+ emails from FBI Director Kash Patel's personal Gmail account

    Source: FDD; media reporting

  4. 2026-03 B2

    Check Point publishes "Handala Hack: Unveiling Group's Modus Operandi"

    Source: Check Point Research

  5. 2026-04 B2

    Unit 42 publishes Iran cyber threat brief covering Handala wiper escalation

    Source: Unit 42

  6. 2025 B2

    Sustained Israeli enterprise wiper + hack-and-leak operations

    Source: Check Point Research

  7. 2024 B2

    Sustained Israeli enterprise wiper + hack-and-leak operations

    Source: Check Point Research

  8. 2023-Q4 B2

    "Handala" hacktivist persona launched

    Source: Check Point Research; FDD

  9. 2022 A1

    Albanian government attack under Homeland Justice persona

    Source: MITRE ATT&CK G1055

  10. ~2022 A1

    Underlying Void Manticore cluster first publicly tracked

    Source: MITRE ATT&CK G1055

Do What (Now What)

  1. 01

    Treat MDM/RMM/Intune as Tier 0 identity infrastructure

    Apply phishing-resistant MFA (FIDO2/passkeys), administrative tiering, just-in-time access, hardware-bound admin workstations, and full audit logging to all device-management consoles. The Stryker incident demonstrates that a single MDM admin compromise enables fleet-wide destruction.

  2. 02

    Hunt destructive-impact technique chains (T1485 / T1561.002 / T1490)

    Build detections for disk-wipe behaviors, MBR write operations, shadow-copy deletion, recovery-environment tampering, and bulk file deletion patterns. Stryker-scale outcomes require pre-event detection — post-event response is moot.

  3. 03

    Throttle and alert on VPN brute force from commercial VPN egress

    Geo-fence VPN concentrators, enforce conditional access, alert on authentication attempts originating from known commercial VPN provider IP ranges, and rate-limit credential failures to defeat T1110-based initial access. Handala's documented entry pattern is hundreds of logon attempts from commercial VPN nodes.

  4. 04

    Audit GPO logon scripts and software-deployment payloads

    Detect unsigned, recently created, or unexpectedly broad-scope GPO logon scripts (T1037.003), and alert on software-deployment jobs targeting unusually broad OUs. GPO-distributed wipers are a Handala signature.

  5. 05

    Maintain immutable, offline-tested backups and tabletop a fleet-wipe scenario

    Wipers nullify online resilience by design. Backup strategy must include immutability and offline air-gap. Cross-functional tabletops should rehearse a Stryker-class outcome (mass endpoint loss, MDM-driven, with parallel exfil and leak) across cyber, IT, legal, communications, and executive leadership.

Technical Evidence

Type | Value | First Seen | Last Seen | Confidence
Malware Family | Handala Wiper (Windows MBR overwrite) | ~2023 | 2026-03 | HIGH
Malware Family | Hamsa Wiper (Linux) | ~2024 | 2026 | HIGH
Tool | ADRecon (Active Directory enumeration) | ~2022 | 2026 | HIGH
LOLBin | comsvcs.dll (LSASS dumping) | ~2022 | 2026 | HIGH
Technique | Microsoft Intune admin abuse for mass wipe | 2026-03 | 2026-03 | MODERATE
Technique | VPN credential brute force from commercial VPN egress | ~2022 | 2026 | HIGH
Technique | GPO logon scripts for wiper distribution | ~2022 | 2026 | HIGH
Persona | Handala Hack (current public persona) | 2023-Q4 | 2026-05 | HIGH
Persona | Homeland Justice (Albania 2022) | 2022 | 2022 | HIGH
Persona | Karma / Karmabelow80 (early Israeli ops) | ~2022 | ~2023 | HIGH
Infrastructure | MOIS-linked domains (4 seized by DOJ; names not publicly disclosed) | 2026 | n/a | HIGH

[Data Gap: Specific domain names, IP addresses, and file hashes for Handala/Hamsa wiper samples are sparsely published. Defenders should consult Check Point Research and Unit 42 advisories for sample IOCs as available.]

Full Analysis

Executive Summary

Intelligence Cut-off Date: 12-May-2026

Handala Hack is a destructive Iranian threat actor — assessed to operate as a public persona of MOIS-aligned Void Manticore — that combines hands-on hacking, custom wiper deployment, and high-volume hack-and-leak operations. After three years of sustained activity against Israeli targets, the group expanded into the US enterprise environment in March 2026 with a wiper attack on medical-technology giant Stryker that destroyed approximately 200,000 endpoints via abuse of the victim’s own Microsoft Intune console, and a parallel leak of 300+ emails from FBI Director Kash Patel’s personal Gmail account. [Source: KrebsOnSecurity reporting on Stryker, Rating: B2] [Source: DOJ press release, Rating: A1]

Overall Assessment: [Confidence: HIGH] — Multi-source convergence across MITRE ATT&CK, Check Point Research, Palo Alto Unit 42, FBI IC3, DOJ, and FDD. Specific MOIS unit-level sponsorship and operator identity remain assessed rather than confirmed.

Identity and Attribution

Handala Hack is the current primary persona of a longer-running Iranian threat cluster catalogued by MITRE ATT&CK as G1055 under the canonical name “Void Manticore.” Vendor naming conventions for the same activity cluster include: Void Manticore (Check Point Research), BANISHED KITTEN (CrowdStrike), COBALT MYSTIQUE (consulting/Microsoft community usage), Red Sandstorm (Microsoft taxonomy in MITRE references), and the persona names Homeland Justice (Albania operations, 2022), Karma and Karmabelow80 (earlier Israeli operations), and LinkByld (Albania-specific operational handle). [Source: MITRE ATT&CK G1055, Rating: A1]

Attribution to Iran’s Ministry of Intelligence and Security (MOIS) is the prevailing community assessment, supported by both vendor analysis and US government action. The DOJ announced the seizure of four domains used by MOIS in support of these operations, and the State Department’s Rewards for Justice program posted a $10 million reward for information on the operators behind Handala and related Iranian fronts. [Source: DOJ Press Release on MOIS Cyber-Enabled Operations, Rating: A1] Specific organizational sub-unit attribution within MOIS — equivalent to the unit-level naming achieved for IRGC-affiliated clusters — remains a [Data Gap]. [Confidence: HIGH on MOIS sponsorship; LOW on specific sub-unit]

The “Handala” persona launched in late 2023. The underlying operator cluster has been tracked since at least 2022 under the Void Manticore / Homeland Justice designations, with Albania attacks providing the earliest public confirmation. [Source: Check Point Research, Rating: B2]

Motive and Objective

Handala’s motive is disruption, sabotage, and influence — not financial gain. The group has never claimed nor demonstrated a ransomware monetization model. Every observed operation pairs a destructive technical effect with a public messaging arm: a leak portal, social media campaign, or media outreach push designed to amplify the operational impact. [Source: Check Point Research; FDD, Rating: B2]

Specific objectives include: (1) destroying data and disrupting operations in Israeli organizations as a coercive instrument of Iranian foreign policy; (2) coercing or embarrassing US and Western firms with business, political, or defense-related ties to Israel; (3) embarrassing US officials through personal-account leaks designed for maximum media salience; and (4) amplifying Iranian state narrative through a sustained leak-and-media cycle that converts technical intrusions into information operations. [Source: FDD “6 Things to Know About Handala,” Rating: B2] [Source: JISS analysis of influence operations disguised as cyber operations, Rating: C3]

The hacktivist branding (“Handala” is a Palestinian refugee cartoon figure) is best understood as cover — a legitimacy fig leaf over state-directed disruption operations. [Inference — supported by attribution to MOIS and the absence of authentic hacktivist organizational markers] [Confidence: MODERATE]

Victimology

Handala’s victim set is anchored on Israel and expanding into the United States, with peripheral activity against Albania (2022) and other Western organizations with Israel-aligned business or political ties.

Sectoral targeting. The group has demonstrated activity across healthcare/medical technology, government and law enforcement, defense and military-adjacent organizations, telecommunications and satellite communications, energy and utilities, financial services, manufacturing, information technology and ITES, and education. [Source: Cyble Handala Hack Team Profile, Rating: C3] [Source: SOCRadar Dark Web Profile, Rating: C3] Named, publicly disclosed victims include: Stryker Corporation (March 2026, ~200,000 devices wiped, 50TB exfiltration claimed) [Source: KrebsOnSecurity / Securonix coverage, Rating: B2]; FBI Director Kash Patel (March 2026, 300+ emails leaked from a personal Gmail account) [Source: FDD; broad media reporting, Rating: B2]; and a long tail of Israeli enterprises across 2024–2025 documented by Check Point Research [Source: Check Point Research, Rating: B2]. The 2022 Albanian government attack is attributed to the same cluster under the Homeland Justice persona [Source: MITRE G1055, Rating: A1].

Geographic targeting. Israel is the primary target geography and the organizing principle of the entire campaign. The United States has emerged in 2024–2026 as the secondary geography, with targeting prioritized against firms that have IL business ties, political alignment, or defense-related relationships. Albania remains a notable historical target. The group does not appear to follow the typical Russian-nexus CIS exclusion pattern.

Technology-stack targeting. Two observed patterns are particularly important: (1) Microsoft Intune and equivalent MDM/RMM platforms as a fan-out destruction vector — the Stryker attack appears to be the first publicly confirmed mass wiper distributed via a victim’s own mobile device management console [Source: KrebsOnSecurity, Rating: B2] [Single-source on Intune vector pending corroboration]; and (2) VPN concentrators as an initial-access target via credential brute force from commercial VPN egress nodes [Source: Check Point Research, Rating: B2]. The group also abuses Group Policy Objects for wiper distribution and RDP for lateral movement.

Sector Proximity Assessment:

  • Global telecommunications: ADJACENT — Satellite communications and IT/ITES are in the published target taxonomy, and shared managed-service-provider relationships represent a credible supply-chain pivot, but no major telecom operator has been publicly named as a Handala victim to date.
  • Defense technology / high-tech startups: DIRECT — Defense and military-adjacent organizations are an explicit target set, with elevated risk for firms maintaining IL R&D, supply, or political relationships.
  • Venture capital / investment: ADJACENT — Portfolio companies in medical technology, defense, telecom, and energy face elevated exposure; investment firms themselves are not a known direct target.
  • Government / think tanks: DIRECT — Government and LEA targeting is established (Albania 2022; FBI Director personal email March 2026). Think tanks with positions on Iran, Israel, or sanctions policy face plausible collection and influence-operation interest.
  • Higher education / research institutions: ADJACENT — Education appears in Cyble’s published target taxonomy but no specific named university victims have been disclosed. [Data Gap]

Capability Assessment

Rating: High [Confidence: HIGH]

Handala operates at the upper bound of moderate capability and the lower bound of high capability — and given the consistent destructive impact achieved, the high rating is the more defensible. The evidence:

Custom destructive tooling. The group develops and maintains at least two named custom wipers: Handala Wiper, a Windows-based destructive payload that overwrites the Master Boot Record and deletes files across infected systems, designed for centralized deployment via scheduled tasks and Group Policy; and Hamsa Wiper, a Linux-focused destructive payload that masquerades as a legitimate software update and incorporates delayed execution and system profiling for detection evasion. [Source: Check Point Research, Rating: B2]

Hands-on operational tradecraft. Check Point characterizes the cluster as relying primarily on manual, hands-on operations rather than autonomous malware — a profile consistent with skilled human operators using a mix of custom tools, off-the-shelf wipers, and publicly available deletion utilities. [Source: Check Point Research, Rating: B2] Documented techniques include VPN brute force at scale, Active Directory enumeration via ADRecon, LSASS credential dumping via comsvcs.dll, RDP-based lateral movement, and GPO logon scripts for wiper distribution. [Source: Push Security analysis of Stryker / Handala TTPs, Rating: B2]

Strategic platform abuse. The Stryker incident demonstrates a meaningful capability uplift: rather than fan out malware via traditional lateral movement, Handala compromised the victim’s Microsoft Intune tenant and issued legitimate remote-wipe commands against approximately 200,000 enrolled devices. [Source: KrebsOnSecurity, Rating: B2] This is a capability profile consistent with — and arguably exceeding — many ransomware affiliates. [Single-source on Intune mechanism; corroboration pending broader vendor reporting]

Operational security limitations. Unlike top-tier espionage groups (e.g., Salt Typhoon), Handala does not prioritize stealth or long dwell times. The hack-and-leak operating model intentionally surfaces the intrusion, which limits the value of OPSEC investment. Attribution evasion is therefore rated low, and zero-day usage is rated low — the group has historically relied on credential abuse, N-day exploitation, and supply chain access rather than novel vulnerability discovery.

State-level resourcing. Confirmed by DOJ domain seizures and State Department reward designations specific to MOIS-front operations, establishing direct state backing rather than purely inferred sponsorship. [Source: DOJ Press Release, Rating: A1]

Modus Operandi

Key Campaigns

Stryker Corporation wiper attack (March 11, 2026): Handala claimed to have wiped more than 200,000 servers, systems, and mobile devices and exfiltrated 50 terabytes of data from medical-technology giant Stryker. Reporting indicates Handala gained access to Stryker’s Microsoft Intune cloud-based device management platform and issued remote wipe commands against all connected devices. The campaign represents the first publicly confirmed mass-destruction use of an MDM console as a wiper distribution mechanism. [Source: KrebsOnSecurity / Securonix, Rating: B2] [Single-source on Intune vector]

FBI Director Patel email leak (March 2026): Handala published more than 300 emails from FBI Director Kash Patel’s personal Gmail account. The operation is best characterized as a counterintelligence-embarrassment and influence-operation campaign, paired with media outreach designed to amplify the disclosure. [Source: FDD analysis, Rating: B2]

Sustained Israeli operations (late 2023–2026): Following the launch of the Handala persona, the group has conducted continuous wiper and hack-and-leak campaigns against Israeli enterprises, government-adjacent organizations, and Western entities with IL ties. Check Point Research documents recurring patterns of VPN-credential abuse, AD enumeration, GPO-distributed wipers, and follow-on leak operations. [Source: Check Point Research, Rating: B2]

Albanian government attack (2022, under Homeland Justice persona): The earliest publicly confirmed operation of the underlying cluster. Disrupted Albanian government services and contributed to the diplomatic break between Albania and Iran. [Source: MITRE ATT&CK G1055, Rating: A1]

MITRE ATT&CK TTPs

Phase | Technique ID | Technique Name | Notes
Initial Access | T1078 | Valid Accounts | Stryker compromise leveraged valid Intune admin credentials
Initial Access | T1110 | Brute Force | Hundreds of logon attempts from commercial VPN nodes
Initial Access | T1199 | Trusted Relationship | Supply-chain compromise via managed service providers
Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | LSASS dumping via comsvcs.dll
Discovery | T1018 | Remote System Discovery | Active Directory enumeration
Discovery | T1087.002 | Account Discovery: Domain Account | ADRecon for AD enumeration
Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | Primary lateral movement method
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Wiper invocation and AD enumeration
Execution | T1053.005 | Scheduled Task/Job: Scheduled Task | Wiper deployment mechanism
Execution | T1072 | Software Deployment Tools | Microsoft Intune abuse for fan-out wipe (Stryker)
Persistence | T1037.003 | Boot or Logon Initialization Scripts: Network Logon Script | GPO logon scripts to push wipers
Impact | T1485 | Data Destruction | Core impact across all wiper operations
Impact | T1561.002 | Disk Wipe: Disk Structure Wipe | Handala Wiper overwrites MBR
Impact | T1490 | Inhibit System Recovery | Shadow copy deletion paired with wipers
Exfiltration | T1567 | Exfiltration Over Web Service | Bulk data exfiltration prior to wipe (Stryker: 50TB)

Tools and Malware

Handala Wiper — Custom Windows destructive payload. Overwrites the Master Boot Record and deletes files across infected systems. Designed for centralized distribution via scheduled tasks and GPO. [Source: Check Point Research, Rating: B2]

Hamsa Wiper — Custom Linux destructive payload. Masquerades as a legitimate software update. Incorporates delayed execution and system profiling before initiating destructive actions. [Source: Check Point Research, Rating: B2]

ADRecon — Open-source Active Directory enumeration toolkit used for environment discovery.

comsvcs.dll — Living-off-the-land binary used for LSASS process memory dumping.

Off-the-shelf wipers and public deletion/encryption utilities — Check Point characterizes the cluster as relying on a mix of custom and publicly available destructive tooling rather than maintaining a single proprietary kit. [Source: Check Point Research, Rating: B2]

Microsoft Intune (abused victim platform) — Not a Handala-owned tool, but a victim platform weaponized as a distribution channel in the Stryker attack.

Infrastructure Patterns

Initial-access operations originate from commercial VPN egress nodes, where the group conducts credential brute-force against victim VPN concentrators at scale. Internal operations rely on abuse of legitimate victim infrastructure — Group Policy Objects, RDP, scheduled tasks, and (in the Stryker case) the victim’s own MDM/Intune console — rather than dedicated attacker C2 fabric. The DOJ seized four domains assessed as MOIS-linked supporting infrastructure in 2026 [Source: DOJ Press Release, Rating: A1]; specific domain names are [Data Gap] in public reporting. The hack-and-leak portal serves as a public-facing infrastructure asset for influence operations.
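The entry pattern described above (credential brute force against VPN concentrators from commercial VPN egress nodes, also the subject of recommendation 3 under Now What) can be surfaced directly from concentrator authentication logs. The detector below is an added example written for this profile; it is not Handala tooling or any vendor's product, and its log line format, thresholds, sample log and the two RFC 5737 documentation ranges standing in for a commercial-VPN IP feed are all constructed assumptions.

```python
"""Hypothetical detector for T1110 brute force against a VPN concentrator from commercial
VPN egress nodes. Added example: not Handala tooling and not any vendor's product. The log
format, thresholds and the 'commercial VPN' CIDR list are constructed assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a commercial-VPN IP feed (RFC 5737 documentation ranges).
COMMERCIAL_VPN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
FAIL_THRESHOLD = 20             # failures from one source inside WINDOW before alerting
WINDOW = timedelta(minutes=10)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed syslog-like shape: <ts> <host> auth-fail|auth-ok user=<user> src=<ip>
LINE_RE = re.compile(r"^(\S+) \S+ auth-(fail|ok) user=(\S+) src=(\S+)$")


def build_sample_log():
    """Constructed log: a spray burst (25 failures, 7 usernames) from a commercial VPN
    node followed by a success, plus three ordinary failures from a corporate address."""
    base = datetime(2026, 3, 10, 2, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=12 * i)).strftime(TS_FMT)
        lines.append(f"{ts} vpn01 auth-fail user=user{i % 7} src=203.0.113.45")
    ok_ts = (base + timedelta(minutes=6)).strftime(TS_FMT)
    lines.append(f"{ok_ts} vpn01 auth-ok user=user3 src=203.0.113.45")
    for i in range(3):
        ts = (base + timedelta(hours=1, minutes=i)).strftime(TS_FMT)
        lines.append(f"{ts} vpn01 auth-fail user=asmith src=192.0.2.10")
    return "\n".join(lines)


def is_commercial_vpn(ip):
    """True when the source address falls inside the commercial-VPN feed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in COMMERCIAL_VPN_RANGES)


def parse(log_text):
    """Yield (timestamp, outcome, user, src); lines that do not match the shape are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3), m.group(4)


def max_in_window(times, window):
    """Largest number of events from a sorted list that fall inside any span of `window`."""
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alert on any source whose failure burst reaches `threshold` inside `window`.
    Distinct usernames indicate spraying; a later success from the same source suggests
    a guessed credential and escalates the recommended response."""
    fails, users, successes = defaultdict(list), defaultdict(set), defaultdict(list)
    for ts, outcome, user, src in parse(log_text):
        if outcome == "fail":
            fails[src].append(ts)
            users[src].add(user)
        else:
            successes[src].append(ts)
    alerts = []
    for src, times in fails.items():
        times.sort()
        burst = max_in_window(times, window)
        if burst < threshold:
            continue
        success_after = any(s > times[-1] for s in successes[src])
        alerts.append({
            "src": src,
            "failures": burst,
            "distinct_users": len(users[src]),
            "commercial_vpn": is_commercial_vpn(src),
            "success_after_burst": success_after,
            "action": ("block source; reset any account that succeeded from it"
                       if success_after else "rate-limit source"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

In production the CIDR list would come from a maintained VPN/proxy feed and the alert would feed the conditional-access policy that recommendation 3 describes; the `commercial_vpn` flag is what separates a noisy but ordinary lockout from this actor's documented entry pattern.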

Activity Timeline

Date | Event | Source | Rating
2026-Q1 | DOJ seizes 4 MOIS-linked domains; State Department posts $10M reward for Handala operators | DOJ Press Release | A1
2026-03 | Wiper attack on Stryker Corporation: ~200,000 devices wiped via Intune abuse, 50TB exfil claimed | KrebsOnSecurity / Securonix | B2
2026-03 | Leak of 300+ emails from FBI Director Kash Patel’s personal Gmail account | FDD; media reporting | B2
2026-03 | Check Point publishes “Handala Hack: Unveiling Group’s Modus Operandi” | Check Point Research | B2
2026-04 | Unit 42 publishes Iran cyber threat brief covering Handala wiper escalation | Unit 42 | B2
2025 | Sustained Israeli enterprise wiper + hack-and-leak operations | Check Point Research | B2
2024 | Sustained Israeli enterprise wiper + hack-and-leak operations | Check Point Research | B2
2023-Q4 | “Handala” hacktivist persona launched | Check Point Research; FDD | B2
2022 | Albanian government attack under Homeland Justice persona | MITRE ATT&CK G1055 | A1
~2022 | Underlying Void Manticore cluster first publicly tracked | MITRE ATT&CK G1055 | A1

Forecast, Implications, and Recommendations

What Next (Forecast)

Continued exploitation of IT-management-plane infrastructure. [Confidence: MODERATE] The Stryker incident validates a high-leverage attack pattern: compromise a single MDM/RMM/Intune-class console, then weaponize it to issue legitimate remote-wipe commands across the enrolled fleet. Expect Handala — and likely emulators — to prioritize MDM consoles, EDR management planes, RMM platforms, and SaaS device-management tooling as initial-access targets over the next 12 months.

Expanding US targeting beyond Israel-linked firms. [Confidence: MODERATE] The Patel email leak extends Handala targeting beyond the IL-ties filter into pure US political symbolism. Expect targeting of US officials’ personal accounts, US firms with no IL connection but high media salience, and US infrastructure where disruption serves Iranian foreign-policy messaging — particularly during periods of US-Iran tension.

Low probability of pivot to ransomware monetization. [Confidence: HIGH] MOIS-aligned operations are state-funded; destruction and influence are the goal, not revenue. Unlike financially motivated groups, Handala has no incentive to negotiate, decrypt, or develop a ransom-payment infrastructure. Conditions that would change this forecast: a significant disruption to MOIS funding pipelines, a deliberate pivot toward false-flag criminal branding, or a splinter of operators leaving the cluster.

Conditions that would change the forecast: Major US-Iran de-escalation, successful DOJ/FBI operator indictments, or a meaningful disruption of MOIS cyber funding could reduce tempo. Conversely, kinetic escalation in the Middle East would likely accelerate operations.

So What (Implications)

Global telecommunications firms with IL-adjacent footprint face plausible wiper exposure. Satellite communications and IT/ITES are in the published target taxonomy, and shared MSP relationships create a credible supply-chain pivot. The risk model should treat Israeli partner, customer, and supplier relationships as potential lateral pivots — not just direct attack surface.

Defense-technology firms with IL R&D ties face elevated, named risk. Defense and military-adjacent organizations are explicit Handala targets. Venture-stage portfolios with exposure to Israeli defense or dual-use technology should treat Handala-class wiper risk as a material due-diligence input.

A single MDM/Intune compromise can wipe an entire device fleet. The Stryker incident is the practical proof-of-concept. Cyber strategy and architecture functions should now treat MDM consoles as Tier 0 identity infrastructure — equivalent in criticality to Active Directory domain controllers, identity providers, and PAM platforms. Treating them as standard SaaS administration is no longer defensible.
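One concrete control that follows from treating the MDM console as Tier 0 is watching its own audit trail for remote-wipe bursts, so that a compromised admin session is caught after a handful of wipes rather than after the fleet. The code below is an added example, not Handala tooling and not the Intune API; the record fields (time, actor, action, device), the action names, the thresholds and the sample audit export are constructed assumptions standing in for a real MDM audit-log schema.

```python
"""Hypothetical detection for a mass remote wipe issued through an MDM console (T1072 as
the fan-out, T1485 as the impact). Added example: not Handala tooling and not Microsoft's
Intune API. Field names, action labels, thresholds and the sample export are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_ACTIONS = {"wipe", "retire", "factoryReset"}   # constructed action labels
BURST_THRESHOLD = 10                                 # distinct devices per actor per bucket
BUCKET = timedelta(minutes=5)                        # tumbling window size
EPOCH = datetime(1970, 1, 1)


def build_sample_audit():
    """Constructed MDM audit export: two routine helpdesk wipes hours apart, one benign
    sync, then a compromised admin account issuing 40 wipes in 80 seconds."""
    base = datetime(2026, 3, 11, 3, 0, 0)
    events = [
        {"time": base - timedelta(hours=5), "actor": "helpdesk@corp.example",
         "action": "wipe", "device": "LT-0001"},
        {"time": base - timedelta(hours=2), "actor": "helpdesk@corp.example",
         "action": "wipe", "device": "LT-0002"},
        {"time": base - timedelta(hours=1), "actor": "mdmadmin@corp.example",
         "action": "sync", "device": "WS-0100"},
    ]
    for i in range(40):
        events.append({"time": base + timedelta(seconds=2 * i),
                       "actor": "mdmadmin@corp.example",
                       "action": "wipe", "device": f"WS-{i:04d}"})
    return events


def bucket_start(ts, bucket=BUCKET):
    """Align a timestamp to the start of its fixed-size bucket."""
    return EPOCH + int((ts - EPOCH) / bucket) * bucket


def detect_wipe_bursts(events, threshold=BURST_THRESHOLD, bucket=BUCKET, fleet_size=None):
    """Count distinct devices wiped per (actor, bucket) and alert once the count reaches
    `threshold`. Distinct devices, not raw events, so retried wipes of one lost laptop
    do not trip it. Returns alerts sorted by actor and bucket start."""
    wiped = defaultdict(set)
    for e in events:
        if e["action"] in WIPE_ACTIONS:
            wiped[(e["actor"], bucket_start(e["time"], bucket))].add(e["device"])
    alerts = []
    for (actor, start), devices in sorted(wiped.items()):
        if len(devices) < threshold:
            continue
        alert = {
            "actor": actor,
            "bucket_start": start,
            "bucket_end": start + bucket,
            "devices_wiped": len(devices),
            "response": "revoke actor sessions and MDM role, pause device actions, open incident",
        }
        if fleet_size:
            alert["fleet_fraction"] = len(devices) / fleet_size
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect_wipe_bursts(build_sample_audit(), fleet_size=200_000):
        print(alert)
```

The threshold is deliberately low: ten fleet devices wiped by one identity inside five minutes has almost no legitimate explanation outside a scheduled decommission, and a scheduled decommission can be allow-listed by actor and time window. Paired with the tiered, just-in-time admin access from recommendation 1, the alert is also the trigger for automated session revocation.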

Personal-account leaks of officials are a coercion vector. Senior executives, board members, and government affiliates should expect personal-account targeting as part of a corporate-coercion campaign — not a separate threat model.

Now What (Recommendations)

  1. Treat MDM/RMM/Intune as Tier 0 identity infrastructure — Apply phishing-resistant MFA (FIDO2/passkeys), administrative tiering, just-in-time access, hardware-bound admin workstations, and full audit logging to all device-management consoles. The Stryker incident demonstrates that a single MDM admin compromise enables fleet-wide destruction.

  2. Hunt destructive-impact technique chains (T1485 / T1561.002 / T1490) — Build detections for disk-wipe behaviors, MBR write operations, shadow-copy deletion, recovery-environment tampering, and bulk file deletion patterns. Stryker-scale outcomes require pre-event detection — post-event response is moot.

  3. Throttle and alert on VPN brute force from commercial VPN egress — Geo-fence VPN concentrators, enforce conditional access, alert on authentication attempts originating from known commercial VPN provider IP ranges, and rate-limit credential failures to defeat T1110-based initial access. Handala’s documented entry pattern is hundreds of logon attempts from commercial VPN nodes.

  4. Audit GPO logon scripts and software-deployment payloads — Detect unsigned, recently created, or unexpectedly broad-scope GPO logon scripts (T1037.003), and alert on software-deployment jobs targeting unusually broad OUs. GPO-distributed wipers are a Handala signature.

  5. Maintain immutable, offline-tested backups and tabletop a fleet-wipe scenario — Wipers nullify online resilience by design. Backup strategy must include immutability and offline air-gap. Cross-functional tabletops should rehearse a Stryker-class outcome (mass endpoint loss, MDM-driven, with parallel exfil and leak) across cyber, IT, legal, communications, and executive leadership.
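For recommendation 2, the command-line-visible links of the T1485 / T1490 chain (shadow-copy deletion, recovery disablement, bulk deletion, and a scheduled task as the deployment step the profile lists under T1053.005) can be correlated per host from process-creation telemetry. The code below is an added example and not any vendor's rule set; the event shape is a constructed stand-in for Sysmon event 1 or Windows 4688 records, the indicator list is illustrative rather than exhaustive, and MBR overwrites (T1561.002) are not visible at this layer: they need raw-disk-write telemetry from an EDR, which this block does not cover.

```python
"""Hypothetical per-host correlation of the destructive chain T1485 / T1490 (with T1053.005
as deployment context). Added example: not Handala tooling and not any vendor's rules.
Event shape is a constructed stand-in for Sysmon EID 1 / Windows 4688 records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CHAIN_WINDOW = timedelta(minutes=30)
IMPACT_TECHNIQUES = {"T1490", "T1485"}

# Command-line indicators keyed by the ATT&CK IDs used in this profile's Impact section.
# A scheduled task running as SYSTEM is noisy on its own and only counts as chain context.
PATTERNS = [
    ("T1490", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("T1490", re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("T1490", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("T1485", re.compile(r"\bcipher(\.exe)?\s+/w:", re.I)),
    ("T1485", re.compile(r"\b(del|erase)\b(\s+/[fsq])+\s+\S*\\\*", re.I)),
    ("T1053.005", re.compile(r"schtasks(\.exe)?\s+/create\b.*/ru\s+system", re.I)),
]


def build_sample_events():
    """Constructed process-creation events as (timestamp, host, command line).
    WS01 shows a full chain, WS02 only benign admin activity, WS03 a single T1490 hit."""
    t = datetime(2026, 3, 11, 3, 10)
    return [
        (t, "WS01", "vssadmin.exe delete shadows /all /quiet"),
        (t + timedelta(minutes=1), "WS01", "bcdedit.exe /set {default} recoveryenabled No"),
        (t + timedelta(minutes=2), "WS01",
         r'schtasks.exe /create /tn "SysUpdate" /tr C:\ProgramData\upd.exe /sc once /st 03:30 /ru SYSTEM'),
        (t + timedelta(minutes=3), "WS01", r"cmd.exe /c del /f /s /q C:\Users\*"),
        (t + timedelta(hours=6), "WS02", "vssadmin.exe list shadows"),
        (t + timedelta(hours=6, minutes=5), "WS02", "wbadmin.exe start backup -backupTarget:E:"),
        (t + timedelta(hours=11), "WS03", "bcdedit.exe /set {default} recoveryenabled No"),
    ]


def classify(cmdline):
    """Return the set of technique IDs whose indicators appear in one command line."""
    return {tid for tid, rx in PATTERNS if rx.search(cmdline)}


def detect_chains(events, window=CHAIN_WINDOW):
    """One alert per host that shows at least one impact technique. Techniques seen within
    `window` of the host's first hit are merged; two or more distinct techniques in that
    span is rated high, a lone hit medium (still worth a look, since T1490 precedes wipes)."""
    hits = defaultdict(list)
    for ts, host, cmd in sorted(events):
        tids = classify(cmd)
        if tids:
            hits[host].append((ts, tids))
    alerts = []
    for host, items in sorted(hits.items()):
        first = items[0][0]
        techniques, last = set(), first
        for ts, tids in items:
            if ts - first <= window:
                techniques |= tids
                last = ts
        if not techniques & IMPACT_TECHNIQUES:
            continue
        alerts.append({
            "host": host,
            "techniques": sorted(techniques),
            "first": first,
            "last": last,
            "severity": "high" if len(techniques) >= 2 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(build_sample_events()):
        print(alert)
```

The point of correlating rather than alerting per command is the timing the profile stresses: recovery inhibition precedes the wipe, so a high-severity chain on one host is the moment to isolate it and to check the GPO and software-deployment paths that recommendation 4 covers, since the same payload is typically queued for the rest of the fleet.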

Technical Evidence

Type | Value | First Seen | Last Seen | Confidence
Malware Family | Handala Wiper (Windows MBR overwrite) | ~2023 | 2026-03 | HIGH
Malware Family | Hamsa Wiper (Linux) | ~2024 | 2026 | HIGH
Tool | ADRecon (Active Directory enumeration) | ~2022 | 2026 | HIGH
LOLBin | comsvcs.dll (LSASS dumping) | ~2022 | 2026 | HIGH
Technique | Microsoft Intune admin abuse for mass wipe | 2026-03 | 2026-03 | MODERATE
Technique | VPN credential brute force from commercial VPN egress | ~2022 | 2026 | HIGH
Technique | GPO logon scripts for wiper distribution | ~2022 | 2026 | HIGH
Persona | Handala Hack (current public persona) | 2023-Q4 | 2026-05 | HIGH
Persona | Homeland Justice (Albania 2022) | 2022 | 2022 | HIGH
Persona | Karma / Karmabelow80 (early Israeli ops) | ~2022 | ~2023 | HIGH
Infrastructure | MOIS-linked domains (4 seized by DOJ; names not publicly disclosed) | 2026 | n/a | HIGH

[Data Gap: Specific domain names, IP addresses, and file hashes for Handala/Hamsa wiper samples are sparsely published. Defenders should consult Check Point Research and Unit 42 advisories for sample IOCs as available.]

References

  1. MITRE ATT&CK Group G1055 — Void Manticore / Handala Hack / BANISHED KITTEN / Homeland Justice (current). https://attack.mitre.org/groups/G1055/. Rating: A1
  2. US Department of Justice — Justice Department Disrupts Iranian Cyber-Enabled Psychological Operations (2026). https://www.justice.gov/opa/pr/justice-department-disrupts-iranian-cyber-enabled-psychological-operations. Rating: A1
  3. FBI IC3 — FLASH-20260320-001 (TLP:CLEAR, March 2026). https://www.ic3.gov/CSA/2026/260320.pdf. Rating: A1
  4. Check Point Research — “Handala Hack” Unveiling Group’s Modus Operandi (2026). https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/. Rating: B2
  5. Palo Alto Networks Unit 42 — Threat Brief: Escalation of Cyber Risk Related to Iran (April 2026). https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/. Rating: B2
  6. Palo Alto Networks Unit 42 — Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization. https://unit42.paloaltonetworks.com/evolution-of-iran-cyber-threats/. Rating: B2
  7. Foundation for Defense of Democracies (FDD) — 6 Things to Know About Handala (April 2026). https://www.fdd.org/analysis/2026/04/01/6-things-to-know-about-handala-tehrans-hackers-making-front-page-news/. Rating: B2
  8. Push Security — Analyzing Iran-nexus TTP evolution in 2026 (Stryker/Handala report). https://pushsecurity.com/blog/stryker-handala-report. Rating: B2
  9. Picus Security — Handala Threat Group Tactics, Targets, and Attack Timeline. https://www.picussecurity.com/threat-database/handala-threat-group-tactics-targets-and-attack-timeline. Rating: B2
  10. Securonix Community — Iran-backed Handala wiper attack devastates Stryker globally. https://connect.securonix.com/threat-research-intelligence-62/iran-backed-handala-wiper-attack-devastates-stryker-globally-230. Rating: B2
  11. Cyble — Handala Hack Team: Iranian Cyber Threat Profile 2026. https://cyble.com/threat-actor-profiles/handala-hack-team/. Rating: C3
  12. SOCRadar — Dark Web Profile: Handala Hack. https://socradar.io/blog/dark-web-profile-handala-hack/. Rating: C3
  13. Fortinet FortiGuard Labs — Threat Actor: Handala. https://fortiguard.fortinet.com/threat-actor/6378/handala. Rating: C3
  14. JISS — Davidi: Influence Operations Disguised as Cyber Operations. https://jiss.org.il/en/davidi-influence-operations-disguised-as-cyber-operations/. Rating: C3
  15. Wikipedia — Handala Hack Team. https://en.wikipedia.org/wiki/Handala_Hack_Team. Rating: D4

Source: PDB Threat Actor Registry · Profile v1
