Handala Hack, identified by Check Point Research as Void Manticore, is an Iranian cyber threat group known for conducting destructive cyber operations. Their attacks often combine data-wiping malware with “hack-and-leak” campaigns, where stolen information is publicly released to increase the psychological and political impact of the intrusion.
The group manages several online identities used to conduct and publicize operations. Among these personas, Homeland Justice has been active since mid-2022 and has carried out numerous attacks against government institutions, telecommunications providers, and other organizations in Albania. Another prominent persona, Handala Hack, has been responsible for multiple cyber intrusions in Israel and has recently expanded its targets to organizations in the United States, including medical technology company Stryker.
Between 2024 and 2026, the tactics, techniques, and procedures (TTPs) used by Void Manticore have remained largely consistent. The attackers primarily rely on manual “hands-on-keyboard” operations, using readily available wiping tools along with publicly accessible utilities for deleting or encrypting data. Previous research from early 2025 still accurately reflects the group’s methods. Over time, the attackers have combined custom malware, publicly available tools, and underground criminal services to gain initial access and deploy malicious payloads.
As their operations broadened—especially with recent incidents targeting U.S. organizations—security researchers have released new observations on the group’s activity, focusing on updated techniques and newly discovered indicators of compromise (IOCs). Because the attackers rely heavily on manual operations, many of their indicators are short-lived and typically involve commercial VPN services, open-source software, and common penetration-testing tools.

Background
The Handala Hack persona is believed to be operated by Void Manticore (also tracked as Red Sandstorm or Banished Kitten), a threat actor associated with Iran’s Ministry of Intelligence and Security (MOIS). The name and imagery appear to reference Handala, a well-known Palestinian cartoon character symbolizing resistance.
This online identity has been used extensively since late 2023 and represents one of the group’s main operational fronts. The group’s other two personas are:
- Karma, which appears to have been phased out and replaced by Handala.
- Homeland Justice, still actively used in operations targeting Albania.
Analysis of incidents linked to these personas shows very similar attack techniques and shared code within their wiping malware, suggesting they are operated by the same organization.
Another common pattern is the cooperation between Void Manticore and a separate Iranian threat actor known as Scarred Manticore, particularly in campaigns involving the Karma and Homeland Justice personas.
In some cases, the attackers even used multiple identities during a single incident. For example, messages inside malware or ransom notes might attribute the attack to Karma, while the stolen data is eventually leaked through the Handala Hack persona.
One possible explanation is that Karma and Handala initially represented separate operational teams within the same organization, which later merged under the Handala identity. This theory aligns with Karma’s disappearance and Handala becoming the dominant public-facing persona.
Public reporting suggests that Void Manticore activity overlaps with operations connected to the MOIS Internal Security Deputy, particularly its Counter-Terrorism Division, reportedly overseen by Seyed Yahya Hosseini Panjaki. Panjaki was reportedly killed during the early phase of Israeli strikes on Iran in March 2026.
Initial Access
Supply Chain Targeting
A common strategy used by Handala involves targeting IT providers and service companies in order to obtain access credentials. The group frequently gains entry using compromised VPN accounts.
Researchers have observed hundreds of login attempts and brute-force attacks against VPN infrastructure linked to Handala-associated servers. These attempts typically originate from commercial VPN services and are often associated with Windows hostnames using default formats such as:
- DESKTOP-XXXXXX
- WIN-XXXXXX
Following Iran’s internet shutdown in January, similar activity began appearing from Starlink IP address ranges, and this pattern has continued. At the same time, the group’s operational security appeared to decline. In some cases, attackers connected directly from Iranian IP addresses, exposing their likely origin.
Earlier operations showed stronger operational discipline. For example, the group frequently routed traffic through commercial VPN infrastructure in the 169.150.227.X range when targeting Israeli organizations. Occasionally, VPN failures revealed communications from Iranian IP addresses or virtual private servers.
Since the outbreak of the conflict, however, the group has struggled to maintain this level of anonymity. In several instances, they attempted to route traffic through an Israeli VPN node (146.185.219.235), although this differed from their previously used infrastructure.
Activity Before the Attack
In one recently analyzed intrusion, the attackers appear to have obtained access months before the destructive phase began. This early access likely allowed them to establish persistence and eventually acquire Domain Administrator credentials needed for the final attack.
In the hours leading up to the destructive activity, the attackers appeared to validate their access and test compromised credentials.
During this stage, they performed several actions including:
- Disabling Windows Defender protections
- Conducting system reconnaissance
- Attempting credential theft operations
The attacker also tried to download an additional payload from a command-and-control server located at:
107.189.19[.]52
Multiple credential-extraction techniques were used. These included dumping the LSASS process using the comsvcs.dll library through rundll32.exe, as well as exporting sensitive Windows registry data such as the HKLM hive.
In parallel, the attackers executed ADRecon, a PowerShell tool used to enumerate Active Directory environments. This process likely helped them obtain the Domain Admin credentials later used in the destructive stage of the attack.
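As an added example (not from the original report or from Check Point), the following Python triage runs over constructed Sysmon-style process-creation records and flags the three credential-gathering behaviours described above, escalating any host on which more than one of them fires within a few hours. The reg.exe save form of the HKLM export and the six-hour window are assumptions; attacker command lines in the sample data are deliberately elided.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rules cover only behaviour the report names: LSASS dumping via comsvcs.dll loaded
# by rundll32.exe, ADRecon run through PowerShell, and an HKLM hive export (assumed
# here to have used reg.exe save). Each rule is (image regex, command-line regex).
RULES = {
    "lsass_dump_comsvcs":     (r"\\rundll32\.exe$",   r"comsvcs\.dll"),
    "ad_enumeration_adrecon": (r"\\powershell\.exe$", r"adrecon"),
    "hklm_hive_export":       (r"\\reg\.exe$",        r"\bsave\s+hklm\\"),
}

# Constructed Sysmon-style process-creation (Event ID 1) records, not real telemetry;
# attacker command lines are elided down to the parts a detection keys on.
SYS32 = r"C:\Windows\System32"
EVENTS = [
    {"ts": "2026-03-10T02:14:07", "host": "FS01", "image": SYS32 + r"\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll <args elided>"},
    {"ts": "2026-03-10T02:21:40", "host": "FS01", "image": SYS32 + r"\reg.exe",
     "cmd": r"reg.exe save HKLM\<hive elided> C:\Users\Public\out.hiv"},
    {"ts": "2026-03-10T03:05:12", "host": "WS07", "image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Users\Public\ADRecon.ps1"},
    {"ts": "2026-03-10T09:30:00", "host": "WS07", "image": SYS32 + r"\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},                        # benign
    {"ts": "2026-03-10T09:31:10", "host": "FS01", "image": SYS32 + r"\reg.exe",
     "cmd": r"reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion"},   # benign
]

def match_rules(event):
    """Names of all rules whose image and command-line patterns both match (case-insensitive)."""
    image, cmd = event["image"].lower(), event["cmd"].lower()
    return [name for name, (img_re, cmd_re) in RULES.items()
            if re.search(img_re, image) and re.search(cmd_re, cmd)]

def triage(events, window=timedelta(hours=6)):
    """Group hits per host. Two or more distinct rules firing on one host inside
    `window` matches the access-validation stage the report describes, so escalate."""
    per_host = defaultdict(list)
    for ev in events:
        for rule in match_rules(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), rule))
    verdicts = {}
    for host, hits in per_host.items():
        hits.sort()
        escalate = any(len({r for t, r in hits if t0 <= t <= t0 + window}) >= 2
                       for t0, _ in hits)
        verdicts[host] = {"rules": sorted({r for _, r in hits}), "escalate": escalate}
    return verdicts

if __name__ == "__main__":
    for host, verdict in triage(EVENTS).items():
        print(host, verdict)
```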
Lateral Movement
Handala operators generally perform most actions manually, moving through compromised networks primarily using Remote Desktop Protocol (RDP).
To access systems that were not directly reachable from outside the network, the attackers deployed NetBird, a platform designed to create secure, private mesh networks using a zero-trust model.
The installation process was straightforward. After logging into compromised machines via RDP, the attackers used the system’s browser to download NetBird directly from its official website.
By installing NetBird across several machines, they created an internal communication channel that allowed them to move laterally across the network more efficiently. This also enabled the attackers to coordinate destructive operations from multiple internal footholds.
During the incident, investigators observed at least five attacker-controlled machines operating simultaneously within the compromised environment.
Destructive Wiping Operations
During the final stage of the attack, the threat actors deployed four different wiping methods simultaneously in order to maximize damage.
To distribute these tools across the network, they used Group Policy, ensuring the destructive payloads were automatically executed on multiple systems.
Handala Wiper
The first stage involved deploying custom wiper malware known as Handala Wiper, whose executable is sometimes named handala.exe.
The malware was distributed using Group Policy logon scripts, which executed a batch file called handala.bat. This script launched two destructive components:
- the main executable wiper
- a supporting PowerShell script
Interestingly, the executable was launched remotely from the Domain Controller, meaning it did not need to be written to disk on the target machines.
The malware overwrites files across the system and also performs Master Boot Record (MBR) wiping, corrupting disk structures and causing extensive data loss.
PowerShell Wiper
The attackers also deployed a PowerShell-based wiping script during the final phase.
Like the main wiper, this script was distributed through Group Policy logon scripts, allowing it to execute automatically across multiple systems.
The script performs a simple but destructive action: it iterates through the C:\Users directory and deletes all files and folders. Based on its structure and comments, researchers believe the script may have been partially generated using AI assistance.
As a final step, the script copies a propaganda image called handala.gif across all logical drives to leave a visible marker of the attack.
Disk Encryption for Destruction
In addition to wiping tools, the attackers attempted to use VeraCrypt, a legitimate disk encryption program.
The attackers downloaded the software directly from its official website after connecting through RDP, then encrypted entire disks, adding another layer of destruction.
Even if wiping operations fail or are incomplete, encrypted disks can remain inaccessible, making recovery far more difficult.
Manual Destruction
Beyond automated malware, Handala operators sometimes perform manual destructive actions.
Examples include:
- Deleting virtual machines directly from virtualization platforms
- Manually removing files from compromised systems
These actions typically involve logging in via RDP, selecting all files, and deleting them. Evidence of this behavior has been observed in incident investigations and even appears in videos and leaked materials released by the attackers themselves.
Summary
This report outlines the activities of Handala Hack, a persona linked to the Iranian threat actor Void Manticore, which has connections to the MOIS intelligence service.
The group operates multiple public identities and has carried out campaigns targeting organizations in Israel, Albania, and the United States.
Despite the sophistication of some operations, Handala’s techniques are often relatively straightforward. The attackers rely heavily on:
- stolen credentials for initial access
- RDP for lateral movement
- tunneling tools such as NetBird
- custom and public wiping utilities
- manual destructive actions
Because their tactics have remained largely unchanged, strengthening defenses against these known techniques can significantly reduce the risk posed by this threat actor.
Defensive Recommendations
Organizations can reduce exposure to attacks like these by implementing several security measures:
1. Enforce Multi-Factor Authentication (MFA)
Especially for remote access systems and privileged accounts.
2. Monitor authentication activity
Watch for suspicious behavior such as:
- logins from unusual countries
- first-time access outside normal working hours
- multiple failed logins followed by success
- new device registrations
- unusually large data transfers through VPN sessions
- authentication from unfamiliar hosting providers
3. Restrict high-risk geographic access
If possible:
- block inbound connections from Iran
- restrict access from Starlink IP ranges, which have been abused in Iranian cyber operations
If blocking is not possible, implement conditional access policies and enhanced monitoring.
4. Limit remote access
Organizations may temporarily restrict VPN access to business-related countries only, with exceptions approved when necessary.
5. Harden RDP
- Disable RDP where it is not required
- Monitor connections from devices with default hostnames such as DESKTOP-XXXXXX or WIN-XXXXXX, particularly outside working hours.
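An added example (not part of the report) that applies recommendations 2 and 5 to constructed Windows Security logon events: it flags successful logons from default-format hostnames like the DESKTOP-XXXXXX and WIN-XXXXXX names noted under Initial Access, logons outside working hours, and successes preceded by a burst of failures. The 08:00-18:59 baseline and the five-failures-in-ten-minutes threshold are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Default Windows hostname formats the report ties to the actor's login attempts
# (DESKTOP-XXXXXX, WIN-XXXXXX); the suffix length is left open since Windows varies it.
DEFAULT_HOST = re.compile(r"^(?:DESKTOP|WIN)-[A-Z0-9]{6,}$", re.I)
WORK_HOURS = range(8, 19)                       # 08:00-18:59 local; an assumed baseline
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)

# Constructed Windows Security events: 4625 = failed logon, 4624 = successful logon.
EVENTS = [
    *[{"ts": f"2026-03-09T03:0{i}:00", "id": 4625, "user": "svc_backup",
       "ws": "DESKTOP-Q7K2P1X", "ip": "203.0.113.15"} for i in range(5)],
    {"ts": "2026-03-09T03:06:30", "id": 4624, "user": "svc_backup",
     "ws": "DESKTOP-Q7K2P1X", "ip": "203.0.113.15"},
    {"ts": "2026-03-09T10:15:00", "id": 4624, "user": "alice", "ws": "HR-LAPTOP-12", "ip": "10.20.0.44"},
    {"ts": "2026-03-09T22:40:00", "id": 4624, "user": "bob", "ws": "WIN-A1B2C3D", "ip": "198.51.100.7"},
]

def analyze(events):
    """Return (timestamp, user, reasons) for each successful logon worth review: a
    default-format workstation name, a time outside working hours, or at least
    FAIL_THRESHOLD failures for the same account within FAIL_WINDOW beforehand."""
    recent_failures = defaultdict(deque)        # user -> timestamps of recent 4625s
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        fails = recent_failures[ev["user"]]
        while fails and ts - fails[0] > FAIL_WINDOW:  # drop failures outside the window
            fails.popleft()
        if ev["id"] == 4625:
            fails.append(ts)
            continue
        reasons = []
        if DEFAULT_HOST.match(ev["ws"]):
            reasons.append("default-format hostname")
        if ts.hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if len(fails) >= FAIL_THRESHOLD:
            reasons.append(f"{len(fails)} failed logons in prior {FAIL_WINDOW}")
        fails.clear()                               # a success resets the failure streak
        if reasons:
            alerts.append((ev["ts"], ev["user"], reasons))
    return alerts

if __name__ == "__main__":
    for ts, user, reasons in analyze(EVENTS):
        print(ts, user, "; ".join(reasons))
```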
6. Monitor potentially risky software
Track the use of tools such as:
- remote monitoring software
- VPN applications like NetBird
- tunneling utilities such as SSH for Windows
