Advanced Persistent Threat Profiles
Authoritative threat actor profiles, TTPs, IOCs, and MITRE ATT&CK mappings from Red Piranha's Threat Intelligence team; built for defenders.

Handala APT: An Iranian State-Sponsored Threat Actor Profile
Handala has evolved from hacktivist website defacements to the most destructive confirmed Iranian cyber operation against a US corporation - and its global expansion is accelerating.
Designation: Handala / Void Manticore / Storm-0842 / BANISHED KITTEN
Attributed To: Iran MOIS
Active Since: December 2023
Priority Level: HIGH
Primary Motivation: Destruction · Espionage · Psychological Warfare
Latest Activity: Stryker Corp — Mar 2026
EXECUTIVE SUMMARY
Handala is an Iranian threat actor aligned to the Ministry of Intelligence and Security (MOIS) that has executed numerous attacks since December 2023, deploying custom wiper malware against Israeli and Western targets with escalating global impact. Tracked under multiple designations across the threat intelligence community (Void Manticore, Storm-0842, BANISHED KITTEN), Handala fuses destructive cyber operations with psychological warfare: stealing data, wiping systems, and weaponising public disclosure for maximum geopolitical effect.
The group emerged two months after the outbreak of the October 7, 2023 Hamas-Israel conflict. Its latest March 2026 wiper attack against US medical device giant Stryker Corporation, claiming 200,000+ systems destroyed across 79 countries, signals a dangerous expansion of targeting well beyond the Middle East. Organisations in the defence, healthcare, energy, and technology sectors face elevated risk, particularly those with Israeli business connections or US government contracts.
Handala’s evolution from website defacements to the Stryker Corporation attack in March 2026 (potentially the largest confirmed destructive operation by an Iranian-linked actor against a US company) represents a fundamental shift in targeting scope. The February 28, 2026 joint US-Israel strikes on Iran (Operation Epic Fury) have expanded Handala’s target set beyond Israel to include US corporations, particularly those with defence contracts, Israeli acquisitions, or Middle Eastern operations.
Red Piranha’s Threat Intelligence team assesses Handala as a HIGH-priority threat actor requiring immediate attention across all monitored environments. For broader context on Iranian and other state-sponsored threats, APT group activity, ransomware trends, and the EDR bypass techniques that inform Handala’s operational environment, security leaders should refer to the Red Piranha Annual Threat Intelligence Report 2026. This companion report provides the technical depth, IOCs, and MITRE ATT&CK mappings required for proactive threat hunting, detection engineering, and executive risk communication.
INTRODUCTION
Handala surfaced publicly in late 2023 as a pro-Palestinian hacktivist brand, primarily targeting Israel and entities perceived as supporting Israeli interests. Handala takes its name from the Palestinian cartoon character created by Naji al-Ali in 1969: a barefoot 10-year-old refugee boy drawn with his back turned to the viewer, symbolising Palestinian defiance. The group uses this symbol as its logo across all platforms and frames every operation as resistance against Israel.
HOW HANDALA OPERATES
The group’s first public activity appeared on 18–19 December 2023, with posts on X (Twitter) and a newly created Telegram channel. On 25 December 2023, Israel’s National Cyber Directorate issued an urgent warning about a phishing campaign by an unnamed Iranian group impersonating F5 Networks; the malicious payload was named “handala.exe.” The group itself stated it began operations after the killing of IRGC General Seyed Reza Mousavi in an Israeli strike in Syria in December 2023, positioning itself within Iran’s “Axis of Resistance” framework.
Within weeks, Handala posted approximately 140 messages across BreachForums, Ramp, and Exploit underground forums, establishing an aggressive public presence. By February 2025, the International Institute for Counter-Terrorism (ICT) documented at least 85 attacks attributed to the group. Handala maintains presence on Telegram (primary channel, repeatedly suspended and recreated), X/Twitter (repeatedly banned), a dark web leak site at handala-hack[.]to, and as of March 2026, a targeting site called “RedWanted” that lists individuals and organisations deemed supportive of Israel.
The broader Iranian state-sponsored cyber ecosystem, including the APT groups, their attack methodologies, and the defensive strategies organisations need to counter these threats, is covered in depth in the Red Piranha Annual Threat Intelligence Report 2026. Understanding this wider landscape is essential for contextualising Handala's role.
TACTICS, TECHNIQUES & PROCEDURES
Handala’s primary access vector is spear-phishing email of unusually high quality, often written in fluent Hebrew. Red Piranha’s analysis aligns with broader assessments that at least one member is a native or near-native Hebrew speaker. The group’s signature approach involves impersonating trusted cybersecurity vendors during moments of crisis.
The Kill Chain:
Phishing email → PDF with malicious link → NSIS installer → Delphi loader → AutoIT injector → wiper payload injected into RegAsm.exe.
The Delphi loader checks for installed security products before concatenating the split binary fragments. The AutoIT component performs architecture-aware shellcode injection, using RtlDecompressFragment() to decompress the wiper payload into a suspended RegAsm.exe process, a living-off-the-land technique.
Handala also employs Rhadamanthys, a commercial infostealer sold on cybercrime forums, paired with custom wipers. Web shells include the custom Karma Shell (disguised as an error page, using base64 + one-byte XOR with key=23) and the publicly available reGeorg tunnelling shell. A BYOVD technique uses the legitimate ListOpenedFileDrv_32.sys driver for kernel-level access.
INDICATORS OF COMPROMISE
The following indicators have been identified in association with infrastructure used by the Handala threat group. These domains have been observed hosting victim data leaks and propaganda related to the group’s operations. Security teams should treat any communication or traffic to these domains as suspicious and investigate immediately.
Clearnet Leak Portals:
- handala-hack.to
- handala.cx
- handala.to
IP Address:
- 67.195.228.56
Tor Hidden Service:
- vmjfieomxhnfjba57sd6jjws2ogvowjgxhhfglsikqvvrrnajbmpxqqd.onion
Telegram Channels & Bots:
- t.me/Handala_Backup
- Bot endpoints embedded in loader config
Alternative Channels:
- Tox ID: 02C75E6021I314F4A69C323A3CE334D75C72CD8C742F3ED168447405C541DF057294365D6C1E
- Twitter: twitter.com/Handala_Hack
- https://t.me/Handala_hack
- https://t.me/Handala_Channel
- BreachForums: breachforums.cx/User-Handala
Sample Hashes (SHA-256):
- 6f79c0e0e1aab63c3aba0b781e0e46c95b5798b2d4f7b6ecac474b5c40b840ad
- 96dec6e07229201a02f538310815c695cf6147c548ff1c6a0def2fe38f3dcbc8
- fe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2
MITRE ATT&CK MAPPING
Handala does not operate in isolation. It functions as the destructive arm of a layered MOIS operational structure. Red Piranha’s Threat Intelligence team has mapped Handala’s observed TTPs to the MITRE ATT&CK framework. Crystal Eye provides detection coverage across all mapped techniques.
| Tactic | ID | Technique | Handala Implementation |
|---|---|---|---|
| Initial Access | T1566.001 | Spearphishing Attachment | PDF attachments with malicious links (F5 lures) |
| Initial Access | T1566.002 | Spearphishing Link | Links to Storj/Vultr-hosted malware |
| Initial Access | T1190 | Exploit Public-Facing Application | CVE-2019-0604 (SharePoint) via handoff |
| Execution | T1059.001 | PowerShell | Payload extraction and wallpaper modification |
| Execution | T1059.003 | Windows Command Shell | Obfuscated batch scripts (Carroll.cmd) |
| Execution | T1059.010 | AutoIT | AutoIT injector into RegAsm.exe |
| Execution | T1204.002 | User Execution: Malicious File | Victims execute fake vendor updaters |
| Persistence | T1505.003 | Web Shell | Karma Shell, reGeorg, ASPX shells |
| Persistence | T1547.001 | Registry Run Keys | Registry AutoStart persistence |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | BYOVD; PrintNightmare (CVE-2021-34527) |
| Privilege Escalation | T1055.012 | Process Hollowing | Wiper injected into suspended RegAsm.exe |
| Defence Evasion | T1027 | Obfuscated Files | 5-layer Base64; AutoIT encoding |
| Defence Evasion | T1036.005 | Match Legitimate Name | F5UPDATER.exe naming convention |
| Defence Evasion | T1218.009 | Regasm/Regsvcs | Wiper loaded via RegAsm.exe proxy |
| Defence Evasion | T1497.003 | Time-Based Evasion | 90–180 s delays; 30-min Linux sleep |
| Defence Evasion | T1562.001 | Disable/Modify Tools | AV process detection and evasion |
| Credential Access | T1003 | OS Credential Dumping | Mimikatz; domain admin handoff |
| Discovery | T1082 | System Information Discovery | Hostname, username, domain, disk |
| Discovery | T1016 | Network Configuration Discovery | Public IP via icanhazip.com |
| Discovery | T1518.001 | Security Software Discovery | Tasklist scanning for AV products |
| Lateral Movement | T1021.001 | Remote Desktop Protocol | RDP with stolen credentials |
| Lateral Movement | T1021.002 | SMB/Admin Shares | Standard lateral movement pattern |
| Command & Control | T1102 | Web Service | Telegram Bot API as primary C2 |
| Command & Control | T1071.001 | Web Protocols | HTTPS to 31.192.237[.]207:2515 |
| Command & Control | T1105 | Ingress Tool Transfer | Payloads from Storj/Vultr |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage | AWS S3, Storj, Mega, Vultr |
| Impact | T1485 | Data Destruction | 4096-byte random block overwrite |
| Impact | T1561.001 | Disk Content Wipe | Systematic file content destruction |
| Impact | T1561.002 | Disk Structure Wipe | Partition table destruction; XFS reformat |
| Impact | T1529 | System Shutdown/Reboot | Forced reboot after wiping |
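As an added example (not Red Piranha's or Crystal Eye's code), the following Python maps constructed process-creation and outbound-connection events to the kill-chain techniques listed above (F5UPDATER.exe naming, AutoIT execution, RegAsm.exe proxy loading, icanhazip.com lookup, Telegram Bot API C2, the known C2 socket). The event field names, sample paths and the bot token are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry for this example (not real Handala artefacts);
# field names, paths, hostnames and the bot token are assumptions.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Users\dana\AppData\Local\Temp\au3.exe",
     "parent": r"C:\Users\dana\AppData\Local\Temp\F5UPDATER.exe", "args": "script.a3x"},
    {"host": "ws01", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Users\dana\AppData\Local\Temp\au3.exe", "args": ""},
    {"host": "ws01", "dst": "api.telegram.org", "port": 443,
     "url": "https://api.telegram.org/bot123456:EXAMPLE-TOKEN/sendDocument"},
    {"host": "ws01", "dst": "icanhazip.com", "port": 80, "url": "http://icanhazip.com/"},
    {"host": "ws02", "dst": "31.192.237.207", "port": 2515, "url": ""},
    {"host": "ws03", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "args": "/codebase MyLib.dll"},
]

# Legitimate RegAsm.exe parents are build tools and installers, not binaries
# dropped into user-writable locations.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Temp|ProgramData)\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def process_findings(ev):
    """Techniques matched by one process-creation event."""
    img, parent, args = basename(ev["image"]), basename(ev["parent"]), ev["args"].strip()
    found = []
    if "f5updater" in img or "f5updater" in parent:
        found.append(("T1036.005", "F5UPDATER.exe vendor-impersonation filename"))
    if img.startswith("autoit") or args.lower().endswith(".a3x"):
        found.append(("T1059.010", "AutoIT interpreter or compiled .a3x script executed"))
    if img == "regasm.exe" and (not args or USER_WRITABLE.search(ev["parent"])):
        found.append(("T1218.009", "RegAsm.exe with no assembly argument or a user-writable parent"))
    return found

def network_findings(ev):
    """Techniques matched by one outbound-connection event."""
    found = []
    if ev["dst"] == "api.telegram.org" and re.search(r"/bot[^/]+/", ev.get("url", "")):
        found.append(("T1102", "Telegram Bot API used as a C2 channel"))
    if ev["dst"] == "icanhazip.com":
        found.append(("T1016", "public IP lookup via icanhazip.com"))
    if (ev["dst"], ev["port"]) == ("31.192.237.207", 2515):
        found.append(("T1071.001", "connection to the known Handala C2 socket"))
    return found

def evaluate(events):
    """Return {host: [(technique_id, reason), ...]} for hosts with at least one hit."""
    hits = defaultdict(list)
    for ev in events:
        found = process_findings(ev) if "image" in ev else network_findings(ev)
        if found:
            hits[ev["host"]].extend(found)
    return dict(hits)
```

Several distinct techniques on one host within a short window (ws01 in the sample) is the correlation worth escalating; a lone RegAsm.exe launch from a developer tool (ws03) produces no finding.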
Between 14 and 20 June 2025, the politically motivated Handala group deployed a hybrid ransomware-and-wiper toolkit in targeted “digital solidarity” attacks against Israeli infrastructure. Their malware operates in two phases:
1. Wiper Phase: Immediately upon execution, the malware overwrites critical files with random data in small chunks, rendering them irrecoverable by conventional recovery tools. It also corrupts the MBR and partition tables on key hosts to maximise disruption.
2. Ransomware Phase: After the wiper routines are complete, any remaining files are encrypted with AES-256. Each victim is assigned a unique decryption key that Handala holds hostage. Victims see a desktop ransom note (READ_ME.txt) containing a unique victim ID, payment instructions (usually in cryptocurrency), and links to both clearnet and Tor sites where stolen data is or will be publicly leaked.
By combining destructive wiping with strong encryption, Handala ensures that even if victims restore from backups, any files not captured in a backup taken before the wipe are permanently lost. This dual approach amplifies operational downtime, pressures victims to pay, and fuels public embarrassment through data leaks.
THE STRYKER COMPROMISE (MARCH 2026)
Based on Red Piranha’s analysis of available incident reporting, Stryker’s SEC Form 8-K filing, and Handala’s established TTPs, the Stryker compromise most likely followed a multi-phase intrusion chain beginning with the MOIS’s proven Scarred Manticore handoff model.
Initial access was almost certainly achieved through spear-phishing targeting privileged IT or identity administrators. This is consistent with Handala’s documented pattern of impersonating trusted vendors with high-quality, contextually appropriate lures. Once inside, the attackers escalated to Microsoft Entra ID (Azure AD) Global Administrator privileges, as evidenced by three observable outcomes:
- The defacement of Stryker’s Entra login pages with the Handala logo across all global locations.
- The ability to issue mass device actions through Microsoft Intune (the enterprise Mobile Device Management platform).
- The simultaneous disruption of Stryker’s entire Microsoft environment as confirmed in the company’s SEC filing.
This represents a devastating weaponisation of the cloud management plane itself rather than deploying wiper malware endpoint-by-endpoint through traditional lateral movement.
Handala might have turned Stryker’s own MDM infrastructure into the delivery mechanism, issuing remote wipe commands to over 200,000 managed systems, servers, and mobile devices across 79 countries simultaneously. Employees in the United States, Ireland, Australia, India, and Costa Rica confirmed that corporate laptops and, critically, personal mobile phones enrolled with Intune work profiles were remotely wiped within minutes, destroying personal data alongside corporate assets and demonstrating the psychological warfare dimension that distinguishes Handala from financially motivated threat actors.
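An added example, not part of the original profile and not Microsoft or Red Piranha tooling: a burst detector over constructed MDM audit records that flags an administrator account issuing many wipe actions inside one short window, which is the trace a management-plane wipe of the kind described above would leave in the audit log. The record schema (time, actor, action, device, ownership) and all values are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed MDM audit records (not Intune's real audit-log schema; field names,
# actors and device IDs are assumptions of this example).
_BASE = datetime(2026, 3, 12, 2, 14, 5, tzinfo=timezone.utc)
SAMPLE_AUDIT = [
    {"time": (_BASE + timedelta(seconds=20 * i)).isoformat(), "actor": "admin-a@corp.example",
     "action": "Wipe", "device": f"LT-{i:05d}",
     "ownership": "personal" if i % 3 == 0 else "corporate"}
    for i in range(6)
] + [
    {"time": "2026-03-12T09:30:00Z", "actor": "helpdesk@corp.example",
     "action": "Wipe", "device": "LT-00981", "ownership": "corporate"},
    {"time": "2026-03-12T14:12:00Z", "actor": "helpdesk@corp.example",
     "action": "Retire", "device": "LT-00982", "ownership": "corporate"},
]

def parse_time(value):
    """Accept both '...Z' and '...+00:00' ISO-8601 timestamps as aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def wipe_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Return [(actor, window_start_iso, wipe_count, personal_devices)] for every
    actor issuing at least `threshold` wipe actions inside one sliding `window`.
    A helpdesk wipes devices one at a time; an account driving the management
    plane against a whole fleet does not."""
    per_actor = defaultdict(list)
    for rec in records:
        if rec["action"].lower() == "wipe":
            per_actor[rec["actor"]].append((parse_time(rec["time"]), rec))
    bursts = []
    for actor, items in per_actor.items():
        items.sort(key=lambda it: it[0])
        lo, best = 0, None
        for hi, (t, _) in enumerate(items):
            while t - items[lo][0] > window:   # slide the window's left edge forward
                lo += 1
            count = hi - lo + 1
            if count >= threshold and (best is None or count > best[1]):
                best = (lo, count)
        if best is not None:
            lo, count = best
            personal = sum(1 for _, r in items[lo:lo + count] if r["ownership"] == "personal")
            bursts.append((actor, items[lo][0].isoformat(), count, personal))
    return bursts

if __name__ == "__main__":
    for actor, start, count, personal in wipe_bursts(SAMPLE_AUDIT):
        print(f"ALERT {actor}: {count} wipes from {start} ({personal} personal devices)")
```

The personal-device count is reported separately because wipes reaching employee-owned phones are the signal that separates a destructive campaign from a bulk corporate decommissioning.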
HOW CRYSTAL EYE DETECTS AND DEFEATS THE HANDALA KILL CHAIN
Handala’s multi-stage kill chain, from spear-phishing and multi-stage wiper delivery to Telegram-based C2, lateral movement via stolen credentials, and irreversible data destruction, is purpose-built to overwhelm organisations that rely on fragmented, siloed security stacks.
Crystal Eye eliminates precisely these gaps by unifying Threat Detection, Investigation and Response (TDIR), Network Detection and Response (NDR), and a fully managed SOC in a single operational pane.
Crystal Eye’s instant, 10x increase in visibility across the entire network leverages network behavioural analytics to correlate east-west traffic patterns, process injection events, and Telegram Bot API communications that individually appear benign but collectively reveal an APT intrusion.
This catches Handala’s living-off-the-land techniques (RegAsm.exe abuse, AutoIT execution) that signature-based tools routinely miss.
Crystal Eye’s in-line deployment model avoids major infrastructure changes, eliminating engineering overheads so defenders achieve full coverage rapidly when Handala pivots to new sectors, as the March 2026 Stryker attack demonstrated.
The 24/7 SOC monitoring and detection capability ensures APT-grade wiper deployments and C2 callouts are detected regardless of the deliberate time delays (90–180 second Windows pauses, 30-minute Linux sleeps) Handala uses to evade business-hours SOC staffing.
The platform’s fully operationalised and contextualised automated threat intelligence translates intelligence into enforcement: file hashes, malicious domains, and Telegram-based command channels identified through bot tokens and YARA signatures are blocked and monitored with push-button efficiency across network sensors, endpoint agents, and firewall rules simultaneously. This enables automated, actionable intelligence to protect against, detect, and respond to all known Handala malware families (Hatef, Hamsa, BiBi, Cl Wiper, Rhadamanthys) and to track evolving threat actor infrastructure with greater efficiency and lower TCO.
Crystal Eye’s proactive threat hunting capability addresses the Scarred Manticore handoff risk, where pre-established access persists for 12+ months before destructive use, by enabling retrospective hunts across historical telemetry for dormant Karma Shell web shells, reGeorg tunnelling artefacts, and anomalous RDP sessions from known Handala infrastructure. This provides increased assurance that no silent presence is waiting to activate.
At the network layer, Crystal Eye analyses TLS session metadata, JA3 and JA3S fingerprints, and behavioural traffic patterns. This visibility exposes Handala activity such as Telegram-based command and control traffic, Storj payload staging, and AWS S3 data exfiltration that often bypasses traditional monitoring.
When a wiper begins executing, response time becomes critical. Crystal Eye accelerates investigation using an AI and machine learning driven human–machine teaming response model. This reduces false alerts while ensuring genuine Handala activity triggers immediate investigation.
If escalation is required, events can be pushed directly to Red Piranha’s managed SOC-as-a-Service. The SOC operates around the clock and monitors alerts in real time. Any activity matching Handala techniques is analysed by security experts who have direct access to Red Piranha’s threat intelligence on Iranian threat actor operations.
Crystal Eye’s True SOAR enables organisations to apply a Moving Target Defence strategy across their environment. Automated containment workflows isolate compromised systems, rotate credentials, and block malicious command and control infrastructure as soon as indicators are detected.
The platform also includes Integrated Vulnerability Management. Continuous scanning helps organisations identify and remediate the specific vulnerabilities frequently used for initial access. These include CVE-2019-0604 affecting Microsoft SharePoint and CVE-2021-34527 known as PrintNightmare. Addressing these weaknesses early prevents attackers from exploiting them during reconnaissance and initial intrusion stages.
Crystal Eye retains security data for more than eighteen months, supporting detailed forensic investigations and compliance audits. Integrated PCAP analysis provides packet level evidence of lateral movement and command and control communications. This allows analysts to reconstruct the full attack timeline and significantly reduce attacker dwell time.
Centralised dashboards combine metadata insights, event logging, and reporting into a single view. Multi cloud support ensures the platform protects on-premises systems, cloud workloads, and remote endpoints. Whether Handala targets SharePoint servers, cloud infrastructure, or distributed users, Crystal Eye delivers layered detection across network activity, endpoint behaviour, and identity signals.
Policy-as-Code enforcement and continuous auditing further strengthen resilience. Together, these capabilities allow organisations to detect, contain, and investigate Handala operations while maintaining compliance across regulated sectors such as healthcare, defence, energy, and financial services.
Does detecting malicious activity pose a significant challenge for your organisation?
Crystal Eye, best-in-class Threat Detection, Investigation and Response (TDIR), allows you to catch what the other products in its class missed by detecting all known malware and C2 callouts.
Improve your organisation's security posture and minimise risk to your organisation with our Network Detection and Response program alongside the Managed Detection and Response (MDR) service.