
Handala Hack Group Profile: From Hacktivist Branding to Cyber Warfare
EXECUTIVE SUMMARY
Handala Hack is an Iranian state-directed destructive cyber group operated by Void Manticore, a unit affiliated with Iran's Ministry of Intelligence and Security (MOIS). Despite presenting itself as a pro-Palestinian hacktivist collective, the group functions as a government-backed offensive cyber capability. Since emerging in December 2023, the group has conducted at least 131 documented attacks across Israel, the United States, the United Kingdom, and Gulf states, targeting sectors including technology, government, energy, healthcare, and financial services — with Israel accounting for over 84% of victims and the United States accounting for approximately 7%.
The group's operations have escalated sharply in 2026. On March 11, 2026, Handala executed its most destructive attack to date against Stryker Corporation — a Fortune 500 medical device company — wiping devices across 61+ countries and idling approximately 56,000 employees globally, without deploying a single piece of malware. The FBI seized four Handala domains on March 19, 2026, and announced a $10 million reward for information on the group's members. Within eight days, Handala retaliated by breaching the personal email of FBI Director Kash Patel and subsequently claimed a compromise of Lockheed Martin. Organizations with Israeli business ties, U.S. defense contracts, or cloud-managed device fleets face elevated and immediate risk.
GROUP OVERVIEW
Origins and Identity
Since first appearing in December 2023, Handala has conducted at least 131 documented or claimed attacks against Israeli, Western, and Gulf-state targets, with an accelerating operational tempo entering 2025 and 2026. The group's operations blend destructive wiper malware deployment, hack-and-leak campaigns, targeted doxxing, psychological operations, and — most recently — abuse of legitimate enterprise management tooling to achieve mass device destruction without deploying traditional malware.
The group's most significant operation to date occurred on March 11, 2026, when it executed a destructive wiper attack against Stryker Corporation, a Fortune 500 medical technology company with over 56,000 employees across 61+ countries. Rather than using malware, the attackers compromised administrator credentials and weaponized Microsoft Intune, Stryker's own mobile device management platform, to issue factory-reset commands to devices globally. Stryker confirmed the incident in a Form 8-K SEC filing, describing severe global disruption to its Microsoft environment. This attack is assessed by multiple security vendors as the first confirmed major destructive cyberattack against a U.S. Fortune 500 corporation by an Iran-linked threat actor.
On March 19, 2026, the FBI and U.S. Department of Justice seized four domains linked to Handala's infrastructure. On March 27, 2026 — just eight days after the domain seizures — Handala claimed to have breached the personal email account of FBI Director Kash Patel in retaliation, an act confirmed in part by the FBI, though the bureau stated the compromised material was historical in nature and contained no government information.
Handala Hack simultaneously created accounts on Telegram and X (formerly Twitter) on December 18, 2023, weeks after the Hamas-led attacks on Israel on October 7, 2023. Since then, Handala has attacked dozens of Israeli and American targets.
The name itself carries deliberate symbolism: it is drawn from the character Handala, a barefoot boy drawn by Palestinian cartoonist Naji al-Ali in 1969, which became a widely recognized symbol of Palestinian identity and resistance. The group appropriated this imagery wholesale across its branding. Its primary online presence is a Telegram channel with over 3,500 subscribers, established on December 18, 2023. It also maintains a Twitter account, a backup Telegram channel, and a Telegram data leak channel set up on April 2, 2024.
Early channel posts referenced Hamas directly, with the group describing itself as "a small fighter" in the Hamas movement before pivoting to broader anti-Israel messaging.
Attribution and State Affiliation
The attribution picture for Handala has hardened considerably since the group's emergence. Handala Hack is an online persona operated by Void Manticore (aka Red Sandstorm, Banished Kitten), a MOIS-affiliated threat actor, and appears to draw its name and imagery from the Palestinian cartoon character Handala.
Reporting across the sector converges on MOIS affiliation rather than IRGC, an important distinction that separates Handala from operations such as CyberAv3ngers.
The group operates multiple personas. The Handala persona has been used extensively since late 2023 and represents one of Void Manticore's three primary operational fronts. The other two are Karma, which Handala has likely replaced entirely, and Homeland Justice, a persona the group continues to use in operations targeting Albania.
Elements of the group's leadership have also surfaced publicly. Iranian researcher Nariman Gharib connected the operation to a cyber unit inside the MOIS counter-terrorism division led by Yahya Hosseini Panjaki, a deputy minister sanctioned by the U.S. Treasury in September 2024, later by the EU and the UK, and listed on the FBI terrorism watch list. Panjaki was reportedly killed in the opening phase of Israel's strikes on Iran in early March 2026.
Operational Structure: The Two-Actor Handoff Model
A critical structural element distinguishing Handala from typical hacktivist groups is its documented division of labor with another MOIS-linked cluster. Scarred Manticore (linked to activity associated with APT34/OilRig) typically establishes the initial foothold, frequently through vulnerabilities such as CVE-2019-0604 in Microsoft SharePoint, and conducts a period of intelligence collection. Access obtained during this phase — including web shells and Domain Admin credentials — is then transferred to Void Manticore and Handala Hack, which carry out the disruptive or destructive stage of the campaign.
The group operates using a documented two-actor handoff: Scarred Manticore (Storm-0861) provides initial access via long-dwell operations, then hands off to Void Manticore (Storm-0842 / Handala) for destructive wiper deployment. This pattern was observed in both the 2022 Albania attacks and the 2023-2024 Israel campaigns.
Handala outsources at least some of its operations, including hack attacks as well as physical surveillance. In October 2025, FalconFeeds.io reported that the group launched the crowdsourced platform handala-redwanted.to, which offered bounties to individuals delivering on cyberespionage targets. The portal details desired data for doxxing purposes, as well as wanted targets — seeking their personal information — with a maximum reward of $50,000 as of January for "tier one" or "high-value intelligence targets," including Israeli signals intelligence officers from Mossad.
STATISTICS, VICTIMS, AND TIMELINE
Scale and Targeting Profile
Researchers documented at least 85 claimed attacks between February 2024 and February 2025. As of mid-March 2026, Handala Hack Team has conducted at least 131 documented attacks since December 2023, with an accelerating pace in 2026.
By sector, technology is the most frequently targeted industry, followed by information technology, government and defense, critical infrastructure, energy, education, and financial.
The top five targeted sectors are Technology (41.38%), Government (17.24%), Energy (15.52%), Healthcare (13.79%), and Public Sector (12.07%).

By country, Israel leads significantly at 84.34% of confirmed or claimed victims, followed by the United States (7.23%), Iran (3.61%), the United Kingdom (2.41%), and the United Arab Emirates (2.41%).

Additionally, more than 100 companies have been confirmed or claimed as victims of the threat actor, spanning organizations in Israel, the United States, and beyond. Researchers have tracked the threat actor showing interest in industries where disruption can create a significant impact, including IT and ITES, government and law enforcement, energy and utilities, healthcare, and manufacturing.
Victim Selection Logic
Handala's targeting is geopolitically driven rather than financially motivated. Notably, even indirect connections, such as partnerships or acquisitions involving Israeli firms, have been enough to bring organizations within Handala's scope of interest. The Stryker attack exemplifies this: the company was targeted in part because of its 2019 acquisition of Israeli medical technology firm OrthoSpace and its $450 million in U.S. Department of Defense contracts.
Key Operations Timeline
December 2023 — Establishment
Handala first created accounts on Telegram and X on December 18, 2023, weeks after the Hamas-led October 7 attacks on Israel and the ensuing Gaza war. The group first proclaimed itself "a small fighter" of Hamas, before shifting towards broader anti-Israeli messaging. It was behind HamsaUpdate, a wiper malware campaign targeting Israeli citizens using both Microsoft Windows and Linux systems.
Early 2024 — Escalation of Operations
In February 2024, while Israel was preparing for the Rafah offensive, the group announced a defacement campaign targeting Israeli websites. In April, Handala claimed that it had hacked Iron Dome and radar systems and sent 500,000 text messages to Israelis.
June 2024 — Ransomware and SMS Attacks
On June 15, the group conducted a ransomware attack on kibbutz Ma'agan Michael, seizing 22 gigabytes of data and sending 5,000 false SMS warning messages. In the same month, it also sent SMS messages to residents in Ma'ale Yosef Regional Council, along with a malware app disguised as MyCity that gave Handala further access to devices that downloaded it.
July 2024 — CrowdStrike Outage Exploitation
On July 20, in the wake of the CrowdStrike-related IT outages, Handala distributed emails containing wiper malware masked as a PDF file containing instructions on how to fix the issue. This campaign exploited the global disruption as a social engineering lure to target Israeli organizations.
September 2024 — Nuclear Research Center Claim
Handala claimed a breach and extraction of approximately 197 GB of classified nuclear project data from Soreq Nuclear Research Center. Israel's National Cyber Directorate assessed this as primarily psychological warfare. The claim generated global headlines, but actual compromise remains unconfirmed.
November 2024 — Intelligence Leaks
On November 12, Handala leaked photos allegedly seized from the phones of senior Israeli officials, including Benny Gantz and Natan Sharansky. On November 24, the group claimed that it seized documents containing the names of hundreds of Mossad operatives in response to the killing of Hamas leader Yahya Sinwar. By November, the group leaked 110,000 emails from former Israeli prime minister Ehud Barak and 60,000 emails from former IDF chief of staff Gadi Eisenkot.
January 2026 — Kindergarten PA Systems
Handala compromised Maagar-Tec emergency alert systems at over 20 kindergartens. Air raid sirens were activated and threatening Arabic messages were broadcast. This was one of the most psychologically impactful operations the group has conducted.
February 28, 2026 — Operation Epic Fury and Escalation
Following U.S.–Israeli military strikes on Iranian targets (Operation Epic Fury), Handala immediately escalated its operations, pivoting to target American entities. Handala also reportedly targeted an Iranian-American and an Iranian-Canadian influencer with direct death threats via email, claiming to have leaked their home addresses to physical operatives in their respective home locations.
March 11, 2026 — Stryker Corporation Attack
On March 11, 2026, the Iran-linked hacktivist group Handala executed a destructive wiper attack against Stryker Corporation, wiping devices and servers across the $25 billion medical technology company's global enterprise and idling approximately 56,000 employees in 61+ countries. The FBI affidavit disclosed that the attack disrupted hospital systems in Maryland. Healthcare providers suspended connections to Stryker tools used to analyze patient records and vital signs.
March 13, 2026 — Quds Day Threat
Handala posted a new message on X on March 13, 2026, warning of another imminent cyber operation tied to Quds Day. The post stated that a 40TB data wipe was about to occur as part of a retaliatory campaign.
March 19, 2026 — FBI Domain Seizure
On March 19, 2026, the FBI and U.S. Department of Justice seized four Handala-linked domains. The contents of a website where Handala publicized its hacks, as well as another website that the group used to dox dozens of people over their alleged ties to the Israeli military and defense contractors, were replaced by a banner announcing the law enforcement action. Following the seizures, the FBI announced a $10 million reward for information leading to the identification of Handala Hack Team members.
March 27, 2026 — FBI Director Email Breach
Just days after the domain seizures, Handala claimed to have compromised the personal email account of FBI Director Kash Patel. The FBI spokesperson confirmed the personal email had been targeted, stating the data involved was "historical in nature and included no government information." The trove of apparently stolen emails, reviewed by Axios, only came from Patel's personal Gmail account, not his official FBI inbox. The leaked conversations date back to the early 2010s and don't include any details about current FBI operations.
March 28, 2026 — Lockheed Martin Claim
Handala claimed that U.S. aerospace and defense company Lockheed Martin had been compromised. Lockheed Martin did not confirm that its systems had been compromised, stating it remained confident in its multi-layered information systems.
TECHNICAL OVERVIEW
General Approach
Handala's operations combine destructive malware, social engineering, and pragmatic intrusion techniques. The group's philosophy centers on maximizing operational and psychological impact rather than financial gain or long-term espionage. Threat intelligence has real value, but the Stryker case shows its limits: an organization whose detections are built around malware signatures, file system manipulation, and anomalous process execution would be unprepared for an attack with zero malware artifacts, in which every action was a legitimate administrative command.
What sets Handala apart is its drive to destroy data from several angles at once, giving organizations almost no chance of meaningful recovery. The group achieves this by deploying multiple wipers simultaneously through Group Policy, ensuring rapid spread across the network.
Initial Access
Credential Compromise and VPN Brute Force
Handala has consistently targeted IT and service providers in an effort to obtain credentials, relying largely on compromised VPN accounts for initial access. In recent months, hundreds of logon and brute-force attempts against organizational VPN infrastructure, originating from Handala-associated infrastructure, were identified. This activity typically originates from commercial VPN nodes and is frequently tied to default hostnames in the format DESKTOP-XXXXXX or WIN-XXXXXX.
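The two signals described above (a burst of failed VPN logons from one source, and logons presenting default DESKTOP-/WIN- machine names) can be checked against authentication logs. The following is an added example, not code from the report or any vendor; the key=value log format, the sample lines, the TEST-NET addresses and the thresholds are all constructed assumptions.

```python
"""Flag VPN brute force and default-hostname logons from key=value auth logs.

Added example (not from the report). Assumptions: each line carries ts, src,
user, host and result fields; thresholds are illustrative, not vendor defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default Windows machine names of the form the report associates with this activity.
DEFAULT_HOSTNAME = re.compile(r"^(DESKTOP|WIN)-[A-Z0-9]{5,8}$", re.IGNORECASE)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: password spraying from one source, then a success,
# then two unrelated logons (one of them from a default-named host).
SAMPLE_LOG = """\
ts=2026-03-05T10:00:01Z src=203.0.113.10 user=a.levi host=DESKTOP-7KQ2M1 result=FAIL
ts=2026-03-05T10:00:04Z src=203.0.113.10 user=a.levi host=DESKTOP-7KQ2M1 result=FAIL
ts=2026-03-05T10:00:09Z src=203.0.113.10 user=b.cohen host=DESKTOP-7KQ2M1 result=FAIL
ts=2026-03-05T10:00:15Z src=203.0.113.10 user=c.mizrahi host=DESKTOP-7KQ2M1 result=FAIL
ts=2026-03-05T10:00:20Z src=203.0.113.10 user=d.peretz host=DESKTOP-7KQ2M1 result=FAIL
ts=2026-03-05T10:00:31Z src=203.0.113.10 user=d.peretz host=DESKTOP-7KQ2M1 result=SUCCESS
ts=2026-03-05T10:05:00Z src=198.51.100.7 user=e.katz host=EKATZ-LAPTOP result=SUCCESS
ts=2026-03-05T11:00:00Z src=198.51.100.8 user=f.dahan host=WIN-ABCDEF1 result=SUCCESS
"""


def parse_line(line):
    """Turn one key=value line into a dict with a parsed timestamp."""
    event = {k: v.strip('"') for k, v in KV.findall(line)}
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyze(log_text, max_fails=5, window=timedelta(minutes=5)):
    """Return a list of findings as tuples; the first element names the rule."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    recent_fails = defaultdict(list)   # src -> failure timestamps inside the window
    flagged_src, flagged_hosts = set(), set()
    for e in events:
        # Rule 1: any logon presenting a default DESKTOP-/WIN- hostname (once per src/host).
        if DEFAULT_HOSTNAME.match(e["host"]) and (e["src"], e["host"]) not in flagged_hosts:
            flagged_hosts.add((e["src"], e["host"]))
            findings.append(("default_hostname", e["src"], e["host"]))
        if e["result"] == "FAIL":
            q = recent_fails[e["src"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # expire failures outside the window
                q.pop(0)
            # Rule 2: too many failures from one source inside the window.
            if len(q) >= max_fails and e["src"] not in flagged_src:
                flagged_src.add(e["src"])
                findings.append(("brute_force", e["src"], len(q)))
        elif e["result"] == "SUCCESS" and e["src"] in flagged_src:
            # Rule 3: a success right after a burst suggests a guessed or stolen credential.
            findings.append(("success_after_brute_force", e["src"], e["user"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```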
Infrastructure Obfuscation
After the internet shutdown in Iran in January 2026, similar activity was observed originating from Starlink IP ranges, and it has continued since. This has occurred in parallel with a decline in the actor's operational security, as the group has also begun connecting directly to victims from Iranian IP addresses.
Phishing Campaigns
Handala Hacking Team primarily uses phishing, including SMS, as a means of gaining initial access. Within the phishing messages, the hacktivist group masquerades as legitimate organizations offering support or solutions to known issues. The Handala Hacking Team takes advantage of major events and newly disclosed critical vulnerabilities to opportunistically create phishing campaigns using advanced social engineering techniques. Cisco Talos assesses with moderate confidence that at least one member of the group is fluent in Hebrew, due to the well-crafted emails and text messages used.
Pre-Positioning
In a recent intrusion attributed to Handala, initial access is believed to have been established well before the destructive phase, with network access dating back several months. This earlier activity likely provided the group with persistent access and the Domain Administrator credentials required to carry out the attack.
Credential Theft and Reconnaissance
The adversary proceeded with credential extraction using multiple techniques. These included dumping the LSASS process using comsvcs.dll via rundll32.exe, as well as exporting sensitive registry hives from HKLM. In parallel, the attacker executed ADRecon (renamed dra.ps1), a PowerShell-based reconnaissance framework used to enumerate Active Directory environments.
Lateral Movement
Handala is known to operate primarily in a manual, hands-on manner, with lateral movement conducted largely through extensive use of RDP to move between systems within a compromised environment. To reach hosts that were not directly accessible from outside the network, the group was observed deploying NetBird, a platform designed to create secure, private zero-trust mesh networks. By installing NetBird on multiple machines within the environment, the attackers were able to establish internal connectivity between systems and operate more efficiently. During the incident, at least five distinct attacker-controlled machines were observed operating simultaneously within the environment.

Wiper Arsenal
Handala Wiper
The wiper was distributed across the network as a scheduled task using Group Policy logon scripts, which executed a batch file named handala.bat. The malware overwrites file contents across the system and additionally leverages MBR-based wiping techniques to corrupt or destroy files on the system, contributing to significant data loss. Notably, the executable itself was launched remotely from the Domain Controller and was not written to disk on the affected machines.
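The credential theft, NetBird lateral movement and GPO-delivered batch wiper described in the preceding sections each leave a distinctive process-creation trail. The rules below are an added example (not the report's or any vendor's detection content) that evaluates such rules over constructed process events; the event field names, host names and command lines are assumptions, and the LSASS dump command line is shown with placeholders.

```python
"""Process-creation rules for the Handala intrusion steps described above.

Added example, not from the report. Assumed: events are dicts with host, image,
cmdline and parent keys, as an EDR or Sysmon event ID 1 export might provide.
"""


def _low(event, key):
    return (event.get(key) or "").lower()


def rule_lsass_dump_comsvcs(e):
    # LSASS dumped through the MiniDump export of comsvcs.dll loaded by rundll32.
    cmd = _low(e, "cmdline")
    return _low(e, "image").endswith("rundll32.exe") and "comsvcs.dll" in cmd and "minidump" in cmd


def rule_adrecon(e):
    # ADRecon run through PowerShell, including the renamed copy dra.ps1 seen in the intrusion.
    cmd = _low(e, "cmdline")
    return _low(e, "image").endswith("powershell.exe") and ("adrecon" in cmd or "dra.ps1" in cmd)


def rule_gpo_batch_wiper(e):
    # A batch file delivered as a GPO logon script (from SYSVOL) or registered as a task.
    cmd = _low(e, "cmdline")
    from_sysvol = ".bat" in cmd and "\\sysvol\\" in cmd
    via_task = _low(e, "image").endswith("schtasks.exe") and "/create" in cmd and ".bat" in cmd
    return "handala.bat" in cmd or from_sysvol or via_task


def rule_netbird_mesh(e):
    # NetBird mesh agent appearing on a host where it is not part of the build.
    return _low(e, "image").endswith("netbird.exe") or "netbird" in _low(e, "cmdline")


RULES = {
    "lsass_dump_comsvcs": rule_lsass_dump_comsvcs,
    "adrecon": rule_adrecon,
    "gpo_batch_wiper": rule_gpo_batch_wiper,
    "netbird_mesh": rule_netbird_mesh,
}


def detect(events, netbird_allowed=()):
    """Return (rule, host) pairs; hosts in netbird_allowed may legitimately run NetBird."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if name == "netbird_mesh" and e.get("host") in netbird_allowed:
                continue
            if rule(e):
                hits.append((name, e["host"]))
    return hits


# Constructed sample events (placeholders in angle brackets, fictitious hosts).
SAMPLE_EVENTS = [
    {"host": "FS01", "parent": "cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass-pid> <out.dmp> full"},
    {"host": "WS-204", "parent": "explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\dra.ps1"},
    {"host": "WS-118", "parent": "gpscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c \\corp.example\SYSVOL\corp.example\scripts\handala.bat"},
    {"host": "WS-118", "parent": "cmd.exe", "image": r"C:\Program Files\NetBird\netbird.exe",
     "cmdline": "netbird.exe up"},
    {"host": "VPN-JUMP", "parent": "services.exe", "image": r"C:\Program Files\NetBird\netbird.exe",
     "cmdline": "netbird.exe up"},
    {"host": "WS-300", "parent": "explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},   # benign rundll32 use
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, netbird_allowed=("VPN-JUMP",)):
        print(hit)
```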
Handala PowerShell Wiper
As a final stage of the destructive operation, the attackers deployed an additional custom PowerShell-based wiper. The PowerShell wiper performs a straightforward but effective operation: it enumerates all files within user directories and deletes them, further compounding the damage caused by the initial wiping activity. Based on the code structure and the detailed comments, it is likely that this PowerShell script was developed with AI assistance.
Hatef (Windows .NET Wiper)
A data destruction tool targeting critical system directories. It systematically removes files and reports execution metrics, such as system identity and deletion status, to operators in real time.
Hamsa (Linux Wiper)
A Linux-focused wiper that masquerades as legitimate software updates. It incorporates delayed execution and system profiling to evade detection before initiating destructive actions. The malware can also transmit operational data back to attacker-controlled channels via Telegram.
VeraCrypt for Destruction
In addition to the custom wiping tools, attackers were observed attempting to leverage VeraCrypt, a legitimate and widely used disk encryption utility. By encrypting the system drives using a legitimate tool, the attackers added an additional layer to the destructive process. This technique not only increases the operational impact but can also complicate recovery efforts, as encrypted disks may remain inaccessible even if other wiping components fail or are only partially successful.
Manual Deletion
In some cases, Handala Hack operators manually delete virtual machines directly from the virtualization platform or files from compromised machines. This straightforward process involves logging in via RDP, selecting all files, and deleting them.
The Stryker Attack: A Doctrinal Shift
The March 2026 Stryker attack represents a significant evolution in the group's methodology. The most consequential innovation of the Stryker campaign was not what the attackers deployed — it was what they didn't deploy. This was a "wiper attack without malware." By compromising Microsoft Intune — Stryker's Mobile Device Management (MDM) platform — Handala achieved mass destruction likely without triggering a single EDR alert. Every command issued was, from the platform's perspective, a legitimate administrative action.
The attack chain involved Adversary-in-the-Middle (AitM) phishing to capture authenticated Microsoft Entra session tokens, bypassing MFA without notifying the victim. Using the hijacked session, attackers escalated to Global Administrator or Intune Service Administrator roles and then issued bulk factory-reset commands to Stryker's entire global device fleet simultaneously, at cloud speed. No malware was involved. Stryker's SEC 8-K filing described "severe global disruption" but found "no indication of ransomware or malware."
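Because every command in the Stryker chain was a legitimate administrative action, the detectable anomaly is the rate and origin of destructive MDM actions rather than any malware artifact. The following added example (not the report's code, and not an Intune API) runs a sliding-window burst check over a constructed MDM audit trail; the record fields, activity names, identities and thresholds are assumptions.

```python
"""Burst and new-origin detection for destructive MDM actions.

Added example, not from the report. Assumed: audit records are dicts with ts,
actor, activity, device and ip keys; activity names are placeholders, not
Intune's real audit event names.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DESTRUCTIVE = {"wipe", "retire", "factory_reset"}   # placeholder activity names


def build_sample(n_burst=60):
    """Constructed audit trail: two routine helpdesk wipes hours apart,
    then one admin wiping 60 devices in one minute from an unfamiliar address."""
    t0 = datetime(2026, 3, 11, 8, 0, 0)
    events = [
        {"ts": t0, "actor": "helpdesk@corp.example", "activity": "wipe",
         "device": "dev-0001", "ip": "198.51.100.20"},
        {"ts": t0 + timedelta(hours=2), "actor": "helpdesk@corp.example",
         "activity": "wipe", "device": "dev-0002", "ip": "198.51.100.20"},
    ]
    for i in range(n_burst):
        events.append({"ts": t0 + timedelta(hours=3, seconds=i),
                       "actor": "it-admin@corp.example", "activity": "wipe",
                       "device": f"dev-{1000 + i}", "ip": "203.0.113.55"})
    return events


def detect_mass_wipe(events, baseline_ips, max_actions=10, window=timedelta(minutes=5)):
    """Return alert dicts. baseline_ips maps each admin identity to the
    addresses it has previously administered from (a hijacked session token
    replayed from attacker infrastructure shows up as a new address)."""
    alerts, recent, raised = [], defaultdict(deque), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["activity"] not in DESTRUCTIVE:
            continue
        actor = e["actor"]
        # Rule 1: destructive action from an address never seen for this identity.
        if e["ip"] not in baseline_ips.get(actor, set()) and (actor, "new_ip") not in raised:
            raised.add((actor, "new_ip"))
            alerts.append({"rule": "destructive_action_from_new_ip", "actor": actor, "ip": e["ip"]})
        # Rule 2: too many destructive actions by one identity inside the window.
        q = recent[actor]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= max_actions and (actor, "burst") not in raised:
            raised.add((actor, "burst"))
            alerts.append({"rule": "mass_wipe_burst", "actor": actor,
                           "count": len(q), "window_start": q[0]})
    return alerts


if __name__ == "__main__":
    baseline = {"helpdesk@corp.example": {"198.51.100.20"},
                "it-admin@corp.example": {"198.51.100.21"}}
    for alert in detect_mass_wipe(build_sample(), baseline):
        print(alert)
```

A burst alert of this kind is a candidate trigger for pausing the admin session, which is the response the multi-admin approval control in the mitigations section is meant to enforce before the fact.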
TACTICS, TECHNIQUES, AND PROCEDURES (TTPs)
Tactic | Technique ID | Technique Name
Reconnaissance | T1589 | Gather Victim Identity Information
Reconnaissance | T1590 | Gather Victim Network Information
Initial Access | T1566.001 | Spearphishing Attachment
Initial Access | T1566.002 | Spearphishing Link
Initial Access | T1566.003 | Spearphishing via SMS
Initial Access | T1078.002 | Valid Accounts
Initial Access | T1133 | External Remote Services
Initial Access | T1199 | Trusted Relationship
Initial Access | T1190 | Exploit Public-Facing Application
Execution | T1059.001 | PowerShell
Execution | T1059.010 | AutoHotKey and AutoIT
Execution | T1047 | WMI
Execution | T1053.005 | Scheduled Task
Execution | T1204 | User Execution
Credential Access | T1110 | Brute Force
Credential Access | T1003.001 | LSASS Memory Dumping
Credential Access | T1003.002 | Security Account Manager
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1055.012 | Process Hollowing
Defense Evasion | T1218 | System Binary Proxy Execution
Defense Evasion | T1497.003 | Time-Based Evasion
Defense Evasion | T1090 | Proxy
Lateral Movement | T1021.001 | Remote Desktop Protocol
Lateral Movement | T1572 | Protocol Tunneling
Persistence | T1484.001 | Group Policy Modification
Persistence | T1037.003 | Network Logon Script
Persistence | T1505.003 | Web Shell
Discovery | T1087.002 | Account Discovery
Exfiltration | T1020 | Automated Exfiltration
Impact | T1561.002 | Disk Structure Wipe
Impact | T1485 | Data Destruction
Impact | T1486 | Data Encrypted for Impact
Impact | T1491 | Defacement
INDICATORS OF COMPROMISE (IOCs)
IP Addresses
- 82.25.35.25
- 31.57.35.223
- 107.189.19.52
- 146.185.219.235
Malware Hashes (SHA-256)
MITIGATIONS AND RECOMMENDATIONS
Identity and Access Management
- Enforce phishing-resistant MFA across all critical accounts, as Handala frequently leverages phishing and credential theft for initial access.
- Continuously monitor authentication anomalies (impossible travel, MFA fatigue, unusual login patterns) to detect early-stage compromise.
- Implement Conditional Access Policies to restrict access based on device posture, geolocation, and risk signals, reducing exposure to unauthorized sessions.
Endpoint Management Platform Hardening
- Enable multi-admin approval for sensitive actions to prevent abuse of centralized management tools for mass wiper deployment.
- Conduct regular audits of admin roles and privileged accounts to ensure least-privilege access and eliminate dormant or over-privileged users.
- Review and validate all enrolled devices and configurations, as attackers may weaponize device management platforms for large-scale destructive actions.
Network Defenses
- Implement geo-based controls to restrict or monitor traffic from high-risk regions, including Iran-linked infrastructure where appropriate.
- Block or tightly monitor VPN, proxy, and satellite traffic ranges, which can be used to obfuscate attacker origin.
- Harden remote access services such as RDP by enforcing MFA, IP allowlisting, and disabling unnecessary exposure to the internet.
Detection and Monitoring
- Deploy behavioral EDR/XDR solutions capable of detecting anomalous activity such as lateral movement, privilege escalation, and wiper execution.
- Monitor use of RMM (Remote Monitoring & Management) tools, which may be abused for persistence and remote control.
- Detect abnormal Group Policy (GPO) changes and mass task scheduling, commonly used for large-scale malware deployment.
- Alert on destructive PowerShell activity, including disk manipulation or MBR overwrite attempts associated with wiper malware.
- Monitor Telegram traffic and API connections, as Iranian actors (including Handala) have used Telegram for command-and-control communication.
Backup and Recovery
- Maintain offline, immutable backups to protect against destructive attacks targeting system recovery and data integrity.
- Regularly test and validate recovery procedures to ensure rapid restoration in case of wiper or ransomware-like incidents.
- Ensure backup systems are segmented and access-controlled, preventing attackers from deleting or encrypting backups during compromise.
Threat Intelligence Integration
- Continuously monitor Handala-associated channels (Telegram, dark web, leak sites) for early indicators of targeting or data exposure.
- Track sector-specific and geopolitical targeting patterns, as the group prioritizes high-impact and politically aligned victims.
- Monitor doxxing and leak platforms for exposed credentials, internal data, or reputational threats linked to hack-and-leak campaigns.
Organizational Posture
- Conduct tabletop exercises and incident response simulations focused on destructive attack scenarios (e.g., wiper outbreaks).
- Restrict and continuously assess third-party/vendor access, as supply chain relationships may be leveraged for indirect targeting.
- Treat Handala as an influence-enabled threat actor, combining cyberattacks with psychological operations and public data leaks to amplify impact.