Handala Threat Brief

Executive Summary

Handala (also Handala Hack Team) is a relatively new Iran-linked hacktivist persona that first emerged in late 2023. Purporting to fight for a “Free Palestine” digital agenda, Handala has claimed dozens of cyberattacks — most targeting Israeli and Western organizations — while employing destructive wiper malware and hack-and-leak tactics. Threat intelligence firms and U.S. agencies assess Handala to be a front for Iran’s Ministry of Intelligence and Security (MOIS) rather than an independent grassroots group[1][2]. This report collates open-source intelligence to profile Handala’s aliases, timeline, victims, motives, tools, infrastructure, tactics (MITRE ATT&CK-mapped), and indicators (IoCs), with source citations. Key confirmed/suspected incidents include the March 2026 Stryker Corp. attack and the March 27, 2026 breach of FBI Director Kash Patel’s personal email[3][4]. Handala favors deceptive phishing lures, supply-chain and credential attacks (notably abusing Microsoft Intune) to deploy custom wiper payloads and exfiltration implants (often using Telegram bots for C2)[5][6]. Major security vendors (Unit42, Check Point, Palo Alto, Trellix, etc.) provide technical analyses of Handala’s TTPs, which include spearphishing (T1566), credential compromise (T1078), process injection (T1055), and data destruction (T1486/T1561) mapped to MITRE ATT&CK. The threat’s infrastructure (domains, IPs, hosting, registrants) and many IOCs (file hashes, C2 URLs, IPs) have been documented by researchers and law enforcement (e.g. FBI domain seizures)[7][8].

This report presents Handala’s timeline of activity (2010s–Mar 2026) and a comparison of major reports in tabular form. We detail known aliases and related actors, victimology (industries and geographies), motivations, and linking evidence to Iranian state agencies. Our TTPs section enumerates Handala’s techniques with MITRE IDs. We describe malware and tools (e.g. wipers Hamsa, Coolwipe, Chillwipe, Bibiwiper, HandalaWiper[5][9]; infostealers and loaders; use of AutoIT, NSIS, PowerShell, etc.) and outline a sample attack chain (the CrowdStrike-themed wiper campaign) with a mermaid diagram. The infrastructure section lists observed domains, IP ranges (notably Starlink/VPN), and hosting details. We compile an IOC table of relevant hashes, domains, and other artifacts[8]. Finally, we offer defense recommendations (e.g. phishing-resistant MFA, Intune hardening[10], network monitoring) and indicate confidence levels: attribution to Iran is assessed high-confidence (multiple consistent vendor analyses[1][2]), whereas some claimed hack impacts remain unverified/exaggerated (e.g. extent of leaked emails[11]). Missing details (e.g. identities of individual operators) are noted as unspecified due to lack of public information.

Known Aliases and Related Actors

Handala is often referred to as the “Handala Hack Team” (or simply Handala Hack) in its own communications and media reports[12][13]. It has been tracked by analysts as part of a larger cluster sometimes called Void Manticore (also “Storm-1084”/“0842”)[2][14]. Vendor reports and researchers list numerous alternate identifiers for this cluster: Homeland Justice (activity in 2022), Red Sandstorm, Cobalt Mystique, Storm-0842/1084, BANISHED KITTEN, Dune, and others[15][16]. For example, Microsoft attributed 2022 wiper attacks on Albanian agencies to “Homeland Justice,” later linked to Void Manticore[15]. Public sources sometimes personify Handala’s operators with names; BleepingComputer notes “Hatef” and “Hamsa” as alternative aliases[13], though these may also refer to malware names or slogans. In intelligence mapping, Check Point (March 2026) explicitly connects Handala to MOIS under its Void Manticore umbrella[17]. Notably, the FBI identifies Handala’s leadership as Iran-aligned and has tied it to previous MOIS malware campaigns[18][14].

Handala is part of a larger ecosystem of Iranian-linked hacktivist fronts. Check Point describes Handala as one of several pro-Iranian hacktivist personas (others include APT Iran, Cyber Islamic Resistance, Dark Storm Team, etc.) that emerged in early 2026 to attack Israel and the West[19]. SOCRadar emphasizes that Handala’s branding is explicitly pro-Palestinian (named after the Palestinian cartoon figure Handala), but analysts stress it is a state-directed persona (MOIS-linked) rather than a grassroots movement[14].

Timeline of Activity

Handala’s public activity is concentrated in the period 2023–2026, though it builds on prior Iranian-state campaigns (see timeline table below). Its first public appearances were on Dec 18, 2023, when a “Handala_hack” social media account launched Telegram and X posts[20]. This followed the Oct 7, 2023 Hamas attacks, after which Handala aligned with pro-Palestinian rhetoric[21]. Through 2024 and 2025 the group claimed multiple Israeli targets (government, corporate, healthcare), often posting purported data dumps or defacements. Notably, on July 26, 2024 the group used a CrowdStrike-themed spearphish and wiper to target Israeli organizations (technical details in the case study below)[22]. In June 2025, Check Point reported Handala among Iranian hackers scanning internet-connected cameras for surveillance[23]. In mid-2025 Handala also professed to hack Iranian dissidents abroad (e.g. leaked Iranian-Canadian activists’ info) as part of broader MOIS targeting[24][25].

With the March 2026 Israel–Iran war escalation, Handala intensified disruptive attacks. On Mar 11, 2026 it publicly took credit for a destructive breach of Stryker Corp (US medical devices), claiming to have wiped ~12 PB of data across 200K systems[3][26]. Shortly after, U.S. authorities seized Handala’s leak sites. Then on Mar 27, 2026 Handala claimed to have breached FBI Director Kash Patel’s personal email[27][28]. (A DOJ official confirmed Patel’s Gmail was compromised, though the extent of the breach remains unverified[27][28].) These high-profile incidents mark Handala as a leading actor in Iran’s cyber “retaliation” campaign.

The timeline table below summarizes key events:

| Date | Event / Claim | Victims / Notes | Source(s) |
|---|---|---|---|
| 2022 (July) | “Homeland Justice” (MOIS persona) used wipers on Albania | Albanian government agencies (data-wiping malware) | Microsoft/MSRCT (2023) |
| 2023-12-18 | Handala emerges on social media | Launch of Handala Telegram/X channels[20] | Trellix blog[20] |
| 2024-07-26 | CrowdStrike-themed wiper phishing attack | Israeli corporate targets[22] (trojanized NSIS) | Trellix[22] |
| 2025-07 | Dissident hack-and-leak claims | Iranian dissidents in US/Canada[25] | FBI Flash (Mar 2026)[25] |
| 2026-03-11 | Handala claims Stryker (medical) data-wiping attack | Stryker Corp. (US) – ~200K devices wiped[3][26] | Reuters[3]; CyberDaily[26] |
| 2026-03-19 | FBI seizes Handala domains | handala-redwanted.to, handala-hack.to (FBI seizure notice)[29] | BleepingComputer[29] |
| 2026-03-24 | Stryker reports malicious file found | Stryker (US) confirms Intune abuse; FBI links Handala to MOIS[4] | SecurityWeek[4] |
| 2026-03-27 | Handala claims breach of FBI Dir Kash Patel’s email | FBI Director (US) – Patel’s Gmail (emails dating 2010–2019)[27][28] | Reuters[27]; Axios[28] |

```mermaid
timeline
    title Handala Activity Timeline
    2022-07-01 : MOIS “Homeland Justice” wiper attack in Albania (data destruction)
    2023-12-18 : Handala Hack Team appears on X/Telegram[20]
    2024-07-26 : CrowdStrike-themed wiper phishing to Israeli targets[22]
    2025-07-01 : Handala claims hack of Iranian dissidents abroad (MOIS-linked)[25]
    2026-03-11 : Stryker Corp data-wiping incident (Handala claims 12PB wiped)[3]
    2026-03-27 : FBI Dir Kash Patel email breach (Handala claims)[27]
```

Victims and Victimology

Handala’s claimed and suspected victims span Israeli government, military, healthcare and private sectors; Gulf nations allied with Israel; and U.S. entities. Confirmed targets include:
  • Israeli organizations: multiple Israeli civilian agencies (healthcare, infrastructure, finance) have been cited. For example, Handala claimed (via Telegram/X) breaches of an Israeli energy company and healthcare systems, possibly aiming to pressure Israel’s home front[19]. In addition, Handala posted purported phone/email data of Israeli officials (e.g. aides to Netanyahu and Bennett)[30].
  • International companies: In March 2026 Handala took credit for a cyberattack on Stryker Corp (US medical devices)[3][4], citing alleged “Zionist” ties (ownership of Orthospace, a military contract)[31]. Stryker’s systems were significantly disrupted, leading to an FBI domain seizure[29].
  • U.S. government/law enforcement: The Mar 27, 2026 incident involved a hack of FBI Director Kash Patel’s Gmail[27]. A DOJ official confirmed Patel’s account was breached, though the published excerpts are unverified[27][28]. This attack, if validated, would be an unprecedented breach of a senior U.S. law enforcement official’s personal communications.
  • Diaspora/influencers: Unit42 reports include Handala issuing death threats (via email/Telegram) to Iranian-Americans (influencers critical of Iran), even leaking addresses to “physical operatives”[24]. These appear aimed at silencing dissidents.
  • Regional infrastructure: Handala (with allied hacktivist fronts) claimed breaches of Jordan’s fuel systems and payment networks, and Gulf/Dubai infrastructure[19][32], likely to create regional pressure on Israel’s allies.

Victimology (sector/geography): Predominantly Israeli targets (government, military-adjacent, healthcare, tech firms)[5][13]. Secondary targets include U.S. strategic assets (e.g. Stryker, FBI) and Middle Eastern countries supporting Israel (Jordan, UAE). Victim sectors broadly cover healthcare/medical, energy/critical infrastructure, government/defense, and telecommunications. For example, Check Point lists Handala compromising Israeli IT service providers (supply-chain) and exfiltrating client data[33].

Confidence in victim claims varies. Many Handala statements are uncorroborated; Western analysts caution these groups exaggerate success[11][26]. For instance, while Handala released photos of Kash Patel, independent authentication is lacking[27][28]. By contrast, the Stryker incident has been confirmed (FBI involvement, media reporting)[3][4]. Where available, we rely on sources’ confirmations (e.g. DOJ official for Patel)[27]. Unknown victim details (e.g. exact data stolen) are noted as unspecified.

Motivations and Objectives

Handala’s declared motivation is retaliatory “retribution” for Israeli or U.S. actions against Iran and its proxies. Its propaganda is framed as avenging attacks on Iran (e.g. airstrikes on Iranian soil, Israeli actions in Gaza)[34]. The group’s statements often reference events like Israeli strikes on civilian sites, promising “only the beginning of a new era of cyber warfare”[35]. Experts view Handala as a tool for Iran to project power and sow chaos against adversaries (Israel, the West) while maintaining deniability. For example, Palo Alto and Check Point analysts call it a “cyber-retaliatory arm” combining hacktivist branding with destructive state-level tactics[1][2].

Strategically, Handala’s actions appear aimed at psychological impact and disruption rather than espionage. Threat researchers note its “noisy, chaotic playbook” is designed to maximize visibility and fear[36]. Activities such as website defacements, public data dumps (hack-and-leak), and shock-value wipers (named after Israeli leaders, e.g. “Bibiwiper”) suggest a focus on narrative and intimidation[5][9]. Check Point observes Handala executing opportunistic breaches of “low-hanging fruit” (supply-chain providers) to quickly publicize hacks[33]. The timing of attacks (coinciding with airstrikes, political events) indicates they serve Iran’s interests of retaliation and propaganda. We assess the group’s primary objectives as: disrupting adversary infrastructure, undermining public confidence, and signaling Iran’s ability to strike back (with some share of overstatement).

Attribution and Links to Other Actors

There is strong consensus that Handala is linked to the Iranian state, specifically MOIS. Sources agree it is not an independent hacktivist collective but “one of several personas used by Iranian government cyberintelligence units”[3]. Wired and security firms explicitly call Handala a front for MOIS[1][14]. Palo Alto’s Unit42 echoes this, noting Handala is assessed as state-directed[2]. Even Handala’s own communications after the domain seizures acknowledged the need for new infrastructure, implying continuity of operations beyond a single “team”[37].

Handala/Void Manticore has technical and operational overlaps with other Iranian APTs. Check Point traces it to a MOIS-linked cluster active since 2022 (Void Manticore alias)[15]. Microsoft’s 2023 report on the Albanian hack attributes the parent group (Homeland Justice) to MOIS[15]. The SOCRadar profile notes industry tracking names it “Storm-0842”, “BANISHED KITTEN”, and links it with “Dune” (another Iranian hacktivist alias)[16]. While some Iranian hackers answer to the IRGC, analysts specifically attribute Handala to MOIS (in contrast to IRGC-affiliated groups like CyberAv3ngers)[38]. This distinction is important given MOIS’s focus on intelligence and destabilization.

Notably, Unit42 and Palo Alto both mention recent law-enforcement attributions: the FBI and other agencies officially link Handala to MOIS cyber units[4][18]. The FBI’s March 2026 alert confirms that MOIS actors (including those behind Handala) use Telegram bot C2s for multi-stage malware[39][40]. No direct Iran government admission exists; Iran typically portrays such groups as grassroots patriotic hackers[36]. We rate attribution confidence as high, due to the volume of consistent evidence from multiple intelligence and vendor sources.

Tactics, Techniques, and Procedures (TTPs)

Handala’s known TTPs span phases from Reconnaissance through Impact. We map key behaviors to the MITRE ATT&CK framework (see table below) based on vendor analyses:

  • Reconnaissance: Handala gathers target information (e.g. victim identities, network info) via open-source intelligence and social engineering (T1589/T1590). For example, it phishes individuals to collect credentials (spearphishing)[41].
  • Initial Access: The group frequently uses spearphishing (emails with malicious attachments or links, T1566.001/.002)[41]. It also exploits stolen credentials (valid accounts, T1078) and occasionally public-facing vulnerabilities (T1190). Check Point notes Handala using Starlink/VPN IPs to probe externally-facing applications for weak points[33]. In the Stryker case, analysts believe Handala abused compromised Intune admin credentials to push a wipe command (Initial Access via cloud account, T1078.004).
  • Execution: Execution is often via malicious installers/scripts. The July 2024 attack used a benign NSIS installer (“CrowdStrike.exe”) that unpacked an AutoIT script[42]. AutoIT and PowerShell (T1059.010) are used for launching wipers. Handala also uses fraudulent updates or scripts (e.g. faked security updates).
  • Persistence/Evasion: Tools are sometimes disguised as legitimate apps (FBI alert: “masquerading malware” stage mimicking Pictory, KeePass, Telegram)[43][44]. The AutoIT loader unhooks ntdll in memory (process hollowing, T1055.012)[45]. Batch scripts and renamed executables evade AV checks[46]. We see heavy obfuscation (AutoIT string obfuscation, T1027) and sandbox checks (skipping execution on known security product processes)[47][48].
  • Privilege Escalation/Lateral Movement: Once on a target, Handala has used compromised domain/Global Admin accounts (Stryker: new Global Admin via AD) to escalate privilege. It also uses tunneling tools (NetBird) and possibly RDP (T1021.001). MITRE mappings indicate use of webshells (T1505.003) and credential theft tools like Mimikatz historically (as with other Iranian APTs).
  • Command & Control (C2): Strikingly, Handala’s implants call home via Telegram bots (HTTP to api.telegram.org) for C2[49][44]. The wiper exfiltration in July 2024 used Telegram API to post system info[50]. Network indicators include connections to *.telegram.org and usage of anonymizing infrastructure (Starlink, VPN ranges[8]).
  • Impact: The hallmark of Handala is data destruction. It deploys custom wiper malware to erase files/entire drives (T1485 “Data Destruction”)[5][51]. Examples include Coolwipe, Chillwipe, Hamsa, HandalaWiper, and BibiWiper (named after PM Netanyahu)[5][9]. Some publicly masquerade as ransomware (Disk structure wipes, T1561.002). In the Stryker attack, even legitimate device management (Intune wipe command) was abused to destroy 80K endpoints[52].

MITRE Technique Mappings: Based on SOCRadar and other analyses[53][54], relevant MITRE IDs include:

| Tactic | Technique (ID) | Description (Handala usage) |
|---|---|---|
| Reconnaissance | T1589, T1590 | Open-source OSINT and victim profiling (gathering network info) |
| Initial Access | T1566.001/.002, T1566.003, T1190 | Spearphishing attachments/links/SMS; web exploits |
| Initial Access | T1078.004 | Valid cloud accounts (Intune admin breach) |
| Execution | T1059.005 (NSIS), T1059.010 (AutoIT) | NSIS installer unpacking AutoIT script for wiper execution |
| Persistence/Evasion | T1027, T1497.003, T1055.012, T1218 | Obfuscation, time-based evasion, process hollowing, LOLBins |
| Privilege Escalation | T1068 (known exploits) | Exploiting vulnerabilities for admin rights (AD/Intune) |
| Defense Evasion | T1090, T1090.011 (Proxy/Starlink) | Use of Starlink satellites and VPNs (T1090) to mask origin |
| Lateral Movement | T1021.001 (RDP), T1505.003 (webshell) | Using tunneling and possibly RDP; webshell on servers |
| C2 | T1071.004 (Web service – Telegram) | Command/control via Telegram API bots |
| Data Exfiltration | T1020 (Automated Exfiltration) | Exfil via encrypted channels (Telegram, cloud storage) |
| Impact (Wipe) | T1485 (Data Destruction), T1561.002 | Custom wiper malware overwriting/deleting files and drives[50] |

These mappings summarize Handala’s modus operandi across the kill chain (detailed technique references are provided by SOCRadar[53][54] and vendor blogs[5][49]).

Malware and Tools

Handala leverages custom and repurposed malware. From technical reports:

  • Wipers: Coolwipe, Chillwipe, BibiWiper, Hamsa, HandalaWiper – these are custom disk-wiping payloads. Trellix’s analysis of the July 2024 attack revealed one such wiper (written in C/C++) that overwrote files with random data and used Telegram API for exfil[50][55]. SOCRadar lists hashes for a “Handala wiper used to erase files” (e.g. SHA256 5986ab04…) and “final destructive wiper payload” (2a5dd680…)[56]. The FBI and Palo Alto note similarly destructive tools, and Trellix reports the wiper asked victims’ consent (spoofing a CrowdStrike “update”) before executing[42][50].
  • Infostealers/Loaders: Handala has used a modified VeraCrypt installer (hash 3236facc…) during attacks[57], presumably to deliver payloads without detection. It also uses benign tunneling tools (e.g. NetBird) for persistence—SOCRadar notes NetBird installer and components in its campaigns[58]. In the CrowdStrike attack, the initial payload was an NSIS installer (CrowdStrike.exe) unpacking an AutoIT wiper payload[42].
  • Credential Harvesters: Past Handala (and related Void Manticore) operations have used malware like Rhadamanthys (a commodity infostealer) to pilfer credentials for initial access[5]. Mimikatz and other known tools (JuicyPotato, etc.) are common in Iranian APT toolkits (see Trellix Iran blog), but specific usage by Handala is not well-documented.
  • Infrastructure Tools: The attackers use Telegram bots as C2. In analysis of the Stryker incident, FBI found Handala’s implants communicating with api.telegram.org (stage 2 C2)[49]. Researchers have also seen Handala using Starlink satellite IP ranges and commercial VPN networks to conduct scans[33][8]. Web-based file-hosting (Storjshare) was used to store malicious payloads (e.g. hxxps://link.storjshare.io/…/update.zip)[59].
  • Other Tools: As part of multifaceted campaigns, Handala-linked attacks may deploy public malware or ransomware to mask wipers. For example, some analyses report “ransomware-style extortion” posts and reuse of criminal malware for cover[5]. Tools for lateral movement (RDP, remote execution) and post-exploitation (e.g. PsExec, WMI) are likely, though specifics on Handala itself are sparse.

Technical Note: The July 2024 Trellix case study (see the case study section below) provides an in-depth look: Handala’s payload chain started with an NSIS installer launching an AutoIT script, which performed process hollowing (injecting into RegAsm.exe)[45], and finally ran a custom wiper. The AutoIT script included various anti-analysis checks and compared the computer name against a hard-coded value to avoid execution on the operators’ own systems[60].

Infrastructure and IOCs

Handala’s supporting infrastructure (domains, IPs, hosting) has been tracked by analysts and disrupted by law enforcement. Key artifacts include:

  • Domains: Handala operated public-facing leak sites (e.g. handala-redwanted[.]to, handala-hack[.]to) which the FBI seized on Mar 19, 2026[29]. These domains bore seizure banners noting foreign-state support. The group’s posts also point to file-hosting links (Storjshare URLs as above[59]). Handala’s content has been mirrored on Telegram channels and defacement pages.
  • Hosting/IPs: SOCRadar lists several IP addresses linked to Handala: e.g. 82.25.35.25 (VPS for attacks), 31.57.35.223 (C2), 107.189.19.52 (staging)[8]. It also notes network ranges used in campaigns: Starlink IPs (e.g. 188.92.255.0/24, 209.198.131.0/24) and VPN providers (149.88.26.0/24, 169.150.227.0/24)[61]. These reflect Handala’s use of satellite and VPN traffic to obfuscate origin. (Check Point observed Handala activity from Starlink as well[33].)
  • Email Addresses: Public sources include few concrete addresses; the only one cited is the sender name “Hussain Ali” (likely fictitious) on a purported death-threat email[62]. No verified operational email addresses are known; Handala primarily communicates via Telegram and defacement posts.
  • Other Forensic Indicators: The FBI’s flash highlights recurring use of Telegram C2 (hosted at api.telegram.org) and typical paths (bots). The CrowdStrike wiper case provides IoCs: SOCRadar documents multiple file hashes for payloads used by Handala[63]. We compile an IOC Table below with key indicators (IPs, domains, hashes) and descriptions. (Enterprises should monitor for these IOCs and similar patterns.)

| Type | Indicator | Description (use/campaign) | Source |
|---|---|---|---|
| Domain | handala-hack.to, handala-redwanted.to | Handala hacktivist sites (FBI seized Mar 2026) | [29] |
| URL | link.storjshare.io/…/crowdstrikesupport/update.zip | Payload for CrowdStrike-themed phishing | [59] |
| URL | link.storjshare.io/…/crowdstrikeisrael/update.zip | Alternate payload URL used by Handala | [59] |
| IP | 82.25.35.25 | VPS used to stage attacks | [8] |
| IP | 31.57.35.223 | C&C server IP | [8] |
| IP | 107.189.19.52 | Staging infrastructure | [8] |
| IP Range | 188.92.255.0/24 | Starlink IP range (reconnaissance) | [64] |
| IP Range | 209.198.131.0/24 | Starlink infrastructure (operations) | [64] |
| Hash (SHA256) | 2a5dd680c05b43d72365e8beb7e40088 | Final destructive wiper binary | [58] |
| Hash (SHA256) | 5986ab04dd6b3d259935249741d3eff2 | “Handala wiper” erasing files | [65] |
| Hash (SHA256) | 755c0350038daefb29b888b6f8739e81 | CrowdStrike.exe NSIS loader (phishing payload) | [66] |
| Hash (SHA256) | 9fab9f640db1f75fb8c18bfb50976abd | Carroll.cmd batch script (execution wrapper) | [66] |
| Hash (SHA256) | fca0910949d92dc3dd3dfcf0fb3d0408 | AutoIT script loader (decodes & injects wiper) | [66] |
| C2 | api.telegram.org | Telegram bot C2 endpoint (stage-2 implant) | [49][44] |
| Misc | Hussain Ali <…> (threat email) | Sender name on Handala threat emails to activists | [62] |

Table: Selected Indicators of Compromise (IoCs) linked to Handala campaigns[29][8]. Hashes and IPs are samples from published research and should be treated as signature matches in defense systems. Note that the hash values as printed are 32 hexadecimal characters, shorter than a full 64-character SHA-256 digest, so cross-check them against the cited sources[8][66] before loading them into detection tooling.

(For brevity, not all IOC entries from [43] are listed; see source[8][66] for full details, and FBI FLASH[67] for campaign context.)

Case Study: CrowdStrike-Themed Wiper Attack

A representative Handala attack chain is the July 26, 2024 “CrowdStrike outage fix” phishing campaign analyzed by Trellix[22]. In this incident (targeting Israeli victims), Handala used a highly believable social engineering lure and staged a multi-step infection:

```mermaid
flowchart TD
    Email["Phishing email (CrowdStrike theme)"] --> PDF["Embedded PDF (“CrowdStrike outage”)"]
    PDF --> Link["Click link, download “update.zip”"]
    Link --> NSIS["Run NSIS installer “CrowdStrike.exe”"]
    NSIS --> Batch["Extracts batch script “Carroll.cmd” and files"]
    Batch --> AVCheck["Antivirus checks / sleep delays"]
    AVCheck --> AutoIT["Creates and executes obfuscated AutoIT script"]
    AutoIT --> Hollowing["Unhooks ntdll, process hollowing"]
    Hollowing --> Wiper["Execute wiper payload"]
    Wiper --> Exfil["Collects machine info and sends to Telegram"]
```

  1. Initial Lure: Victims received an email about a (fake) CrowdStrike outage with an attached PDF. The PDF contained a link to download an “update”[68].
  2. Installer: The downloaded ZIP (update.zip) contained an NSIS installer (CrowdStrike.exe). This benign-looking installer unpacked files silently to a temp folder[42].
  3. Antivirus Avoidance: A batch script (“Carroll.cmd”) was executed to detect running AV processes (Webroot, Avast, Sophos, etc.); if found, it inserted delays to stall execution[69]. It also dynamically assembled the next-stage binary (AutoIT) from pieces, renaming them if AV was present[70].
  4. Loader (AutoIT): The final AutoIT script (derived from files “Champion.pif” and “Ukraine” pieces) was launched[70]. This script performed environment checks (skipping execution in known sandboxes or if a special file C:\aaa_TouchMeNot_.txt was present)[48]. It then unhooked ntdll.dll in memory to evade user-mode hooks[71], and injected itself into a suspended RegAsm.exe process (process hollowing)[45].
  5. Wiper Payload: The payload (dropped from script resources) is a custom wiper. It first decompresses itself in memory, then, upon user confirmation, iterates all drives and folders matching wipe criteria, overwriting files with random 4KB blocks[50][72]. Before wiping, the wiper gathers system info (IP via icanhazip.com, user/machine/domain names, free disk space) and sends updates to a Telegram channel controlled by the attackers[50]. Notably, the wiper code checks if the machine name equals “Gaza hackers Team Handala Machine” – likely to avoid killing the operators’ own system[73]. Once wiping completes, empty directories are removed[50].

Attack Flow: The above sequence illustrates Handala’s method of infiltrating a target and inflicting damage (wiping files). Key techniques include spearphishing (T1566), use of legitimate installers (T1059.005), script obfuscation (T1027), process injection (T1055.012), and coordinated exfiltration via Telegram (T1071.004).

The CrowdStrike case exemplifies Handala’s modus operandi: malicious bait → loader → evasive script → destructive payload. After that intrusion, local authorities (Israeli NCD) warned of Iranian wiper attacks in early 2026[74], underscoring that Handala (and similar actors) have wipers as their primary weapons.

Mitigations and Detection

To counter Handala’s tactics, multiple sources recommend robust identity and endpoint defenses. Palo Alto’s Unit42 and Check Point advise:

  • Harden Identity and Access: Eliminate standing administrative privileges (use JIT access) and enforce MFA for all admin roles[75]. Specifically, lock down Microsoft Intune: use dedicated cloud-only break-glass admin accounts, require hardware MFA (FIDO2) for critical roles, and enable multi-admin approval for wipe/delete operations[76][77]. Restrict Global/Admin roles (limit to necessary personnel) and audit service principals used by Intune[77].
  • Email and Phishing Defenses: Train users to recognize suspicious attachments. Deploy phishing-resistant MFA (token-based) on email and VPN login[78][79]. Treat unexpected “CrowdStrike” or vendor update emails with skepticism; verify them out-of-band. Apply email security scanning (content filter for NSIS, AutoIT payloads).
  • Network Monitoring: Block outbound Telegram API calls on enterprise networks unless explicitly needed[49]. Monitor for anomalous HTTPS traffic to unusual domains (like storjshare.io, Telegram, CDN phish-links[59]). Watch for logins from known commercial VPN/Starlink IP ranges[64] and logon attempts using stale credentials. Apply geoblock or alerting on access from unexpected regions.
  • Endpoint Protection: Keep all systems patched (especially Windows/Intune agents). Employ EDR to detect unusual process injections or the use of legitimate binaries (RegAsm.exe, Rundll32) for execution. Monitor for the specific wiper IOCs (hashes above) in file-scanning. Use EDR to detect scripts launching NSIS/AutoIT payloads[69][45]. Enable behavior-based detection: mass file overwrites or deletion (Impact T1561/T1486) should trigger alerts.
  • Backup and Recovery: Ensure offline backups exist for critical data; Handala’s modus is destruction, so rapid restore is vital. Verify integrity of backups regularly.
  • Public Guidance: Follow Microsoft and CISA’s Intune hardening advisories released after Stryker[80]. Israel’s NCD and U.S. agencies have also issued alerts on Iranian tactics (e.g. use of Telegram C2)[74][49]. Stay updated on threat intel.
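One way to operationalize the network, identity and endpoint monitoring items above, and the indicators from the case study chain, is shown here as an added example (not code from the brief or from any vendor it cites). It runs four checks over constructed sample telemetry: connections to api.telegram.org, sign-ins from the listed Starlink/VPN ranges and staging IPs, RegAsm.exe launched by a script/loader parent, and the burst of file overwrites a wiper produces. The event schema (plain dicts) and the parent process names AutoIt3.exe and cmd.exe are assumptions.

```python
"""Detection checks for Handala-style activity over constructed sample telemetry.

Added example; not code from the brief or from any vendor it cites. The event
schema (plain dicts) is an assumption; real EDR/SIEM fields will differ.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the brief's infrastructure section (a sample, not a full list).
SUSPECT_RANGES = [ipaddress.ip_network(c) for c in (
    "188.92.255.0/24", "209.198.131.0/24",   # Starlink ranges
    "149.88.26.0/24", "169.150.227.0/24",    # commercial VPN ranges
)]
SUSPECT_IPS = {"82.25.35.25", "31.57.35.223", "107.189.19.52"}
C2_HOSTS = {"api.telegram.org"}              # Telegram bot C2 endpoint
# Hollowing target from the case study; the parent names are assumed, since the
# brief names the stages (NSIS installer, batch script, AutoIT script) not the images.
INJECTION_TARGET = "regasm.exe"
SUSPECT_PARENTS = {"autoit3.exe", "cmd.exe", "crowdstrike.exe"}


def check_network(events):
    """Flag connections to a Telegram bot endpoint unless the source is allow-listed."""
    return [(e["host"], e["process"], e["dst_host"]) for e in events
            if e["dst_host"].lower() in C2_HOSTS and not e.get("allowlisted", False)]


def check_signins(events):
    """Flag sign-ins from the listed staging/C2 IPs or the Starlink/VPN ranges."""
    hits = []
    for e in events:
        ip = ipaddress.ip_address(e["src_ip"])
        if e["src_ip"] in SUSPECT_IPS or any(ip in net for net in SUSPECT_RANGES):
            hits.append((e["user"], e["src_ip"], e["result"]))
    return hits


def check_process(events):
    """Flag RegAsm.exe started by a script/loader parent (process-hollowing indicator)."""
    return [(e["host"], e["parent"], e["image"]) for e in events
            if e["image"].lower().endswith(INJECTION_TARGET)
            and e["parent"].lower() in SUSPECT_PARENTS]


def check_file_burst(events, threshold=50, window_s=10):
    """Flag a process that overwrites at least `threshold` files within `window_s` seconds.

    A wiper overwriting files with random blocks produces this burst; normal
    applications rarely do. Sliding window over each process's sorted timestamps.
    """
    by_proc = defaultdict(list)
    for e in events:
        if e["action"] == "overwrite":
            by_proc[(e["host"], e["process"])].append(datetime.fromisoformat(e["ts"]))
    window = timedelta(seconds=window_s)
    hits = []
    for key, times in by_proc.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(key)
                break
    return hits


def sample_telemetry():
    """Constructed events (not real logs): one malicious and one benign record of each kind."""
    t0 = datetime(2026, 3, 11, 9, 0, 0)
    net = [{"host": "WS01", "process": "RegAsm.exe", "dst_host": "api.telegram.org"},
           {"host": "WS02", "process": "outlook.exe", "dst_host": "outlook.office365.com"}]
    signins = [{"user": "intune-admin", "src_ip": "188.92.255.17", "result": "success"},
               {"user": "jdoe", "src_ip": "10.20.30.40", "result": "success"}]
    regasm = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    procs = [{"host": "WS01", "parent": "AutoIt3.exe", "image": regasm},
             {"host": "WS03", "parent": "devenv.exe", "image": regasm}]
    # 60 overwrites in six seconds by the hollowed RegAsm.exe vs. five slow saves by Word.
    files = [{"host": "WS01", "process": "RegAsm.exe", "action": "overwrite",
              "ts": (t0 + timedelta(milliseconds=100 * i)).isoformat()} for i in range(60)]
    files += [{"host": "WS02", "process": "winword.exe", "action": "overwrite",
               "ts": (t0 + timedelta(minutes=i)).isoformat()} for i in range(5)]
    return net, signins, procs, files


def run_all():
    """Run every check over the sample telemetry and return the hits by check name."""
    net, signins, procs, files = sample_telemetry()
    return {"telegram_c2": check_network(net),
            "suspect_signins": check_signins(signins),
            "hollowing": check_process(procs),
            "wiper_burst": check_file_burst(files)}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

Tune `threshold` and `window_s` to the baseline of the fleet being monitored; backup agents and package installers can also overwrite many files quickly and belong on an allow list.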

In summary, defenses should assume Handala-type intrusions: phishing-first, credential abuse, and wiper activation. The consensus is that strict identity hygiene (zero standing privileges) and vigilant email filtering are top priorities[10][24].

Confidence and Conclusion

Our report synthesizes multiple open sources to characterize Handala. Attribution to Iran’s MOIS is made with high confidence, as it is consistently asserted by diverse vendors and U.S. agencies[1][2]. Victim attributions range from high to moderate confidence: some (FBI Patel, Stryker) have official corroboration[4][29]; others rely solely on Handala’s claims (flagged by analysts as potentially exaggerated)[11]. TTP and malware findings are well-substantiated by technical blogs and research (Trellix, SOCRadar, FBI)[50][63]. Key IOCs (hashes, IPs) come from reputable analyses, but these may evolve.

Where data is lacking (e.g. identities of operators, full victim impact), we note it as unspecified. Overall, the consensus narrative is: Handala is a cyber avatar for Iran to conduct loud, destructive cyberattacks under a hacktivist guise. The sources unanimously emphasize its hack-and-wipe playbook. This report compiles that information systematically: aliases, timeline, tactics, tools, infrastructure, IOCs, and mitigations, with inline citations to support each claim.


[1] [5] [15] [23] [30] [31] [34] [35] [36] How ‘Handala’ Became the Face of Iran’s Hacker Counterattacks | WIRED

https://www.wired.com/story/handala-hacker-group-iran-us-israel-war

[2] [10] [74] [75] [76] [77] [79] Insights: Increased Risk of Wiper Attacks

https://unit42.paloaltonetworks.com/handala-hack-wiper-attacks

[3] [27] Iran-linked hackers breach FBI director’s personal email, publish excerpts online | Reuters

https://www.reuters.com/world/us/iran-linked-hackers-claim-breach-of-fbi-directors-personal-email-doj-official-2026-03-27

[4] [6] [43] [49] Stryker Says Malicious File Found During Probe Into Iran-Linked Attack – SecurityWeek

https://www.securityweek.com/stryker-says-malicious-file-found-during-probe-into-iran-linked-attack

[7] [13] [29] [37] [52] [80] FBI seizes Handala data leak site after Stryker cyberattack

https://www.bleepingcomputer.com/news/security/fbi-seizes-handala-data-leak-site-after-stryker-cyberattack

[8] [14] [16] [21] [38] [41] [51] [53] [54] [56] [57] [58] [59] [61] [63] [64] [65] [66] Dark Web Profile: Handala Hack

https://socradar.io/blog/dark-web-profile-handala-hack

[9] The Iranian Cyber Capability

https://www.trellix.com/blogs/research/the-iranian-cyber-capability

[11] [12] [28] Iran-linked group claims hack of FBI Director Kash Patel

https://www.axios.com/2026/03/27/fbi-kash-patel-iran-cyberattack

[17] [33] [78] What Defenders Need to Know about Iran’s Cyber Capabilities – Check Point Blog

https://blog.checkpoint.com/research/what-defenders-need-to-know-about-irans-cyber-capabilities

[18] [25] [39] [40] [44] [67] Government of Iran Cyber Actors Deploy Telegram C2 to Push Malware to Identified Targets

[19] [24] [32] [62] Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran (Updated March 26)

https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026

[20] [22] [42] [45] [46] [47] [48] [50] [55] [60] [68] [69] [70] [71] [72] [73] Handala’s Wiper Targets Israel

https://www.trellix.com/blogs/research/handalas-wiper-targets-israel

[26] Update: Stryker hackers claim to have wiped 12PB of company data – Cyber Daily

https://www.cyberdaily.au/security/13337-update-stryker-hackers-claim-to-have-wiped-12-petabytes-of-company-data

Discover more from gettingphished.sucks