The Iranian state-sponsored threat group known as Handala Hack is intensifying its destructive cyber operations against international organizations.
According to Check Point, the group is affiliated with Iran’s Ministry of Intelligence and Security (MOIS) and relies heavily on manual hacking techniques, compromised credentials, and network tools such as NetBird and Remote Desktop Protocol (RDP) to launch aggressive data-wiping attacks.
Threat Actor Profile and Tactics
Handala Hack, which cybersecurity researchers also track under the name Void Manticore, operates multiple online personas to carry out its campaigns.
These include Homeland Justice, a persona dedicated to targeting government and telecom sectors in Albania, and Karma.
Over time, Handala Hack has become the group’s most prominent public face, claiming responsibility for numerous intrusions in Israel and recently expanding its attacks to major U.S.-based enterprises like Stryker.
Unlike highly sophisticated advanced persistent threats that rely on complex automated malware, Handala Hack prefers hands-on, manual network intrusions. Hackers typically gain an initial foothold by exploiting compromised commercial VPN accounts.
They look for vulnerabilities in IT service providers to steal user credentials. Recently, researchers have observed the group connecting to victim networks using Starlink Internet Protocol (IP) addresses and even directly from Iranian IP addresses, indicating a shift in their operational security practices.
The group also deploys NetBird, a legitimate zero-trust networking platform, which allows the attackers to create a private, encrypted mesh network inside the victim’s infrastructure. By establishing multiple footholds, the group can operate more efficiently and accelerate its destructive activities.
Destructive Wiping and Defenses
The ultimate goal of Handala Hack is to cause maximum operational disruption through data destruction, often combined with hack-and-leak extortion tactics.

During the final destructive phase of an intrusion, the threat actors deploy up to four wiping techniques simultaneously. To ensure widespread damage, they use Windows Group Policy to distribute their malicious tools across the entire network.

The group’s coordinated wiping operations include:
- Custom Handala Wiper: The attackers deploy a custom executable that actively overwrites file contents. It also attacks the master boot record (MBR) of the system, corrupting the disk structure to cause irreversible data loss.
- AI-Assisted PowerShell Wiper: A malicious script, likely developed with the help of artificial intelligence, automatically scans and deletes all files within user directories. It then leaves a propaganda image behind on the wiped drives.

| Type | Indicator (MD5 hash or IP address) |
|---|---|
| Handala Wiper | 5986ab04dd6b3d259935249741d3eff2 |
| Handala PowerShell Wiper | 3cb9dea916432ffb8784ac36d1f2d3cd |
| VeraCrypt Installer | 3236facc7a30df4ba4e57fddfba41ec5 |
| NetBird Installer | 3dfb151d082df7937b01e2bb6030fe4a |
| NetBird | e035c858c1969cffc1a4978b86e90a30 |
| Handala VPS | 82.25.35[.]25 |
Despite the severe impact of these attacks, the group’s reliance on relatively simple techniques provides defenders with clear opportunities to stop them. Organizations can protect themselves by focusing on credential hygiene and network monitoring.
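A detection sketch for the access pattern described in this article (external RDP logons, NetBird execution, Group Policy changes by unexpected accounts), added here as an example that is not from the article or from Check Point; the normalised event layout, the internal address ranges, the GPO admin allow-list and the sample events are all assumptions.

```python
import ipaddress

# Constructed sample events (hypothetical, not from the report). The field names
# assume logs have already been normalised; raw Windows/Sysmon field names differ.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "FS01", "user": "jsmith", "logon_type": 10, "src_ip": "10.0.5.21"},
    {"id": 4624, "host": "FS01", "user": "svc-backup", "logon_type": 10, "src_ip": "198.51.100.7"},
    {"id": 4688, "host": "FS01", "user": "svc-backup", "image": r"C:\Users\svc-backup\AppData\Local\netbird\netbird.exe"},
    {"id": 5136, "host": "DC01", "user": "svc-backup", "object_class": "groupPolicyContainer"},
    {"id": 4688, "host": "WS07", "user": "jdoe", "image": r"C:\Windows\System32\notepad.exe"},
]

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GPO_ADMINS = {"gpo-admin"}  # accounts expected to edit Group Policy (assumed allow-list)

def is_external(ip):
    """True when the address falls outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def detect(events):
    """Return (rule, host, user) findings for the TTPs the article describes."""
    findings = []
    for e in events:
        # RDP (logon type 10) from outside the internal ranges: the compromised
        # VPN/RDP access pattern, including logons from Starlink or foreign IPs.
        if e["id"] == 4624 and e.get("logon_type") == 10 and is_external(e["src_ip"]):
            findings.append(("external_rdp_logon", e["host"], e["user"]))
        # NetBird mesh agent launched where the client is not a sanctioned tool.
        if e["id"] == 4688 and "netbird" in e.get("image", "").lower():
            findings.append(("netbird_execution", e["host"], e["user"]))
        # Group Policy object modified by an account not expected to manage GPOs:
        # the article notes Group Policy is used to push the wipers network-wide.
        if e["id"] == 5136 and e.get("object_class") == "groupPolicyContainer" and e["user"] not in GPO_ADMINS:
            findings.append(("gpo_modified_by_unexpected_user", e["host"], e["user"]))
    return findings

def correlate(findings):
    """Users that trip two or more distinct rules: prioritise these for response."""
    by_user = {}
    for rule, _host, user in findings:
        by_user.setdefault(user, set()).add(rule)
    return {u: sorted(r) for u, r in by_user.items() if len(r) >= 2}

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("escalate:", correlate(hits))
```

Each rule alone is noisy in a real estate; the correlation step is what turns three low-confidence signals on one account into an actionable lead.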