Iran’s MOIS has likely expanded the Handala brand to unify cyber, physical, and influence personas, including Handala Hack Team, HPRF, VIPEmployment, MOISIRAN, and Brave Israel. These personas have been used to amplify hack-and-leak, surveillance, recruitment, arson, and sabotage efforts targeting US and Israeli interests, while leveraging the brand’s recognition to recruit proxies and intensify intimidation. #Handala Hack Team #HPRF #VIPEmployment #MOISIRAN #Brave Israel #Void Manticore
Keypoints
- MOIS likely broadened the Handala brand beyond cyber operations to include physical threat and influence personas.
- Handala Hack Team remains the main cyber-facing persona, while HPRF appears to focus on physical attacks and public claims of responsibility.
- Insikt Group assesses VIPEmployment, MOISIRAN, and Brave Israel as likely MOIS-linked personas that recruit proxies and amplify Handala messaging.
- The personas have solicited attacks, espionage, vandalism, arson, and sabotage against US- and Israeli-linked targets in exchange for money or cryptocurrency.
- Cross-posting, reposting, shared bots, and repeated amplification between accounts suggest coordination across the Handala ecosystem.
- Handala Hack Team has claimed hack-and-leak and wiper operations against Israeli and US targets, including government, security, tech, and critical infrastructure entities.
- The report warns that combining cyber, physical, and influence operations under one brand increases the reach, credibility, and impact of MOIS activity.
MITRE Techniques
- [T1586] Compromise Accounts – The actors likely used stolen or controlled accounts and Telegram personas to operate across networks and amplify claims (‘cross-posting of claims and content between Handala Hack Team and these four additional entities’).
- [T1589] Gather Victim Identity Information – The groups collected and shared sensitive details about targets, including officials, personnel, and facilities (‘surveilled Israeli military and intelligence personnel’ and ‘shared traffic patterns and sensitive intelligence’).
- [T1591] Gather Victim Org Information – The personas collected information about organizations and facilities for targeting and intimidation (‘data from Israel’s Soreq and Dimona nuclear facilities’ and ‘internal communications, blueprints’).
- [T1595] Active Scanning – The reporting describes surveillance and reconnaissance of targets before attacks (‘conducted a “surveillance and tail operation”’ and ‘claimed to have surveilled’).
- [T1657] Data Destruction – Handala-linked groups used wipers and destructive actions to damage systems or create chaos (‘deployed ransomware’ and ‘wiper attacks’).
- [T1485] Data Destruction – Destructive malware and data leak operations were used to harm victims and publicize stolen information (‘destructive malware called the “BiBi wiper”’ and ‘publicly leaking information’).
- [T1566] Phishing – The report notes credential abuse and spearphishing-driven access patterns associated with the broader threat activity (‘mitigating credential abuse and spearphishing-driven initial access’).
- [T1090] Proxy – VIPEmployment recruited individuals outside Iran to act as proxies for physical attacks and espionage (‘soliciting proxies outside Iran to conduct attacks’).
- [T1203] Exploitation for Client Execution – The mitigation section references active exploitation of vulnerabilities to gain access (‘counter exploitation of zero-days and supply-chain vulnerabilities’).
- [T1027] Obfuscated Files or Information – The report notes obfuscated binaries as part of defensive detection concerns, reflecting the actors’ use of concealment in tooling (‘obfuscated binaries’).
- [T1041] Exfiltration Over C2 Channel – The report describes encrypted command-and-control and unauthorized transmissions of sensitive information (‘inspect encrypted C2 traffic’ and ‘detect unauthorized transmissions of sensitive information’).
- [T1110] Brute Force – Not explicitly described as an attack method, but the solicitation and bot-based recruitment infrastructure indicate broad attempts to gain access to assets and people; no direct quote in the article supports this as a confirmed technique.
Indicators of Compromise
- [Domains] Handala and related infrastructure – handala-hack[.]ps, handala-hack[.]tw, handala-redwanted[.]ps, and handala[.]red
- [Telegram channels] Handala Hack Team and associated persona channels – t[.]me/CYBER_HANDALA, t[.]me/HANDALA_INTEL, and t[.]me/HANDALA_BREACH
- [Telegram channels] HPRF and Handala-linked persona channels – t[.]me/HANDALA_PARTISAN, t[.]me/justice_homeland, and t[.]me/JusticeHomeland1
- [Telegram bots and accounts] VIPEmployment recruitment infrastructure – t[.]me/VIPEmployment_bot, t[.]me/@VIPEmployment02Bot, and t[.]me/@iranvipemployment_bot
- [Telegram channels] Intel Voice / VIPEmployment amplification channels – t[.]me/Ir_intel_voice, t[.]me/Ir_intel_voice_ar, and t[.]me/ir_intel_voice_ar_dis
- [Telegram channels and accounts] MOISIRAN and Brave Israel infrastructure – t[.]me/moisiran, t[.]me/@vipconnect_iran, t[.]me/brave_il, and t[.]me/@Brave_2025
- [Social media] Additional platform used by VIPEmployment – tiktok[.]com/@vipemployment
- [Websites] Brave Israel and Homeland Justice websites – justicehomeland[.]org, justicehomeland[.]info, and justicehomeland[.]ru
- [Telegram channel] Street Vendor persona – t[.]me/shitesirruges
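The defanged indicators above are only useful once they are refanged and separated by type: the Handala and Homeland Justice domains can be matched at DNS or proxy level, but t.me and tiktok.com are shared platforms, so only the specific channel or handle is an indicator, never the bare host. The following is an added example and is not part of the Recorded Future report: it parses a subset of the page's own IoC lines, normalizes them into domain and handle indicators, and runs them over a few constructed DNS/proxy log lines. The log format, client IPs, and the `SHARED_PLATFORMS` set are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit

# Subset of the IoC list from this page, defanged with "[.]", embedded so the
# example runs offline.
IOC_TEXT = """
- [Domains] Handala and related infrastructure – handala-hack[.]ps, handala-hack[.]tw, handala-redwanted[.]ps, and handala[.]red
- [Telegram channels] Handala Hack Team and associated persona channels – t[.]me/CYBER_HANDALA, t[.]me/HANDALA_INTEL, and t[.]me/HANDALA_BREACH
- [Telegram bots and accounts] VIPEmployment recruitment infrastructure – t[.]me/VIPEmployment_bot, t[.]me/@VIPEmployment02Bot, and t[.]me/@iranvipemployment_bot
- [Social media] Additional platform used by VIPEmployment – tiktok[.]com/@vipemployment
- [Websites] Brave Israel and Homeland Justice websites – justicehomeland[.]org, justicehomeland[.]info, and justicehomeland[.]ru
"""

# Assumption: hosts shared with legitimate users. For these, the indicator is
# "host/handle", never the host alone (blocking t.me outright would be noise).
SHARED_PLATFORMS = {"t.me", "tiktok.com"}

# A defanged token: labels, optional "[.]label" repeats, optional "/@handle".
DEFANGED_RE = re.compile(r"[\w-]+(?:\[\.\][\w-]+)+(?:/@?\w+)?")
URL_RE = re.compile(r"https?://[^\s\"']+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


@dataclass(frozen=True)
class Indicator:
    kind: str   # "domain" or "handle"
    value: str  # lowercase; handles stored as "host/name"


def refang(token: str) -> str:
    """Turn a "[.]"-defanged token back into a live hostname."""
    return token.replace("[.]", ".")


def parse_iocs(text: str) -> list[Indicator]:
    """Extract indicators from report text, keeping order and dropping duplicates."""
    found: list[Indicator] = []
    for tok in DEFANGED_RE.findall(text):
        host, _, path = refang(tok).partition("/")
        host = host.lower()
        if path and host in SHARED_PLATFORMS:
            # Telegram/TikTok usernames are case-insensitive; "@" is cosmetic.
            found.append(Indicator("handle", f"{host}/{path.lstrip('@').lower()}"))
        else:
            found.append(Indicator("domain", host))
    return list(dict.fromkeys(found))


def match_line(line: str, iocs: Iterable[Indicator]) -> list[str]:
    """Return indicator values that appear in one log line."""
    urls = URL_RE.findall(line)
    hosts = {h.lower() for h in HOST_RE.findall(line)}
    handles = set()
    for u in urls:
        parts = urlsplit(u)
        if not parts.hostname:
            continue
        host = parts.hostname.lower().removeprefix("www.")
        hosts.add(host)
        first = parts.path.strip("/").split("/")[0].lstrip("@").lower()
        if first:
            handles.add(f"{host}/{first}")
    hits = []
    for ioc in iocs:
        if ioc.kind == "domain":
            # Exact host or any subdomain of the indicator domain.
            if any(h == ioc.value or h.endswith("." + ioc.value) for h in hosts):
                hits.append(ioc.value)
        elif ioc.kind == "handle" and ioc.value in handles:
            hits.append(ioc.value)
    return hits


def scan_logs(lines: Iterable[str], iocs: Iterable[Indicator]) -> list[tuple[str, list[str]]]:
    iocs = list(iocs)
    return [(line, match_line(line, iocs)) for line in lines]


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-05-01T10:02:11Z dns client=10.0.4.17 query=handala-hack.ps type=A",
    "2025-05-01T10:05:43Z proxy client=10.0.4.22 url=https://t.me/HANDALA_INTEL status=200",
    "2025-05-01T10:06:02Z proxy client=10.0.4.22 url=https://t.me/some_news_channel status=200",
    "2025-05-01T10:09:30Z dns client=10.0.4.31 query=cdn.justicehomeland.org type=A",
    "2025-05-01T10:11:15Z proxy client=10.0.4.40 url=https://www.tiktok.com/@vipemployment/video/1 status=200",
]

if __name__ == "__main__":
    indicators = parse_iocs(IOC_TEXT)
    for line, hits in scan_logs(SAMPLE_LOGS, indicators):
        if hits:
            print(f"HIT {hits} <- {line}")
```

The third sample line (a different t.me channel) deliberately produces no hit: the t.me host is present in the log but is not itself an indicator, which is the distinction a blocklist built naively from the raw domain list would miss.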
Read more: https://www.recordedfuture.com/research/iran-handala-physical-threats