“Handala Hack” – Unveiling Group’s Modus Operandi

Handala Hack is an online persona operated by Void Manticore, an Iranian MOIS‑affiliated actor responsible for multiple destructive wiping and hack‑and‑leak operations against targets in Israel, Albania, and the United States. The group conducts hands‑on intrusions using compromised VPN credentials, RDP and NetBird for lateral movement, and deploys several destructive techniques in parallel: a custom Handala wiper, an AI‑assisted PowerShell wiper, MBR corruption, and VeraCrypt disk encryption.

Keypoints

  • Handala Hack is a persona of Void Manticore (aka Red Sandstorm, Banished Kitten), an actor affiliated with Iran’s MOIS, operating alongside other personas such as Karma and Homeland Justice.
  • The group favors rapid, manual “hands‑on” intrusions that rely on compromised credentials (often VPN accounts) and straightforward offensive tools rather than complex long‑term toolchains.
  • Initial access commonly stems from compromised VPN accounts and targeting of IT/service providers, with brute‑force attempts and default Windows hostnames observed during logon activity.
  • Lateral movement is performed primarily via RDP and the manual deployment of NetBird to create internal tunnels and a zero‑trust mesh for attacker connectivity.
  • Destructive activity used four parallel wiping methods distributed via Group Policy, including a custom Handala executable wiper, an AI‑assisted PowerShell wiper, MBR corruption, and VeraCrypt disk encryption, plus manual deletion of VMs and files.
  • Indicators are short‑lived and include commercial VPNs, Starlink IP ranges, specific VPS IPs, installer and wiper hashes, and many default Windows hostnames; defenders are advised to enforce MFA, restrict RDP, and monitor suspicious logins and tunneling tools.

MITRE Techniques

  • [T1133] External Remote Services – Use of compromised VPN access for entry into victim environments. (‘Use of compromised VPN access for entry into victim environments.’)
  • [T1078.002] Valid Accounts: Domain Accounts – Use of stolen or supplied credentials, including Domain Admin credentials, to operate within victim networks. (‘Use of stolen/supplied credentials, including Domain Admin credentials.’)
  • [T1199] Trusted Relationship – Targeting of IT and service providers to obtain credentials and persistent access to their customers. (‘Targeting of IT and service providers.’)
  • [T1110] Brute Force – Repeated logon and brute‑force attempts against organizational VPN infrastructure. (‘Repeated logon and brute-force attempts against VPN infrastructure.’)
  • [T1003.001] OS Credential Dumping: LSASS Memory – LSASS process memory dumped via rundll32 calling the MiniDump export of comsvcs.dll, then parsed offline for credentials. (‘LSASS dumping via rundll32 and comsvcs.dll.’)
  • [T1003.002] OS Credential Dumping: Security Account Manager – Export of sensitive registry hives under HKLM (e.g., SAM and SYSTEM) for offline credential extraction. (‘Export of sensitive registry hives for credential extraction.’)
  • [T1087.002] Account Discovery: Domain Account – Use of ADRecon (run as dra.ps1) to enumerate Active Directory accounts and the domain environment. (‘ADRecon used to enumerate the Active Directory environment.’)
  • [T1021.001] Remote Services: Remote Desktop Protocol – Extensive hands‑on lateral movement performed over RDP between compromised hosts. (‘Extensive hands-on lateral movement over RDP.’)
  • [T1572] Protocol Tunneling – Deployment of NetBird to tunnel traffic and reach internal hosts for lateral operations. (‘NetBird used to tunnel traffic and reach internal hosts.’)
  • [T1105] Ingress Tool Transfer – Downloading NetBird and VeraCrypt directly onto victim systems via browsers/RDP sessions. (‘NetBird and VeraCrypt downloaded directly onto victim systems.’)
  • [T1047] Windows Management Instrumentation – Use of WMIC to run remote commands during the intrusion. (‘WMIC was used to run commands.’)
  • [T1484.001] Group Policy Modification – Distribution of multiple wipers across the network using Group Policy. (‘Wipers distributed via GPO.’)
  • [T1037.003] Network Logon Script – Use of logon scripts to trigger destructive components and propagate wipers. (‘Logon scripts used to trigger destructive components.’)
  • [T1053.005] Scheduled Task – Launching the Handala wiper as a scheduled task for execution. (‘Handala wiper launched as a scheduled task.’)
  • [T1059.001] PowerShell – Deployment of an AI‑assisted PowerShell wiper to enumerate and delete user files. (‘AI-assisted PowerShell wiper used for destructive activity.’)
  • [T1561.002] Disk Structure Wipe – MBR‑based wiping techniques used by the custom Handala wiper to corrupt disk structures and prevent boot. (‘MBR-based wiping by the custom Handala wiper.’)
  • [T1485] Data Destruction – File deletion and manual removal of virtual machines/files observed as part of destructive cleanup. (‘File deletion, manual deletion, and destructive cleanup.’)
  • [T1486] Data Encrypted for Impact – Use of VeraCrypt to encrypt disk drives to impair recovery and increase operational impact. (‘VeraCrypt used to encrypt disks as part of the attack.’)

Indicators of Compromise

  • [File Hashes] Wipers and installers observed in incidents (MD5) – 5986ab04dd6b3d259935249741d3eff2 (Handala wiper), 3cb9dea916432ffb8784ac36d1f2d3cd (Handala PowerShell wiper), and 3 more hashes.
  • [Installer Hashes] Legitimate tools abused/downloaded (MD5) – 3236facc7a30df4ba4e57fddfba41ec5 (VeraCrypt installer), 3dfb151d082df7937b01e2bb6030fe4a (NetBird installer).
  • [IP Addresses] C2, VPS and attacker hosts – 107.189.19[.]52 (additional payload/C2), 146.185.219[.]235 (VPN exit node observed), and other attacker VPS IPs (e.g., 82.25.35[.]25, 31.57.35[.]223).
  • [IP Ranges] Egress and tunneling infrastructure – Starlink ranges 188.92.255.X and 209.198.131.X used for connectivity, and commercial VPN ranges 149.88.26.X and 169.150.227.X associated with actor activity. Because these are shared consumer/VPN ranges, treat hits as a prompt for review rather than proof of compromise.
  • [File Names] Deployment and markers used by attackers – handala.exe (custom wiper), handala.bat (GPO logon script), handala.gif (propaganda image left on drives), and handala.rar (deployed payload archive).
  • [Hostnames] Default Windows machine names used during brute‑force and access – examples include DESKTOP-FK1NPHFD and WIN-DS6S0HEU0CA, plus many other DESKTOP-*/WIN-* names, i.e. auto‑generated names that no managed corporate host should present on a VPN or RDP logon.
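The technique list and the indicators above translate directly into hunting logic. The script below is an added example (not Check Point's code and not anything the actor used) that runs the page's behaviours over constructed Windows event records: logons from listed actor IPs or ranges, logons presenting auto‑generated DESKTOP-/WIN- hostnames, the rundll32/comsvcs.dll MiniDump, hive export, ADRecon, NetBird, VeraCrypt and handala.* artefacts in process command lines, a scheduled task pointing at the wiper, and repeated failed logons from one source. The event field names, the reading of `a.b.c.X` as a /24, the `reg save` form of the hive export, and the hostname length bounds are assumptions, and every event is constructed for the example.

```python
"""Hunting helper for the Handala Hack behaviours summarised above.

Added example, not Check Point's or the actor's code. Event field names are
assumptions modelled on Security 4624/4625/4688/4698 and Sysmon event 1.
"""
import ipaddress
import re
from collections import Counter

# Indicators as listed above (defanged as written there).
IOC_IPS = ["107.189.19[.]52", "146.185.219[.]235", "82.25.35[.]25", "31.57.35[.]223"]
IOC_RANGES = ["188.92.255.X", "209.198.131.X", "149.88.26.X", "169.150.227.X"]


def refang(ioc: str) -> str:
    """Undo the '[.]' defanging so the address can be parsed."""
    return ioc.replace("[.]", ".")


def ioc_networks():
    """Single IPs become /32s; 'a.b.c.X' is treated as a.b.c.0/24 (assumption)."""
    nets = [ipaddress.ip_network(refang(ip) + "/32") for ip in IOC_IPS]
    nets += [ipaddress.ip_network(r.replace("X", "0") + "/24") for r in IOC_RANGES]
    return nets


IOC_NETS = ioc_networks()


def ip_matches_ioc(ip: str) -> bool:
    """True when ip falls inside any listed actor address or range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETS)


# Auto-generated Windows names: DESKTOP- plus 7 characters, WIN- plus 11.
# Length bounds are kept loose (assumption) so both hostnames quoted above match.
DEFAULT_HOSTNAME_RE = re.compile(r"^(DESKTOP|WIN)-[A-Z0-9]{7,11}$", re.I)

# Command-line patterns for the tooling named in the technique list.
PROCESS_RULES = [
    ("T1003.001 LSASS dump via comsvcs.dll", re.compile(r"rundll32.*comsvcs\.dll.*minidump", re.I)),
    # 'reg save' is an assumption about how the hives were exported.
    ("T1003.002 registry hive export", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("T1087.002 ADRecon (dra.ps1)", re.compile(r"\bdra\.ps1\b|adrecon", re.I)),
    ("T1572 NetBird tunnel", re.compile(r"netbird", re.I)),
    ("T1486 VeraCrypt encryption", re.compile(r"veracrypt", re.I)),
    ("T1485/T1037.003 handala.* artefact", re.compile(r"handala\.(exe|bat|rar|gif)", re.I)),
]

BRUTE_FORCE_THRESHOLD = 5  # failed logons from one source before it is reported


def hunt(events, threshold=BRUTE_FORCE_THRESHOLD):
    """Return (event_index, label, detail) triples; index -1 marks aggregate findings."""
    findings = []
    failed_by_src = Counter()
    for i, ev in enumerate(events):
        eid = ev.get("event_id")
        if eid == 4624:  # successful logon
            ws = ev.get("workstation", "")
            if DEFAULT_HOSTNAME_RE.match(ws):
                findings.append((i, "T1078 logon from default Windows hostname", ws))
            if ip_matches_ioc(ev.get("src_ip", "")):
                findings.append((i, "logon from listed actor infrastructure", ev["src_ip"]))
        elif eid == 4625:  # failed logon
            failed_by_src[ev.get("src_ip", "")] += 1
        elif eid in (4688, 1):  # process creation (Security 4688 or Sysmon 1)
            cmd = ev.get("command_line", "")
            for label, rx in PROCESS_RULES:
                if rx.search(cmd):
                    findings.append((i, label, cmd))
        elif eid == 4698:  # scheduled task created; TaskContent carries the action XML
            if "handala" in ev.get("task_content", "").lower():
                findings.append((i, "T1053.005 Handala wiper scheduled task", ev.get("task_name", "")))
    for src, n in failed_by_src.items():
        if n >= threshold:
            findings.append((-1, "T1110 brute force (repeated failed logons)", f"{src} x{n}"))
    return findings


# Constructed sample events for the example (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 4624, "logon_type": 10, "workstation": "DESKTOP-FK1NPHFD", "src_ip": "146.185.219.235"},
    {"event_id": 4624, "logon_type": 10, "workstation": "FIN-LT-07", "src_ip": "10.20.4.15"},
    {"event_id": 4688, "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full"},
    {"event_id": 4688, "command_line": r"reg.exe save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"event_id": 1, "command_line": r"powershell.exe -ep bypass -File C:\Users\Public\dra.ps1"},
    {"event_id": 4688, "command_line": r"C:\Users\Public\netbird_installer.exe /S"},
    {"event_id": 4688, "command_line": r"C:\Users\Public\VeraCrypt Setup.exe /silent"},
    {"event_id": 4688, "command_line": r"cmd.exe /c \\DC01\SYSVOL\corp.local\scripts\handala.bat"},
    {"event_id": 4698, "task_name": "Updater", "task_content": r"<Command>C:\Windows\Temp\handala.exe</Command>"},
] + [{"event_id": 4625, "src_ip": "82.25.35.25", "workstation": "WIN-DS6S0HEU0CA"} for _ in range(6)]


if __name__ == "__main__":
    for idx, label, detail in hunt(SAMPLE_EVENTS):
        print(f"[{idx:>2}] {label}: {detail}")
```

Against the constructed sample the script reports ten findings: two for the first logon (default hostname plus a listed VPN exit node), one per tooling command line, the scheduled task, and the aggregated brute‑force entry. The hostname and IP‑range rules are deliberately noisy; in production they are review prompts to be joined with logon type, account and time of day, while the comsvcs.dll MiniDump and handala.* rules are high‑fidelity on their own.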


Read more: https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/