Dark Web Profile: Handala Hack


Handala presents itself as a grassroots pro-Palestinian hacktivist collective but is assessed with high confidence by multiple vendors to be a destructive cyber persona operated by Iran’s Ministry of Intelligence and Security (MOIS). Its campaigns since December 2023 have used custom wipers and multi-stage phishing and loader chains to cause large-scale disruption, most notably the March 2026 wipe at Stryker Corporation. #Handala #Stryker

Key points

  • Handala surfaced in December 2023 as a pro-Palestinian persona but is widely attributed to Iran’s MOIS (tracked by vendors as Void Manticore/Storm-0842/BANISHED KITTEN).
  • The group has claimed dozens of attacks against Israeli, Gulf, and Western targets and is linked to destructive wiper deployments against civilian infrastructure.
  • Operational tradecraft shows separation of roles: initial access by Scarred Manticore/APT34-like actors (e.g., SharePoint exploits) and destructive stages performed by Void Manticore/Handala.
  • Notable operations include a CrowdStrike-themed phishing wiper campaign (July 2024), alleged breaches of Israeli institutions, kindergarten PA system compromises, and the March 2026 Stryker global wipe.
  • Handala uses multi-stage delivery (NSIS installers, obfuscated scripts, AutoIT loaders), living-off-the-land abuse (RegAsm.exe), BYOVD kernel drivers, and Telegram-based C2/telemetry.
  • Mitigations emphasized: phishing-resistant MFA, script and LOLBin monitoring, blocking untrusted drivers, behavioral EDR, and immutable offline backups.

MITRE Techniques

  • [T1589] Gather Victim Identity Information – Used to collect target identities for tailored phishing and profiling (‘Gather Victim Identity Information’).
  • [T1590] Gather Victim Network Information – Reconnaissance of victim networks and exposed services to inform exploitation (‘Gather Victim Network Information’).
  • [T1566.001] Spear Phishing Attachment – Initial access via malicious attachments in targeted phishing lures (‘spear-phishing campaigns… victims were directed to download a malicious archive’).
  • [T1566.002] Spear Phishing Link – Use of phishing links to deliver staged payloads and lure victims (‘spear-phishing emails and links’).
  • [T1566.003] Spear Phishing via SMS – Abuse of SMS-based lures as part of social engineering vectors (‘Spear-Phishing via SMS’ listed among initial access methods).
  • [T1078.004] Valid Accounts: Cloud Accounts – Abuse of valid cloud/MDM accounts for lateral movement or deployment; Microsoft Intune MDM abuse was suspected in the Stryker incident (‘Microsoft Intune MDM abuse was suspected as the delivery mechanism’).
  • [T1190] Exploit Public-Facing Application – Initial foothold via exploits against internet-facing applications such as SharePoint (CVE-2019-0604) (‘frequently establishes the initial foothold… through vulnerabilities such as CVE-2019-0604 in Microsoft SharePoint’).
  • [T1059] Command and Scripting Interpreter – Use of scripting frameworks to reconstruct and execute payloads (‘payload components are reconstructed at runtime and delivered through scripting frameworks’).
  • [T1059.010] Command and Scripting Interpreter: AutoHotKey & AutoIT – AutoIT loaders used as part of multi-stage execution chains (‘AutoIT loaders’ used before triggering the final wiper stage).
  • [T1204] User Execution – Reliance on user interaction to execute disguised installers or archives as part of phishing campaigns (‘victims were directed to download a malicious archive containing a disguised installer’).
  • [T1505.003] Server Software Component: Web Shell – Use of web shells to maintain access and harvest credentials post-exploitation (‘access obtained during this phase, including web shells and Domain Admin credentials’).
  • [T1068] Exploitation for Privilege Escalation – Exploitation techniques used to escalate privileges after initial access (‘privilege escalation’ observed in campaigns to ensure payload execution).
  • [T1027] Obfuscated Files or Information – Payload and script obfuscation to hinder analysis and detection (‘obfuscated batch scripts’ and payload obfuscation noted across campaigns).
  • [T1497.003] Time-Based Evasion – Use of timing or scheduled behaviors to evade detection (‘Time-Based Evasion’ listed among defense-evasion techniques).
  • [T1055.012] Process Hollowing – Process hollowing into legitimate binaries such as RegAsm.exe to execute malicious code stealthily (‘process hollowing into RegAsm.exe’).
  • [T1218] System Binary Proxy Execution – Abuse of signed system binaries (LOLBins) to proxy execution of malicious payloads (‘LOLBin abuse’ including RegAsm.exe identified).
  • [T1090] Proxy – Use of proxying techniques and intermediary channels for C2 and telemetry (‘Proxy’ and lightweight command channels cited; the Telegram Bot API is used as a C2 and telemetry channel).
  • [T1021.001] Remote Desktop Protocol – Use of RDP for lateral movement or remote access in post-compromise activity (‘Remote Desktop Protocol’ listed under lateral movement).
  • [T1020] Automated Exfiltration – Use of automated pipelines to collect and transmit exfiltrated data prior to destructive activity (‘Automated Exfiltration’ listed under exfiltration techniques).
  • [T1561.002] Disk Structure Wipe – Deployment of multiple custom wipers that overwrite disk structures to render systems unusable (‘Disk Structure Wipe’ and custom wipers documented).
  • [T1485] Data Destruction – Destructive routines that overwrite or delete data as impact operations; custom wipers and destructive payloads reported (‘Data Destruction’ observed across campaigns).
  • [T1491] Defacement – Public-facing defacement and propaganda postings, including claim websites and leak pages (‘defaced websites’ and claim-and-propaganda sites on clearnet and Tor).

Indicators of Compromise

  • [File names] Driver and binary names used in attacks – ListOpenedFileDrv_32.sys (BYOVD driver), RegAsm.exe (legitimate binary abused for process hollowing).
  • [Malware names] Documented custom destructive payloads – BiBi Wiper, Hatef, Hamsa, Cl Wiper, CoolWipe, ChillWipe, Handala Wiper.
  • [Platforms / Leak sites] Claim, C2, and disclosure infrastructure – Telegram channels, BreachForums, Tor hidden services (the group’s claim-and-propaganda sites and C2/telemetry channels).
  • [Installers / Loaders] Staged payload components observed in campaigns – NSIS installers, AutoIT loaders (used in multi-stage reconstruction and execution chains).
  • [Services / Management platforms] Suspected delivery or abuse vectors – Microsoft Intune MDM (suspected vector in the Stryker incident), exposed SharePoint instances (CVE-2019-0604 exploited for initial access).
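As an added defender-side example (not code from the SOCRadar post or from any vendor), the rules below score constructed Sysmon-style events against the tradecraft in the key points and the indicators above: RegAsm.exe spawned by a script host or launched without an assembly to register, a load of the ListOpenedFileDrv_32.sys driver or of any unsigned driver, and Telegram Bot API traffic from a process that is not a messaging client or browser. The loader parent names, api.telegram.org as the Bot API endpoint, and every sample path are assumptions.

```python
# Added example, not code from the SOCRadar post: toy detection rules over
# constructed Sysmon-style events for the tradecraft described above.
# Loader parent names and the Bot API hostname are assumptions, not page IoCs.
BYOVD_DRIVERS = {"listopenedfiledrv_32.sys"}                 # driver named on the page
LOLBINS = {"regasm.exe"}                                      # hollowing target on the page
SCRIPT_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe",  # assumed loader parents
                "cmd.exe", "powershell.exe"}
TELEGRAM_API = "api.telegram.org"                             # Telegram Bot API endpoint
TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> list:
    """Return the names of every rule a single event triggers (empty if benign)."""
    hits = []
    if event["type"] == "process_create":
        image, parent = basename(event["image"]), basename(event["parent_image"])
        if image in LOLBINS and parent in SCRIPT_HOSTS:       # T1218 / T1059.010
            hits.append("lolbin_spawned_by_script_host")
        # RegAsm.exe normally receives an assembly to register; a bare launch is
        # what a hollowing loader does before replacing the image (T1055.012).
        if image in LOLBINS and not event.get("cmdline", "").lower().endswith(".dll"):
            hits.append("regasm_without_assembly_argument")
    elif event["type"] == "driver_load":                      # BYOVD
        if basename(event["image"]) in BYOVD_DRIVERS or not event.get("signed", False):
            hits.append("untrusted_or_known_byovd_driver")
    elif event["type"] == "network_connect":                  # T1090 C2 / telemetry
        if event.get("dest_host", "").lower() == TELEGRAM_API \
                and basename(event["image"]) not in TELEGRAM_CLIENTS:
            hits.append("telegram_api_from_non_client")
    return hits

def scan(events: list) -> list:
    """Run every rule over an event stream; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]

# Constructed telemetry: a benign developer registration, then a chain shaped like
# the page's description (AutoIT loader -> RegAsm.exe -> driver load -> Telegram).
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": REGASM, "cmdline": r"RegAsm.exe C:\build\MyComLib.dll",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"type": "process_create", "image": REGASM, "cmdline": REGASM,
     "parent_image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe"},
    {"type": "driver_load", "image": r"C:\Windows\Temp\ListOpenedFileDrv_32.sys", "signed": True},
    {"type": "network_connect", "image": REGASM, "dest_host": "api.telegram.org", "dest_port": 443},
]
```

Running `scan(SAMPLE_EVENTS)` leaves the developer's RegAsm.exe call silent and flags the remaining three events, which is the point of pairing a parent-process check with the bare-launch heuristic rather than alerting on every RegAsm.exe start.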


Read more: https://socradar.io/blog/dark-web-profile-handala-hack/