The report assesses that the Homeland Justice, Karma, and Handala personas are coordinated layers of a single MOIS-aligned cyber influence ecosystem that integrates intrusion, destructive tooling, surveillance, and narrative operations rather than representing independent hacktivist groups. The campaign evolved from 2022 Albania destructive intrusions into a modular hack-and-leak and Telegram-driven surveillance apparatus implicated in events including the Stryker Intune-based mass wipe and multiple targeted leak and doxxing operations. #Handala #MOIS
Key points
- Homeland Justice, Karma (KarmaBelow80), and Handala are assessed as a single, centrally coordinated operational ecosystem aligned with Iran's Ministry of Intelligence and Security (MOIS), sharing infrastructure, tradecraft, and objectives.
- The campaign's lifecycle follows repeatable phases: long-dwell access (exploitation, webshells), credential harvesting and lateral movement, data exfiltration, and then either destructive action or curated public leaks amplified via domains and Telegram.
- Tooling evolved from bespoke ransomware/wipers (GoXML, cl.exe, No-Justice Wiper, BiBi Wiper, handala.exe) to a hybrid model using living-off-the-land techniques, signed binaries, enterprise tooling (NetBird, ADRecon), and abuse of management planes (Microsoft Intune in the Stryker incident).
- Telegram is used dual-use: as covert command-and-control via the Bot API for exfiltration and control, and as an overt amplification channel (channels/handles and domain anchors) for influence, intimidation, and narrative shaping.
- Operational effects are primarily psychological and reputational (hack-and-leak influence), with selective but significant disruptive incidents (notably Stryker) and person-centric surveillance/doxxing targeting dissidents and officials.
- Domain rotation and persona rebranding (handala-hack[.]to/.tw/.ps, handala-redwanted, homelandjustice[.]org/info, karmabelow80) provide resilience, segmentation of narrative roles, and attribution obfuscation while preserving a persistent backend capability.
- The campaign demonstrates increasing sophistication and convergence: surveillance implants, Telegram-based C2, enterprise-control-plane abuse, and coordinated multi-vector destruction enable rapid, scalable impact aligned with state objectives.
MITRE Techniques
- [T1190] Exploit Public-Facing Application - Used for initial long-dwell access via an internet-facing SharePoint flaw ["exploiting an internet-facing Microsoft SharePoint vulnerability"]
- [T1059] Command and Scripting Interpreter - PowerShell and CLI used throughout for payload delivery and execution ["PowerShell-based propagation reflects a growing reliance on native system capabilities"]
- [T1059.001] PowerShell - PowerShell scripts used for propagation, execution, and destructive actions ["PowerShell-based propagation reflects a growing reliance on native system capabilities"]
- [T1505.003] Web Shell - Webshells deployed to maintain durable access on IIS/web servers ["Webshells were deployed on compromised servers, providing durable and low-friction access"]
- [T1078] Valid Accounts - Credential harvesting and reuse for lateral movement and privileged access ["obtained privileged credentials that enabled lateral movement and escalation"]
- [T1070] Indicator Removal on Host - File deletion and other cleanup to evade detection ["file deletion" cited as part of defense evasion, with defenses impaired during operations]
- [T1003.001] LSASS Memory - Memory dumping to extract credentials for escalation and lateral movement ["dump LSASS memory and obtain plaintext credentials or hashes"]
- [T1087] Account Discovery - Internal reconnaissance to enumerate accounts and trust relationships ["systematic internal reconnaissance, enumerating network topology, identifying key systems"]
- [T1021.001] Remote Desktop Protocol (RDP) - RDP used for lateral movement and administrative access ["Movement across the environment was conducted using ... RDP"]
- [T1021.002] Server Message Block (SMB) - SMB used for lateral movement and propagation ["Movement across the environment was conducted using ... SMB"]
- [T1114.002] Remote Email Collection - Exchange compromises used to harvest mailboxes for intelligence and leak material ["The compromise of Microsoft Exchange infrastructure ... access and manipulate mailboxes"]
- [T1105] Ingress Tool Transfer - Tools and payloads staged and transferred into targets for execution ["Files are typically staged locally, compressed, and transferred"]
- [T1041] Exfiltration Over C2 - Data exfiltration over C2 channels, including Telegram-based channels ["the actors leverage Telegram-based exfiltration, using the platform's API to transmit data"]
- [T1486] Data Encrypted for Impact - Ransomware-style encryption used as part of disruptive sequencing ["encryption and wiping components were deployed in sequence"]
- [T1561.001] Disk Wipe - Destructive wiping (No-Justice, BiBi Wiper, handala.exe) to prevent recovery ["designed for rapid and irreversible disruption"]
- [T1485] Data Destruction - Manual and scripted deletion and formatting to ensure sustained damage ["manual file deletion and disk formatting to perform destructive actions"]
- [T1218] System Binary Proxy Execution - Abuse of signed/system binaries and rundll32 to evade defenses ["use of signed binaries suggests an increased emphasis on evasion and trust abuse"]
- [T1036] Masquerading - Trojanized apps and masqueraded binaries used as lures and for persistence ["trojanized applications masquerading as legitimate software"]
- [T1490] Inhibit System Recovery - Techniques to prevent recovery, including boot corruption and wiping ["preventing successful operating system boot" and "Inhibit Recovery"]
- [T1018] Remote System Discovery - Discovery of remote systems to map the network and targets ["operators conducted systematic internal reconnaissance, enumerating network topology"]
- [T1562] Impair Defenses - Actions to disable or impair endpoint defenses and evade detection ["Defense Evasion ... AV disable" and "impair defenses"]
- [T1005] Data from Local System - Collection of files and email data from local systems for exfiltration ["Data is typically staged locally, compressed, and transferred"]
- [T1566] Phishing - Targeted lures and phishing for initial access in surveillance and person-centric operations ["Initial access is commonly achieved through trojanized applications ... and phishing"]
- [T1218.011] Rundll32 - Use of rundll32 for execution observed in the Handala phase ["Execution ... T1218.011 Rundll32"]
- [T1547] Boot or Logon Autostart Execution - Registry run keys and scheduled tasks used for persistence ["Registry modifications and scheduled tasks are used to ensure execution at startup"]
- [T1555] Credentials from Password Stores - Extraction from credential stores and browser stores for account access ["Actors extract credentials from configuration files, email systems, and browser stores"]
- [T1069] Permission Groups Discovery - Enumeration of groups and permissions to map actor access and targets ["Account Discovery and Permission Groups referenced as discovery techniques"]
- [T1204] User Execution - Social engineering and user-executed trojans used as lures ["trojanized applications tailored to the target's context"]
- [T1113] Screen Capture - Screen capture used by surveillance implants for continuous monitoring ["staged malware chains that establish ... screen capture"]
- [T1123] Audio Capture - Audio interception, including conferencing platforms ["audio interception (with specific capability to monitor conferencing platforms)"]
- [T1071.001] Web Protocols (Telegram API) - Telegram Bot API abused for encrypted C2 and exfiltration ["use of the Telegram Bot API, which allows malware to communicate with operator-controlled bots"]
- [T1583.001] Domains - Domain provisioning and rotation for narrative nodes and resilience ["Core domains such as Homeland Justice[.]org, handala-hack[.]to ... operate as visible nodes"]
- [T1583.003] VPS - Use of VPS/back-end hosting to support alternate infrastructure and resilience ["additional domains ... likely function as alternate or backend infrastructure"]
- [T1585.001] Social Media Accounts - Establishment and use of Telegram/X accounts and channels for amplification ["Telegram channels ... distribute propaganda, operational claims, and references to leaked data"]
- [T1608] Stage Capabilities (Upload/Stage Data) - Staging and uploading stolen data to sites and channels for publication ["Files are typically staged locally, compressed, and transferred using standard protocols"]
- [T1102] Web Service - Use of web services (Telegram as platform) for both C2 and public dissemination ["Telegram occupies a central and multifaceted role ... covert command-and-control and an overt platform for messaging"]
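The dual-use Telegram pattern above (T1041, T1071.001, T1102) is detectable at the egress proxy, because Bot API calls carry the bot token and the method name in the URL path. The following is an added detection example, not code from the report: it parses constructed egress log lines (assumed format: timestamp, host, process, URL), flags Bot API use by processes outside a local allowlist, labels each call as command polling (getUpdates) or exfiltration (send*), and groups hits by host and bot id so that several processes driving the same bot stand out as one implant channel. The process names and the allowlist are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample egress log lines (not from the report).
# Assumed format: timestamp host process destination_url
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z WS01 ops-notify.exe https://api.telegram.org/bot111111:AAAA/sendMessage
2024-03-01T10:02:13Z WS07 RuntimeSSH.exe https://api.telegram.org/bot998877:XYZabc/getUpdates
2024-03-01T10:02:20Z WS07 RuntimeSSH.exe https://api.telegram.org/bot998877:XYZabc/sendDocument
2024-03-01T10:05:00Z WS03 chrome.exe https://web.telegram.org/k/
2024-03-01T10:06:44Z WS07 powershell.exe https://api.telegram.org/bot998877:XYZabc/sendDocument
"""

# Bot API URLs embed the token in the path: /bot<id>:<secret>/<method>
BOT_API = re.compile(r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[^/]+)/(?P<method>\w+)")
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendMessage"}
CONTROL_METHODS = {"getUpdates"}
ALLOWED_PROCESSES = {"ops-notify.exe"}  # assumed: processes approved to use the Bot API

def parse_line(line):
    """Return a dict for a Bot API request, or None if the line is not one.
    The token secret is deliberately dropped; only the numeric bot id is kept."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, host, proc, url = parts
    m = BOT_API.search(url)
    if not m:
        return None
    return {"ts": ts, "host": host, "process": proc,
            "bot_id": m["bot_id"], "method": m["method"]}

def classify(method):
    """Map a Bot API method to the role it plays for an implant."""
    if method in EXFIL_METHODS:
        return "exfiltration"
    if method in CONTROL_METHODS:
        return "command-polling"
    return "other"

def scan(log_text):
    """Flag Bot API use by non-allowlisted processes; group hits by (host, bot id)."""
    alerts, by_bot = [], defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["process"].lower() in ALLOWED_PROCESSES:
            continue
        ev["role"] = classify(ev["method"])
        alerts.append(ev)
        by_bot[(ev["host"], ev["bot_id"])].add(ev["process"])
    # Several processes on one host talking to the same bot id share one channel
    shared = {k: sorted(v) for k, v in by_bot.items() if len(v) > 1}
    return alerts, shared
```

Run against the sample, the scan yields three alerts on WS07 and reports bot id 998877 as shared by RuntimeSSH.exe and powershell.exe.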
Indicators of Compromise
- [Domain] Public-facing narrative and leak sites - handala-hack[.]tw, homelandjustice[.]org, and other registered domains such as handala-redwanted[.]cc and karmabelow80[.]org (plus multiple additional handala/karma/homeland domains)
- [File Hash (MD5)] Destructive and payload artifacts - GoXML.exe (bbe983dba3bf319621b447618548b740), handala.exe (5986ab04dd6b3d259935249741d3eff2), and 15+ other MD5 hashes across campaigns
- [File Hash (SHA-256)] Signed wiper sample - Ptable.exe / NACL.exe (36cc72c55f572fe02836f25516d18fed1de768e7f29af7bdf469b52a3fe2531f)
- [Filenames / Tools] Known payloads and loaders - Telegram_Authenticator.exe, RuntimeSSH.exe, NetBird installer, and handala.exe (representative artifacts referenced across phases)
- [Telegram / Social Handles] Amplification and C2 channels - @HANDALA_INTEL, @HomelandJustice1 (channels used for publication and coordination) and api.telegram.org as the abused C2 endpoint
- [Command-and-Control] Platform endpoints - api.telegram.org (Telegram Bot API used for C2 and exfiltration) and referenced bot-based control infrastructure