Research Report

[CS-SA-26-0303] The Threat – Handala Hack Team

 

Executive Summary

Handala Hack Team is a pro-Palestinian, anti-Israel hacktivist persona associated with destructive cyber operations that combine wiper malware, hands-on-keyboard intrusion, and hack-and-leak messaging. The group frequently frames attacks as retaliation against Israel and its allies, including the United States. In March 2026, the group claimed responsibility for a disruptive incident affecting Stryker. The company reported widespread operational disruption and stated it had no indication of ransomware and believed the incident was contained, while reporting indicated some devices appeared to have been wiped.

Security researchers have linked Handala activity to destructive campaigns since late 2023, including phishing-delivered wipers and the use of Telegram infrastructure. Check Point Research assesses the persona as connected to Void Manticore, which it associates with Iran's Ministry of Intelligence and Security (MOIS). Reported activity emphasizes credential compromise, RDP-based lateral movement, and domain-wide distribution of destructive payloads. Handala's operations appear to support Iranian strategic objectives while maintaining plausible deniability through a hacktivist front. Several operations have occurred during periods of geopolitical tension involving Iran, Israel, and the United States, suggesting potential retaliatory signaling or opportunistic timing.

Key Findings for Defenders

  • Handala conducts manual, hands-on intrusions using custom and publicly available tools, with a deliberate focus on maximum destructive impact rather than long-term espionage.
  • Initial access relies primarily on VPN credential abuse, phishing (including SMS phishing), and supply-chain compromise of IT/MSP providers.
  • Wiping operations employ at least four simultaneous destruction techniques distributed via Group Policy, designed to overwhelm partial defenses and prevent recovery.
  • A new, high-impact TTP confirmed in the Stryker attack involves abuse of Microsoft Intune MDM to issue authenticated mass remote device wipes, bypassing endpoint security software entirely.
  • The group's targeting has expanded from exclusively Israeli organizations to U.S. entities with Israeli business ties or U.S. Department of Defense contracts.
  • Handala's operational security has degraded since early 2026; the group has been observed connecting directly from Iranian IP addresses and Starlink IP ranges.

Threat Actor Operational Characteristics

Handala is distinguished from many nation-state actors by its preference for manual, hands-on intrusions rather than fully automated attack chains. The group typically establishes access and conducts reconnaissance weeks or months before executing the destructive phase. When the destructive phase begins, it is rapid and multi-vector, designed to inflict maximum damage before defenders can respond. The group publicizes attacks on Telegram and at handala-hack[.]to, typically with manifestos framing operations in terms of political retaliation.

Defenders should note that Handala has a documented history of exaggerating the scale of attacks. At least one organization previously denied Handala's claimed compromise. Claimed metrics (e.g., number of systems wiped, data exfiltrated) should be treated as potentially inflated, while confirmed TTPs and IOCs must be taken seriously.

Tactics, Techniques, and Procedures (TTPs)

Handala's intrusions begin with credential-based initial access, primarily through brute-force and credential abuse against organizational VPN infrastructure, originating from commercial VPN nodes. The group also uses spearphishing via email and SMS, with at least one member assessed as fluent in Hebrew based on the quality of lures. IT and service providers are deliberately targeted as supply-chain footholds to reach downstream victims.

Once inside, lateral movement is conducted manually via RDP. In recent intrusions, the group deployed NetBird, a legitimate open-source zero-trust mesh VPN tool, by connecting to compromised hosts via RDP and downloading it directly from the official NetBird website using the local browser. At least five attacker-controlled machines were observed operating simultaneously within one victim environment using this method. Credential theft runs in parallel: LSASS is dumped via comsvcs.dll through rundll32.exe, sensitive registry hives are exported via wmic.exe, and ADRecon (renamed dra.ps1) is used for Active Directory enumeration. Initial access in at least one confirmed intrusion was established months before the destructive phase.

During the destructive phase, Handala deploys four wiping techniques in parallel: a custom executable wiper (handala.exe) with MBR overwrite capability, a PowerShell-based wiper, Group Policy logon scripts distributing both components domain-wide, and, as confirmed in the Stryker attack, abuse of Microsoft Intune MDM to issue remote wipe commands across enrolled devices. In the Stryker incident, employees with Microsoft Outlook configured on personal devices had those devices wiped as well. Earlier campaigns used an NSIS installer disguised as a legitimate update, with batch script obfuscation and time-based delays to evade sandbox analysis and bypass antivirus process checks. Post-destruction, login pages are defaced with the Handala logo and stolen data is published to the group's Telegram channel and leak site.

Appendix B contains a table that maps observed Handala behaviors to the MITRE ATT&CK framework. Entries are derived from published research. Behaviors from prior operations that remain likely to recur are included.

Consolidated Industry Overview of Handala Targets

Based on Handala Hack Team's claimed victims in H2 2025, targeted entities fall across several broad sectors, including but not limited to:

| Sector | Description |
| --- | --- |
| Israeli Organizations (All Sectors) | Israeli entities remain the primary focus. Targets span government, telecommunications, healthcare, energy, defense contractors, and private sector organizations. Nearly any Israeli-affiliated organization may be considered a viable target. |
| Media and Information | Journalists, media figures, and broadcasting organizations targeted for access to communications, editorial networks, and influence opportunities. |
| Government | Political leaders and senior government staff targeted for potential insight into policymaking and internal communications. |
| Defense, Aerospace, and Security | Engineers, researchers, and specialists connected to missile defense systems, drone programs, and cyber units. |
| Technology and Telecoms | Software companies, technology platforms, cybersecurity professionals, and telecommunications infrastructure. |
| Critical Infrastructure and Energy | Organizations operating essential systems such as fuel distribution and other infrastructure supporting national operations. |
| Industrial and Commercial Services | Manufacturing, construction, catering, logistics, legal services, and technology retail organizations that may provide indirect access to supply chains or operational data. |
| Healthcare | Hospitals, medical providers, and healthcare systems that manage sensitive patient data and essential operational services. |

Implications for Organizations

Handala's expanding targeting scope makes this threat relevant well beyond Israeli organizations. Any organization that is publicly affiliated with Israel, conducts business with Israeli companies, has acquired Israeli subsidiaries, holds U.S. Department of Defense contracts, or is perceived as opposing Iranian or Palestinian interests should consider itself a potential target. Handala has explicitly cited Stryker's 2019 acquisition of Israeli medical technology company OrthoSpace and Stryker's U.S. military contracts as justification for the attack. Organizations in healthcare, defense supply chain, critical infrastructure, financial technology, and IT services with any of these affiliations should move to a heightened alert posture immediately.

The group's recent expansion to U.S.-based enterprises, combined with a documented decline in operational security including direct connections from Iranian IP addresses, suggests an acceleration in operational tempo rather than restraint. The Stryker attack occurred just two days after the White House released its Cyber Strategy for America framework and follows a pattern of Iranian cyber activity timed to kinetic military escalation. Organizations should treat the current geopolitical environment as an active threat condition, not a watch-and-wait situation.

The Intune MDM abuse confirmed in the Stryker attack represents a category shift in destructive capability. A single compromised cloud administrator credential can now result in the simultaneous, irreversible destruction of an organization's entire global device fleet with no malware required on endpoints. Traditional endpoint detection will not catch this. Defenders must prioritize identity and cloud management plane security with the same urgency previously reserved for perimeter defenses.
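A detection sketch for this management-plane abuse, added here as an example and not taken from Critical Start or Microsoft tooling: it flags any account that issues a burst of device-wipe commands and attaches that account's recent sign-in sources, marking those inside the IP segments this advisory lists. The record layout, field names, thresholds and the reading of each "x" segment as a /24 are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: Intune audit and Entra sign-in records were exported and
# normalised to simple dicts; field names and the "wipe" label are hypothetical.
WIPE_ACTION = "wipe"
WINDOW = timedelta(minutes=10)   # burst window (tunable)
THRESHOLD = 5                    # wipes by one actor inside WINDOW (tunable)
LOOKBACK = timedelta(hours=24)   # sign-in history attached to each finding

# Segments named in this advisory, read here as /24 networks (assumption).
ADVISORY_NETS = [ip_network(n) for n in (
    "169.150.227.0/24", "149.88.26.0/24",
    "188.92.255.0/24", "209.198.131.0/24")]


def in_advisory_range(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ADVISORY_NETS)


def find_wipe_bursts(audit_events, signins):
    """One finding per actor whose wipe commands reach THRESHOLD in WINDOW."""
    by_actor = defaultdict(list)
    for ev in audit_events:
        if ev["action"] == WIPE_ACTION:
            by_actor[ev["actor"]].append(ev)

    findings = []
    for actor, events in sorted(by_actor.items()):
        events.sort(key=lambda e: e["time"])
        window, burst_start, peak = deque(), None, 0
        for ev in events:
            window.append(ev)
            # Slide the window: drop wipes older than WINDOW.
            while ev["time"] - window[0]["time"] > WINDOW:
                window.popleft()
            peak = max(peak, len(window))
            if burst_start is None and len(window) >= THRESHOLD:
                burst_start = window[0]["time"]
        if burst_start is None:
            continue
        # Correlate: where did this account sign in from before the burst?
        ips = sorted({s["ip"] for s in signins
                      if s["user"] == actor
                      and burst_start - LOOKBACK <= s["time"] <= burst_start})
        findings.append({
            "actor": actor,
            "burst_start": burst_start,
            "peak_wipes_in_window": peak,
            "devices_wiped": sorted({e["device"] for e in events}),
            "signin_ips": ips,
            "advisory_range_ips": [ip for ip in ips if in_advisory_range(ip)],
        })
    return findings


# Constructed sample data (not real telemetry).
T0 = datetime(2026, 1, 15, 2, 0, 0)
SAMPLE_AUDIT = (
    [{"time": T0 + timedelta(seconds=40 * i), "actor": "admin1@example.com",
      "action": "wipe", "device": f"LAPTOP-{i:03d}"} for i in range(6)]
    + [{"time": T0 + timedelta(hours=h), "actor": "helpdesk@example.com",
        "action": "wipe", "device": f"PHONE-{h}"} for h in (0, 3)]
    + [{"time": T0, "actor": "admin1@example.com",
        "action": "sync", "device": "LAPTOP-000"}]
)
SAMPLE_SIGNINS = [
    {"time": T0 - timedelta(hours=2), "user": "admin1@example.com",
     "ip": "169.150.227.10"},
    {"time": T0 - timedelta(days=3), "user": "admin1@example.com",
     "ip": "198.51.100.7"},
    {"time": T0 - timedelta(hours=1), "user": "helpdesk@example.com",
     "ip": "198.51.100.9"},
]

if __name__ == "__main__":
    for finding in find_wipe_bursts(SAMPLE_AUDIT, SAMPLE_SIGNINS):
        print(finding)
```

Two isolated help-desk wipes three hours apart stay below the threshold, so routine single-device wipes do not alert.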

Organizational Mitigation Strategies

In light of the elevated threat environment following Operation Epic Fury and Handala's confirmed expansion to U.S. targets, organizations should implement or validate the following controls, prioritized by recommended timeframe.

24 to 48 Hours

  • Audit Azure AD and Intune administrator role assignments. Remove any accounts with Global Administrator or Intune Device Administrator privileges that are not actively required. Enable Privileged Identity Management (PIM) for just-in-time elevation on all remaining admin accounts.
  • Review Microsoft Intune audit logs for any bulk device wipe commands or anomalous admin activity. Correlate against Azure AD sign-in logs for the same accounts.
  • Send employee awareness communications specifically addressing conflict-themed phishing lures, including SMS-based phishing impersonating IT vendors, security firms, and device manufacturers.
  • Validate that MFA is enforced on all VPN, remote access, and Microsoft 365 admin accounts. Disable legacy authentication protocols that bypass MFA enforcement.
  • Block or alert on authentication attempts to enterprise VPN gateways originating from commercial VPN provider IP ranges, including the 169.150.227.x and 149.88.26.x segments, and from Starlink IP ranges (188.92.255.x, 209.198.131.x), which have been confirmed in Handala egress activity.
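The VPN gateway check in the last item can be prototyped as below. This is an added example, not Critical Start's code: it triages gateway authentication lines by source, flagging sources inside the listed segments and failed-login bursts, and treats the default Windows host-name pattern from Appendix C only as a supporting heuristic. The log layout, the /24 reading of each "x" segment, the host-name regex and the threshold are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Segments named in the advisory, read here as /24 networks (assumption).
WATCH_NETS = {
    "commercial VPN": ["169.150.227.0/24", "149.88.26.0/24"],
    "Starlink": ["188.92.255.0/24", "209.198.131.0/24"],
}
# Windows auto-generated host names; the suffix length is an assumption.
DEFAULT_HOST = re.compile(r"^(?:DESKTOP|WIN)-[A-Z0-9]{6,}$", re.IGNORECASE)
# Hypothetical "key=value" gateway log layout; adapt to the real format.
LINE = re.compile(r"^\S+ \S+ auth (?P<kv>.+)$")
FAIL_BURST = 3  # failures from one source that count as a burst (tunable)


def parse(line):
    # Returns a dict for a well-formed auth line, else None.
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
    if not {"result", "user", "src"} <= rec.keys():
        return None
    try:
        rec["src"] = ip_address(rec["src"])
    except ValueError:
        return None
    return rec


def watch_label(src):
    for label, nets in WATCH_NETS.items():
        if any(src in ip_network(n) for n in nets):
            return label
    return None


def triage(lines):
    """Return (alerts, skipped_line_count) for an iterable of log lines."""
    stats = defaultdict(
        lambda: {"fail": 0, "ok": 0, "users": set(), "hosts": set()})
    skipped = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            skipped += 1
            continue
        s = stats[rec["src"]]
        s["ok" if rec["result"] == "OK" else "fail"] += 1
        s["users"].add(rec["user"])
        s["hosts"].add(rec.get("client_host", ""))
    alerts = []
    for src, s in sorted(stats.items(), key=lambda kv: str(kv[0])):
        reasons = []
        label = watch_label(src)
        if label:
            reasons.append(f"source in advisory {label} range")
        if s["fail"] >= FAIL_BURST:
            reasons.append(f"{s['fail']} failed logins from one source")
        if not reasons:
            continue  # a default host name alone is only a heuristic
        if any(DEFAULT_HOST.match(h) for h in s["hosts"]):
            reasons.append("default Windows host name (heuristic)")
        alerts.append({"src": str(src), "users": sorted(s["users"]),
                       "severity": "high" if s["ok"] else "medium",
                       "reasons": reasons})
    return alerts, skipped


# Constructed sample lines (not real telemetry).
SAMPLE = """\
2026-01-15T02:00:01Z vpn-gw auth result=FAIL user=jsmith src=169.150.227.14 client_host=DESKTOP-A1B2C3D
2026-01-15T02:00:03Z vpn-gw auth result=FAIL user=jsmith src=169.150.227.14 client_host=DESKTOP-A1B2C3D
2026-01-15T02:00:05Z vpn-gw auth result=FAIL user=adavis src=169.150.227.14 client_host=DESKTOP-A1B2C3D
2026-01-15T02:00:09Z vpn-gw auth result=OK user=adavis src=169.150.227.14 client_host=DESKTOP-A1B2C3D
2026-01-15T02:05:00Z vpn-gw auth result=FAIL user=mlee src=188.92.255.40 client_host=WIN-Q7R8S9T0U1V
2026-01-15T08:31:00Z vpn-gw auth result=OK user=pshah src=203.0.113.5 client_host=DESKTOP-Z9Y8X7W
this line is malformed
""".splitlines()
```

Severity rises to "high" when a flagged source also has a successful login, which is the case that warrants immediate session review and credential reset.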

1 Week

  • Audit and restrict Group Policy Object modification rights. Alert on any new GPO logon scripts or scheduled task additions created outside of your change management process, as these are Handala's primary domain-wide wiper distribution mechanism.
  • Hunt across EDR telemetry for the IOCs listed in this advisory: handala.exe, handala.bat, dra.ps1, NetBird installation artifacts, and LSASS dump activity via comsvcs.dll through rundll32.exe.
  • Audit all RMM tools and remote access utilities (AnyDesk, Atera, ScreenConnect) for unauthorized instances. Validate that only approved tools are present and that access logs are being collected.
  • Block or alert on installation of peer-to-peer mesh VPN tools (NetBird, Tailscale, ZeroTier) on endpoints not in an approved software inventory. Outbound connections to netbird.io from internal hosts should be flagged immediately.
  • Validate email security controls (DMARC, DKIM, SPF) and confirm that macro-enabled attachments and NSIS installer packages arriving via email are sandboxed or blocked.
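The EDR hunt and mesh-VPN items above, as an added example (not Critical Start's or any EDR vendor's query): it scans process-creation events for the advisory's file names, for rundll32.exe loading comsvcs.dll, and for mesh VPN clients on hosts outside an approved inventory. The event layout, host names, paths and prefix matching of mesh VPN image names are assumptions.

```python
import ntpath
import re

# File names, binaries and tool names taken from this advisory.
IOC_FILES = {"handala.exe", "handala.bat", "dra.ps1"}
# Matching mesh VPN clients by image-name prefix is an assumption.
MESH_PREFIXES = ("netbird", "tailscale", "zerotier")
TOKEN = re.compile(r'"[^"]*"|\S+')  # quoted strings or bare words


def file_names(cmdline):
    """Lower-cased file name of every token in a Windows command line."""
    names = []
    for tok in TOKEN.findall(cmdline):
        tok = tok.strip('"').split(",", 1)[0]  # 'x.dll,Export' -> 'x.dll'
        names.append(ntpath.basename(tok).lower())
    return names


def hunt(events, approved_mesh_hosts=frozenset()):
    """Return sorted (host, rule) hits over process-creation events."""
    hits = set()
    for ev in events:
        names = file_names(ev["cmdline"])
        if not names:
            continue
        image = names[0]
        # Any token naming one of the advisory's files, wherever it lives.
        for name in IOC_FILES.intersection(names):
            hits.add((ev["host"], "ioc-file:" + name))
        # rundll32.exe asked to load comsvcs.dll (credential-theft phase).
        if image == "rundll32.exe" and "comsvcs.dll" in names[1:]:
            hits.add((ev["host"], "comsvcs-via-rundll32"))
        # Mesh VPN client started on a host outside the approved inventory.
        if (image.startswith(MESH_PREFIXES)
                and ev["host"] not in approved_mesh_hosts):
            hits.add((ev["host"], "unapproved-mesh-vpn:" + image))
    return sorted(hits)


# Constructed process-creation events (hypothetical hosts and paths;
# the comsvcs.dll export and arguments are deliberately left as placeholders).
SAMPLE_EVENTS = [
    {"host": "WS-101",
     "cmdline": r'powershell.exe -File C:\Users\Public\dra.ps1'},
    {"host": "WS-101",
     "cmdline": r'rundll32.exe C:\Windows\System32\comsvcs.dll,<export> <args>'},
    {"host": "DC-01",
     "cmdline": r'cmd.exe /c "\\corp.example\SYSVOL\scripts\handala.bat"'},
    {"host": "WS-207",
     "cmdline": r'"C:\Program Files\NetBird\netbird.exe"'},
    {"host": "NETOPS-01",
     "cmdline": r'"C:\Program Files\NetBird\netbird.exe"'},
    {"host": "WS-300",
     "cmdline": r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl'},
    {"host": "WS-300",
     "cmdline": r'notepad.exe C:\Users\a\handala.exe.txt'},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, approved_mesh_hosts={"NETOPS-01"}):
        print(hit)
```

File-name matches are cheap to evade by renaming, so treat them as a first pass and rely on the behavioural rules and the hashes in Appendix C for confirmation.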

30 Days

  • Test offline backup recoverability end-to-end. Handala deploys at least four simultaneous wiping mechanisms specifically designed to defeat partial backup strategies. Confirm that at least one backup copy is fully air-gapped and that recovery time has been validated under a simulated total-wipe scenario.
  • Review and enforce network segmentation to ensure domain controllers are not reachable via RDP from general user network segments. Implement RDP gateway controls with session logging.
  • Develop or update incident response playbooks for a simultaneous enterprise-wide device wipe, including out-of-band communication procedures that do not depend on the Microsoft tenant.
  • Conduct a tabletop exercise simulating full Microsoft environment compromise. Key question: can the organization operate for 72 hours with no corporate email, no Teams, no Intune-managed devices, and no Azure AD authentication?
  • Review third-party vendor and MSP access, specifically any delegated Azure AD or Intune administrator permissions. Require hardware MFA for all vendor accounts and validate that access is scoped to the minimum necessary.

What Critical Start Is Doing

The Critical Start Cyber Research Unit is actively monitoring Handala and the broader Iranian threat actor ecosystem. If you are a Critical Start MDR customer, our SOC is positioned to hunt for Handala IOCs across your environment, validate your Intune and Azure AD administrator controls, identify exposure to confirmed Handala network indicators, and provide tailored briefings for your security leadership or board.

For an overview of the Cyberattack on Stryker by Handala Hack Team as reported, visit Critical Start's Intel Hub. If you are not yet a Critical Start customer and want to understand your exposure, reach us at criticalstart.com.

Conclusion

Handala Hack Team has been an active and persistent threat since late 2023, conducting sustained wiper attacks and hack-and-leak operations across Israeli government, healthcare, critical infrastructure, and private sector targets throughout 2024 and into 2026. The March 2026 Stryker attack was not an emergence but an escalation, marking the group's most consequential operation to date and confirming its expansion to large U.S. enterprises.

There is no indication the group is slowing down. The current geopolitical environment, marked by active military conflict between Israel, the U.S., and Iran, continues to provide both the motivation and the political cover for further operations. Handala has shown a consistent pattern of timing attacks to kinetic escalation events, and with that conflict ongoing, additional retaliatory operations should be expected. The group's TTPs are well-documented and largely consistent, which means defenders have clear, actionable detection and hardening opportunities. Organizations with any visible affiliation to Israel, U.S. defense interests, or industries perceived as opposing Iranian or Palestinian interests should treat Handala as an active and credible threat, not a regional concern to monitor from a distance.

Further Reading

  1. Check Point Research - Handala Hack -- Unveiling Group's Modus Operandi
  2. Splunk Threat Research Team / Cisco Talos - Handala's Wiper: Threat Analysis and Detections
  3. Intezer - Operation HamsaUpdate: Wipers Put Israeli Infrastructure at Risk
  4. Trellix Advanced Research Center - Handala's Wiper Targets Israel
  5. KrebsOnSecurity - Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker
  6. The Record (Recorded Future News) - Medical Device Giant Stryker Confirms Cyberattack
  7. Help Net Security - War Spreads into Cyberspace after Iran-Linked Hackers Hit Stryker
  8. Nextgov/FCW - CISA Launches Investigation into Stryker Cyberattack
  9. HackRead - Iran-Linked Handala Hackers Claim Major Hacks on Stryker and Verifone
  10. DataBreaches.net - Clalit Probes Suspected Cyberattack after Iranian-Linked Hackers Leak Patient Files
  11. Tenable - Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury
  12. Security Boulevard - Operation Epic Fury: Potential Iranian Cyber Counteroffensive
  13. CISA Advisory AA22-264A - Iranian Government-Sponsored APT Actors Compromise Albanian Government

Appendix A: Named CVEs Referenced

The following CVEs are referenced in reporting on Handala / Void Manticore operations or the broader MOIS threat actor ecosystem. CVEs exploited by related MOIS actors (Scarred Manticore, MuddyWater) are included given documented collaboration within the MOIS offensive cyber apparatus.

| CVE ID | Affected Product | CVSS | Relevance to MOIS Operations | Recommended Action |
| --- | --- | --- | --- | --- |
| CVE-2023-27350 | PaperCut NG/MF | 9.8 Critical | Pre-auth RCE in print management software. Exploited by multiple Iranian-affiliated actors for initial access to enterprise environments. | Patch to v22.0.10+ |
| CVE-2021-26084 | Atlassian Confluence | 9.8 Critical | OGNL injection enabling pre-auth RCE. Exploited by MOIS-linked clusters including Void Manticore for initial access. | Patch to v7.13.7+ / v7.14.3+ |
| CVE-2022-47966 | Zoho ManageEngine | 9.8 Critical | Pre-auth RCE via SAML. Used by Iranian threat actors in 2022 to 2023 campaigns to gain access to IT management infrastructure. | Patch immediately |
| CVE-2024-3400 | Palo Alto PAN-OS | 10.0 Critical | Command injection in GlobalProtect VPN. Observed in Iranian-affiliated campaigns to obtain VPN/network gateway access. | Patch to v11.1.2-h3+ |

Appendix B: Tactics, Techniques, and Procedures (TTPs)

The following tactics, techniques, and procedures (TTPs) are referenced in reporting on Handala / Void Manticore operations and associated activity across the broader Iranian Ministry of Intelligence and Security (MOIS) cyber ecosystem.

| Tactic | MITRE ATT&CK Technique | Observed Behavior |
| --- | --- | --- |
| Initial Access | T1078 -- Valid Accounts | VPN credential abuse via brute-force; hundreds of login attempts against organizational VPN infrastructure from commercial VPN nodes (e.g., 169.150.227.x range). Post-Jan 2026 shift to Starlink IP ranges. |
| Initial Access | T1566.001 -- Spearphishing Attachment | Phishing campaigns using PDF lures (e.g., fake CrowdStrike fix tool); well-crafted Hebrew-language emails targeting Israeli organizations. |
| Initial Access | T1566.002 -- Spearphishing Link | SMS phishing (smishing) with malicious links leading to wiper payloads; at least one member assessed fluent in Hebrew based on email quality. |
| Initial Access | T1195 -- Supply Chain Compromise | Deliberate targeting of IT and service providers to harvest credentials for downstream victim access; a documented primary ingress strategy. |
| Execution | T1059.001 -- PowerShell | AI-assisted PowerShell wiper script; distributed via Group Policy logon scripts across victim network. |
| Execution | T1059.003 -- Windows Command Shell | Batch launcher scripts (handala.bat) with garbage-code obfuscation to trigger wiper components and hinder static analysis. |
| Execution | T1204.002 -- Malicious File | NSIS installer package disguised as a legitimate software update (e.g., update.zip) delivers wiper payload. |
| Execution | T1072 -- Software Deployment Tools | Abuse of Microsoft Intune MDM platform to issue authenticated remote wipe commands across all enrolled enterprise devices. Confirmed vector in Stryker (Mar 2026). |
| Lateral Movement | T1021.001 -- Remote Desktop Protocol | Primary lateral movement method. Manual RDP-based traversal between hosts; intensive hands-on approach within victim networks. |
| Lateral Movement | T1090 -- Proxy / Tunnel | Deployment of NetBird (legitimate open-source zero-trust mesh VPN) on compromised hosts to establish internal tunnels and pivot between network segments. |
| Discovery | T1087 / T1069 -- Account / Group Discovery | ADRecon (renamed dra.ps1) PowerShell framework used for Active Directory enumeration to identify pathways to Domain Administrator credentials. |
| Credential Access | T1003.001 -- LSASS Memory | LSASS process dump via comsvcs.dll / rundll32.exe to extract plaintext and hashed credentials from memory. |
| Credential Access | T1552.002 -- Registry Credentials | Export of sensitive registry hives (HKLM\SAM, SYSTEM, SECURITY) via wmic.exe and copy from Volume Shadow Copy. |
| Defense Evasion | T1562.001 -- Impair Defenses | Disabling Windows Defender prior to destructive phase. Antivirus process checks (avastui.exe, avgui.exe, bdservicehost.exe, sophoshealth.exe) to fingerprint the environment. |
| Defense Evasion | T1027 -- Obfuscated Files | Batch script obfuscation using invalid/garbage Windows commands interspersed with valid instructions to defeat static analysis. |
| Defense Evasion | T1497.003 -- Time-Based Evasion | 90 to 180 second sleep delays injected if specific AV processes are absent, designed to evade automated sandbox execution analysis. |
| Defense Evasion | T1036 -- Masquerading | Wiper delivered as a fake CrowdStrike fix tool. Group impersonates legitimate IT brands in phishing campaigns. |
| Collection / Exfil | T1041 -- Exfiltration Over C2 Channel | Claimed exfiltration of 50 TB of data from Stryker. Stolen data published to Handala Telegram channel and the handala-hack[.]to leak site. |
| Command & Control | T1102 -- Web Service | Telegram channel (t.me/handala_hack8) used as a C2 communication channel, leak announcement platform, and propaganda outlet. |
| Impact | T1485 -- Data Destruction | Custom Handala Wiper (handala.exe) overwrites file contents across the file system; distributed as a scheduled task via Group Policy. PowerShell wiper deployed in final stage. |
| Impact | T1561.002 -- Disk Structure Wipe | MBR overwrite deployed alongside file-based wiping to prevent system recovery and re-imaging. |
| Impact | T1490 -- Inhibit System Recovery | Volume Shadow Copy deletion via vssadmin / wmic to prevent data restoration from local backups. |
| Impact | T1491.002 -- External Defacement | Entra ID / Azure AD login pages defaced with Handala logo post-compromise. Device login pages replaced across wiped systems to signal the attack publicly. |

Appendix C: Indicators of Compromise (IOCs)

These indicators may be ingested into SIEM, EDR, and threat hunting platforms. Network-layer IOCs (IP addresses) associated with Handala are short-lived due to the group's use of commercial VPN infrastructure. Behavioral indicators and file-based IOCs are more durable. All IP addresses should be defanged before ingestion into production blocking systems.

| Indicator Type | Value | Context / Source |
| --- | --- | --- |
| IP Address | 107.189.19[.]52 | Handala C2 server; payload retrieval during pre-destructive phase. (Check Point Research, 2026) |
| IP Address | 146.185.219[.]235 | VPN exit node assessed as linked to Handala operational infrastructure. (Check Point Research, 2026) |
| IP Address | 31.192.237[.]207:2515 | C2 endpoint identified in wiper sample analysis. (Intezer, 2023) |
| IP Range | 169.150.227[.]x | Commercial VPN egress segment used by Handala during Israel operations. (Check Point Research, 2026) |
| IP Range | 149.88.26[.]x | Additional commercial VPN range cited in Handala infrastructure. (Check Point Research, 2026) |
| IP Range | 188.92.255[.]x | Starlink egress range observed post-Iran internet shutdown, Jan 2026. (Check Point Research, 2026) |
| IP Range | 209.198.131[.]x | Starlink egress range observed post-Iran internet shutdown, Jan 2026. (Check Point Research, 2026) |
| Domain | handala-hack[.]to | Official Handala data leak and announcement website. |
| URL | sjc1.vultrobjects[.]com/f5update/update[.]sh | Payload delivery URL in Operation HamsaUpdate (F5 device impersonation). (Intezer, 2023) |
| MD5 | 5986ab04dd6b3d259935249741d3eff2 | Handala Wiper executable. (Check Point Research, 2026) |
| MD5 | 3cb9dea916432ffb8784ac36d1f2d3cd | Handala PowerShell Wiper script. (Check Point Research, 2026) |
| MD5 | 3236facc7a30df4ba4e57fddfba41ec5 | VeraCrypt installer used in wiping operations. (Check Point Research, 2026) |
| MD5 | 3dfb151d082df7937b01e2bb6030fe4a | NetBird installer deployed for lateral movement tunneling. (Check Point Research, 2026) |
| MD5 | e035c858c1969cffc1a4978b86e90a30 | NetBird binary. (Check Point Research, 2026) |
| SHA256 | 96dec6e07229201a02f538310815c695cf6147c548ff1c6a0def2fe38f3dcbc8 | Wiper payload. (Splunk/Talos, 2024) |
| SHA256 | 19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0 | Phishing attachment PDF lure. (Splunk/Talos, 2024) |
| SHA256 | 8316065c4536384611cbe7b6ba6a5f12f10db09949e66cb608c92ae8b69e4d67 | OpenFileFinder.dll component. (Splunk/Talos, 2024) |
| SHA256 | fe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2 | F5UPDATER.exe loader, Operation HamsaUpdate. (Intezer, 2023) |
| SHA256 | ca9bf13897af109cb354f2629c10803966eb757ee4b2e468abc04e7681d0d74a | F5UPDATER.exe loader variant, Operation HamsaUpdate. (Intezer, 2023) |
| SHA256 | 454e6d3782f23455875a5db64e1a8cd8eb743400d8c6dadb1cd8fd2ffc2f9567 | Handala.exe Delphi wiper component. (Intezer, 2023) |
| SHA256 | e28085e8d64bb737721b1a1d494f177e571c47aab7c9507dba38253f6183af35 | Hatef.exe wiper component. (Intezer, 2023) |
| File Name | handala.exe | Primary Handala Wiper; deployed via Group Policy scheduled task. MBR-wiping capability confirmed. |
| File Name | handala.bat | Batch launcher script triggering handala.exe and PowerShell wiper; distributed via Group Policy logon scripts. |
| File Name | dra.ps1 | ADRecon PowerShell AD enumeration framework renamed for Handala intrusions. |
| File Name | handala.gif | Propaganda image placed on logical drives as a defacement artifact during the wiping stage. (Check Point Research, 2026) |
| Tool / Binary | NetBird | Legitimate zero-trust mesh VPN abused for lateral movement tunneling. Installed manually by attackers via browser from netbird.io. |
| Tool / Binary | comsvcs.dll via rundll32.exe | Used for LSASS memory dump during credential theft phase. |
| Behavioral Pattern | DESKTOP-XXXXXX / WIN-XXXXXX hostnames | Default Windows hostname pattern tied to Handala VPN brute-force infrastructure. Use as heuristic, not definitive attribution. (Check Point Research, 2026) |
| Behavioral Pattern | Bulk Intune remote wipe via MDM | Abuse of Microsoft Intune to issue enterprise-wide authenticated device wipe commands. Confirmed vector in Stryker attack (Mar 2026). |
| Behavioral Pattern | Azure AD / Entra login page defacement | Handala logo placed on Entra ID login pages post-compromise as a public-facing impact indicator. |
| Behavioral Pattern | "Gaza Hackers Team Handala Machine" string | Do-not-run hostname string in wiper code path; useful for hunting sandbox/analyst evasion logic in samples. (Trellix, 2024) |
| C2 Channel | t.me/handala_hack8 | Primary Handala Telegram channel for C2, data leak announcements, and propaganda. |
| Telegram Bot Token | 6428401585:AAGE6SbwtVJxOpLjdMcrL45gb18H9UV7tQA | Bot token used in C2 for Operation HamsaUpdate. (Intezer, 2023) |
| Telegram Chat ID | 6932028002 | Chat ID associated with Operation HamsaUpdate C2. (Intezer, 2023) |
| Telegram Bot Token | 7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc | Bot token identified in 2024 wiper campaign. (Trellix, 2024) |
| Telegram Chat ID | 7436061126 | Chat ID associated with 2024 wiper campaign. (Trellix, 2024) |

© 2026 Critical Start. All rights reserved.