Handala
Handala is an Iran-linked threat actor and hacktivist-branded persona assessed by the FBI, the U.S. Department of Justice, Recorded Future's Insikt Group, and multiple commercial threat intelligence firms to be a front for Iran's Ministry of Intelligence and Security (MOIS). The reporting also links it to Void Manticore, which is tracked under aliases including Banished Kitten, Dune, Homeland Justice, Red Sandstorm, and Storm-0842. Handala Hack Team is described as a Handala-branded persona, and the actor self-references a sub-brand, the Handala Popular Resistance Front (HPRF).
The actor presents itself as an independent pro-Palestinian or hacktivist group, but the reporting consistently describes it as operating on behalf of Iranian state interests. Reporting states that MOIS has likely expanded the Handala brand beyond cyber operations to include influence, espionage, recruitment, and physical-threat activity targeting U.S. and Israeli interests. Insikt Group links additional Handala-associated personas, including HPRF, VIPEmployment, MOISIRAN, and Brave Israel, to the broader MOIS-linked cluster.
Reported targets include Israeli leadership, government agencies, security institutions, police, technology companies, critical infrastructure, and nuclear-related entities; Iranian opposition groups in Albania, through the Homeland Justice persona; U.S. government personnel and officials; and U.S. private-sector organizations including Stryker. The reporting also notes targeting of Albania's government and parliamentary infrastructure, and claimed operations against county government infrastructure, FBI Director Kash Patel, U.S. Marine Corps personnel, Iran International, and senior Israeli officials.
Observed and reported tactics include hack-and-leak operations, destructive wiper attacks, psychologically oriented ransomware activity, data leaks, disinformation, recruitment of proxies via Telegram bots, surveillance claims, and solicitation of espionage and physical attacks for payment. Homeland Justice activity included long-term access before deployment of ransomware and disk-wiping malware, use of renamed ROADSWEEP and ZeroCleare binaries, modification and disabling of EDR components including Microsoft Defender Antivirus, and RDP for lateral movement. Handala-linked operations are described as using ransomware primarily to sow chaos rather than for extortion.
A major operation directly attributed in the reporting is the March 11, 2026 attack on Stryker, a U.S. medical device manufacturer. In that incident, Handala allegedly penetrated Active Directory and abused Microsoft Intune through a compromised administrator account, created a new Global Administrator account, and issued remote wipe commands that erased thousands of devices and disrupted ordering, manufacturing, and shipping. The reporting characterizes the attack as a significant wiper operation; Handala claimed broader impact and data theft, though investigators reportedly found no evidence of exfiltration. Handala has also claimed leaks of Israeli leaders' personal data, Mossad agent identities, Israeli police databases, Soreq and Dimona nuclear facility data, and sensitive corporate information. The reporting further states that since late 2023 Handala has used pro-Palestinian symbolism and Axis of Resistance narratives as cover while preserving plausible deniability, and that since the beginning of the Iran war its claimed cyber operations against U.S. targets have surged.
Insikt Group assesses that MOIS likely coordinates distinct cyber, influence, and physical personas under the Handala brand to amplify intimidation, recruitment, and psychological impact.
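The Intune abuse chain described above (compromised admin, a newly created Global Administrator, then mass remote wipes) is a sequence a defender can watch for in tenant audit logs. The detection below is an added example, not code from this page or from Mallory; it runs over constructed sample records with an assumed, simplified field layout (not Microsoft's exact Entra ID / Intune audit schema), flags a burst of wipe commands from one principal, and raises severity when that principal was recently added to the Global Administrator role.

```python
from datetime import datetime, timedelta
# Constructed sample audit records with a simplified, assumed field layout (not
# Microsoft's exact Entra ID / Intune schema): "op" is the operation, "target"
# the role or device acted on, "member" the principal being granted a role.
SAMPLE_EVENTS = [
    {"ts": "2026-03-11T01:02:00Z", "actor": "it-admin@corp.example", "op": "Add member to role",
     "target": "Global Administrator", "member": "svc-mdm2@corp.example"},
    {"ts": "2026-03-11T01:10:00Z", "actor": "helpdesk@corp.example", "op": "wipe", "target": "LAPTOP-0412"},
    {"ts": "2026-03-11T01:20:00Z", "actor": "svc-mdm2@corp.example", "op": "wipe", "target": "LAPTOP-1001"},
    {"ts": "2026-03-11T01:20:05Z", "actor": "svc-mdm2@corp.example", "op": "wipe", "target": "LAPTOP-1002"},
    {"ts": "2026-03-11T01:20:09Z", "actor": "svc-mdm2@corp.example", "op": "wipe", "target": "LAPTOP-1003"},
    {"ts": "2026-03-11T01:20:14Z", "actor": "svc-mdm2@corp.example", "op": "wipe", "target": "LAPTOP-1004"},
    {"ts": "2026-03-11T01:20:20Z", "actor": "svc-mdm2@corp.example", "op": "wipe", "target": "LAPTOP-1005"},
]
WIPE_BURST = 5                        # wipes from one actor inside BURST_WINDOW
BURST_WINDOW = timedelta(minutes=15)
GRANT_LOOKBACK = timedelta(hours=24)  # how long a fresh role grant stays suspicious

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_wipe_bursts(events, burst=WIPE_BURST, window=BURST_WINDOW):
    """Signal 1: {actor: start time} for actors issuing >= burst wipes within window."""
    by_actor = {}
    for e in sorted((e for e in events if e["op"] == "wipe"), key=lambda e: e["ts"]):
        by_actor.setdefault(e["actor"], []).append(parse_ts(e["ts"]))
    bursts = {}
    for actor, times in by_actor.items():
        for i in range(len(times) - burst + 1):  # sliding window over sorted timestamps
            if times[i + burst - 1] - times[i] <= window:
                bursts[actor] = times[i]
                break
    return bursts

def global_admin_grants(events):
    """Signal 2: principals added to Global Administrator -> (grant time, granter)."""
    return {e["member"]: (parse_ts(e["ts"]), e["actor"]) for e in events
            if e["op"] == "Add member to role" and e["target"] == "Global Administrator"}

def detect(events):
    """A wipe burst alone is 'high'; one from a freshly minted Global Administrator is 'critical'."""
    grants = global_admin_grants(events)
    alerts = []
    for actor, start in find_wipe_bursts(events).items():
        severity, granted_by = "high", None
        if actor in grants and timedelta(0) <= start - grants[actor][0] <= GRANT_LOOKBACK:
            severity, granted_by = "critical", grants[actor][1]
        alerts.append({"actor": actor, "severity": severity, "granted_by": granted_by,
                       "burst_start": start.isoformat()})
    return alerts
```

On the sample above, the single helpdesk wipe is ignored while the five wipes from the freshly granted account produce one critical alert naming the granting admin.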
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Software & Services
- Utilities
- Health Care Equipment & Services
- Military
Where they target
Geographies tied to known operations.
- 🇮🇱 Israel
- 🇺🇸 United States
Where they're from
Attributed origin per open-source reporting.
- 🇮🇷 Iran
Tradecraft
52 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
28 malware families attributed to this actor across reporting.
23 additional families tracked in Mallory.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns, both exploited in the wild.
VOID MANTICORE has exploited public-facing vulnerabilities within victim environments, including SharePoint CVE-2019-0604. For Homeland Justice, threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access.
One of the Hikvision vulnerabilities (CVE-2021-3626; command injection) grants an attacker full root access to control the device.
Observables
136 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
A Handala-branded cluster attributed in the content to Iran’s MOIS, used across cyber, influence, and physical-threat operations targeting US and Israeli interests. The group/persona ecosystem is described as amplifying solicitation for physical attacks, espionage, sabotage, and related operations under a single recognizable brand.
A Void Manticore/MOIS-linked persona focused on Iranian opposition targets, especially MEK-linked interests in Albania, and associated with cyberattacks and solicitation of physical threats.
Iran-nexus front persona linked to wiper attacks, hack-and-leak activity, and doxxing of employees and officials, with concern about possible disruptive operations during the 2026 FIFA World Cup.
Claimed responsibility for the destructive cyberattack on Stryker and is described as an MOIS-backed group masquerading as an independent hacktivist organization.