Iran-Linked Handala Hack Wiper Campaign Against Israeli and U.S. Organizations
Handala Hack, an online persona tied to Void Manticore and assessed by multiple researchers as linked to Iran’s Ministry of Intelligence and Security (MOIS), is being tracked for destructive intrusions involving wiper attacks and related hack-and-leak activity against organizations in Israel and the United States. Public reporting cited by Unit 42 says attackers gained access to corporate networks using legitimate user credentials, while recent tradecraft includes phishing, identity compromise, and abuse of administrative access through Microsoft Intune. Israel’s National Cyber Directorate warned that several incidents involved deletion of servers and workstations to disrupt operations, reinforcing concern that the current regional conflict is increasing the likelihood of further destructive cyber activity.
Technical reporting indicates the actor continues to favor hands-on-keyboard operations, multiple wiping methods, and a mix of custom and publicly available tooling. Check Point said newly observed techniques include use of NetBird for tunneling and an AI-assisted PowerShell script for wiping, while Blackpoint’s advisory highlighted a broader Iranian threat posture featuring credential theft, phishing, password spraying, remote management tools, and exfiltration utilities such as Rclone. The combined reporting points to a near-term risk of disruptive attacks focused on identity compromise, lateral movement, data theft, and system destruction, particularly for organizations with exposed services, weak privilege controls, or insufficiently protected administrative accounts.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Unit 42 warns of increased risk of Handala-linked wiper attacks
On March 12, Palo Alto Networks Unit 42 warned of an increased risk of destructive wiper attacks tied to the Iran-related conflict, citing multiple incidents affecting organizations in Israel and the United States. The report linked the activity to Handala Hack and described access methods including phishing, identity compromise, and abuse of Microsoft Intune administrative control, while recommending tighter Entra ID and Intune protections and monitoring for mass wipe actions.
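To make the recommendation to monitor for mass wipe actions concrete, here is an added detection example (not code from Unit 42, Check Point or Mallory): a sliding-window detector that raises one alert when a single account deletes an unusual number of files on one host within a minute, and reports how many directories the burst spanned. It runs over constructed JSON records loosely modelled on Windows Security event 4660 ("An object was deleted"); the field names (ts, event_id, user, host, object), the sample accounts and the thresholds are assumptions to be tuned to the environment.

```python
"""Burst detector for mass file deletion by one account on one host.

Added example, not code from Unit 42, Check Point or Mallory. Records are
constructed JSON lines loosely modelled on Windows Security event 4660
("An object was deleted"); field names and thresholds are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)   # assumed look-back window per (user, host)
THRESHOLD = 10                   # assumed: deletions inside WINDOW that trigger an alert


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_mass_deletion(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (user, host) burst of >= threshold deletions in window.

    Lines must be in time order. Non-deletion events are ignored, and a second
    alert for the same key is only raised after its burst has subsided.
    """
    recent = defaultdict(deque)  # (user, host) -> deque of (timestamp, parent dir)
    fired = set()                # keys currently inside an alerted burst
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_id") != 4660:
            continue
        key = (rec["user"], rec["host"])
        ts = parse_ts(rec["ts"])
        q = recent[key]
        q.append((ts, str(PureWindowsPath(rec["object"]).parent)))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) < threshold:
            fired.discard(key)               # burst over; allow a future alert
            continue
        if key in fired:
            continue
        fired.add(key)
        alerts.append({
            "user": rec["user"],
            "host": rec["host"],
            "count": len(q),
            "distinct_dirs": len({parent for _, parent in q}),  # breadth of the wipe
            "first": q[0][0].isoformat(),
            "last": ts.isoformat(),
        })
    return alerts


def _evt(seconds, user, host, obj, event_id=4660):
    """Build one constructed log record `seconds` after a fixed base time."""
    base = datetime(2026, 3, 12, 9, 0, tzinfo=timezone.utc)
    ts = (base + timedelta(seconds=seconds)).isoformat().replace("+00:00", "Z")
    return json.dumps({"ts": ts, "event_id": event_id, "user": user,
                       "host": host, "object": obj})


# Constructed sample telemetry: slow housekeeping by a service account, one
# non-deletion access event, then a 12-file burst by an admin across shares.
SAMPLE_LOG = [
    _evt(0, r"CORP\svc-backup", "FS01", r"C:\Backups\old\set1.bak"),
    _evt(10, r"CORP\alice", "WS07", r"C:\Users\alice\notes.txt", event_id=4663),
    _evt(90, r"CORP\svc-backup", "FS01", r"C:\Backups\old\set2.bak"),
    _evt(200, r"CORP\svc-backup", "FS01", r"C:\Backups\old\set3.bak"),
] + [
    _evt(300 + i * 2, r"CORP\it-admin", "FS01", rf"C:\Shares\{share}\doc{i}.docx")
    for i, share in enumerate(["Finance", "HR", "Legal"] * 4)
]

if __name__ == "__main__":
    for alert in detect_mass_deletion(SAMPLE_LOG):
        print(alert)
```

In production the lines would come from the SIEM rather than a list, and the same window logic applies to other deletion sources (share audit logs, EDR file events). Bulk device wipes issued through Intune would need the Intune audit log instead, whose schema this example does not model.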
Blackpoint issues advisory on elevated Iran-related cyber risk
Blackpoint Cyber published an advisory on March 12 warning that escalating Iran-Israel-U.S. tensions were likely to drive increased Iranian state-linked and aligned cyber activity in the coming days to weeks. The company said it had not yet observed related exploitation in its own client base at the time of writing, but warned of a likely progression from DDoS and nuisance activity to disruptive hack-and-leak and destructive campaigns.
Check Point attributes Handala persona to Void Manticore
Check Point Research reported that the Handala Hack persona is operated by Void Manticore, also known as Red Sandstorm and Banished Kitten, an Iranian MOIS-affiliated threat actor that also runs the Homeland Justice and Karma personas. The report detailed the group’s modus operandi, including NetBird tunneling, ADRecon, credential dumping, Group Policy-based wiper deployment, a custom Handala wiper, an AI-assisted PowerShell wiper, VeraCrypt encryption, and manual destruction of files and virtual machines.
Researchers identify new malware and IOCs tied to recent Iran-linked attacks
Recent attack reporting cited by Blackpoint described likely MuddyWater activity targeting U.S. organizations across multiple critical sectors and identified the Dindoor and FakeSet backdoors, along with related hashes and shared code-signing certificates. The reporting also noted common attacker tradecraft such as phishing, password spraying, exploitation of edge devices and VPNs, use of RMM tools and LOLBins, and Rclone for exfiltration.
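As an added example of detecting the password spraying named above (not Blackpoint's or Mallory's code), the following flags a source address whose failed logons spread across many distinct accounts with only a few attempts each, which is what separates a spray from a brute force of one account. The log records are constructed JSON lines with assumed fields (ts, src_ip, account, result), the addresses are RFC 5737 documentation ranges, and the thresholds are assumptions to be tuned against the environment's lockout policy.

```python
"""Password-spray detector: one source, many accounts, few attempts each.

Added example, not code from Blackpoint or Mallory. Records are constructed
JSON lines with assumed fields (ts, src_ip, account, result); thresholds are
assumptions to be tuned against the environment's lockout policy.
"""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)  # assumed look-back per source address
MIN_ACCOUNTS = 8                # assumed: distinct accounts failing from one source
MAX_PER_ACCOUNT = 3             # assumed: sprays stay under lockout; more looks like brute force


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_password_spray(lines, window=WINDOW, min_accounts=MIN_ACCOUNTS,
                          max_per_account=MAX_PER_ACCOUNT):
    """Return one alert per source whose failures inside `window` cover at least
    min_accounts distinct accounts with at most max_per_account attempts each.
    Lines must be in time order; successful logons are ignored here."""
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, account)
    fired = set()                # sources currently inside an alerted spray
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("result") != "failure":
            continue
        src = rec["src_ip"]
        ts = parse_ts(rec["ts"])
        q = recent[src]
        q.append((ts, rec["account"]))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        per_account = Counter(account for _, account in q)
        spraying = (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account)
        if not spraying:
            fired.discard(src)
            continue
        if src in fired:
            continue
        fired.add(src)
        alerts.append({"src_ip": src, "accounts": len(per_account),
                       "failures": len(q), "first": q[0][0].isoformat(),
                       "last": ts.isoformat()})
    return alerts


def _evt(seconds, src_ip, account, result):
    """Build one constructed logon record `seconds` after a fixed base time."""
    base = datetime(2026, 3, 12, 9, 0, tzinfo=timezone.utc)
    ts = (base + timedelta(seconds=seconds)).isoformat().replace("+00:00", "Z")
    return json.dumps({"ts": ts, "src_ip": src_ip, "account": account, "result": result})


# Constructed sample telemetry, sorted into time order:
#  - 203.0.113.5 tries ten different accounts once each (a spray)
#  - 198.51.100.9 hammers a single account (brute force, not a spray)
#  - 10.0.0.4 is a user mistyping a password twice, then succeeding
SAMPLE_LOG = sorted(
    [_evt(30 * i, "203.0.113.5", f"user{i:02d}", "failure") for i in range(10)]
    + [_evt(5 * i, "198.51.100.9", "administrator", "failure") for i in range(15)]
    + [_evt(40, "10.0.0.4", "alice", "failure"),
       _evt(55, "10.0.0.4", "alice", "failure"),
       _evt(70, "10.0.0.4", "alice", "success")],
    key=lambda line: json.loads(line)["ts"],
)

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG):
        print(alert)
```

The per-account cap is what keeps the single-account brute force out of the spray alert; it should be raised or removed if the same source is to be caught under a separate brute-force rule. Sprays through a proxy pool will spread across source addresses, so the same window logic is worth running keyed on user agent or tenant as well.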
Iran-linked Handala conducts destructive hack-and-leak campaigns
Handala Hack, later linked by multiple researchers to the Iranian MOIS-affiliated actor Void Manticore, carried out destructive intrusions primarily against organizations in Israel and Albania and more recently against U.S.-based organizations. The operations involved compromised VPN credentials, phishing, identity compromise, manual lateral movement, data theft, and destructive actions including wiping, encryption, and file deletion.
Israeli cyber authority warns of Iranian destructive intrusions
On March 6, Israel’s National Cyber Directorate warned that Iranian attackers had accessed corporate networks, sometimes using legitimate user credentials, and deleted servers and workstations to disrupt operations. The warning highlighted active destructive activity against organizations rather than a purely theoretical threat.
Sources
Palo Alto Networks Unit 42, "Insights: Increased Risk of Wiper Attacks" (unit42.paloaltonetworks.com)
Blackpoint Cyber, "Intel Bulletin: Geopolitical Escalation and Cyber Risk Advisory - March 12, 2026" (blackpointcyber.com)
Check Point Research, "“Handala Hack” - Unveiling Group's Modus Operandi" (research.checkpoint.com)