Mallory

Handala Hack Destructive Intrusions Linked to Iran's MOIS

Tags: destructive attacks, network disruption, peer-to-peer tunneling, VPN, Israel
Updated March 17, 2026 at 08:04 AM (2 sources)


Handala Hack, a persona within the Void Manticore intrusion set also tracked as Red Sandstorm and Banished Kitten, has been conducting destructive cyberattacks against organizations in Israel, Albania, and the United States. The activity is attributed to Iran’s Ministry of Intelligence and Security (MOIS) and is characterized by operations designed to destroy data rather than collect intelligence. Check Point’s reporting says the group has operated through multiple personas, including Handala Hack, Karma, and Homeland Justice, with the latter previously used against Albanian government and telecom targets and Handala now appearing in more recent campaigns, including an intrusion affecting medical technology firm Stryker.

The intrusions typically begin with compromised VPN credentials, after which the attackers use RDP for remote access, NetBird for peer-to-peer tunneling inside victim environments, and multiple parallel wiping tools to maximize damage and hinder recovery. Researchers also observed an AI-assisted PowerShell script in the wiping toolkit and noted weaker operational security than in earlier activity, including connections traced directly to Iranian IP addresses instead of commercial VPN infrastructure. A separate podcast reference aligns with the same incident by describing the attack on Stryker as a network disruption that wiped more than 200,000 resources, reinforcing the destructive nature and scale of the campaign.
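As an added illustration (not code from the Mallory page or from Check Point's report), the following Python correlation flags the access chain described above, VPN logon, then RDP, then a NetBird process, then a burst of file deletions, per user across constructed sample events; the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). Format: ts|host|user|event|detail
SAMPLE_LOGS = """\
2026-03-14T01:02:03|vpn-gw|jdoe|vpn_login|src=203.0.113.5
2026-03-14T01:05:10|srv-01|jdoe|rdp_logon|logon_type=10
2026-03-14T01:09:44|srv-01|jdoe|process_start|image=C:\\Users\\jdoe\\netbird.exe
2026-03-14T01:40:00|srv-01|jdoe|file_delete_burst|count=2400
2026-03-14T02:00:00|ws-07|asmith|vpn_login|src=198.51.100.9
2026-03-14T02:10:00|ws-07|asmith|rdp_logon|logon_type=10
"""

# Ordered stages of the intrusion pattern: VPN access, RDP, NetBird tunnel, wiping.
STAGES = ["vpn_login", "rdp_logon", "process_start:netbird", "file_delete_burst"]


def parse(line):
    """Split one pipe-delimited event; tag NetBird process starts as their own stage."""
    ts, host, user, event, detail = line.split("|", 4)
    if event == "process_start" and "netbird" in detail.lower():
        event = "process_start:netbird"
    return {"ts": ts, "host": host, "user": user, "event": event, "detail": detail}


def find_chains(log_text, min_stages=3):
    """Return {user: stages_seen_in_order} for users who progressed through at
    least min_stages of STAGES in chronological order. Stages must occur in
    sequence; a lone RDP logon without a prior VPN logon does not advance."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    progress = defaultdict(int)  # user -> index of the next expected stage
    for ev in events:
        nxt = progress[ev["user"]]
        if nxt < len(STAGES) and ev["event"] == STAGES[nxt]:
            progress[ev["user"]] = nxt + 1
    return {u: STAGES[:n] for u, n in progress.items() if n >= min_stages}


if __name__ == "__main__":
    for user, stages in find_chains(SAMPLE_LOGS).items():
        print(f"ALERT {user}: {' -> '.join(stages)}")
```

Lowering `min_stages` to 2 also surfaces ordinary VPN-then-RDP sessions, so in practice the NetBird stage or the deletion burst is what separates this pattern from normal remote administration.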

Related Stories

Iran-Linked Handala Hack Wiper Campaign Against Israeli and U.S. Organizations

**Handala Hack**, an online persona tied to **Void Manticore** and assessed by multiple researchers as linked to Iran’s **Ministry of Intelligence and Security (MOIS)**, is being tracked for destructive intrusions involving **wiper attacks** and related hack-and-leak activity against organizations in **Israel** and the **United States**. Public reporting cited by Unit 42 says attackers gained access to corporate networks using legitimate user credentials, while recent tradecraft includes phishing, identity compromise, and abuse of administrative access through **Microsoft Intune**. Israel’s National Cyber Directorate warned that several incidents involved deletion of servers and workstations to disrupt operations, reinforcing concern that the current regional conflict is increasing the likelihood of further destructive cyber activity. Technical reporting indicates the actor continues to favor **hands-on-keyboard** operations, multiple wiping methods, and a mix of custom and publicly available tooling. Check Point said newly observed techniques include use of **NetBird** for tunneling and an **AI-assisted PowerShell** script for wiping, while Blackpoint’s advisory highlighted a broader Iranian threat posture featuring credential theft, phishing, password spraying, remote management tools, and exfiltration utilities such as **Rclone**. The combined reporting points to a near-term risk of disruptive attacks focused on identity compromise, lateral movement, data theft, and system destruction, particularly for organizations with exposed services, weak privilege controls, or insufficiently protected administrative accounts.

4 days ago
Iranian Cyber Operations Shift Toward Identity Abuse and Broader Hybrid Targeting

Iranian state-aligned and affiliated cyber activity has expanded beyond traditional disruptive malware into a broader campaign of **hybrid operations** that combines espionage, reconnaissance, credential abuse, and destructive effects. Reporting describes a tactical shift from bespoke wipers toward **living-off-the-land** methods, including the compromise of highly privileged identities and the use of legitimate enterprise administration capabilities to issue remote-wipe actions at scale. At the same time, Iranian operators and aligned personas have been linked to sustained access into US organizations in sectors including banking, aviation, defense-adjacent industries, and healthcare, while also targeting internet-connected surveillance infrastructure in the Middle East for intelligence collection and battlefield awareness. The activity is unfolding alongside a wider surge in hostile traffic associated with the regional conflict, with major increases in infrastructure scanning, automated reconnaissance, credential harvesting, and DDoS preparation against critical businesses, especially **banking and fintech**. One report highlights **Handala/Void Manticore** as emblematic of the disruptive trend, while another ties **MuddyWater** to persistent footholds in US networks and notes exploitation of camera vulnerabilities such as `CVE-2017-7921` and `CVE-2021-33044`. Together, the reporting indicates that Iranian cyber operations remain active and adaptive, using proxy infrastructure, compromised identities, and exposed edge devices to sustain pressure on commercial and strategic targets without relying solely on custom malware.

Today
Stryker Global Network Disruption Claimed by Iran-Linked Handala Hacktivists

U.S. medical device manufacturer **Stryker** reported a severe, global disruption to its Microsoft/Windows environment following a cyberattack that left employees unable to access corporate systems. Staff reported corporate laptops and phones being wiped, widespread outages of work applications and email, and some login pages displaying the **Handala** logo; the company also routed calls to an automated message citing a “building emergency.” Stryker said it is experiencing a “global network disruption,” believes the incident is contained, and stated it has **no indication of ransomware** while working to restore operations using business continuity measures. A pro-Iran hacktivist group calling itself **Handala** publicly claimed responsibility, framing the attack as retaliation tied to the U.S.-Iran conflict and citing a reported U.S. strike on a girls’ school in Tehran. The group alleged it wiped large numbers of systems and exfiltrated significant data, and reporting indicated at least partial corroboration of system wiping and defacement across Stryker’s global environment. The incident appears to have caused broad operational impact across Stryker’s international footprint, with claims and employee reports indicating both destructive activity (device/server wiping) and potential data theft, though Stryker’s public statement did not confirm exfiltration.

Today