Iran-Linked Handala Used VPN Access, RDP, NetBird, and Wipers in Destructive Campaign
Researchers linked Handala Hack to Iran’s Ministry of Intelligence and Security as part of the broader Void Manticore cluster, describing a coordinated campaign that targeted organizations in Israel, Albania, and the United States with disruptive and destructive intrusions. Reported victims and incidents included attacks on Stryker, compromises affecting kindergarten emergency alert systems, and a personal Gmail breach publicly attributed to FBI Director Kash Patel that the FBI said involved historical, non-classified data. U.S. authorities also seized four domains allegedly used by the operation to leak stolen data, publicize attacks, and support influence activity.
Investigators said the intrusions commonly began with compromised VPN credentials, followed by hands-on-keyboard movement over RDP, use of NetBird for tunneling, credential theft, Active Directory reconnaissance, and staged malware delivery. The destructive phase combined multiple methods at once, including a custom Handala Wiper, PowerShell-based wiping, VeraCrypt encryption, manual deletion of files and virtual machines, and tooling tied to webshell persistence, Telegram-linked data exfiltration, driver-assisted disk access, and attempts to disable endpoint defenses. Analysts also tied Handala to other MOIS personas including Homeland Justice and Karma, saying the fronts shared infrastructure, domain patterns, Telegram-based communications, and overlapping tradecraft in a single coordinated state-backed campaign.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
DOJ seizes four domains tied to the MOIS-linked operation
In March 2026, the U.S. Justice Department announced the seizure of four domains associated with the coordinated MOIS-linked campaign. The domains had allegedly been used to leak stolen data, claim attacks, and call for violence.
MOIS campaign rebrands toward Israeli targets
DomainTools-linked reporting says the broader MOIS operation shifted activity toward Israeli targets in late 2023 under personas including Handala. The campaign was assessed as a coordinated state operation using multiple hacker personas as fronts.
Handala conducts disruptive attack on Stryker
Multiple references describe a March 2026 destructive or disruptive intrusion affecting medical technology firm Stryker. Check Point says the operation was part of MOIS-linked Void Manticore activity using compromised VPN credentials, RDP movement, NetBird tunneling, and parallel wiping methods.
Handala compromises kindergarten emergency alert systems
SOCRadar reports that in January 2026 Handala conducted a compromise affecting kindergarten emergency alert systems. The incident is cited as a notable disruptive operation attributed to the group.
Handala runs CrowdStrike-themed phishing and wiper campaign
SOCRadar highlights a notable July 2024 campaign in which Handala used CrowdStrike-themed phishing as part of a disruptive and destructive operation involving wiper activity. The incident is presented as one of the group's notable operations.
Handala persona emerges and begins claiming attacks
SOCRadar says Handala emerged in December 2023 as a purported pro-Palestinian hacktivist persona and began claiming attacks against Israeli and Western targets. The report notes multiple vendors later assessed it with high confidence as an Iranian MOIS-linked cyber persona.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Researchers Say Iranian MOIS Uses Multiple Hacker Personas for One Coordinated Cyber Campaign - Cyber Security News
cybersecuritynews.com
Open sourceHandala Hack Uses RDP, NetBird, and Parallel Wipers in MOIS-Linked Destructive Intrusions
cybersecuritynews.com
Open sourceAnalytics Story: Void Manticore | Splunk Security Content
research.splunk.com
Open sourceDark Web Profile: Handala Hack
socradar.io
Open sourceCTI Research: Handala Hack Group (aka Handala Hack Team) | by Andrey Pautov | Mar, 2026 | InfoSec Write-ups
infosecwriteups.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Iran-Linked Handala Hack Wiper Campaign Against Israeli and U.S. Organizations
**Handala Hack**, an online persona tied to **Void Manticore** and assessed by multiple researchers as linked to Iran’s **Ministry of Intelligence and Security (MOIS)**, is being tracked for destructive intrusions involving **wiper attacks** and related hack-and-leak activity against organizations in **Israel** and the **United States**. Public reporting cited by Unit 42 says attackers gained access to corporate networks using legitimate user credentials, while recent tradecraft includes phishing, identity compromise, and abuse of administrative access through **Microsoft Intune**. Israel’s National Cyber Directorate warned that several incidents involved deletion of servers and workstations to disrupt operations, reinforcing concern that the current regional conflict is increasing the likelihood of further destructive cyber activity. Technical reporting indicates the actor continues to favor **hands-on-keyboard** operations, multiple wiping methods, and a mix of custom and publicly available tooling. Check Point said newly observed techniques include use of **NetBird** for tunneling and an **AI-assisted PowerShell** script for wiping, while Blackpoint’s advisory highlighted a broader Iranian threat posture featuring credential theft, phishing, password spraying, remote management tools, and exfiltration utilities such as **Rclone**. The combined reporting points to a near-term risk of disruptive attacks focused on identity compromise, lateral movement, data theft, and system destruction, particularly for organizations with exposed services, weak privilege controls, or insufficiently protected administrative accounts.
Mar 21, 2026
Iran-Linked Handala Brand Expands From Cyber Operations to Physical Threats
Recorded Future assesses that Iran’s Ministry of Intelligence (**MOIS**) is using the **Handala** name as a reusable operational brand spanning cyber, influence, espionage, and now physical threat activity. The report links **Handala Hack Team**, **Handala Popular Resistance Front (HPRF)**, **VIPEmployment**, **MOISIRAN**, and **Brave Israel** to a broader MOIS-associated cluster tied to **Void Manticore**, which has historically targeted Israel, Iranian opposition groups, and increasingly the United States. Handala Hack Team has been associated with hack-and-leak campaigns, wiper activity, and psychologically oriented ransomware operations. Newer Handala-linked personas are described as focusing on proxy recruitment, intimidation, surveillance, and claims of real-world attacks inside Israel. Recorded Future said Telegram channels and bots, including **VIPEmployment**, were used to solicit recruits for espionage, sabotage, and attacks against U.S. and Israeli interests, while **HPRF** claimed responsibility for a vehicle arson attack in Israel in April 2026, marking the first overt physical attack publicly claimed under the Handala banner. The firm warned that MOIS is likely to continue blending cyber and physical operations against Israeli and U.S. targets, viewing such activity as remaining below the threshold of armed conflict.
Jun 2, 2026
Iranian Cyber Operations Shift Toward Identity Abuse and Broader Hybrid Targeting
Iranian state-aligned and affiliated cyber activity has expanded beyond traditional disruptive malware into a broader campaign of **hybrid operations** that combines espionage, reconnaissance, credential abuse, and destructive effects. Reporting describes a tactical shift from bespoke wipers toward **living-off-the-land** methods, including the compromise of highly privileged identities and the use of legitimate enterprise administration capabilities to issue remote-wipe actions at scale. At the same time, Iranian operators and aligned personas have been linked to sustained access into US organizations in sectors including banking, aviation, defense-adjacent industries, and healthcare, while also targeting internet-connected surveillance infrastructure in the Middle East for intelligence collection and battlefield awareness. The activity is unfolding alongside a wider surge in hostile traffic associated with the regional conflict, with major increases in infrastructure scanning, automated reconnaissance, credential harvesting, and DDoS preparation against critical businesses, especially **banking and fintech**. One report highlights **Handala/Void Manticore** as emblematic of the disruptive trend, while another ties **MuddyWater** to persistent footholds in US networks and notes exploitation of camera vulnerabilities such as `CVE-2017-7921` and `CVE-2021-33044`. Together, the reporting indicates that Iranian cyber operations remain active and adaptive, using proxy infrastructure, compromised identities, and exposed edge devices to sustain pressure on commercial and strategic targets without relying solely on custom malware.
May 14, 2026