Iran-Linked Handala Brand Expands From Cyber Operations to Physical Threats
Recorded Future assesses that Iran’s Ministry of Intelligence (MOIS) is using the Handala name as a reusable operational brand spanning cyber, influence, espionage, and now physical threat activity. The report links Handala Hack Team, Handala Popular Resistance Front (HPRF), VIPEmployment, MOISIRAN, and Brave Israel to a broader MOIS-associated cluster tied to Void Manticore, which has historically targeted Israel, Iranian opposition groups, and increasingly the United States. Handala Hack Team has been associated with hack-and-leak campaigns, wiper activity, and psychologically oriented ransomware operations.
Newer Handala-linked personas are described as focusing on proxy recruitment, intimidation, surveillance, and claims of real-world attacks inside Israel. Recorded Future said Telegram channels and bots, including VIPEmployment, were used to solicit recruits for espionage, sabotage, and attacks against U.S. and Israeli interests, while HPRF claimed responsibility for a vehicle arson attack in Israel in April 2026, marking the first overt physical attack publicly claimed under the Handala banner. The firm warned that MOIS is likely to continue blending cyber and physical operations against Israeli and U.S. targets, viewing such activity as remaining below the threshold of armed conflict.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Recorded Future links Handala personas to broader MOIS cluster
Recorded Future's Insikt Group assessed that Handala Hack Team, HPRF, VIPEmployment, MOISIRAN, and Brave Israel are part of a broader MOIS-linked cluster associated with Void Manticore. The report says Iran is using the Handala brand across cyber, influence, espionage, and physical threat operations.
HPRF claims vehicle arson attack in Israel under Handala brand
The Handala Popular Resistance Front (HPRF) claimed a vehicle arson attack in Israel in April 2026. The report describes this as the first overt physical attack claimed under the Handala name.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Iran-Linked Handala Used VPN Access, RDP, NetBird, and Wipers in Destructive Campaign
Researchers linked **Handala Hack** to Iran’s Ministry of Intelligence and Security as part of the broader **Void Manticore** cluster, describing a coordinated campaign that targeted organizations in Israel, Albania, and the United States with disruptive and destructive intrusions. Reported victims and incidents included attacks on **Stryker**, compromises affecting kindergarten emergency alert systems, and a personal Gmail breach publicly attributed to FBI Director Kash Patel that the FBI said involved historical, non-classified data. U.S. authorities also seized four domains allegedly used by the operation to leak stolen data, publicize attacks, and support influence activity. Investigators said the intrusions commonly began with **compromised VPN credentials**, followed by hands-on-keyboard movement over **RDP**, use of **NetBird** for tunneling, credential theft, Active Directory reconnaissance, and staged malware delivery. The destructive phase combined multiple methods at once, including a custom **Handala Wiper**, **PowerShell-based wiping**, **VeraCrypt** encryption, manual deletion of files and virtual machines, and tooling tied to webshell persistence, Telegram-linked data exfiltration, driver-assisted disk access, and attempts to disable endpoint defenses. Analysts also tied Handala to other MOIS personas including **Homeland Justice** and **Karma**, saying the fronts shared infrastructure, domain patterns, Telegram-based communications, and overlapping tradecraft in a single coordinated state-backed campaign.
Jun 8, 2026
Iran-Linked Handala Hack Wiper Campaign Against Israeli and U.S. Organizations
**Handala Hack**, an online persona tied to **Void Manticore** and assessed by multiple researchers as linked to Iran’s **Ministry of Intelligence and Security (MOIS)**, is being tracked for destructive intrusions involving **wiper attacks** and related hack-and-leak activity against organizations in **Israel** and the **United States**. Public reporting cited by Unit 42 says attackers gained access to corporate networks using legitimate user credentials, while recent tradecraft includes phishing, identity compromise, and abuse of administrative access through **Microsoft Intune**. Israel’s National Cyber Directorate warned that several incidents involved deletion of servers and workstations to disrupt operations, reinforcing concern that the current regional conflict is increasing the likelihood of further destructive cyber activity. Technical reporting indicates the actor continues to favor **hands-on-keyboard** operations, multiple wiping methods, and a mix of custom and publicly available tooling. Check Point said newly observed techniques include use of **NetBird** for tunneling and an **AI-assisted PowerShell** script for wiping, while Blackpoint’s advisory highlighted a broader Iranian threat posture featuring credential theft, phishing, password spraying, remote management tools, and exfiltration utilities such as **Rclone**. The combined reporting points to a near-term risk of disruptive attacks focused on identity compromise, lateral movement, data theft, and system destruction, particularly for organizations with exposed services, weak privilege controls, or insufficiently protected administrative accounts.
Mar 21, 2026
Handala’s Israeli Radar Disruption Claim Appears Unverified
The Iranian-linked **Handala** group claimed it had disrupted Israeli radar systems and placed the Kfar Yona municipality under a “cyber siege” amid renewed Iran-Israel hostilities. Reporting on the incident found that the evidence released by the group does **not** substantiate a radar intrusion: the screenshots and access shown appear to match a **Tadiran Telecom Aeonix** IVR/VoIP administration panel, suggesting compromise of a municipal or organizational phone system rather than military radar infrastructure. Researchers said the operation fits a broader pattern in which cyber activity is used to amplify battlefield messaging during escalating regional conflict involving Hezbollah fire, Israeli strikes in Beirut, IRGC missile launches, and Israeli retaliatory strikes on Tehran, Tabriz, and Isfahan. While the specific radar-disruption claim bears the hallmarks of propaganda and remains uncorroborated by independent evidence or official acknowledgment, Handala is described as a real state-affiliated threat actor with documented capabilities including credential theft, abuse of legitimate enterprise tools, wiper malware, and hack-and-leak operations, raising the likelihood of further disruptive attacks and inflated claims.
Jun 10, 2026