
Handala

handala · primary source: Other · first observed 2023
IR · Iran · Hacktivist · Moderate confidence · last cited Mar 10, 2026 · 2mo ago

Pro-Palestine hacktivist persona operated by the Iranian MOIS-affiliated **Void Manticore** cluster — see the parent actor entry for the full attribution chain. Named for the Naji al-Ali cartoon character; emerged December 2023; claims destructive intrusions and data leaks against Israeli organizations across defense, technology, infrastructure, hospitals, and universities. The March 2026 Stryker compromise (200,000+ devices wiped via abuse of the victim's Microsoft Intune tenant) was the persona's first claimed operation against a major U.S. multinational, expanding the target set beyond Israel. Sister personas operated by Void Manticore include Karma (Israel 2023) and Homeland Justice (Albania 2022).

Aliases

None tracked.

Motivations

disruption · information operations

Target sectors

defense · technology · healthcare · government · education · manufacturing

Target countries

IL · US

Lineage & relationships

Handala (this actor) · subgroup of · Void Manticore (IR · APT)

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Handala
  • Iran
  • disruption
  • information operations
Capability
Infrastructure
  • 82.25.35.25
Victim
  • defense
  • technology
  • healthcare
  • IL
  • US

MITRE ATT&CK techniques

Timeline

1 event

Indicators of compromise

3 indicators
Type · Value · First seen · Source
MD5
5986ab04dd6b3d259935249741d3eff2
family · Handala Wiper
Handala Wiper executable ('handala.exe') MD5 published in Check Point Research's 2026 'Handala Hack - Unveiling Group's Modus Operandi' follow-up to the May 2024 'Bad Karma, No Justice' report. CPR explicitly attributes the Handala persona to Void Manticore (aka Red Sandstorm / Banished Kitten), affiliated with Iran's MOIS Counter-Terrorism Division.
Mar 31, 2024 · Check Point Research
IPv4
82[.]25[.]35[.]25
Handala-controlled VPS IP listed in Check Point Research's 2026 report. Used alongside 31.57.35.223 and 107.189.19.52 for hands-on-keyboard operations via RDP and NetBird remote access tooling during MOIS-attributed destructive intrusions in Israel.
Mar 31, 2024 · Check Point Research
MD5
3cb9dea916432ffb8784ac36d1f2d3cd
family · Handala Wiper
Handala PowerShell wiper component MD5 from Check Point Research's 2026 Handala Hack report. Distributed via Group Policy logon scripts as a scheduled task; the batch loader 'handala.bat' chains the executable and the PowerShell script to overwrite files and corrupt the MBR.
Mar 31, 2024 · Check Point Research

Related actors

shared ATT&CK techniques

References

cite this page

Threat Intel Tracker. (2026-05-19). Handala — actor profile. Retrieved from https://threatintel.local/actors/handala

latest cited activity · 2026-03-11 · 3 cataloged indicators