SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: Handala Hack
Mar 13, 2026
Apr 01, 2026

Dark Web Profile: Handala Hack

[Update] March 30, 2026: “FBI Director Personal Email Breach and Escalating Operations”, “Alleged Doxxing Campaign Targets Handala Members”

Not every hacktivist group is what it claims to be. Handala presents itself as a pro-Palestinian resistance collective, borrowing the name and imagery of a well-known political cartoon to position its operations as grassroots digital defiance. The reality is considerably more serious: multiple independent threat intelligence vendors assess with high confidence that Handala is a destructive cyber persona operated by Iran’s Ministry of Intelligence and Security (MOIS), not a spontaneous movement.

Since emerging in December 2023, the group has claimed dozens of attacks against Israeli and Western targets, deployed custom wiper malware against civilian infrastructure, and escalated to operations against U.S. corporations. Its most destructive claimed operation to date, a March 2026 attack on medical device maker Stryker Corporation launched in the aftermath of Operation Epic Fury that reportedly wiped over 200,000 devices across 79 countries, signals a group that has moved well beyond the boundaries of conventional hacktivism.

Who Is Handala?

Handala (also stylized as Handala_hack) first appeared on December 18, 2023, launching both its Telegram channel and X/Twitter account simultaneously. The timing was deliberate: the group emerged weeks after the October 7, 2023 Hamas attack on Israel, positioning itself within the wave of pro-Palestinian hacktivist activity that followed. Its name references the iconic barefoot boy cartoon created by Palestinian political cartoonist Naji al-Ali in 1969, a symbol of steadfastness and resistance whose image has been appropriated wholesale across Handala’s branding, from defaced websites to Telegram propaganda.

Threat actor card of Handala Hack

Early channel posts referenced Hamas directly, with the group describing itself as “a small fighter” in the Hamas movement before pivoting to broader anti-Israel messaging. The branding is consistent and deliberate, designed to generate emotional resonance and establish credibility within the pro-Palestinian hacktivist ecosystem.

The attribution picture has hardened considerably over the past year. Check Point Research tracks the actor as Void Manticore, while other vendors track the same activity cluster under names such as Storm-0842, BANISHED KITTEN, and Dune. Despite the different labels, reporting across the sector converges on MOIS affiliation rather than the IRGC, an important distinction that separates Handala from IRGC-linked operations such as CyberAv3ngers. Several analyses describe Handala as one of the most visible Iranian personas active in the current phase of the conflict, and independent investigations have repeatedly pointed to links with MOIS structures.

Who Operates Behind the Handala?

Elements of the group’s leadership have also surfaced publicly. Iranian researcher Nariman Gharib connected the operation to a cyber unit inside the MOIS counter-terrorism division led by Yahya Hosseini Panjaki, a deputy minister sanctioned by the U.S. Treasury in September 2024, later by the EU and the UK, and listed on the FBI terrorism watch list.

Mapping the Manticore threat network (Source: Check Point)

Operational reporting also indicates a structured division of labor between two actor clusters. Scarred Manticore (linked to activity associated with APT34/OilRig) typically establishes the initial foothold, frequently through vulnerabilities such as CVE-2019-0604 in Microsoft SharePoint, and conducts a period of intelligence collection. Access obtained during this phase, including web shells and Domain Admin credentials, is then handed to Void Manticore, operating under the Handala Hack persona, which carries out the disruptive or destructive stage of the campaign. Comparable sequencing was observed during the 2022 cyberattacks on Albania claimed under the Homeland Justice persona, as well as in campaigns claimed by the Karma and Handala personas.

Threat actor card for Void Manticore

This structure suggests a deliberate separation between access operations and the public-facing disruption campaigns. By presenting the latter through hacktivist-style online identities, destructive activity can be claimed and amplified for psychological impact while still preserving a layer of state deniability. The outward branding appears informal and ideological, but the operational tradecraft behind it reflects a far more organized capability.

What Are Handala’s Targets?

Handala’s targeting closely tracks geopolitical developments. While the majority of operations have focused on Israeli organizations, the scope has expanded since late 2025 to include U.S. companies, Gulf states, and Western institutions.

Handala operates a dedicated claim-and-propaganda website on both the clear web and Tor, where the group publicly announces alleged breaches, and issues ideological messaging targeting its adversaries.

By sector, technology is the most frequently targeted industry, followed by information technology, government and defense, critical infrastructure, energy, education, and financial services. Researchers at Reichman University documented at least 85 claimed attacks between February 2024 and February 2025.

Geographically, Israel remains the primary focus. However, following the February 28, 2026 U.S.–Israeli strikes on Iranian targets (Operation Epic Fury), the group expanded its targeting. Claimed victims have included Jordan’s fuel infrastructure, Bank of Jordan, Sharjah Airport, Riyadh Bank, Israeli energy firms, and the Academy of the Hebrew Language, while Western organizations in the United States and United Kingdom have also faced increasing exposure.

Analysts caution that many of the group’s claims are likely exaggerated. Sophos X-Ops notes that Handala frequently overstates its capabilities, and some alleged breaches involve recycled or outdated data. Former Israeli National Cyber Directorate deputy head Rafael Franco described the group as a “loud actor” focused primarily on psychological and media impact rather than advanced technical sophistication.

Notable Operations

  • Alleged Doxxing Campaign Targets Handala Members

A post shared by a profile on X (formerly Twitter) claims to have identified 14 individuals allegedly involved in Handala’s operations, including hackers, operators, and a coordinating figure. The author states that they possess detailed dossiers containing real names, connections, and photographs.

The same post attempts to pressure the Federal Bureau of Investigation (FBI) to take action against alleged members of Conti and LockBit, linking the release of the Handala-related material to a demand for formal indictments in previously disclosed cases.

At the time of writing, the claims and identities referenced in the post remain unverified. No official attribution or legal action has been publicly confirmed in relation to the individuals named.

This type of disclosure aligns with a recurring pattern in cyber threat ecosystems, where third-party actors publish alleged identities or “exposés” to influence narratives, apply pressure on law enforcement, or build credibility within the threat intelligence and underground communities. Such content may contain a mix of accurate, outdated, or misleading information, and should be assessed with caution.

  • CrowdStrike Outage Phishing Campaign (July 2024):
    Following the global CrowdStrike Windows sensor outage that caused widespread BSOD failures, attackers launched a phishing campaign targeting Israeli organizations with fake remediation tools. Victims were directed to download a malicious archive containing a disguised installer that deployed a destructive wiper payload. The campaign used a multi-stage execution chain involving an NSIS installer, obfuscated scripts, and AutoIT loaders before triggering the final wiper stage.
  • Soreq Nuclear Research Center (September 2024): Handala claimed a breach and extraction of approximately 197 GB of classified nuclear project data. Israel’s National Cyber Directorate assessed this as primarily psychological warfare. The claim generated global headlines, but actual compromise remains unconfirmed.
  • Israeli Police (February 2025): The group claimed exfiltration of 2.1 TB of data, including personnel records, weapons inventories, and psychological profiles of officers. Israeli police suggested a third-party vendor compromise. Published material was assessed as partially outdated.

Handala claims to have leaked Israel police documents on a hacker forum (SOCRadar Dark Web News)

  • Kindergarten PA Systems (January 2026): Handala compromised Maagar-Tec emergency alert systems at over 20 kindergartens. Air raid sirens were activated and threatening Arabic messages were broadcast. This was one of the most psychologically impactful operations the group has conducted.

Screenshot of a post from the verified Hebrew news account ZiratNews on X (Twitter). The post, written in Hebrew, reports that hackers took control of about 20 children’s and youth emergency alert systems and played Arabic announcements or red alert sirens. It also claims an Iranian-backed group called Handala was responsible.

  • Stryker Corporation (March 2026): Handala claimed it wiped over 200,000 systems and extracted 50 TB of data from the $25 billion medical device company, which holds $450 million in U.S. Department of Defense contracts. Stryker confirmed “severe, global disruption impacting all Stryker laptops and systems” in an SEC filing. Microsoft Intune MDM abuse was suspected as the delivery mechanism. This is the group’s most destructive operation to date.

Handala Hack claims to have breached Stryker

  • Verifone (March 2026): Handala claimed it had hacked Verifone on March 11, 2026. The group alleged that it stole transaction and financial data and caused widespread disruption across payment systems, and shared several screenshots as purported proof of the intrusion.

Handala Hack claims to have breached Verifone

  • Handala Threatens New Wiper Attack for Quds Day (March 13, 2026): Following Handala’s claim of a large-scale destructive attack against Stryker, Handala posted a new message on X on March 13, 2026, warning of another imminent cyber operation tied to Quds Day. The post states that a 40TB data wipe is about to occur as part of a retaliatory campaign. At the time of writing, no confirmed victim has been publicly identified, and the claim remains unverified.

Handala post on X dated March 13, 2026, warning of an imminent 40TB data wipe operation tied to Quds Day.

FBI Director Personal Email Breach and Escalating Operations

On March 27, 2026, Handala claimed it had compromised the personal Gmail account of Kash Patel, bringing the group into global focus. The actors published a dataset reportedly containing over 300 emails, along with personal photographs and a resume, as proof of access.

The Federal Bureau of Investigation (FBI) later confirmed that a personal email account belonging to Patel had been breached. However, officials stated that the exposed material was historical in nature and did not contain classified or government-related information. Most of the data appears to date back to 2010–2019, predating Patel’s tenure as FBI Director.

The timing of the incident suggests a retaliatory motive. On March 19, 2026, U.S. authorities seized multiple domains associated with Handala’s online infrastructure and announced a $10 million reward for information leading to the identification of individuals linked to the group. The breach was subsequently framed by Handala as a direct response to these actions, as well as broader geopolitical tensions.

What Techniques Does Handala Use?

Handala’s operations combine destructive malware, social engineering, and pragmatic intrusion techniques. Rather than relying on novel exploitation methods, the group integrates commercially available tools with custom payloads and living-off-the-land techniques to deliver destructive effects. This approach allows operators to maintain operational flexibility while supporting campaigns designed for disruption and psychological impact. The following attack chain is primarily derived from analysis of the July 2024 phishing campaign that exploited the global CrowdStrike outage, supplemented with observations from other Handala destructive operations between 2024 and 2026.

Attack chain of the July 2024 CrowdStrike-themed phishing campaign attributed to Handala, illustrating phishing delivery, NSIS-based payload staging, AutoIT loader execution, process hollowing into RegAsm.exe, and final wiper deployment with a BYOVD driver. (Source: Splunk)

Technique categories, with a description and notable tools or examples for each:

  • Wiper arsenal: Handala’s operations rely heavily on destructive malware designed to overwrite files and render systems unusable. Several custom wipers have been documented across campaigns targeting both Windows and Linux environments.
    Notable tools / examples: BiBi Wiper, Hatef (.NET), Hamsa (Linux Bash), Cl Wiper (ElRawDisk driver), CoolWipe, ChillWipe, Handala Wiper
  • Initial access and social engineering: The group frequently gains initial access through spear-phishing campaigns that exploit major events or public incidents to increase credibility. Victims are lured into downloading malicious archives disguised as legitimate tools or updates.
    Notable tools / examples: CrowdStrike outage phishing campaign (July 2024), spear-phishing emails and links
  • Multi-stage malware execution: Handala campaigns typically use a staged execution chain designed to evade detection. Payload components are reconstructed at runtime and delivered through scripting frameworks before the final wiper payload is deployed.
    Notable tools / examples: NSIS installer abuse, obfuscated batch scripts, AutoIT loaders, process hollowing into RegAsm.exe
  • Command-and-control and telemetry: Before triggering destructive routines, the malware collects system information from compromised hosts and transmits it to operators through lightweight command channels.
    Notable tools / examples: Telegram Bot API used as C2 and telemetry channel
  • Additional techniques: Several campaigns also employ privilege escalation and defense-evasion techniques to ensure successful payload execution.
    Notable tools / examples: BYOVD (ListOpenedFileDrv_32.sys), payload obfuscation, LOLBin abuse

How Can Organizations Mitigate Handala Attacks?

  • Phishing protection: Use phishing-resistant MFA and email filtering to block malicious attachments and links used for initial access.
  • User awareness: Train employees to recognize phishing lures, especially those exploiting major events or technical incidents.
  • Script monitoring: Detect abnormal execution of installers, batch scripts, and scripting tools such as AutoIT or PowerShell.
  • LOLBin abuse detection: Monitor suspicious use of legitimate Windows utilities (e.g., RegAsm.exe) that may be abused for payload execution.
  • Network monitoring: Inspect outbound connections and restrict unauthorized communication with messaging platforms used for C2 (e.g., Telegram APIs).
  • Driver security controls: Enable vulnerable driver blocklists and prevent loading of unsigned or untrusted kernel drivers to mitigate BYOVD techniques.
  • Endpoint protection: Deploy behavioral EDR detections for process hollowing, payload reconstruction, and destructive malware activity.
  • Resilient backups: Maintain offline or immutable backups to enable recovery from destructive wiper attacks.
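The attack chain in the techniques section (AutoIT loader, process hollowing into RegAsm.exe, Telegram Bot API beacon, BYOVD driver load) and the script, LOLBin, network and driver monitoring bullets above translate into a small set of behavioural rules. The following Python is an added example written for this profile, not detection content from SOCRadar, Splunk or any vendor named on the page. It runs over constructed Sysmon-style event records (event IDs 1, 3, 6 and 10 as Sysmon defines them); the computer name, PIDs, paths and command lines are invented for the example, and the file names simply reuse those the page lists.

```python
"""Behavioural detections for the Handala-style wiper chain (added example).

The events at the bottom are constructed Sysmon-style records, not telemetry
from any real incident. Event IDs follow Sysmon: 1 process create,
3 network connect, 6 driver load, 10 process access.
"""
from dataclasses import dataclass

AUTOIT_INTERPRETERS = {"autoit3.exe", "autoit3_x64.exe"}
CLR_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}  # common hollowing targets
BYOVD_DRIVERS = {"listopenedfiledrv_32.sys"}                   # driver named on the page
TELEGRAM_HOSTS = {"api.telegram.org"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# PROCESS_VM_OPERATION (0x8) | PROCESS_VM_WRITE (0x20): what WriteProcessMemory needs.
VM_WRITE_MASK = 0x28


@dataclass(frozen=True)
class Alert:
    rule: str
    computer: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: list[dict]) -> list[Alert]:
    """Scan events in order and return the alerts they raise."""
    alerts: list[Alert] = []
    hollow_hosts: set[tuple[str, int]] = set()  # (computer, pid) of suspicious CLR hosts
    for ev in events:
        eid, comp = ev["EventID"], ev["Computer"]
        if eid == 1:
            parent, image = _basename(ev["ParentImage"]), _basename(ev["Image"])
            # A legitimate RegAsm.exe run comes from a build or installer process and
            # carries an assembly path; an AutoIt interpreter starting it (typically
            # with a bare command line) is the hollowing pattern described above.
            if parent in AUTOIT_INTERPRETERS and image in CLR_HOSTS:
                hollow_hosts.add((comp, ev["ProcessId"]))
                alerts.append(Alert("autoit_spawns_clr_host", comp,
                                    f"{parent} -> {image} pid={ev['ProcessId']} "
                                    f"cmdline={ev.get('CommandLine', '')!r}"))
        elif eid == 10:
            # Memory-write access into a CLR host we already flagged: the write
            # phase of hollowing. Parenthesised: '&' binds looser than '==' in Python.
            target = (comp, ev["TargetProcessId"])
            if target in hollow_hosts and (ev["GrantedAccess"] & VM_WRITE_MASK) == VM_WRITE_MASK:
                alerts.append(Alert("vm_write_into_clr_host", comp,
                                    f"pid={ev['SourceProcessId']} -> pid={ev['TargetProcessId']} "
                                    f"access={ev['GrantedAccess']:#x}"))
        elif eid == 6:
            if _basename(ev["ImageLoaded"]) in BYOVD_DRIVERS:
                alerts.append(Alert("byovd_driver_load", comp, ev["ImageLoaded"]))
        elif eid == 3:
            # Telegram Bot API traffic is expected from a browser or the Telegram
            # client, not from a .NET utility or a script interpreter.
            image = _basename(ev["Image"])
            dest = ev.get("DestinationHostname", "").lower()
            if dest in TELEGRAM_HOSTS and image not in BROWSERS:
                alerts.append(Alert("telegram_api_from_non_browser", comp,
                                    f"{image} pid={ev['ProcessId']} -> {dest}:{ev['DestinationPort']}"))
    return alerts


# Constructed sample: the July 2024 chain as it might appear in Sysmon, plus one
# benign browser connection to Telegram that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-042", "ProcessId": 4120, "CommandLine": "CrowdStrike.exe",
     "Image": r"C:\Users\dana\Downloads\update\CrowdStrike.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Computer": "WS-042", "ProcessId": 4188, "CommandLine": "cmd /c Carroll.cmd",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\dana\Downloads\update\CrowdStrike.exe"},
    {"EventID": 1, "Computer": "WS-042", "ProcessId": 4210, "CommandLine": "AutoIt3.exe script.a3x",
     "Image": r"C:\Users\dana\AppData\Local\Temp\AutoIt3.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "WS-042", "ProcessId": 4266, "CommandLine": "",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\dana\AppData\Local\Temp\AutoIt3.exe"},
    {"EventID": 10, "Computer": "WS-042", "SourceProcessId": 4210, "TargetProcessId": 4266, "GrantedAccess": 0x1FFFFF},
    {"EventID": 3, "Computer": "WS-042", "ProcessId": 4266, "DestinationHostname": "api.telegram.org",
     "DestinationPort": 443, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"EventID": 6, "Computer": "WS-042", "ImageLoaded": r"C:\Windows\Temp\ListOpenedFileDrv_32.sys"},
    {"EventID": 3, "Computer": "WS-042", "ProcessId": 5120, "DestinationHostname": "api.telegram.org",
     "DestinationPort": 443, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.computer}: {alert.detail}")
```

The rules are deliberately stateful: the process-access check only fires against a RegAsm.exe that an AutoIt interpreter started, which keeps ordinary debugger or AV handle opens on RegAsm.exe out of the alert stream. Tuning points are the BROWSERS allow-list for the Telegram rule (add the desktop Telegram client if it is sanctioned) and the CLR_HOSTS set, which can be widened to other signed .NET utilities seen used as hollowing targets.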

How Can SOCRadar Help?

Threat Actor Intelligence: SOCRadar provides continuous tracking of Handala and the broader MOIS ecosystem, including Scarred Manticore, MuddyWater, and affiliated personas. Campaign shifts, new wiper variants, and targeting changes are surfaced as they emerge.

Advanced Dark Web and Telegram Monitoring: SOCRadar monitors Handala’s Telegram channels, BreachForums account, Tor hidden services, and clearnet leak sites. Breach claims, doxxing activity, and “Saturday Files” releases are flagged in real time, giving security teams early warning before stolen data reaches wider circulation.

Attack Surface Management: Identifies exposed SharePoint instances, unpatched internet-facing applications, and misconfigured MDM platforms that Handala and its MOIS parent clusters target for initial access.

Iran-Israel Cyber Conflict Dashboard: SOCRadar’s dedicated conflict dashboard tracks the full spectrum of Iranian cyber activity, from state-sponsored APTs to hacktivist proxies like Handala. The dashboard provides analyst-vetted assessments rather than raw claims, separating verified intelligence from the noise of hundreds of daily Telegram posts.

SOCRadar’s Iran-Israel Cyber Conflict Dashboard

What Are Handala’s Indicators of Compromise (IoCs)?

IoC type, value, and description (values are defanged; hash algorithm identified by digest length):

  • IP address 82.25.35[.]25: VPS infrastructure used in attacks
  • IP address 31.57.35[.]223: Command infrastructure
  • IP address 107.189.19[.]52: Staging infrastructure node
  • IP address 146.185.219[.]235: VPN exit node used during operations
  • Network range 188.92.255.X: Starlink IP range observed in activity
  • Network range 209.198.131.X: Starlink infrastructure used for operations
  • Network range 149.88.26.X: Commercial VPN anonymization infrastructure
  • Network range 169.150.227.X: VPN range observed in campaigns
  • URL hxxps://link[.]storjshare[.]io/…/crowdstrikesupport/update.zip: Payload hosting used in phishing campaign
  • URL hxxps://link[.]storjshare[.]io/…/crowdstrikeisrael/update.zip: Alternative malware distribution location
  • Malware hash (MD5) 3cb9dea916432ffb8784ac36d1f2d3cd: Custom PowerShell-based wiper
  • Malware hash (MD5) 5986ab04dd6b3d259935249741d3eff2: Handala wiper used to erase files
  • Malware hash (MD5) 3236facc7a30df4ba4e57fddfba41ec5: VeraCrypt installer used during destructive operations
  • Malware hash (MD5) 3dfb151d082df7937b01e2bb6030fe4a: NetBird installer used for tunneling and persistence
  • Malware hash (MD5) e035c858c1969cffc1a4978b86e90a30: NetBird component used for lateral movement
  • Malware hash (MD5) 22e9135a650cd674eb330cbb4a7329c3: Malicious PDF lure used in phishing campaign
  • Malware hash (MD5) d32f89a8a3dd360db3fa9b838163ffa0: ZIP archive containing malicious loader
  • Malware hash (MD5) 755c0350038daefb29b888b6f8739e81: CrowdStrike.exe loader used in phishing chain
  • Malware hash (MD5) 9fab9f640db1f75fb8c18bfb50976abd: Carroll.cmd execution script
  • Malware hash (MD5) fca0910949d92dc3dd3dfcf0fb3d0408: AutoIT loader script
  • Malware hash (MD5) 2a5dd680c05b43d72365e8beb7e40088: Final destructive wiper payload
  • Malware hash (SHA-256) 64c5fd791ee369082273b685f724d5916bd4cad756750a5fe953c4005bb5428c: Loader archive linked to F5 campaign
  • Malware hash (SHA-256) ca9bf13897af109cb354f2629c10803966eb757ee4b2e468abc04e7681d0d74a: F5Updater loader
  • Malware hash (SHA-256) 454e6d3782f23455875a5db64e1a8cd8eb743400d8c6dadb1cd8fd2ffc2f9567: Handala.exe
  • Malware hash (SHA-256) fe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2: Alternative loader variant
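The table above is defanged (`[.]`, `hxxps`) and mixes exact IPs, `.X` wildcard ranges, and digests of two lengths, so it cannot be fed straight into a log search. The Python below is an added example for this profile, not SOCRadar tooling: it refangs a subset of the table’s own values, expands each `.X` range to its /24, identifies the hash algorithm from the digest length, and matches the result against a handful of constructed proxy, firewall and EDR log lines (the timestamps, internal addresses and paths are invented; the matching addresses and digests are copied from the table).

```python
"""Normalise the defanged IoCs from the table above and match them against
log lines (added example). RAW_IOCS copies a subset of the table's values;
SAMPLE_LOG is constructed for the example and is not a real record."""
import ipaddress
import re

# Defanged values exactly as they appear in the table above.
RAW_IOCS = {
    "ip": ["82.25.35[.]25", "31.57.35[.]223", "107.189.19[.]52", "146.185.219[.]235"],
    "range": ["188.92.255.X", "209.198.131.X", "149.88.26.X", "169.150.227.X"],
    "hash": ["3cb9dea916432ffb8784ac36d1f2d3cd",
             "454e6d3782f23455875a5db64e1a8cd8eb743400d8c6dadb1cd8fd2ffc2f9567"],
    "domain": ["link[.]storjshare[.]io"],
}
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")


def refang(value: str) -> str:
    """Undo the usual defanging: [.] or (.) -> '.', leading hxxp -> http."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def range_to_network(value: str) -> ipaddress.IPv4Network:
    """'188.92.255.X' in the table is shorthand for the /24; reject anything else."""
    octets = value.split(".")
    if len(octets) != 4 or octets[3].upper() != "X":
        raise ValueError(f"unsupported range notation: {value}")
    return ipaddress.ip_network(".".join(octets[:3]) + ".0/24")


class IocMatcher:
    def __init__(self, raw: dict[str, list[str]]) -> None:
        self.ips = {ipaddress.ip_address(refang(v)) for v in raw.get("ip", [])}
        self.nets = [range_to_network(v) for v in raw.get("range", [])]
        self.hashes = {v.lower() for v in raw.get("hash", [])}
        self.domains = {refang(v).lower() for v in raw.get("domain", [])}

    def scan_line(self, line: str) -> list[tuple[str, str]]:
        """Return (kind, normalised value) pairs found in one log line."""
        hits: list[tuple[str, str]] = []
        low = line.lower()                      # digests are logged in either case
        for token in IP_RE.findall(low):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:                  # e.g. 999.1.1.1 or a version string
                continue
            if addr in self.ips:
                hits.append(("ip", str(addr)))
            elif any(addr in net for net in self.nets):
                hits.append(("range", str(addr)))
        for digest in HASH_RE.findall(low):
            if digest in self.hashes:
                hits.append((HASH_ALGOS[len(digest)], digest))
        for domain in self.domains:             # plain substring; tighten with boundaries if needed
            if domain in low:
                hits.append(("domain", domain))
        return hits

    def scan(self, lines: list[str]) -> list[tuple[int, str, str]]:
        """Return (line index, kind, value) for every hit across the lines."""
        return [(i, kind, value) for i, line in enumerate(lines)
                for kind, value in self.scan_line(line)]


# Constructed log lines (not real telemetry). Line 4 is in 188.92.254.0/24,
# one network away from the listed 188.92.255.X range, and must not match.
SAMPLE_LOG = [
    '2026-03-11T02:14:07Z proxy CONNECT link.storjshare.io:443 from 10.20.30.41 ua="Mozilla/5.0"',
    "2026-03-11T02:14:09Z fw ALLOW tcp 10.20.30.41:51822 -> 31.57.35.223:443",
    "2026-03-11T02:14:12Z fw ALLOW tcp 10.20.30.41:51830 -> 188.92.255.17:443",
    "2026-03-11T02:15:01Z edr file C:\\Users\\dana\\Downloads\\update.zip md5=3CB9DEA916432FFB8784AC36D1F2D3CD",
    "2026-03-11T02:15:30Z fw ALLOW tcp 10.20.30.41:51844 -> 188.92.254.7:443",
    "2026-03-11T02:16:00Z edr file C:\\Temp\\Handala.exe "
    "sha256=454e6d3782f23455875a5db64e1a8cd8eb743400d8c6dadb1cd8fd2ffc2f9567",
]

if __name__ == "__main__":
    for index, kind, value in IocMatcher(RAW_IOCS).scan(SAMPLE_LOG):
        print(f"line {index}: {kind} {value}")
```

Two details matter in practice. The `.X` ranges in the table are Starlink and commercial VPN space, so a hit there is a weaker signal than an exact IP or a digest and should be tagged as such (the matcher reports it as `range` rather than `ip` for that reason). And hashes are normalised to lower case on both sides because EDR products disagree on digest casing; a case-sensitive comparison silently misses the MD5 on the constructed line 3.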

What Are Handala’s MITRE ATT&CK TTPs?

Tactic, technique ID, and technique name (names follow the ATT&CK entries for the listed IDs):

  • Reconnaissance: T1589 Gather Victim Identity Information
  • Reconnaissance: T1590 Gather Victim Network Information
  • Initial Access: T1566.001 Phishing: Spearphishing Attachment
  • Initial Access: T1566.002 Phishing: Spearphishing Link
  • Initial Access: T1566.003 Phishing: Spearphishing via Service
  • Initial Access: T1078.004 Valid Accounts: Cloud Accounts
  • Initial Access: T1190 Exploit Public-Facing Application
  • Execution: T1059 Command and Scripting Interpreter
  • Execution: T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT
  • Execution: T1204 User Execution
  • Persistence: T1505.003 Server Software Component: Web Shell
  • Privilege Escalation: T1068 Exploitation for Privilege Escalation
  • Defense Evasion: T1027 Obfuscated Files or Information
  • Defense Evasion: T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion
  • Defense Evasion: T1055.012 Process Injection: Process Hollowing
  • Defense Evasion: T1218 System Binary Proxy Execution
  • Defense Evasion: T1090 Proxy
  • Lateral Movement: T1021.001 Remote Services: Remote Desktop Protocol
  • Exfiltration: T1020 Automated Exfiltration
  • Impact: T1561.002 Disk Wipe: Disk Structure Wipe
  • Impact: T1485 Data Destruction
  • Impact: T1491 Defacement

If you would like a more detailed report on Handala’s Stryker attack, including IoCs and YARA rules, contact [email protected].