Handala Hack: Iran’s Hacktivist Group and Its Controversial Tactics

Handala Hack is not an isolated group. According to researchers at Check Point Research, it is an online persona run by Void Manticore (also known as Red Sandstorm or Banished Kitten), a group that Iran’s MOIS, the Ministry of Intelligence and Security, directly operates.

Void Manticore actually maintains several distinct public facades. Besides Handala Hack, active since late 2023 and primarily targeting Israel, there is Homeland Justice, a persona the group has maintained since mid-2022 for assaults against government targets, telecommunications, and other sectors in Albania, as well as Karma, a persona that is now defunct and that Handala appears to have absorbed.

Researchers note that in some intrusions, the victim-facing communications (messages in the wipers, notes the attackers left in the compromised environments) appeared under the Karma name, while the stolen data subsequently flowed to Handala to be published.

The name and iconography of the group draw from the Palestinian comic character Handala. The entity has recently widened its operating scope to the United States, notably targeting the medical technology giant Stryker.


According to publicly cited sources in the report, Void Manticore reportedly exhibits overlaps in activity with Iran’s MOIS Directorate of Internal Security, and more specifically with its Terrorism Prevention Division, led by Seyed Yahya Hosseini Panjakit, who was killed by Israeli strikes on Iran earlier this month.

Initial access gained through the IT supply chain

Handala systematically targets IT service providers to obtain access credentials. The group then uses these credentials to breach the VPN environments of the victim organizations.

The analysis reveals hundreds of login attempts and brute-force operations against VPN infrastructure, originating from commercial VPN nodes and frequently tied to default Windows hostnames such as DESKTOP-XXXXXX or WIN-XXXXXX.

A notable detail: after Iran’s internet shutdown in January, researchers observed this type of activity coming from Starlink IP ranges, a trend that continued thereafter.

In parallel, the group’s operational discipline deteriorated: analysts detected direct connections from Iranian IP addresses, whereas the group previously relied on commercial VPN nodes to mask its origin.

A discreet reconnaissance phase before the destruction

In at least one recent intrusion attributed to Handala, the group established its initial access several months before the destructive phase. During this latency period, it accumulated persistent access and domain administration credentials.

Observed pre-impact activities include:

  • Disabling Windows Defender
  • Reconnaissance and credential theft operations, including memory dumps of the LSASS process via rundll32.exe and comsvcs.dll
  • Export of sensitive registry hives (HKLM)
  • Execution of ADRecon (dra.ps1), a PowerShell framework for Active Directory discovery, used to obtain domain administrator credentials
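The four pre-impact behaviours above are all visible in process-creation telemetry (Windows Event ID 4688 or Sysmon Event ID 1). The following detection sketch is an added example written for this article, not code from Check Point Research or from the report; the host names, users, PIDs and paths in the sample events are constructed, and the patterns are one reasonable reading of the behaviours the report names rather than the report's own rules. It matches each event against the four behaviours and escalates any host that shows two or more of them, since the report describes them as a chain that precedes the destructive phase.

```python
import re

# Constructed sample of process-creation events (4688 / Sysmon 1 style), reduced
# to the fields the checks need. Hosts, users, PIDs and paths are hypothetical.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"host": "WS-FIN-07", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 612 C:\\Windows\\Temp\\l.dmp full"},
    {"host": "DC01", "user": "CORP\\Administrator",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"},
    {"host": "DC01", "user": "CORP\\Administrator",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ep bypass -File C:\\Windows\\Temp\\dra.ps1"},
    {"host": "WS-HR-02", "user": "CORP\\Administrator",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS-HR-02", "user": "CORP\\ahmed",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
]

# One rule per pre-impact behaviour listed in the article. Patterns are an
# assumption about how each step shows up on the command line.
RULES = [
    # LSASS memory dump through the comsvcs.dll MiniDump export, launched by rundll32
    ("lsass_dump_comsvcs", re.compile(r"rundll32(\.exe)?\b.*comsvcs\.dll.*minidump", re.I)),
    # Export of the credential-bearing HKLM hives with reg.exe
    ("registry_hive_export", re.compile(r"\breg(\.exe)?\s+(save|export)\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)),
    # ADRecon run under its default or renamed (dra.ps1) script name
    ("adrecon_execution", re.compile(r"\b(dra|adrecon)\.ps1\b", re.I)),
    # Defender tampering via Set-MpPreference -Disable* switches
    ("defender_tamper", re.compile(r"Set-MpPreference\b.*-Disable\w*", re.I)),
]


def match_event(event):
    """Return the names of every rule whose pattern matches the event's command line."""
    cmd = event["cmdline"]
    return [name for name, pattern in RULES if pattern.search(cmd)]


def triage(events):
    """Group rule hits per host. A host showing two or more distinct pre-impact
    behaviours is escalated, because the report describes these steps as a
    chain that precedes the destructive phase."""
    per_host = {}
    for ev in events:
        for rule in match_event(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return {
        host: {"rules": sorted(rules), "escalate": len(rules) >= 2}
        for host, rules in per_host.items()
    }


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        tag = "ESCALATE" if verdict["escalate"] else "review"
        print(f"{tag:9} {host}: {', '.join(verdict['rules'])}")
```

In the constructed sample, DC01 is escalated (hive export plus ADRecon), while the workstations each show a single behaviour and are left for review. In production the same logic would run over a SIEM query rather than an in-memory list, and the Defender rule would normally be paired with the Defender operational log rather than command-line matching alone.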

Lateral movement: RDP and tunneling via NetBird

The hallmark of Void Manticore is its hands-on, manual operation. Lateral movement is mainly accomplished through RDP (Remote Desktop Protocol). To reach hosts not directly accessible from the outside, the group now deploys NetBird, an open-source platform that enables private, zero-trust mesh networks.


Attackers deploy NetBird manually: they connect via RDP to compromised machines, then use the local web browser to download the software directly from the official site.

By installing NetBird on several machines, they establish internal connectivity among systems, accelerating the destructive activity. In one incident, researchers observed at least five separate machines under attacker control operating simultaneously within the environment.

Four destruction methods deployed simultaneously

The destructive phase constitutes Handala’s signature. The group deploys four wiping techniques in parallel, distributed through Group Policy Objects (GPOs) to maximize impact.

1. The Handala Wiper (custom executable)

A customized wiper, sometimes named handala.exe, is distributed by the group via GPO login scripts using a batch file (handala.bat). The attackers run it remotely from the domain controller without writing it to the target machines’ disks. It overwrites file contents and uses MBR-wiping techniques to corrupt or destroy data at the disk level.

2. The Handala PowerShell Wiper (AI-assisted)

A second wiper, this time in PowerShell, is also distributed via GPO. It enumerates and deletes all files in the C:\Users directories. According to researchers, the code structure and the level of detail in the comments suggest the attackers developed this script with the help of AI. In the final step, the script drops a propaganda image named handala.gif onto all logical drives.

3. Disk encryption via VeraCrypt

To amplify destructive impact, the attackers download VeraCrypt, a legitimate disk-encryption tool, directly from its official site through the compromised machine’s browser. By encrypting the system disks, they make recovery even harder, even if other wiping components have only partially succeeded.

4. Manual deletion

In some cases, Handala operators manually delete virtual machines directly from the virtualization platform, or delete files by connecting via RDP and selecting and erasing them all. Handala itself has documented this behavior in videos and materials it distributes.

Stable TTPs, but a few notable evolutions

Researchers emphasize that Void Manticore’s TTPs remained largely stable from 2024 through 2026, anchored in manual operations, readily available wipers, and publicly available tools for deletion and encryption. Two recent evolutions warrant attention. First, the adoption of NetBird for traffic tunneling and internal access. Second, the use of AI to generate PowerShell wiping scripts.


Defenders’ Recommendations

Practical recommendations from the report:

  1. Impose multi-factor authentication (MFA) for all remote access and privileged accounts.
  2. Monitor suspicious authentication activity: logins from unusual countries, unusual hours, spikes in VPN session data transfers, new devices, new ASN ranges.
  3. Harden and restrict VPN access from Iran and the Starlink ranges used by Iranian actors — consider temporarily limiting VPN access to only countries tied to the organization’s activity.
  4. Tighten and restrict RDP access, disable it where not needed, and monitor connections from machines with default names (DESKTOP-XXXXXX / WIN-XXXXXXXX).
  5. Monitor the use of potentially undesirable tools: RMM tools, VPN applications like NetBird, and SSH tunneling utilities.
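Recommendations 2 and 4, and the VPN brute-force activity described earlier (hundreds of attempts from commercial VPN nodes, tied to default Windows hostnames such as DESKTOP-XXXXXX or WIN-XXXXXX), can be turned into a simple triage over VPN authentication logs. The script below is an added example for this article, not code from the report or from Check Point Research. The records, users, IP addresses, ASNs and the baseline (countries tied to the organisation, known ASNs, working hours, volume and failure thresholds) are all constructed; the hostname regex is an approximation of the two default-name patterns the report cites.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed VPN authentication records (hypothetical users, IPs, ASNs, hostnames).
# The fields mirror what a VPN concentrator or SSO log typically exposes.
SAMPLE_LOGINS = [
    {"ts": "2026-02-03T09:12:00", "user": "jdoe", "src_ip": "203.0.113.10", "country": "IL",
     "asn": 64500, "hostname": "LT-JDOE-01", "result": "success", "bytes_out": 120_000_000},
    {"ts": "2026-02-03T02:41:00", "user": "jdoe", "src_ip": "198.51.100.7", "country": "NL",
     "asn": 64510, "hostname": "DESKTOP-A1B2C3", "result": "success", "bytes_out": 9_800_000_000},
    {"ts": "2026-02-03T02:42:00", "user": "admin", "src_ip": "198.51.100.7", "country": "NL",
     "asn": 64510, "hostname": "DESKTOP-A1B2C3", "result": "failure", "bytes_out": 0},
    {"ts": "2026-02-03T21:30:00", "user": "msmith", "src_ip": "192.0.2.44", "country": "US",
     "asn": 64501, "hostname": "LT-MSMITH-02", "result": "success", "bytes_out": 50_000_000},
]
# A burst of failed logins from one source against several accounts (constructed).
SAMPLE_LOGINS += [
    {"ts": f"2026-02-03T02:5{i}:00", "user": f"user{i}", "src_ip": "198.51.100.9", "country": "DE",
     "asn": 64520, "hostname": "WIN-9K2L4M6N", "result": "failure", "bytes_out": 0}
    for i in range(6)
]

# Organisation baseline: an assumption for the example, normally derived from
# 60 to 90 days of clean history.
BASELINE = {
    "countries": {"IL", "US"},          # countries tied to the organisation's activity
    "asns": {64500, 64501},             # ASNs previously seen for successful logins
    "work_hours": (6, 20),              # local hours considered normal, [start, end)
    "bytes_out_limit": 2_000_000_000,   # per-session outbound volume threshold
    "failure_threshold": 5,             # failed attempts per source IP in the window
}

# Default Windows hostnames as the report cites them: DESKTOP-XXXXXX / WIN-XXXXXXXX.
DEFAULT_HOSTNAME = re.compile(r"^(DESKTOP|WIN)-[A-Z0-9]{6,8}$")


def login_flags(rec, baseline=BASELINE):
    """Return the list of recommendation-2/4 indicators a single login triggers."""
    flags = []
    hour = datetime.fromisoformat(rec["ts"]).hour
    start, end = baseline["work_hours"]
    if not start <= hour < end:
        flags.append("off_hours")
    if rec["country"] not in baseline["countries"]:
        flags.append("unusual_country")
    if rec["asn"] not in baseline["asns"]:
        flags.append("new_asn")
    if DEFAULT_HOSTNAME.match(rec["hostname"]):
        flags.append("default_hostname")
    if rec["result"] == "success" and rec["bytes_out"] > baseline["bytes_out_limit"]:
        flags.append("transfer_spike")
    return flags


def brute_force_sources(records, baseline=BASELINE):
    """Source IPs whose failed-login count reaches the threshold."""
    failures = Counter(r["src_ip"] for r in records if r["result"] == "failure")
    return {ip: n for ip, n in failures.items() if n >= baseline["failure_threshold"]}


def triage_vpn(records, baseline=BASELINE):
    """Successful logins worth an analyst's attention (most indicators first),
    plus the sources that look like password guessing."""
    suspicious = []
    for r in records:
        if r["result"] != "success":
            continue
        flags = login_flags(r, baseline)
        if flags:
            suspicious.append({"user": r["user"], "src_ip": r["src_ip"], "flags": flags})
    suspicious.sort(key=lambda s: -len(s["flags"]))
    return {"suspicious_logins": suspicious,
            "brute_force_sources": brute_force_sources(records, baseline)}


if __name__ == "__main__":
    report = triage_vpn(SAMPLE_LOGINS)
    for s in report["suspicious_logins"]:
        print(f"{s['user']:8} {s['src_ip']:15} {', '.join(s['flags'])}")
    print("brute-force sources:", report["brute_force_sources"])
```

On the constructed data the 02:41 session for jdoe collects every indicator at once (off hours, new country, new ASN, default hostname and a large outbound transfer), which is the profile the report associates with stolen VPN credentials, while the late-evening login from a known ASN and named laptop is a single low-weight hit. Per-user baselines (where does this account usually log in from?) sharpen the country and ASN checks considerably and are the natural next step.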

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.