An Iranian threat actor, operating under the moniker Handala Hack, has launched a series of destructive cyberattacks targeting organizations in Israel, Albania, and the United States. These sophisticated intrusions leverage Remote Desktop Protocol (RDP) for network traversal, NetBird for clandestine traffic tunneling, and a suite of parallel data-wiping tools, aiming for irreversible data destruction. This group is part of a broader entity known as Void Manticore, also identified as Red Sandstorm and Banished Kitten, which has direct links to Iran’s Ministry of Intelligence and Security (MOIS).
The Handala Hack group, named after the prominent Palestinian cartoon character, has been actively engaged in disruptive operations since late 2023. It publicly operates under three distinct personas: Handala Hack, Karma, and Homeland Justice. The Homeland Justice identity has been employed since mid-2022 against various sectors in Albania, including government agencies and telecommunication providers. While the Karma persona appears to have been gradually superseded by Handala, the group’s operational scope significantly expanded recently with attacks reaching the United States, impacting organizations such as the medical technology firm Stryker.
Researchers from Check Point have meticulously observed the evolving tactics, techniques, and procedures (TTPs) of Void Manticore across numerous intrusions. While the core attack methodologies have remained consistent since early 2024, recent campaigns have introduced novel tools. These include NetBird, a legitimate peer-to-peer networking utility repurposed for tunneling malicious traffic within compromised networks, and an AI-assisted PowerShell script that plays a crucial role in their data-wiping arsenal. A notable shift in operational security has also been identified, with recent activities traceable to direct Iranian IP addresses, a departure from their previous reliance on commercial VPN services.
The attack lifecycle for Handala Hack typically commences with the acquisition of compromised VPN credentials. These are often obtained through brute-force attacks or breaches within the supply chain of IT service providers. Once inside a target network, the attackers meticulously navigate between systems using Remote Desktop Protocol (RDP). Evidence suggests the simultaneous operation of at least five attacker-controlled machines within a single victim environment, underscoring the group’s objective to maximize the speed and breadth of its destructive impact.
Parallel Wiping Operations: A Multi-Layer Approach to Destruction
What distinguishes Handala Hack is its deliberate strategy to initiate data destruction from multiple vectors concurrently. This approach significantly diminishes an organization’s capacity for effective recovery. The group achieves this by deploying several wiper tools simultaneously, often orchestrated through Group Policy, ensuring rapid propagation across the compromised network. This coordinated, multi-pronged assault is designed for maximum impact.
The destructive phase of a Handala Hack intrusion involves the execution of four distinct wiping techniques in parallel. The primary tool is the custom Handala Wiper, disseminated via Group Policy logon scripts through a batch file named handala.bat. This wiper not only overwrites file contents but also corrupts the Master Boot Record (MBR), causing profound, low-level system damage. A key feature of this wiper is its remote execution from the Domain Controller, meaning it is never written to disk on the targeted machines, making detection by conventional security tools more challenging.
In parallel with its custom wiper, the attackers deploy an AI-assisted PowerShell wiper. This script systematically deletes all files within user directories and then floods every logical drive with a propaganda image file, identified as handala.gif. Furthermore, the group leverages VeraCrypt, a legitimate disk encryption utility, which is downloaded directly through the victim’s own web browser. This tool is used to encrypt drives, rendering data inaccessible and further hindering recovery efforts.
The final stage of the destruction process involves manual intervention by the operators. They utilize RDP to delete virtual machines and individual files directly. This deliberate, hands-on destruction method has been documented by the group itself through leaked operational videos, providing insights into their persistent destructive intent. The combination of automated wipers and manual deletion efforts presents a formidable challenge for incident response teams.
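The four parallel techniques above each leave a distinct process-creation footprint, which is what a detection engineer would key on: a batch script executed from the domain's SYSVOL share, a PowerShell command that recurses through user profiles with a delete and then copies a .gif to a drive root, a VeraCrypt binary launched from a browser's Downloads folder, and the NetBird agent running where it was never deployed. The following Python is an added example, not code from Check Point or from the report; the sample events and the Sysmon-like field layout (host, parent image, image, command line) are constructed, and the two-technique escalation threshold is an assumption of the example.

```python
"""Flag process-creation events that match the destructive-phase tradecraft
described above. Event tuples are constructed for illustration; the field
layout (host, parent_image, image, command_line) is an assumption."""
import re
from collections import defaultdict

# Constructed sample events: (host, parent_image, image, command_line)
SAMPLE_EVENTS = [
    # Group Policy logon script pulled from SYSVOL (gpscript.exe is the GPO script host)
    ("FS01", r"C:\Windows\System32\gpscript.exe",
     r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c "\\corp.example\SYSVOL\corp.example\scripts\handala.bat"'),
    # PowerShell wiper: empties C:\Users, then seeds a drive root with the .gif
    ("WS-44", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell.exe -ep bypass -c "Get-ChildItem C:\Users -Recurse | '
     r'Remove-Item -Force; Copy-Item handala.gif D:\"'),
    # VeraCrypt installer run straight out of the browser's download folder
    ("WS-44", r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r"C:\Users\jdoe\Downloads\VeraCrypt Setup.exe",
     r'"C:\Users\jdoe\Downloads\VeraCrypt Setup.exe"'),
    # NetBird agent registered as a service on a domain controller
    ("DC01", r"C:\Windows\System32\services.exe",
     r"C:\Program Files\NetBird\netbird.exe",
     r'"C:\Program Files\NetBird\netbird.exe" service run'),
    # Benign activity that must not fire
    ("WS-07", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\notepad.exe",
     r"notepad.exe C:\Users\asmith\notes.txt"),
]

# Each rule is (name, predicate over (parent_image, image, command_line)).
RULES = [
    ("sysvol_logon_script", lambda p, i, c: bool(
        re.search(r"\\\\[^\\]+\\sysvol\\.*\.(bat|cmd)\b", c, re.I))),
    ("powershell_profile_wipe", lambda p, i, c: bool(
        i.lower().endswith("powershell.exe")
        and re.search(r"remove-item", c, re.I)
        and re.search(r"c:\\users", c, re.I))),
    ("gif_seeded_to_drive_root", lambda p, i, c: bool(
        re.search(r"\.gif\s+[a-z]:\\?(\s|\"|$)", c, re.I))),
    ("veracrypt_from_downloads", lambda p, i, c:
        "veracrypt" in i.lower() and "\\downloads\\" in i.lower()),
    ("netbird_present", lambda p, i, c: i.lower().endswith("netbird.exe")),
]


def evaluate(events):
    """Return {host: [rule names that fired, in rule order, deduplicated]}."""
    hits = defaultdict(list)
    for host, parent, image, cmdline in events:
        for name, pred in RULES:
            if pred(parent, image, cmdline) and name not in hits[host]:
                hits[host].append(name)
    return {h: r for h, r in hits.items() if r}


def destructive_phase_hosts(events, threshold=2):
    """Hosts on which at least `threshold` distinct techniques were seen.
    Two techniques on one host is where an analyst would escalate; the
    threshold value is an assumption of this example."""
    return sorted(h for h, r in evaluate(events).items() if len(r) >= threshold)


if __name__ == "__main__":
    for host, rules in evaluate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
    print("escalate:", destructive_phase_hosts(SAMPLE_EVENTS))
```

A single hit on `netbird_present` or `sysvol_logon_script` is already worth a ticket in an environment that does not use those tools; the host-level roll-up exists because the report's point is concurrency, and two different techniques landing on one machine within the same window is the signature of this actor rather than of an administrator cleaning up a profile.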
Defenders are strongly advised to implement multi-factor authentication (MFA) across all remote access and privileged accounts without exception. Security teams should remain vigilant for anomalous login patterns, including those originating from unfamiliar geographic locations, occurring at unusual hours, involving new device registrations, or exhibiting abnormal VPN data transfer volumes. Connections originating from Iranian IP addresses and known Starlink IP ranges should be proactively blocked at the network perimeter. Where not essential, RDP access should be disabled, particularly on machines with default Windows naming conventions such as DESKTOP-XXXXXX or WIN-XXXXXX. Close monitoring for the presence of tools like NetBird and other tunneling utilities is also crucial, as their deployment can signal unauthorized internal network activity, a hallmark of Handala Hack’s intrusion tactics.
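The login-monitoring advice above is a set of per-user baseline comparisons plus two static checks (blocked source country, RDP into a host that still carries a default Windows name). The Python below is an added example, not code from the report or from any vendor product; the baselines, sign-in records and thresholds (three times a user's usual transfer volume, the severity tiers) are constructed assumptions, and the default-hostname pattern is written loosely to match both the DESKTOP-XXXXXX and WIN-XXXXXX forms the text names.

```python
"""Score VPN/RDP sign-in records against a per-user baseline for the signals
listed above. Every record, baseline and threshold here is constructed."""
import re
from dataclasses import dataclass

BLOCKED_COUNTRIES = {"IR"}                # perimeter policy from the guidance above
DEFAULT_HOSTNAME = re.compile(r"^(DESKTOP|WIN)-[A-Z0-9]{6,}$")
VOLUME_MULTIPLIER = 3.0                   # assumption: >3x the user's p95 is abnormal


@dataclass
class Login:
    user: str
    country: str        # ISO country of the source IP
    hour: int           # local hour, 0-23
    device_id: str      # registered device identifier
    mb_transferred: float
    service: str        # "vpn" or "rdp"
    target_host: str    # destination host (rdp) or gateway (vpn)


# Constructed baselines: what each account normally looks like.
BASELINE = {
    "jdoe":   {"countries": {"IL"}, "hours": range(7, 20),
               "devices": {"dev-a1"}, "mb_p95": 300.0},
    "asmith": {"countries": {"US"}, "hours": range(8, 19),
               "devices": {"dev-b7"}, "mb_p95": 150.0},
}

# Constructed sign-in records.
SAMPLE_LOGINS = [
    Login("jdoe", "IL", 9, "dev-a1", 120.0, "vpn", "vpn-gw1"),            # normal
    Login("jdoe", "IR", 3, "dev-z9", 2400.0, "vpn", "vpn-gw1"),           # everything wrong
    Login("asmith", "US", 14, "dev-b7", 80.0, "rdp", "FS01"),             # normal
    Login("asmith", "US", 23, "dev-b7", 90.0, "rdp", "DESKTOP-K3P9QW2"),  # late RDP to default-named box
]


def score_login(login, baseline):
    """Return the list of signals a record trips, in a fixed order."""
    reasons = []
    if login.country in BLOCKED_COUNTRIES:
        reasons.append("source_in_blocked_country")
    if login.country not in baseline["countries"]:
        reasons.append("unfamiliar_country")
    if login.hour not in baseline["hours"]:
        reasons.append("unusual_hour")
    if login.device_id not in baseline["devices"]:
        reasons.append("new_device")
    if login.mb_transferred > VOLUME_MULTIPLIER * baseline["mb_p95"]:
        reasons.append("abnormal_volume")
    if login.service == "rdp" and DEFAULT_HOSTNAME.match(login.target_host):
        reasons.append("rdp_to_default_named_host")
    return reasons


def triage(logins, baselines):
    """Return alert dicts for records with at least one signal.
    Severity tiers are an assumption: any blocked-country source is 'block',
    two or more signals is 'investigate', a single signal is 'watch'."""
    alerts = []
    for login in logins:
        reasons = score_login(login, baselines[login.user])
        if not reasons:
            continue
        if "source_in_blocked_country" in reasons:
            severity = "block"
        elif len(reasons) >= 2:
            severity = "investigate"
        else:
            severity = "watch"
        alerts.append({"user": login.user, "service": login.service,
                       "target": login.target_host, "severity": severity,
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGINS, BASELINE):
        print(alert)
```

The baseline fields map directly onto the four anomalies the guidance lists (location, hour, device, volume); the two static rules carry the perimeter-block and RDP-hygiene advice. A real deployment would build the baseline from the identity provider's sign-in history rather than hand-writing it, but the comparison logic does not change.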

