NEWS Why invent viruses when you can just press Delete? Iranian hackers' straightforward approach in action

pinkman

Handala Hack uses Starlink and AI, but still deletes files through the Recycle Bin.
The hacker group Handala Hack launches attacks without complex schemes or rare vulnerabilities. The attackers log into the network, move freely through the infrastructure, and then simply wipe everything. A new analysis of the group's activities shows that this straightforward approach is often very effective.

Handala Hack is the name of the cyber group Void Manticore, also known as Red Sandstorm and Banished Kitten. Its activities are linked to the Iranian Ministry of Intelligence and Security. The group operates under several public personas. In addition to Handala Hack, Karma and Homeland Justice have also been involved in operations. Homeland Justice carried out attacks on government agencies, telecommunications companies, and other organizations in Albania. Handala Hack focused primarily on Israel and has recently begun attacking American companies. Recent targets include the medical corporation Stryker.

The name Handala was taken from a popular Palestinian cartoon character. The group actively uses this image in propaganda and post-attack materials.

Void Manticore's tactics remain largely unchanged. The hackers prefer to operate manually, directly controlling activity within the victim's network. They use ready-made data-wiping utilities and publicly available file deletion or encryption tools. Sometimes, they use their own programs. Initial access is often purchased from criminal intermediaries or obtained through stolen accounts.

Most often, attackers target contractors and IT service providers. The goal is simple: to obtain credentials for virtual private networks. In recent months, hundreds of attempts to log in and brute-force passwords to corporate VPN gateways have been recorded. Most of these attempts were made through commercial VPN services. Attackers often used computers with standard Windows names like DESKTOP-XXXXXX or WIN-XXXXXX.
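A defender-side check for the VPN brute-force pattern described above, added here as an example and not part of the original post: it parses constructed gateway log lines (the log format, the 5-minute window and the loose DESKTOP-/WIN- hostname pattern are assumptions) and flags sources with a burst of failures, rating highest those where a login succeeded right after the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN gateway auth log (not real data); assumed format:
# "<ISO time> <OK|FAIL> user=<name> src=<ip> host=<client hostname>"
SAMPLE_LOG = """\
2025-02-03T10:00:01 FAIL user=jsmith src=203.0.113.10 host=DESKTOP-A1B2C3D
2025-02-03T10:00:03 FAIL user=jsmith src=203.0.113.10 host=DESKTOP-A1B2C3D
2025-02-03T10:00:05 FAIL user=jsmith src=203.0.113.10 host=DESKTOP-A1B2C3D
2025-02-03T10:00:11 OK   user=jsmith src=203.0.113.10 host=DESKTOP-A1B2C3D
2025-02-03T10:05:00 OK   user=mlee   src=198.51.100.7 host=CORP-LT-0442
2025-02-03T11:00:00 FAIL user=admin  src=192.0.2.55   host=WIN-9QK3ZX7
2025-02-03T11:00:02 FAIL user=admin  src=192.0.2.55   host=WIN-9QK3ZX7
2025-02-03T11:00:04 FAIL user=admin  src=192.0.2.55   host=WIN-9QK3ZX7
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)"
                     r"\s+src=(?P<src>\S+)\s+host=(?P<host>\S+)$")
# Unrenamed Windows hosts look like DESKTOP-XXXXXXX / WIN-XXXXXXXXXXX; the suffix
# length varies between versions, so the pattern is kept loose (assumption).
DEFAULT_HOST_RE = re.compile(r"^(?:DESKTOP|WIN)-[A-Z0-9]{5,11}$")

def find_brute_force(log_text, window=timedelta(minutes=5), min_fails=3):
    """Alert on (src, host) pairs with >= min_fails failures inside `window`.
    Records whether the host name is a Windows default and whether a login
    succeeded after the failure burst, which is the case that needs a response."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on them
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        by_source[(ev["src"], ev["host"])].append(ev)
    alerts = []
    for (src, host), evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["result"] == "FAIL"]
        # end time of the first run of min_fails failures that fits in the window
        burst_end = next((fails[i + min_fails - 1] for i in range(len(fails) - min_fails + 1)
                          if fails[i + min_fails - 1] - fails[i] <= window), None)
        if burst_end is None:
            continue
        succeeded = any(e["result"] == "OK" and e["ts"] >= burst_end for e in evs)
        alerts.append({"src": src, "host": host, "failures": len(fails),
                       "default_hostname": bool(DEFAULT_HOST_RE.match(host)),
                       "success_after_burst": succeeded,
                       "severity": "high" if succeeded else "medium"})
    return alerts
```

A "high" alert with a default hostname is the combination the article describes: a throwaway machine that guessed its way into a VPN account and should trigger a credential reset and session review.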

After the internet shutdown in Iran in January, experts noticed similar activity from addresses of the Starlink satellite network. At the same time, attackers became less efficient at concealing the origin of their traffic. In some cases, connections to the systems under attack originated directly from Iranian addresses.

Once in the network, Handala Hack operators operate calmly and methodically. Sometimes, they gain access several months before the destructive phase of the attack. During this time, the attackers gain a foothold in the infrastructure and gain domain administrator privileges. Before launching the main attack, they verify credentials and collect information about the network.

Several methods are used to steal passwords. For example, they target the LSASS process, which holds authentication data in memory, and copy system registry keys. They also run the ADRecon utility, which collects information about the Active Directory domain structure.

The attackers primarily navigate the network via the Remote Desktop Protocol. If individual systems are inaccessible from the outside, they install NetBird. The program creates a secure internal network between computers. Using this, Handala Hack operators connect multiple infected machines and control the attack from multiple points within the infrastructure.
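An added example, not from the original post or from the group's tooling, of triaging constructed Windows process-creation records for the credential-theft, domain-recon and NetBird steps described above; the record fields and the rule patterns are assumptions, and the escalation step correlates the SAM and SYSTEM hive exports that together allow offline hash extraction.

```python
import re

# Constructed process-creation records (not real telemetry); fields assumed:
# host, user, image (executable path), cmdline.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc-backup", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"host": "DC01", "user": "CORP\\svc-backup", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SYSTEM C:\Users\Public\sys.hiv"},
    {"host": "WS-0142", "user": "CORP\\jsmith", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Temp\ADRecon.ps1 -OutputDir C:\Temp\out"},
    {"host": "WS-0142", "user": "CORP\\jsmith", "image": r"C:\Users\jsmith\Downloads\netbird_installer.exe",
     "cmdline": r"netbird_installer.exe /S"},
    {"host": "WS-0007", "user": "CORP\\mlee", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\mlee\notes.txt"},
]
# Command-line rules (assumed patterns). Direct reads of LSASS memory leave no
# command line; those need process-access telemetry (e.g. Sysmon Event ID 10) or EDR.
RULES = [
    (re.compile(r"(?i)\breg(?:\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b"),
     "credential_access: registry hive export"),
    (re.compile(r"(?i)adrecon"), "discovery: ADRecon domain enumeration"),
    (re.compile(r"(?i)netbird"), "remote_access: NetBird overlay-network client"),
]

def triage(events):
    """Tag each event that matches a rule; escalate hosts where both the SAM and
    SYSTEM hives were exported, since together they yield offline password hashes."""
    hits, hives_by_host = [], {}
    for ev in events:
        text = ev["image"] + " " + ev["cmdline"]
        for rx, label in RULES:
            m = rx.search(text)
            if not m:
                continue
            hits.append({"host": ev["host"], "user": ev["user"], "label": label})
            if m.groups() and m.group(1):  # only the hive rule captures a group
                hives_by_host.setdefault(ev["host"], set()).add(m.group(1).upper())
    for host, hives in hives_by_host.items():
        if {"SAM", "SYSTEM"} <= hives:
            hits.append({"host": host, "user": None,
                         "label": "escalate: SAM+SYSTEM exported, offline hash extraction possible"})
    return hits
```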

The main attack begins when attackers deploy data destruction tools. One attack utilized four different methods simultaneously. This combination increases the chance of completely disabling the system.

The first tool is a special program called Handala Wiper. It's distributed over the network via Windows Group Policy. The malicious file overwrites the contents of files and corrupts the disk's master boot record, rendering the data unreadable.

Additionally, they run a PowerShell script that deletes all files from user directories. The code structure and comments suggest that the script was likely created using artificial intelligence. After completing the deletion, the program copies the image "handala.gif" to disks—a kind of "signature" of the attack.

Sometimes attackers even use legitimate software. For example, in one attack, operators installed the VeraCrypt disk encryption software and encrypted system partitions. This tactic complicates data recovery, even if some of the malware failed.

In some cases, the attackers use even simpler tactics. They connect to the server via remote desktop, select files or virtual machines, and delete them manually. Such actions can even be seen in videos and materials the group itself publishes after the hacks.

An analysis of recent attacks shows that Handala Hack doesn't rely on sophisticated technology. The group relies on stolen credentials, remote access, and simple data destruction programs. This approach remains dangerous precisely because of its simplicity: if the attackers manage to penetrate a network and gain administrative privileges, restoring the infrastructure after the attack can take a very long time.