Description

Handala is a pro-Palestinian and pro-Iran hacktivist group that emerged in December 2023, shortly after the October 7 attacks and the subsequent Israeli military operations in Gaza. Also known as "Void Manticore" and "BANISHED KITTEN," Handala combines ideological motivation with professional-grade cyber capabilities. Their operational model centers on destructive cyberattacks using custom wiper malware: tools designed to permanently destroy data.

Multiple cybersecurity firms and intelligence assessments link Handala to Iran's Ministry of Intelligence and Security (MOIS), positioning them within Iran's broader asymmetric warfare strategy. Their campaigns typically begin with targeted phishing attacks, followed by web shell deployment for persistence, data exfiltration, and wiper deployment for maximum damage. They communicate via Telegram and maintain a dedicated leak site to claim responsibility and amplify impact.

Their targeting has focused on Israeli institutions, U.S. companies, and Gulf energy infrastructure, which aligns closely with Iranian strategic interests. Most notably, in March 2026 they claimed a destructive attack on U.S. medical technology firm Stryker as retaliation for a reported U.S. strike on a girls' school in Tehran. Stryker had thousands of systems disrupted, and the impact is still under investigation.

Aliases

  • Void Manticore
  • Handala Hack Team
  • BANISHED KITTEN

Targeted Industries

  • Government
  • Healthcare
  • Medical Devices
  • Military and Defense
  • Oil and Gas
  • Think Tanks

Objectives

Hacktivism

Known Tools Used

  • Cloud Hosting Services
  • Custom Wiper Malware
  • Data Exfiltration Tools
  • Phishing Payloads
  • Telegram Infrastructure
  • Web Shells

Known Infection Vectors

  • Credential Theft
  • Phishing Emails
  • Valid Accounts
  • Web Server Exploitation

References

Iranian State-Sponsored Cyber Activity (CISA)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a

Iranian Government-Sponsored APT Activity (CISA)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-133a

Iranian Cyber Actors Exploiting Known Vulnerabilities (CISA)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a

Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest

https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest

Active CVEs