TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Check Point Research

“Handala Hack” – Unveiling Group’s Modus Operandi

matthewsu · 2026-03-12

ATT&CK techniques detected

18 predictions
T1485 Data Destruction · 97%
“…ware overwrites file contents across the system and additionally leverages MBR-based wiping techniques to corrupt or destroy files on the system, contributing to significant data loss. Handala PowerShell wiper: as a final stage of the destructive operation, the attackers deplo…”

T1588.002 Tool · 96%
“, as well as Handala Hack, which has been responsible for multiple intrusions in Israel and recently expanding its targeting to US-based enterprises such as medical technology giant Stryker. The techniques, tactics, and procedures (TTPs) associated with Void Manticore intrusi…”

T1486 Data Encrypted for Impact · 92%
“gif $i++ } Use of disk encryption for destruction: in addition to the custom wiping tools, we observed the attackers attempting to leverage VeraCrypt, a legitimate and widely used disk encryption utility. In this case, the attacker connected to the compromised host via RDP and …”

T1485 Data Destruction · 91%
“subfolders) inside C:\Users foreach ($item in $items) { try { Remove-Item -Path $item.FullName -Recurse -Force -ErrorAction Stop } catch { Write-Host "Could not delete: $($item.FullName)" } } } $sourceFile = \\[redacted]\sysvol\[redacted]\script…”

T1133 External Remote Services · 90%
“followed by success; new device registrations; unusual data transfer volumes during VPN sessions; authentication from new ASN/hosting providers; restrict access from high-risk geographies and infrastructure; block inbound connections from Iran at the perimeter and on remote access serv…”

T1078 Valid Accounts · 90%
““Handala Hack” persona and its links to Void Manticore, an actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Handala is not the only persona maintained by this actor, which operates several fronts in campaigns targeting the United States, Israel, an…”

T1078 Valid Accounts · 88%
“, while the stolen data was ultimately leaked through Handala. One possible explanation is that Karma and Handala initially represented two separate teams or operational efforts within the same organization, but later converged under a single brand. This would be consistent with …”

T1003.001 LSASS Memory · 87%
“This earlier activity likely provided the group with persistent access and the domain administrator credentials required to carry out the attack. In the hours leading up to the destructive activity, Handala appeared to validate its access and test authentication using the comprom…”

T1003 OS Credential Dumping · 85%
“This earlier activity likely provided the group with persistent access and the domain administrator credentials required to carry out the attack. In the hours leading up to the destructive activity, Handala appeared to validate its access and test authentication using the comprom…”

T1072 Software Deployment Tools · 77%
“…ala’s wiping attack. wmic.exe /node:[redacted_hostname] /user:[redacted] /password:[redacted] process call create "cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Users\Public" Lateral…”

T1588.001 Malware · 76%
““Handala Hack” – Unveiling Group’s Modus Operandi. Key findings: Handala Hack is an online persona operated by Void Manticore (aka Red Sandstorm, Banished Kitten), an actor affiliated with Iranian Ministry of Intelligence and Security (MOIS). Additional personas associated w…”

T1021.001 Remote Desktop Protocol · 72%
“…ala’s wiping attack. wmic.exe /node:[redacted_hostname] /user:[redacted] /password:[redacted] process call create "cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Users\Public" Lateral…”

T1003.004 LSA Secrets · 54%
“This earlier activity likely provided the group with persistent access and the domain administrator credentials required to carry out the attack. In the hours leading up to the destructive activity, Handala appeared to validate its access and test authentication using the comprom…”

T1219 Remote Access Tools · 51%
“potentially unwanted software, including remote management and monitoring (RMM) tools, VPN applications such as NetBird, and tunneling utilities such as SSH for Windows. IOCs. MITRE ATT&CK breakdown. The post “Handala Hack” – Unveiling Group’s Modus Operandi appeared first o…”

T1588.002 Tool · 48%
““Handala Hack” – Unveiling Group’s Modus Operandi. Key findings: Handala Hack is an online persona operated by Void Manticore (aka Red Sandstorm, Banished Kitten), an actor affiliated with Iranian Ministry of Intelligence and Security (MOIS). Additional personas associated w…”

T1561.001 Disk Content Wipe · 41%
“and operate more efficiently. This approach enabled them to accelerate destructive activity while maintaining control of the operation from multiple footholds inside the network. During the incident, we observed at least five distinct attacker-controlled machines operating simu…”

T1485 Data Destruction · 31%
“gif $i++ } Use of disk encryption for destruction: in addition to the custom wiping tools, we observed the attackers attempting to leverage VeraCrypt, a legitimate and widely used disk encryption utility. In this case, the attacker connected to the compromised host via RDP and …”

T1059.001 PowerShell · 31%
“This earlier activity likely provided the group with persistent access and the domain administrator credentials required to carry out the attack. In the hours leading up to the destructive activity, Handala appeared to validate its access and test authentication using the comprom…”

Summary

Key Findings / Introduction: Handala Hack, also tracked by Check Point Research as Void Manticore, is an Iranian threat actor that is known for multiple destructive wiping attacks combined with “hack and leak” operations. The threat actor operates several online personas, with the most prominent among them being Homeland Justice, maintained from mid-2022 specifically for multiple attacks […]

The post “Handala Hack” – Unveiling Group’s Modus Operandi appeared first on Check Point Research.