Full Report
The U.S. Federal Bureau of Investigation (FBI) warned network defenders that Iranian hackers linked to the country's Ministry of Intelligence and Security (MOIS) are using Telegram in malware attacks. [...]
Analysis Summary
# Threat Actor: Handala (and associated Iranian clusters)
## Attribution & Identity
* **Primary Name:** Handala (also known as Handala Hack Team)
* **Aliases:** Hatef, Hamsa, Homeland Justice, Karma Below
* **Known Associations:**
  * **Ministry of Intelligence and Security (MOIS):** Direct link cited by the FBI.
  * **Islamic Revolutionary Guard Corps (IRGC):** Specifically linked through the *Homeland Justice* alias.
* **Persona:** Often presents as a "pro-Palestinian hacktivist" group to mask state-sponsored origins.
## Activity Summary
The group is currently engaged in high-impact operations involving data exfiltration, wiper attacks, and information operations. Recent notable operations include a large-scale cyberattack on the U.S. medical giant **Stryker**, where the actors leveraged administrative access to factory reset approximately 80,000 devices. In March 2026, the FBI seized several domains used by these clusters for leaking stolen data and coordinating attacks.
## Tactics, Techniques & Procedures
* **Command and Control (C2):** Abuse of Telegram’s infrastructure to manage malware and receive exfiltrated data.
* **Social Engineering:** Used as the primary delivery vector to infect targets with Windows-based malware.
* **Credential Abuse:** Compromising Windows domain administrator accounts to gain high-level privileges.
* **Endpoint Management Exploitation:** Use of Microsoft Intune's "wipe" command to perform mass-scale device destruction/reset.
* **Malware Capabilities:**
  * Screen capture (screenshots).
  * File exfiltration.
  * Data leaking via dedicated onion/clearnet sites.
## Targeting
* **Sectors:** Healthcare (Medical giants), Government, Media, Dissident groups.
* **Geography:** United States, Middle East (Israel-related context), and global targets criticizing the Iranian government.
* **Victims:**
  * **Stryker** (U.S. medical corporation).
  * Journalists, Iranian dissidents, and oppositional groups.
  * High-intelligence-value individuals.
## Tools & Infrastructure
* **Malware Families:** Custom Windows-based malware capable of exfiltration.
* **Abused Legitimate Tools:** Microsoft Intune (MDM "wipe" command used for mass device resets).
* **Infrastructure (Defanged):**
  * handala-redwanted[.]to (Seized)
  * handala-hack[.]to (Seized)
  * justicehomeland[.]org (Seized)
  * karmabelow80[.]org (Seized)
* **Communications:** Telegram (API-based C2), Signal/WhatsApp (identified in broader intelligence context for phishing).
## Implications
These actors represent a shift from simple data theft to aggressive disruptive operations (e.g., mass device wiping via MDM tools). By operating under "hacktivist" personas like Handala, the MOIS and IRGC can achieve strategic goals—such as punishing critics or damaging Western infrastructure—while maintaining a degree of plausible deniability. The use of legitimate services like Telegram for C2 makes detection more difficult for standard network filtering tools.
## Mitigations
* **MDM Security:** Enforce Multi-Factor Authentication (MFA) for all Global Administrator and Domain Administrator roles, specifically for Microsoft Intune and Entra ID (formerly Azure AD).
* **Egress Filtering:** Monitor and potentially restrict network traffic to Telegram API domains if not required for business operations.
* **Credential Protection:** Implement Privileged Access Management (PAM) to prevent the lateral movement required to compromise Windows Domain Admin accounts.
* **User Awareness:** Train high-value targets (executives, journalists) against social engineering via instant messaging platforms.
* **Device Backups:** Maintain offline backups to recover from mass-wipe scenarios using MDM commands.
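The mass-wipe scenario in the Stryker incident is detectable from MDM audit data as an unusual burst of remote wipe actions from a single administrative account. The script below is an added example, not from the FBI advisory or any vendor; it uses a constructed, simplified audit-event schema (the field names `time`, `actor`, `action`, `device` are assumptions, not Microsoft's real Intune audit log format) and flags any actor whose wipe/retire count inside a sliding window reaches a threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of simplified MDM remote-action audit events.
# Assumed schema for illustration only; map your real Intune/Graph audit
# fields onto it before use. One helpdesk wipe is normal; six wipes from
# one admin account within three minutes is the burst we want to catch.
SAMPLE_EVENTS = [
    {"time": "2026-03-02T01:10:00Z", "actor": "helpdesk@corp.example", "action": "sync", "device": "LAP-0100"},
    {"time": "2026-03-02T01:12:00Z", "actor": "helpdesk@corp.example", "action": "wipe", "device": "LAP-0101"},
    {"time": "2026-03-02T02:00:00Z", "actor": "da-admin@corp.example", "action": "wipe", "device": "LAP-0001"},
    {"time": "2026-03-02T02:00:30Z", "actor": "da-admin@corp.example", "action": "wipe", "device": "LAP-0002"},
    {"time": "2026-03-02T02:01:00Z", "actor": "da-admin@corp.example", "action": "wipe", "device": "LAP-0003"},
    {"time": "2026-03-02T02:01:30Z", "actor": "da-admin@corp.example", "action": "wipe", "device": "LAP-0004"},
    {"time": "2026-03-02T02:02:00Z", "actor": "da-admin@corp.example", "action": "wipe", "device": "LAP-0005"},
    {"time": "2026-03-02T02:02:30Z", "actor": "da-admin@corp.example", "action": "wipe", "device": "LAP-0006"},
]

DESTRUCTIVE_ACTIONS = ("wipe", "retire")


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: alert} for every actor whose destructive actions inside
    any sliding window of `window` reach `threshold`. The alert keeps the
    devices in the window at the time the burst was largest."""
    per_actor = defaultdict(deque)  # actor -> deque of (time, device) in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        now = parse_time(ev["time"])
        recent = per_actor[ev["actor"]]
        recent.append((now, ev["device"]))
        while recent and now - recent[0][0] > window:  # expire old actions
            recent.popleft()
        if len(recent) >= threshold:
            alerts[ev["actor"]] = {
                "first_seen": recent[0][0].isoformat(),
                "count": len(recent),
                "devices": [dev for _, dev in recent],
            }
    return alerts


if __name__ == "__main__":
    for actor, alert in detect_mass_wipe(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {alert['count']} wipes since {alert['first_seen']}")
```

Pair the threshold with the MFA and PAM controls above: a burst alert is only useful if someone can revoke the issuing account's sessions before the queue of wipe commands finishes.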