Full Report
Key Findings (Introduction): Handala Hack, also tracked by Check Point Research as Void Manticore, is an Iranian threat actor that is known for multiple destructive wiping attacks combined with “hack and leak” operations. The threat actor operates several online personas, with the most prominent among them being Homeland Justice, maintained from mid-2022 specifically for multiple attacks […]
Source: The post “Handala Hack” – Unveiling Group’s Modus Operandi appeared first on Check Point Research.
Analysis Summary
# Threat Actor: Handala Hack (Void Manticore)
## Attribution & Identity
* **Actor Identification:** Identified as **Void Manticore**, an Iranian threat actor affiliated with the **Ministry of Intelligence and Security (MOIS)**.
* **Known Aliases:** Red Sandstorm, Banished Kitten.
* **Associated Personas:**
  * **Handala Hack:** Active since late 2023; current primary persona for Israel and US-based operations.
  * **Homeland Justice:** Active since mid-2022; primarily used for operations in Albania.
  * **Karma:** Earlier persona, likely now replaced by Handala.
## Activity Summary
The group is known for destructive "hack and leak" operations. While historically focused on regional Middle Eastern and Eastern European targets, recent campaigns (2025–2026) have expanded to include high-profile U.S. enterprises. Their operations typically involve quick, hands-on activity, often utilizing multiple wiping methods simultaneously to ensure maximum disruption.
## Tactics, Techniques & Procedures
* **Modus Operandi:** Hands-on-keyboard activity, often manual rather than automated. The group utilizes a mix of custom-built wipers and publicly available administrative/encryption tools.
* **Initial Access:** Leverages underground criminal services to purchase initial access or malware.
* **Evasion & Obfuscation:** Uses an AI-assisted PowerShell script for wiping activity, and commercial VPNs to hide the origin of its connections.
* **Destructive Techniques:** Implements multi-stage wiping including file deletion, disk encryption, and MBR (Master Boot Record) corruption.
### MITRE ATT&CK IDs
* **T1124 (System Time Discovery):** Used to check system hours/timezones.
* **T1105 (Ingress Tool Transfer):** Direct download of NetBird and VeraCrypt.
* **T1047 (Windows Management Instrumentation):** WMIC used for command execution.
* **T1484.001 (Group Policy Modification):** Distributing wipers via GPO.
* **T1037.003 (Network Logon Script):** Triggering destructive components during logon.
* **T1053.005 (Scheduled Task):** Launching wipers at specific times.
* **T1059.001 (PowerShell):** Execution of AI-assisted wiping scripts.
* **T1561.002 (Disk Structure Wipe):** Custom MBR-based wiping.
* **T1485 (Data Destruction):** Manual and automated file deletion.
* **T1486 (Data Encrypted for Impact):** Using VeraCrypt for disk encryption.
## Targeting
* **Sectors:** Government, Telecommunications, Medical Technology (MedTech), and Critical Infrastructure.
* **Geography:** Primarily Israel and Albania; recently expanded to the United States.
* **Victims:**
  * Albanian government and telecom sectors (via Homeland Justice).
  * Israeli organizations.
  * **Stryker** (US-based medical technology giant).
## Tools & Infrastructure
* **Malware Families:** Custom Handala Wiper, various off-the-shelf wipers.
* **Encryption Tools:** VeraCrypt (used for malicious disk encryption).
* **Networking/Tunneling:** **NetBird** (used to tunnel traffic into victim networks).
* **Infrastructure:** Commercial VPN services, open-source offensive security tools.
* **C2/Downloads:** Specific defanged URLs/IPs were not provided in the snippet; the report notes reliance on short-lived commercial infrastructure.
## Implications
The transition from regional targeting (Israel/Albania) to U.S.-based medical technology firms indicates a broadening of Iranian MOIS strategic objectives. The shift toward using AI-assisted scripts suggests an evolution in their payload development, aimed at increasing the efficiency and speed of destructive operations. The use of "hack and leak" alongside wiping ensures both operational paralysis and reputational damage.
## Mitigations
* **GPO Monitoring:** Rigorously audit and monitor Group Policy Object (GPO) changes to prevent mass distribution of unauthorized scripts or binaries.
* **Application Whitelisting:** Block or alert on unauthorized use of encryption tools like VeraCrypt and tunneling software like NetBird within corporate environments.
* **PowerShell Security:** Implement Constrained Language Mode and enhance logging (Script Block Logging) to detect AI-generated or obfuscated wiping scripts.
* **Initial Access Defense:** Focus on credential hygiene and MFA to mitigate the risk of "Access-as-a-Service" brokers selling entry points to MOIS-affiliated actors.
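The mitigations above map to a handful of Windows event sources: GPO changes surface as directory-service modifications (Event ID 5136 on `groupPolicyContainer` objects), wiper launches as scheduled-task creation (4698), the PowerShell wiping activity as script-block logging (4104), and the VeraCrypt/NetBird downloads as process creation (4688). The following is an added example, not code from the Check Point report or from any vendor product: a small triage script that runs these checks over a constructed set of event records. The destructive-command patterns, the watched binary names and the `APPROVED_TOOL_HOSTS` allow-list are assumptions chosen for the example, and the sample events are fabricated for illustration, not real telemetry.

```python
"""Triage Windows event records for the Void Manticore TTPs summarised above.

Checks: GPO modification (5136), scheduled-task creation (4698), destructive
PowerShell script blocks (4104) and execution of VeraCrypt/NetBird (4688)
outside an allow-list. All sample data below is constructed for the example.
"""
import re

# Hosts permitted to run the watched tools (assumption for the example).
APPROVED_TOOL_HOSTS = {"it-admin-01"}

# Binaries the mitigations section says to block or alert on.
WATCHED_BINARIES = {"veracrypt.exe", "netbird.exe"}

# Heuristic patterns for wiping activity in a script block (assumptions, not
# signatures from the report): recursive deletes, raw disk handles used for
# MBR/disk-structure wipes, and disk-level cmdlets.
DESTRUCTIVE_PATTERNS = [
    (r"remove-item\b.*-recurse", "recursive delete"),
    (r"\\\\\.\\physicaldrive\d", "raw disk handle (possible MBR/disk structure wipe)"),
    (r"\b(clear-disk|format-volume|initialize-disk)\b", "disk-level cmdlet"),
]
COMPILED_PATTERNS = [(re.compile(p, re.I), label) for p, label in DESTRUCTIVE_PATTERNS]


def classify(event):
    """Return a list of (rule, detail) findings for one event record."""
    eid = event.get("EventID")
    host = event.get("Host", "?")
    findings = []
    if eid == 5136 and event.get("ObjectClass") == "groupPolicyContainer":
        findings.append(("gpo_modified",
                         f"{event.get('Subject')} changed {event.get('ObjectDN')} "
                         f"({event.get('Attribute')})"))
    elif eid == 4698:
        findings.append(("scheduled_task_created",
                         f"{event.get('Subject')} created {event.get('TaskName')} on {host}"))
    elif eid == 4104:
        text = event.get("ScriptBlockText", "")
        for rx, label in COMPILED_PATTERNS:
            if rx.search(text):
                findings.append(("destructive_scriptblock", f"{label} on {host}"))
    elif eid == 4688:
        exe = event.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if exe in WATCHED_BINARIES and host.lower() not in APPROVED_TOOL_HOSTS:
            findings.append(("watched_tool_executed", f"{exe} on {host}"))
    return findings


def scan(events):
    """Run classify() over every record and flatten the findings."""
    out = []
    for ev in events:
        out.extend(classify(ev))
    return out


# Constructed sample records (fictional hosts, accounts and task names).
SAMPLE_EVENTS = [
    {"EventID": 5136, "Host": "dc-01", "ObjectClass": "groupPolicyContainer",
     "Subject": "CORP\\svc-backup", "Attribute": "gPCFileSysPath",
     "ObjectDN": "CN={A1B2C3},CN=Policies,CN=System,DC=corp,DC=example"},
    {"EventID": 5136, "Host": "dc-01", "ObjectClass": "user",
     "Subject": "CORP\\helpdesk", "Attribute": "description", "ObjectDN": "CN=jdoe"},
    {"EventID": 4698, "Host": "fin-ws-17", "Subject": "CORP\\svc-backup",
     "TaskName": "\\Microsoft\\Windows\\Maintenance\\SyncCache"},
    {"EventID": 4104, "Host": "fin-ws-17",
     "ScriptBlockText": "Get-Date; Remove-Item -Path C:\\Users\\* -Recurse -Force"},
    {"EventID": 4104, "Host": "fin-ws-17", "ScriptBlockText": "Get-ChildItem C:\\Logs"},
    {"EventID": 4104, "Host": "fin-ws-18",
     "ScriptBlockText": r"$h = [System.IO.File]::Open('\\.\PhysicalDrive0', 'Open')"},
    {"EventID": 4688, "Host": "fin-ws-17",
     "NewProcessName": "C:\\Program Files\\VeraCrypt\\VeraCrypt.exe"},
    {"EventID": 4688, "Host": "it-admin-01",
     "NewProcessName": "C:\\Users\\admin\\Downloads\\netbird.exe"},
    {"EventID": 4688, "Host": "fin-ws-17", "NewProcessName": "C:\\Windows\\notepad.exe"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the constructed records the script raises five findings: the GPO change, the scheduled task, two script blocks (the recursive delete and the raw `\\.\PhysicalDrive0` handle) and the VeraCrypt launch on a non-approved host; the NetBird launch on `it-admin-01` is suppressed by the allow-list. In production the allow-list and patterns would be tuned to the environment, and the GPO rule would normally be joined with the 4698/4104 events from the same actor within a short window, since the report describes the wipers being staged through GPO and fired by scheduled tasks and logon scripts.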