Handala Hack’s Parallel Wipers: MOIS‑Linked Intrusions Redefine Destruction

A destructive wave of cyberattacks attributed to Handala Hack, part of Iran’s Void Manticore (also tracked as Red Sandstorm and Banished Kitten), has struck organizations in Israel, Albania, and the United States. Unlike espionage‑driven campaigns, these intrusions are designed to obliterate data and cripple recovery efforts.

Attack Chain Overview

  • Initial access: Compromised VPN credentials via brute‑force or supply chain breaches.
  • Movement: Manual navigation through Remote Desktop Protocol (RDP).
  • Tunneling: Abuse of NetBird, a legitimate peer‑to‑peer networking tool, to move traffic inside victim networks.
  • Parallel wipers: Multiple destructive tools deployed simultaneously to maximize damage.
  • Operational footprint: At least five attacker‑controlled machines observed working in parallel within victim environments.

Destructive Toolkit

  1. Handala Wiper
    • Distributed via Group Policy logon scripts (handala.bat).
    • Overwrites files and corrupts the Master Boot Record (MBR).
    • Executes remotely from the Domain Controller, avoiding disk artifacts.
  2. AI‑Assisted PowerShell Wiper
    • Deletes user directories.
    • Floods logical drives with a propaganda image (handala.gif).
  3. VeraCrypt Abuse
    • Legitimate encryption utility downloaded via victim’s browser.
    • Locks drives to prevent recovery.
  4. Manual RDP Deletions
    • Operators manually delete files and virtual machines.
    • Documented in the group’s own leaked videos.
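The four tools above each leave endpoint telemetry a defender can hunt for. The following script is an added example, not code from the article or from Void Manticore: it runs four hunting rules over constructed Sysmon-style process and file events. The executable names for NetBird (netbird.exe) and VeraCrypt, and gpscript.exe as the parent of a Group Policy logon script, are assumptions; the handala.bat and handala.gif names come from the article.

```python
# Added example (not the article's or Void Manticore's code): hunting rules for the
# endpoint-side indicators the article lists. Telemetry below is constructed
# Sysmon-style data; executable names for NetBird and VeraCrypt are assumptions.
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    kind: str          # "process" (process creation) or "file" (file write)
    host: str
    user: str
    image: str         # launched executable (process) or written path (file)
    parent: str = ""   # parent process image, process events only
    cmdline: str = ""  # command line, process events only


# Constructed sample telemetry, not data from any real victim.
SAMPLE_EVENTS = [
    # Logon script pushed by Group Policy; gpscript.exe as parent is an assumption.
    Event("process", "DC01", r"CORP\svc_admin", r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\System32\gpscript.exe",
          cmdline=r"cmd.exe /c \\corp.local\SYSVOL\corp.local\scripts\handala.bat"),
    # Propaganda image written to the root of two logical drives.
    Event("file", "WS-042", r"CORP\alice", r"D:\handala.gif"),
    Event("file", "WS-042", r"CORP\alice", r"E:\handala.gif"),
    # Encryption utility launched straight from a browser download.
    Event("process", "WS-017", r"CORP\bob", r"C:\Users\bob\Downloads\VeraCrypt Setup.exe",
          parent=r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    # Peer-to-peer tunneling client brought up interactively.
    Event("process", "WS-017", r"CORP\bob", r"C:\Program Files\NetBird\netbird.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="netbird.exe up"),
    # Benign activity that must not fire.
    Event("process", "WS-003", r"CORP\carol", r"C:\Windows\System32\notepad.exe",
          parent=r"C:\Windows\explorer.exe"),
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
DRIVE_ROOT_GIF = re.compile(r"^[a-z]:\\handala\.gif$", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (host, rule_name) findings; one finding per matching event."""
    findings: List[Tuple[str, str]] = []
    gif_drives = {}  # host -> set of drive letters that received handala.gif
    for ev in events:
        if ev.kind == "process":
            text = f"{ev.image} {ev.cmdline}".lower()
            # Rule 1: the named wiper script, wherever it is referenced.
            if "handala.bat" in text:
                findings.append((ev.host, "gpo_wiper_script"))
            image = basename(ev.image)
            # Rule 2: VeraCrypt spawned by a browser (download-and-run pattern).
            if image.startswith("veracrypt") and basename(ev.parent) in BROWSERS:
                findings.append((ev.host, "veracrypt_from_browser"))
            # Rule 3: NetBird client present at all; treat as compromise until explained.
            if image == "netbird.exe":
                findings.append((ev.host, "netbird_tunnel"))
        elif ev.kind == "file" and DRIVE_ROOT_GIF.match(ev.image):
            gif_drives.setdefault(ev.host, set()).add(ev.image[0].upper())
    # Rule 4: the same image landing on two or more drive roots of one host.
    for host, drives in sorted(gif_drives.items()):
        if len(drives) >= 2:
            findings.append((host, "propaganda_image_flood"))
    return findings


if __name__ == "__main__":
    for host, rule in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Rule 1 keys on the script name because the article names it; a longer-lived version would instead alert on any newly added logon script in SYSVOL, which catches a renamed wiper. Rule 4 deliberately needs two drive roots so that a single user saving an image does not page the on-call analyst.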

Distinctive Traits

  • Multi‑layer destruction: Running four wipers simultaneously ensures near‑total loss.
  • Reduced discipline: Activity traced directly to Iranian IPs, unlike earlier VPN masking.
  • Persona strategy: Operates under multiple banners — Handala Hack, Homeland Justice, Karma.
  • Expansion: Recent attacks extended to U.S. organizations, including medical technology firm Stryker.

Defensive Recommendations

  • Enforce MFA: Mandatory for all remote access and privileged accounts.
  • Monitor anomalies: Watch for logins from unusual geographies, hours, or devices.
  • Block risky IP ranges: Iranian IPs and known Starlink ranges should be filtered at the perimeter.
  • Disable RDP where unnecessary: Especially on default‑named Windows machines (e.g., DESKTOP‑XXXXXX).
  • Detect tunneling tools: NetBird or similar utilities inside networks may indicate compromise.
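The identity-side recommendations above (MFA, unusual geography or hours, unknown devices, blocked ranges, RDP from default-named hosts) can be expressed as a small scoring function over logon records. The script below is an added example, not the article's own code. The logon records, the policy values, the ISO country field (assumed to come from a GeoIP lookup) and the MFA flag (assumed to come from the identity provider) are all constructed; the blocked range is a documentation-range placeholder standing in for an organisation's own Iranian and Starlink block list.

```python
# Added example (not the article's code): scoring a logon record against the
# recommendations above. Records, policy values and the GeoIP country field are
# constructed; the blocked range is a placeholder for an organisation's own list.
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class Logon:
    when: datetime
    user: str
    workstation: str  # source workstation name as reported in the logon event
    src_ip: str
    logon_type: int   # Windows logon type; 10 = RemoteInteractive (RDP)
    country: str      # ISO country code from the organisation's GeoIP lookup (assumed)
    mfa: bool         # whether the session passed MFA (assumed available from the IdP)


# Constructed policy values for a notional organisation.
BUSINESS_HOURS = range(7, 20)                               # 07:00-19:59 local time
ALLOWED_COUNTRIES = {"IL", "US"}
KNOWN_DEVICES = {"alice": {"WS-042"}, "bob": {"WS-017"}}
BLOCKED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # placeholder documentation range
# Default Windows hostname pattern the article calls out (DESKTOP-XXXXXX); length assumed.
DEFAULT_HOSTNAME = re.compile(r"^DESKTOP-[A-Z0-9]{6,8}$")
RDP = 10


def score_logon(rec: Logon) -> List[str]:
    """Return the policy rules a logon violates (empty list means nothing unusual)."""
    reasons: List[str] = []
    if rec.country not in ALLOWED_COUNTRIES:
        reasons.append("unusual_geography")
    if rec.when.hour not in BUSINESS_HOURS:
        reasons.append("off_hours")
    if rec.workstation not in KNOWN_DEVICES.get(rec.user, set()):
        reasons.append("unknown_device")
    if any(ipaddress.ip_address(rec.src_ip) in net for net in BLOCKED_RANGES):
        reasons.append("blocked_range")
    if rec.logon_type == RDP and DEFAULT_HOSTNAME.match(rec.workstation):
        reasons.append("rdp_from_default_named_host")
    if rec.logon_type == RDP and not rec.mfa:
        reasons.append("rdp_without_mfa")
    return reasons


# Constructed records: one routine logon and one that matches the article's pattern.
SAMPLE_LOGONS = [
    Logon(datetime(2025, 1, 14, 9, 12), "alice", "WS-042", "10.0.5.42", 2, "IL", True),
    Logon(datetime(2025, 1, 14, 3, 27), "bob", "DESKTOP-A1B2C3D", "203.0.113.7", RDP, "IR", False),
]


def triage(logons: List[Logon], threshold: int = 2) -> List[str]:
    """Users whose logon trips at least `threshold` rules, in input order, de-duplicated."""
    flagged: List[str] = []
    for rec in logons:
        if len(score_logon(rec)) >= threshold and rec.user not in flagged:
            flagged.append(rec.user)
    return flagged


if __name__ == "__main__":
    for rec in SAMPLE_LOGONS:
        print(rec.user, score_logon(rec) or "ok")
    print("escalate:", triage(SAMPLE_LOGONS))
```

Any single rule can fire on a travelling employee, so `triage` escalates only when several fire together; the second constructed record trips all six, which is the profile the article describes (an RDP session without MFA, from a blocked range, off hours, on a default-named workstation). The `blocked_range` rule belongs at the perimeter as well; scoring it here catches sessions that arrive through a path the perimeter filter does not see, such as a split-tunnel VPN.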

Final Thought

Handala Hack’s campaign demonstrates a shift from espionage to outright destruction, leveraging legitimate tools like RDP, NetBird, and VeraCrypt alongside custom wipers. By attacking from multiple angles at once, the group ensures victims face irreversible damage and prolonged recovery timelines. For defenders, the lesson is clear: identity, access, and tunneling detection are critical to stopping destructive intrusions before they spread.
