Handala Hack

List of names used by the industry:
- Handala hack team
- Hatef
- Hamsa
- Void Manticore
Date founded:
- Late 2023
Affiliation:
Affiliated with Iran, MOIS, Hezbollah and Hamas.
Social media handles/websites:
- Telegram – @Handala_hack, @Handala_backup, @Handala_Leak, @Handala_BREACH, @cyber_HANDALA (current account), @handala_redwant
- X – x.com/Handala_Hack, x.com/Handala_X, x.com/hprred and x.com/rcybernews (current accounts)
- Websites – handala[.]to, handala[.]cx, handala-hack-to, handala-hack.tw (current website), handala-redwanted.ps (website listing individuals and organizations that support Israel)
Previous operations:
- 2024 – Handala allegedly breached DRS RADA, one of the leading providers of radar systems for Israel’s defense sector, compromising the Iron Dome system.
- 1 June 2024 – MyCity application false messages. Sent alarming SMS messages in Hebrew to residents of the Ma’la Yosef regional council containing a download link to the MyCity mobile app, which offers crisis management solutions for local authorities. If the compromised version of the app was downloaded, it would allow the group to further infiltrate the device.
- 15 June 2024 – Handala claimed responsibility for a significant cyber attack on Ma’agan Michael Kibbutz, exfiltrating 22GB of data and sending over 5,000 warning SMS messages.
- June 2024 – Handala claimed responsibility for a significant cyber attack against Zerto, a subsidiary of Hewlett Packard Enterprise (HPE). Handala claimed exfiltration and subsequent deletion of 51TB of data.
- September 2025 – Claimed to have extracted 379 GB of “sensitive information, including military, governmental, and security data” from Amos Spacecom Company.
- October 2025 – Handala RedWanted “Saturday Files” – Established a weekly pattern of publishing personal details of Israelis connected to the military, defense industries, and occasionally the media. Cash rewards up to $30,000 were offered for information.
- 28 December 2025 – Breached phones of Netanyahu associate and former PM Bennett. Published materials from the phone of Chief of Staff, Tzachi Braverman.
- February 2026 – The group claimed responsibility for compromising an Israeli energy exploration company, targeting Israeli civilian healthcare systems, and breaching Jordan’s fuel systems.
- 3 March 2026 – Following the wave of Israeli-US attacks on Iran, Handala posted a message on its new X account (Handala_X) stating: “we are unstoppable, and many surprises are on the way. Please introduce our new account to your friends.” Handala also published a statement on its website saying that on 2 March the group hacked Israel Opportunity Energy.
- 3 March 2026 – The group posted that they had hacked one of the UAE’s largest oil giants, Sharjah National Oil Corporation, and extracted 1.3TB of sensitive data including financial records, contracts and internal documents. On 3 March, Nariman Gharbi reported that the group’s leader, Seyyed Yahya Hosseini Panjaki, had been killed during the Iran-Israel strikes.
- 12 March 2026 – The threat actor claimed a massive wiper attack against U.S. medical device manufacturer Stryker in retaliation for the Minab school bombing in Iran.
- 27 March 2026 – Handala claimed to have hacked the personal email of FBI Director Kash Patel, publishing more than 300 emails, alongside his photos and an alleged resume.
- 31 March 2026 – Handala claimed to have hacked and taken control of IranWire, which they state is operated under the support and guidance of the CIA. They posted several videos showing the hack of both IranWire’s Instagram account and its website.
- 1 April 2026 – Handala Hack announced the hacking of the IT infrastructure of St Joseph County in the state of Indiana. Over 2 terabytes of sensitive information belonging to organizations such as the Prosecutor’s Office, Police and Health Centers were stolen. 12 terabytes of vital data was also wiped. Handala released over 2000 of these classified documents.
- 2 April 2026 – Handala carried out a cyber attack on the networks of PSK WIND Technologies, the main designer and implementer of integrated command and control systems for Israel’s air defense. All sensitive data was extracted from their servers.
- 9 April 2026 – The group claimed it had extracted over 19,000 confidential images and videos of General Herzi Halevi, the Israeli former Chief of Staff.
- 10 April 2026 – The group posted an email address ([email protected]) and encouraged people to reach out via that email with any information or documents. On the same day, Handala released the full list of names, photos, and personal details of 80 senior officers from the “Iran Desk” of Israel’s top-secret Unit 8200.
- 12 April 2026 – The group carried out an operation in which they stated 6 petabytes of data had been completely destroyed and 149 terabytes of the most classified documents had been extracted from three UAE organizations: Dubai Courts Department, Dubai Land Department and Dubai Roads and Transport Authority.
- 13 April 2026 – The group claimed a hack, in a wide-scale and unprecedented cyber operation, on the two steel giants Foulath and SULB, located in Bahrain and Saudi Arabia. The group stated these companies were completely compromised and forced out of operational status.
- 16 April 2026 – The group hacked GNS Cloud, Israel’s Largest Cloud Company.
- 25 April 2026 – Exposed details of 100 Senior Officers of the Israeli Maglan Unit.
- 28 April 2026 – The group exposed partial details of 2379 U.S. Marines who are currently stationed in the Middle East.
Tactics/Techniques/Tradecraft/Procedures (TTPs):
- Presents as a pro-Palestine hacktivist organization. “Increasingly shifted from conventional cyber intrusions to targeted influence campaigns designed to erode morale, generate public pressure and drama, and project reach far beyond cyberspace.”
- Primarily uses phishing, including SMS, as a means of gaining initial access for their attacks. The team takes advantage of major events and newly disclosed critical vulnerabilities to opportunistically create phishing campaigns using advanced social engineering techniques. Handala gains entry by sending deceptive phishing emails containing a malicious PDF attachment. This document lures the victim by masquerading as a utility to fix a widespread system crash or downtime issue. Once the user clicks the embedded link, a malicious ZIP archive is downloaded to ultimately deploy the wiper.
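A mail-gateway triage check for the delivery chain described above (PDF attachment whose embedded link fetches an archive), given as an added example and not taken from any of the listed sources. The function names, the archive extension list beyond ZIP, and the sample PDF with its example.com/example.net hosts are assumptions constructed for illustration.

```python
import re
import zlib
from urllib.parse import urlsplit

# Assumption: the page names only ZIP; other archive types are added for coverage.
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)

def inflate_streams(pdf: bytes) -> bytes:
    """Raw PDF bytes plus every stream that inflates, so links kept in
    compressed object streams are visible to the regex as well."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded or encrypted: needs a full PDF parser
    return b"\n".join(parts)

def link_targets(pdf: bytes) -> list[str]:
    """Every literal-string /URI action target found in the document."""
    found = URI_RE.findall(inflate_streams(pdf))
    return [u.replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")
            for u in found]

def archive_links(pdf: bytes) -> list[str]:
    """Links whose URL path ends in an archive extension."""
    return [u for u in link_targets(pdf)
            if urlsplit(u).path.lower().endswith(ARCHIVE_EXT)]

# Constructed sample: one harmless link in a plain object, one archive link
# inside a Flate-compressed stream. Hosts are reserved example domains.
_packed = zlib.compress(b"<< /S /URI /URI (https://files.example.net/fix/tool.zip) >>")
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj << /Subtype /Link /A << /S /URI "
    b"/URI (https://example.com/help) >> >> endobj\n"
    b"2 0 obj << /Filter /FlateDecode >>\nstream\n" + _packed +
    b"\nendstream endobj\n%%EOF\n"
)

if __name__ == "__main__":
    for url in archive_links(SAMPLE_PDF):
        print("quarantine candidate:", url)
```

Links stored as hex strings or inside encrypted documents are not covered by this regex pass; attachments that fail to inflate should be routed to a full PDF parser or sandbox.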
Sources:
ict.org.il/bibi-gate-handala-hack-team-a-mask-for-iranian-psychological-warfare/
ict.org.il/wp-content/uploades/2025/12/image-11-1024×341
cyberint.com/wp-content/uploads/2024/07
cyberint.com/blog/threat-intelligence/handala-hack-what-we-know-about-the-rising-threat-actor/
israelhayom.com/2025/12/28/handala-hackers-iranian-cyber-attacks-israeli-officials
splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html
ransomlook.io/group/handala

