Some companies see cybersecurity as a cost center. We see things a little different. LEARN MORE >
Experiencing a Breach?
BLOG
Threat Brief: Handala Hack Team
JUMP TO: EXECUTIVE SUMMARY | DEFENSIVE RECOMMENDATIONS | STRYKER ATTACK | TTPs | IOAs | IOCs | OPERATIONAL CHARACTERISTICS | SOURCES
Threat Brief: Handala Hack Team
The Handala Hack Team recently made major news with their attack on medical device manufacturer Stryker.
First observed in late 2023, Handala is a pro-Palestinian hacktivist group that targets Israeli government, critical infrastructure and organizations perceived as aligned with Israel.
While they present themselves as an independent collective, analysts have identified probable links to Iranian cyber operations. What makes them particularly notable is their combination of destructive attacks, data theft and psychological messaging — a hybrid approach designed for both operational damage and media impact.
The Stryker incident, which unfolded on March 11, 2026, is a case in point. The attack wiped thousands of employee devices, locked workers out of systems and disrupted manufacturing operations globally.
With this in mind, we've put together a detailed threat brief covering Handala's known tactics, techniques and procedures (TTPs), indicators of compromise (IOCs) and defensive recommendations to help security teams assess their exposure and strengthen their defenses.
Read the full Handala Hack Team Threat Brief below.
Executive Summary
Handala Hack Team is a pro-Palestinian hacktivist group that emerged publicly in December 2023. The group conducts politically motivated cyber operations primarily targeting Israeli government, critical infrastructure, technology companies, and organizations perceived as supporting Israel.
Although the group presents itself as an independent hacktivist collective, multiple analysts believe it may have links to or alignment with Iranian cyber operations, potentially operating as a proxy or influence group.
Handala operations combine hacktivism, cyber-espionage, and information operations, including data leaks and psychological messaging designed to create political impact.
| First Observed | 2023 |
| Motivation | Ideological / political (anti-Israel, pro-Palestinian narrative) |
| Capability | Moderate (increasing sophistication) |
| Intent | High (ideologically motivated) |
| Operational Style | Hybrid hacktivism + destructive cyber operations |
Organizations may face elevated risk if they:
- Support Israeli organizations or infrastructure
- Operate in defense, healthcare, or technology sectors
- Are visible in geopolitical conflicts
Defensive Recommendations
Secure and monitor Microsoft Intune and endpoint management platforms.
Handala operations appear to leverage centralized management systems to deploy destructive actions across many endpoints, making strict access controls and monitoring critical.- Harden Microsoft 365 and Entra ID administrative access.
Because attacks may begin with identity compromise, organizations should enforce strong MFA, restrict administrative roles, and monitor for new privileged accounts or suspicious logins. - Strengthen defenses against targeted phishing campaigns.
Handala commonly uses spear phishing and socially engineered emails tied to current events to obtain credentials or deliver malware. - Detect early signs of destructive activity.
Security teams should alert on commands or behaviors associated with wiping systems or disabling recovery features. - Monitor for large-scale data exfiltration prior to disruption.
Handala frequently combines disruption with “hack-and-leak” operations, making unusual downloads or exports from cloud storage and collaboration platforms a key warning indicator. - Ensure rapid recovery from large-scale system disruption.
Since Handala attacks may focus on operational disruption rather than ransom, organizations should maintain tested recovery procedures and protected backups to quickly restore affected systems.
Latest Activity – Stryker Attack
Overview
On March 11, 2026, news reports indicated that medical device manufacturer Stryker experienced a large-scale cyberattack that disrupted its global IT environment. The attack caused outages across company systems and impacted employees and operations worldwide. Handala claimed responsibility for the operation via social media and Telegram channels. Employee posts on Reddit also appeared to confirm the disruption.
Key Impact
| Impact Area | Details |
|---|---|
| Global IT Outage | Company systems and services disrupted worldwide |
| Endpoint Wipes | Thousands of employee devices wiped, including Windows laptops and phones connected through Microsoft Intune |
| Access Loss | Employees locked out of systems, email, and internal applications |
| Operational Disruption | Manufacturing and office operations affected, including major facilities such as Cork, Ireland |
| Workforce Impact | Thousands of workers reportedly sent home due to outages |
Reports suggest the attack began shortly after midnight U.S. Eastern time.
Attack Characteristics
| Characteristic | Observed Activity |
|---|---|
| Destructive Behavior | Wiper-style activity rather than ransomware |
| Endpoint Impact | Data erased from endpoints using Microsoft Intune |
| Mobile Impact | Cell phones with Intune client wiped |
| Defacement | Login page defacement with Handala logo |
| Messaging | Propaganda-style message displayed after wipe |
This pattern aligns with destructive hacktivist or state-aligned influence operations, not financially motivated attacks.
Data Theft Claims
Handala claimed the operation included large-scale data exfiltration, stating they obtained 50 TB of data and wiped hundreds of thousands of systems. These claims have not been independently verified.
Known Tactics, Techniques, and Procedures (TTPs)
Initial Access
- Exploitation of public-facing vulnerabilities (unpatched web apps and infrastructure)
- Credential theft / use of previously breached credentials
- Phishing campaigns impersonating legitimate organizations or leveraging current events
- Telecom-based account takeover, possible via SIM-swapping
- Credential access against messaging platforms such as Telegram
- Trusted-channel abuse (supplier, CRM pathways, etc.)
Execution / Persistence
- Multi-stage malware deployment
- Loader frameworks written in Delphi and AutoIT
- Delivery of custom destructive malware targeting both Windows and Linux systems
- Living-off-the-land techniques, such as using Intune
- Webshell usage
Impact / Post-Compromise Activity
- RDP/SMB internal pivoting
- Data exfiltration and hack-and-leak operations
- Destructive attacks using disk-wiping malware
- Website defacement and DDoS campaigns
- Public doxing of employees and executives
- Psychological messaging and propaganda amplification via social media
Known Malware / Tools
| Malware / Tool | Description |
|---|---|
| Hamsa Wiper | Destructive malware used in the “Operation HamsaUpdate” campaign targeting Israeli infrastructure |
| Hatef Wiper | Custom wiper used in destructive attacks against targeted systems |
| Handala Malware / Loader | Multi-stage loader chain using Delphi-based loader and AutoIT injector to deploy destructive payloads |
Infrastructure & Communication Channels
- Telegram primary and backup channels
- t[.]me/HANDALA_RSS
- t[.]me/handala_backup_357
- Twitter / X accounts including x[.]com/hprnew and x[.]com/handala_rss (both reported suspended)
- Tox messaging
- Leak sites including www[.]handala-hack[.]to, handala[.]cx, and handala[.]to
Indicators of Activity (IOAs)
Potential Behavioral Indicators
| Category | Indicator |
|---|---|
| Network / Account Activity | Large volumes of Telegram login attempts or session hijacking |
| Network / Account Activity | SIM swap or unusual telecom events preceding account compromise |
| Network / Account Activity | Abnormal Telegram API enumeration activity for C2 |
| Network / Account Activity | Large data exfiltration followed by leak site publication |
| System Activity | Execution of AutoIT-based loaders |
| System Activity | Suspicious Delphi binaries executing staged payloads |
| System Activity | Disk-wipe behavior shortly after compromise |
| System Activity | Use of remote management tools such as NetBird |
| Operational Indicators | Threat actor messaging referencing “Handala,” “HamsaUpdate,” or anti-Israel propaganda statements |
Indicators of Compromise (IOCs)
Publicly documented hard IOCs are limited, which is common with hacktivist groups. Indicators below should be evaluated in context, especially medium-likelihood items.
Initial Access IOCs
| IOC | Description | Likelihood |
|---|---|---|
| link-target[.]net/jfby32 | Example lure / delivery URL seen in campaign | Medium |
| www[.]icanhazip[.]com | IP identification site | Medium |
| mega[.]nz / mega[.]io | Mega used to host malicious .msi installers | High |
| 64.176.172.0/24 | Reported CIDR associated with campaign infrastructure | Medium |
| storjshare[.]io/ | Storj-hosted payload used to deliver installer / payload | High |
| 169.150.227.0/24 | VPN service | Medium |
| 64.176.172.101 | Reported recurring cluster / staging IP | Medium |
| 64.176.172.165 | Reported recurring cluster / staging IP | Medium |
| 64.176.169.22 | Reported recurring cluster / staging IP (Void Manticore lineage) | Medium |
| 64.176.172.235 | Reported recurring cluster / staging IP | Medium |
| 64.176.173.77 | Reported recurring cluster / staging IP | Medium |
| 146.185.219.235 | VPN service | Medium |
Malware / File IOCs
| IOC | Description | Likelihood |
|---|---|---|
| Careol.zip / Carrol.zip | Archive names observed in campaign; OCR / spelling variants | Medium |
| Carrol.cmd | Script artifact observed in delivery / execution chain | Medium |
| Champion.pif | Payload filename observed in campaign artifacts | Medium |
| cl.exe | Wiper binary (destructive executable) | High |
| ClientBin.aspx | ASPX web shell | Medium |
| CrowdStrike.exe | Fake “fix” executable name used as lure / payload | Medium |
| do.zip / Do.exe | Delivery / artifact name tied to destructive stage | Medium |
| error4.aspx | ASPX web shell | Medium |
| error4.aspx / ClientBin.aspx / pickers.aspx | ASPX webroot filenames matching observed webshells | High |
| GoXML.exe | Wiper-family executable observed in destructive incidents | High |
| mellona.exe / disable_defender.exe | Tools / filenames used for AV or defense disabling | Medium |
| OpenFileFinder.dll | DLL observed in payload chains (data access / exfil stage) | Medium |
| Phase3.ps1 | PowerShell stage observed in wiper chains | Medium |
| Pickers.aspx | ASPX web shell | Medium |
| RawDisk3 | Service label used to run raw disk / destructive driver | High |
| reGeorge | Webshell family used for web-tier persistence and lateral pivot | High |
| rwdsk.sys | Raw disk / driver artifact used by destructive tooling | High |
| Ukraine | Wiper-stage artifact name appearing in reporting | Medium |
Released Cryptographic Hashes
| Artifact | Hash |
|---|---|
| cl.exe | e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0 |
| GoXML.exe | bbe983dba3bf319621b447618548b740 |
| Handala PowerShell Wiper | 3cb9dea916432ffb8784ac36d1f2d3cd |
| Handala Wiper (handala.exe) | 5986ab04dd6b3d259935249741d3eff2 |
| malicious .msi (CRM-linked installer) | 6eb7dbf27a25639c7f11c05fd88ea2a301e0ca93d3c3bdee1eb5917fc60a56ff |
| NetBird Installation File | 3dfb151d082df7937b01e2bb6030fe4a |
| Rwdsk.sys | 3c9dc8ada56adf9cebfc501a2d3946680dcb0534a137e2e27a7fcb5994cd9de6 |
Additional Note: Additional hashes have been released and tied to the threat actor without full context. Independent validation has not been performed. Use those values with caution.
Observed Command Execution
| Command / IOC | Description | Likelihood |
|---|---|---|
vssadmin Delete Shadows /all /quiet | Shadow copy deletion command used pre/post-wipe | High |
bcdedit /set {default} recoveryenabled No | Boot recovery disabled via bcdedit (anti-recovery) | High |
bcdedit /set {default} bootstatuspolicy ignoreallfailures | Boot policy changed to hinder recovery | High |
Wiper arg: confirmdeletefiles | Wiper invocation argument observed in destructive chain | High |
ping 4.2.2.4 -n 5 > Nul | Ping timing / flow-control pattern used inside scripts | Medium |
Operational Characteristics
- Public real-time announcement of attacks on social media
- Focus on psychological influence and media impact rather than stealth persistence
- Blends hacktivism with destructive operations, which is increasingly common in geopolitically motivated campaigns
Sources
- Wiz Threats – Handala
- JISS – Cyber as the Continuation of War by Other Means
- Brandefense – Handala: The Rise of a Decentralized Pro-Palestinian Threat Actor
- Malpedia – Handala (Threat Actor)
- eSecurity Planet – Handala Leak Shows Telegram Account Risk
- Government of Canada – Iran-linked hacker group reporting
- ETDA Thailand – Handala Hack Team threat card
- LevelBlue SpiderLabs – Handala publication analysis
- ICT.org – Handala Hack Team psychological warfare assessment
- Cyberint – Handala Hack overview
- Splunk – Handala’s Wiper: Threat Analysis and Detections
- Intezer – Operation HamsaUpdate analysis
- Medium CTI research on Handala Hack Group
