An Iranian state‑aligned threat actor known as Handala Hack has conducted a series of high‑impact destructive cyberattacks across Israel, Albania, and the United States, using a combination of RDP access, network tunneling tools, and multi‑layered wipers to cause maximum operational damage.
Handala is a persona of Void Manticore, also tracked as Red Sandstorm and Banished Kitten, a group directly linked to Iran’s Ministry of Intelligence and Security (MOIS). That makes it a state‑backed destructive operator rather than a hacktivist collective.
Handala’s operations are not espionage-driven. Their campaigns are engineered specifically for data destruction, with a goal of making recovery extremely difficult or impossible.
🏴 Handala Hack: Personas and Global Expansion
Handala Hack draws its branding from the Palestinian cartoon figure “Handala” and maintains three public-facing personas:
- Handala Hack
- Karma
- Homeland Justice
Homeland Justice has been active since mid‑2022, targeting Albanian government agencies, telecom operators, and national infrastructure, while the older Karma alias has largely been phased out.
Beginning in late 2025 and early 2026, the group expanded operations to the United States, including attacks on medical technology firm Stryker, demonstrating an escalating global threat footprint.
Check Point researchers documented Handala’s evolving techniques—some consistent since 2024, others newly introduced in 2026.
🔍 Evolving Intrusion Techniques
Recent campaigns show refinement in Handala’s tactics, including:
✔ Use of NetBird
A legitimate peer‑to‑peer networking tool abused for covert traffic tunneling inside compromised environments.
✔ AI‑Assisted PowerShell Wiper
An automated script capable of wiping directory contents and overwriting drives with propaganda images.
✔ Operational Sloppiness
Investigators observed activity tied directly to Iranian IP addresses, unlike earlier campaigns that used commercial VPNs to mask origin—a notable decline in operational discipline.
🚪 Initial Access: VPN Credential Theft and RDP Navigation
Handala’s intrusions typically begin with compromised VPN credentials—either brute‑forced or harvested via upstream supply‑chain compromises targeting IT service providers.
After establishing a foothold, the attackers rely heavily on Remote Desktop Protocol (RDP) to pivot between systems by hand. Multiple attacker‑controlled machines, at least five at once in some cases, were observed operating inside a single victim network.
This manual navigation underscores Handala’s intent to rapidly maximize destruction, not to linger for espionage.
💣 Parallel Wiping Operations: Multi‑Layered Destruction
What makes Handala especially dangerous is its multi‑pronged wiper strategy, which runs four destructive mechanisms simultaneously, ensuring organizations have minimal opportunity for recovery.
1. Handala Wiper (GPO‑Delivered, Fileless Execution)
- Delivered via Group Policy logon scripts
- Triggered by a batch file named handala.bat
- Overwrites files and corrupts the Master Boot Record (MBR)
- The executable is loaded over the network from a Domain Controller share when the logon script runs, and is never written to the local disk of the target host
This fileless execution leaves little on the endpoint for file‑based scanning to catch; detection has to lean on process‑creation telemetry (an image path on a network share) and on auditing the GPO itself.
2. AI‑Assisted PowerShell Wiper
- Wipes files across user directories
- Fills drives with a propaganda image (handala.gif) to overwrite free space
3. VeraCrypt Drive Locking
Handala operators download VeraCrypt directly using the victim’s own browser, encrypting entire drives to block data recovery efforts.
4. Manual RDP‑Based Deletion
As a final blow, the actors manually delete:
- Virtual machines
- File shares
- Critical directories
…over RDP, a process they have documented and publicized in their own leaked videos.
🌐 Why Recovery Is Nearly Impossible
This parallel wiping approach ensures:
- Compromised systems lose data simultaneously from multiple angles
- Domain Controllers distribute destructive payloads at scale
- Local backups are erased
- Storage volumes become unrecoverable
- Wiper traces blend into legitimate GPO or admin‑level actions
Even well‑prepared organizations may face catastrophic outages.
🛡 Defensive Recommendations
Security teams must treat Handala as a state-backed destructive threat, not a nuisance or hacktivist actor. Recommended actions include:
🔐 1. Enforce MFA for All Remote Access & Privileged Accounts
This remains the single most important control.
🌍 2. Block Connections from Iranian and Known Starlink IP Ranges
Researchers observed attacker activity originating from both.
🚫 3. Disable RDP Wherever Possible
Especially on systems with default naming patterns like:
- DESKTOP-XXXXXX
- WIN-XXXXXX
🛰 4. Monitor for NetBird or Other Tunneling Tools
Presence of such software in enterprise networks is a major red flag.
📊 5. Watch for Anomalous VPN Activity
Indicators include:
- Logins from new countries
- Logins outside normal business hours
- Sudden spikes in VPN data transfer
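The geographic block in recommendation 2 and the three VPN indicators above can be turned into a first‑pass detector over exported VPN session logs. The script below is an added example, not code from the page or from Check Point: the log format, user names, business‑hours window and spike threshold are all assumptions, and the IP addresses come from the RFC 5737 documentation ranges rather than any real attacker infrastructure.

```python
"""Flag anomalous VPN logins from exported connection logs.

Added example (not from the page or from Check Point): the log format below is
constructed to look like a generic VPN concentrator export, one line per session.
Baselines are built per user from the sessions seen earlier in the log, so the
first session of a user can never be a 'new country' or 'spike' finding."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample; IPs are documentation ranges (RFC 5737), not real attacker IPs.
SAMPLE_LOG = """\
2026-01-12T09:14:02Z user=jdoe src=203.0.113.10 country=IL bytes=48000000
2026-01-12T11:02:00Z user=asmith src=203.0.113.40 country=IL bytes=20000000
2026-01-13T10:05:44Z user=jdoe src=203.0.113.10 country=IL bytes=51000000
2026-01-14T08:51:19Z user=jdoe src=203.0.113.11 country=IL bytes=47000000
2026-01-15T02:37:55Z user=jdoe src=198.51.100.7 country=IR bytes=930000000
2026-01-15T12:30:00Z user=asmith src=203.0.113.40 country=IL bytes=22000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) bytes=(?P<bytes>\d+)$"
)
BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 in the log's timezone (UTC)
BLOCKED_COUNTRIES = {"IR"}      # geographies the page recommends blocking outright
SPIKE_FACTOR = 5                # flag a session moving >5x the user's median so far
MIN_BASELINE = 2                # sessions needed before a spike can be judged


def parse_log(text):
    """Parse log lines into dicts, oldest first; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": d["user"], "src": d["src"],
            "country": d["country"], "bytes": int(d["bytes"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_anomalies(events):
    """Return [(user, iso_timestamp, [reasons])] for sessions matching any indicator."""
    countries_seen = defaultdict(set)
    bytes_seen = defaultdict(list)
    findings = []
    for e in events:
        user, reasons = e["user"], []
        if e["country"] in BLOCKED_COUNTRIES:
            reasons.append(f"login from blocked geography {e['country']}")
        if countries_seen[user] and e["country"] not in countries_seen[user]:
            reasons.append(f"new country {e['country']} (seen: {sorted(countries_seen[user])})")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append(f"off-hours login at {e['ts']:%H:%M} UTC")
        if len(bytes_seen[user]) >= MIN_BASELINE:
            baseline = median(bytes_seen[user])
            if e["bytes"] > SPIKE_FACTOR * baseline:
                reasons.append(f"transfer spike: {e['bytes']} bytes vs median {baseline:.0f}")
        if reasons:
            findings.append((user, e["ts"].isoformat(), reasons))
        # update the per-user baseline only after judging the current session
        countries_seen[user].add(e["country"])
        bytes_seen[user].append(e["bytes"])
    return findings


if __name__ == "__main__":
    for user, ts, reasons in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

On the constructed sample only jdoe's 02:37 session from IR is flagged, and it trips all four checks at once. In production the country lookup would come from a GeoIP feed rather than the log line, and the business‑hours window should be set per user group rather than globally.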
🖥 6. Audit Group Policy for Suspicious Logon Scripts
Wiper scripts are often deployed through GPO mechanisms.
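The Handala wiper described earlier is delivered as a Group Policy logon script whose executable is served from a Domain Controller share, so the GPO audit this recommendation calls for can be made concrete. The script below is an added example, not code from the page or from Check Point: it parses the scripts.ini / psscripts.ini format in which Group Policy records logon and startup scripts and flags entries that reference the reported artifact name, point at a network share outside the GPO's own Scripts folder, or run a raw executable. The SYSVOL snapshot, the third GPO GUID, the hostname dc01 and the file names are constructed for the example.

```python
"""Audit Group Policy logon/startup scripts for wiper-style deployments.

Added example (not from the page or from Check Point). Logon scripts assigned
through Group Policy are recorded in scripts.ini (batch/VBS) or psscripts.ini
(PowerShell) under <SYSVOL>\\<domain>\\Policies\\{GPO-GUID}\\(User|Machine)\\Scripts\\.
The snapshot below is constructed; on a real domain you would read those files
from the SYSVOL share (they are UTF-16LE on disk, so open them with encoding='utf-16')."""
import configparser
import re
from pathlib import PureWindowsPath

# Constructed snapshot of policy-relative paths to file contents. The first two GUIDs
# are the well-known Default Domain Policy / Default Domain Controllers Policy; the
# third is a made-up GPO standing in for an attacker-created one.
SNAPSHOT = {
    r"{31B2F340-016D-11D2-945F-00C04FB984F9}\User\Scripts\scripts.ini": r"""
[Logon]
0CmdLine=logon.vbs
0Parameters=
""",
    r"{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Scripts\psscripts.ini": r"""
[Startup]
0CmdLine=Set-Inventory.ps1
0Parameters=
""",
    r"{B9C3D1E0-0000-4000-8000-000000000001}\User\Scripts\scripts.ini": r"""
[Logon]
0CmdLine=handala.bat
0Parameters=
1CmdLine=\\dc01\netlogon\update.exe
1Parameters=-q
""",
}

KEY_RE = re.compile(r"^(\d+)(cmdline|parameters)$")
SUSPECT_NAMES = ("handala",)   # artifact name reported in the campaign (handala.bat)


def parse_script_entries(ini_text):
    """Yield (section, index, cmdline, parameters) from scripts.ini / psscripts.ini text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    for section in cp.sections():   # Logon / Logoff / Startup / Shutdown
        entries = {}
        for key, value in cp.items(section):
            m = KEY_RE.match(key)   # configparser lowercases keys: '0cmdline', '0parameters'
            if m:
                entries.setdefault(int(m.group(1)), {"cmdline": "", "parameters": ""})[m.group(2)] = value
        for idx in sorted(entries):
            yield section, idx, entries[idx]["cmdline"], entries[idx]["parameters"]


def audit_snapshot(snapshot):
    """Return findings for script entries that match any of three indicators."""
    findings = []
    for rel_path, text in snapshot.items():
        gpo, scope = PureWindowsPath(rel_path).parts[:2]   # '{GUID}', 'User' or 'Machine'
        for section, idx, cmdline, params in parse_script_entries(text):
            low, reasons = cmdline.lower(), []
            if any(name in low for name in SUSPECT_NAMES):
                reasons.append("known wiper artifact name")
            # a UNC path that does not lead back into this GPO's folder means the
            # payload is hosted elsewhere on the DC and never lands on the client disk
            if low.startswith("\\\\") and gpo.lower() not in low:
                reasons.append("command hosted on a network share outside the GPO's own Scripts folder")
            if low.endswith(".exe"):
                reasons.append("logon/startup script runs a raw executable")
            if reasons:
                findings.append({"gpo": gpo, "scope": scope, "section": section, "index": idx,
                                 "cmdline": cmdline, "parameters": params, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_snapshot(SNAPSHOT):
        print(f"{f['gpo']} {f['scope']}\\{f['section']}[{f['index']}]: {f['cmdline']} -> {', '.join(f['reasons'])}")
```

Run against a real SYSVOL, pair the output with the GPO's modification time and the account that last wrote it, and treat any hit in a GPO linked at the domain root as an incident rather than a ticket. The same indicator (an image path on a network share) is worth a standing rule over process‑creation telemetry, since that is the only place the fileless variant shows up on the endpoint.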
Conclusion
Handala Hack has emerged as one of the most destructive Iranian threat actors, capable of leveling entire enterprise environments through a combination of:
- Stolen VPN credentials
- RDP lateral movement
- Network tunneling
- Parallel wiping
- MOIS‑backed operational support
Its campaigns reflect Iran’s ongoing shift toward rapid, high‑impact cyber retaliation, where the goal is not theft—but destruction.
Organizations worldwide, particularly in critical infrastructure and high‑visibility global sectors, should treat Handala as a Tier‑1 destructive threat and adopt hardened remote‑access, tunneling detection, and GPO security strategies immediately.