Handala Hack and Friends


On the 11th of March 2026, the Iranian-aligned Handala Hack (Handala) group claimed responsibility for a disruptive cyberattack which affected the medical multinational corporation Stryker. The X account @DarkWebInformer shared a screenshot [1] of Handala's claims, which stated they had wiped "200,000 systems, servers and mobile devices" and also extracted "50 terabytes of critical data". Handala specifically stated the attack was in retaliation for a US strike which hit the Minab school in the Hormozgan province of Iran.

On the same day, Stryker had also published a statement on their website which stated:

"Stryker is experiencing a global network disruption to our Microsoft environment as a result of a cyber attack. We have no indication of ransomware or malware and believe the incident is contained." [2]

This statement seemed to corroborate Handala's claim that they had successfully executed a cyber attack against the corporation. The impact outlined in the statement was also characteristic of Iranian-aligned threat actors, who aim to inflict destruction or significant disruption on the Information Technology (IT) of victims [3][4]. Naturally the attack was picked up by the media, with the ABC publishing "Australian hospitals on alert after Iranian hackers attack medical technology company Stryker" [5].

The Stryker Cyber Attack

While it is not publicly known exactly what occurred during the attack on Stryker, several media outlets have claimed to have sources with insight into the attack. One source reported that devices at the company had been "wiped" and, in one instance, the Irish Examiner quoted [6] a Stryker employee as stating "anyone with Outlook on their personal phones had their phones wiped". Bleeping Computer also reported [7] that a source had told them that Microsoft Intune's remote wipe functionality had been used by the threat actor. This information seemed to indicate Handala had managed to compromise a Stryker identity with sufficient privileges to use Intune's remote wipe function. By default, accounts with the "Help Desk Operator" role [8] in Microsoft Entra can perform this action.
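The reporting above points at a single detection opportunity for defenders: a legitimate helpdesk identity wipes one device at a time, whereas a compromised one wipes many in minutes. The following is an added example (not code from the article, from Stryker or from Microsoft) that runs a sliding-window count of destructive device actions per actor over audit records. The record shape (actor UPN, activity name, target device, UTC timestamp) and the activity names are assumptions loosely modelled on Intune audit events, and the sample lines are constructed.

```python
"""Detect bursts of Intune remote-wipe actions by a single identity.

Added example, not code from the article or from Microsoft. The record
shape (an actor UPN, an activity name, a target device, a UTC timestamp)
is an assumption loosely modelled on Intune audit events, and the sample
lines are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one helpdesk identity wipes six devices in two minutes,
# then performs a routine sync; a second admin performs a single wipe hours later.
SAMPLE_AUDIT_LOG = """\
{"time": "2026-03-11T03:02:10Z", "actor": "helpdesk1@example.com", "activity": "wipe ManagedDevice", "device": "LAPTOP-0001"}
{"time": "2026-03-11T03:02:31Z", "actor": "helpdesk1@example.com", "activity": "wipe ManagedDevice", "device": "LAPTOP-0002"}
{"time": "2026-03-11T03:02:55Z", "actor": "helpdesk1@example.com", "activity": "wipe ManagedDevice", "device": "PHONE-0101"}
{"time": "2026-03-11T03:03:20Z", "actor": "helpdesk1@example.com", "activity": "wipe ManagedDevice", "device": "PHONE-0102"}
{"time": "2026-03-11T03:03:48Z", "actor": "helpdesk1@example.com", "activity": "wipe ManagedDevice", "device": "LAPTOP-0003"}
{"time": "2026-03-11T03:04:12Z", "actor": "helpdesk1@example.com", "activity": "wipe ManagedDevice", "device": "LAPTOP-0004"}
{"time": "2026-03-11T03:10:00Z", "actor": "helpdesk1@example.com", "activity": "syncDevice ManagedDevice", "device": "LAPTOP-0005"}
{"time": "2026-03-11T09:15:00Z", "actor": "admin2@example.com", "activity": "wipe ManagedDevice", "device": "LAPTOP-0200"}
"""

# Activities that destroy data or remove management from a device (assumed activity names).
DESTRUCTIVE_ACTIVITIES = {"wipe ManagedDevice", "retire ManagedDevice"}


def parse_audit_log(text):
    """Parse newline-delimited JSON records and convert timestamps to datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        record["time"] = datetime.strptime(record["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(record)
    return events


def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return {actor: peak number of destructive actions inside any `window`}
    for actors whose peak reaches `threshold`.

    A single wipe is routine helpdesk work; many wipes from one identity in a
    short window is the signal worth paging on.
    """
    times_by_actor = defaultdict(list)
    for event in events:
        if event["activity"] in DESTRUCTIVE_ACTIVITIES:
            times_by_actor[event["actor"]].append(event["time"])

    alerts = {}
    for actor, times in times_by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # advance the left edge until the window spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts


if __name__ == "__main__":
    for actor, count in find_wipe_bursts(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(f"ALERT: {actor} issued {count} destructive device actions within 10 minutes")
```

The threshold and window should be tuned against a baseline of the organisation's own helpdesk activity (device refresh programmes legitimately retire devices in bulk), and the alert is most useful when it is paired with a response step that can suspend the acting identity's session.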

The same Bleeping Computer article also reported that Microsoft's Detection and Response Team (DART) and Palo Alto Unit 42 had been engaged to perform Digital Forensics and Incident Response (DFIR).

On the 12th of March Palo Alto published a threat advisory [9], "Insights: Increased Risk of Wiper Attacks". While Palo Alto stopped short of saying that they responded to the Stryker attack, they did state "Unit 42 is tracking an increased risk of wiper attacks related to the conflict with Iran".

The controls recommended by Palo Alto in the advisory were all focused on secure privileged account management (PAM) practices for Entra: for example, implementing Just In Time (JIT) access, making use of Microsoft Entra Privileged Identity Management (PIM), cloud-native (or "cloud only") accounts and FIDO2 hardware for multi-factor authentication. They also explicitly state, "Attackers such as Handala target high-value accounts with "standing" (always-on) permissions to facilitate immediate impact."
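The three controls in the advisory can be expressed as a simple audit over role assignments: is the assignment standing rather than a time-bound PIM activation, is the admin identity synced from on-premises rather than cloud-only, and has it registered a phishing-resistant method. The code below is an added example written for this article, not Palo Alto's or Microsoft's code. Field names such as `assignmentType`, `endDateTime`, `onPremisesSyncEnabled` and `authMethods` are assumptions loosely based on what Entra exposes, the role list is an assumed subset of Entra built-in roles, and every record is constructed.

```python
"""Audit role assignments for standing privilege, synced admins and weak MFA.

Added example that turns the controls from Palo Alto's advisory (JIT via
PIM, cloud-only admin accounts, FIDO2) into a check; it is not the
advisory's own code or Microsoft's. Field names are assumptions loosely
based on what Entra exposes, and every record below is constructed.
"""

# Roles that can cause tenant-wide impact (assumed subset of Entra built-in roles).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Intune Administrator",
    "Helpdesk Administrator",
}

# Constructed user directory: sync status and registered authentication methods.
USERS = {
    "admindev@example.com": {"onPremisesSyncEnabled": True, "authMethods": ["password", "sms"]},
    "ops-pim@example.com": {"onPremisesSyncEnabled": False, "authMethods": ["password", "fido2"]},
    "breakglass@example.com": {"onPremisesSyncEnabled": False, "authMethods": ["password", "fido2"]},
    "reader@example.com": {"onPremisesSyncEnabled": True, "authMethods": ["password"]},
}

# Constructed role assignment instances. "Assigned" with no end date is a permanent,
# standing assignment; "Activated" with an end date is a time-bound PIM activation.
ASSIGNMENTS = [
    {"principal": "admindev@example.com", "role": "Intune Administrator", "assignmentType": "Assigned", "endDateTime": None},
    {"principal": "ops-pim@example.com", "role": "Intune Administrator", "assignmentType": "Activated", "endDateTime": "2026-03-11T05:00:00Z"},
    {"principal": "breakglass@example.com", "role": "Global Administrator", "assignmentType": "Assigned", "endDateTime": None},
    {"principal": "reader@example.com", "role": "Global Reader", "assignmentType": "Assigned", "endDateTime": None},
]


def audit_privileged_access(assignments, users, standing_allowlist=frozenset()):
    """Return (principal, role, issue) tuples for privileged assignments that violate the controls.

    Issues: "standing" (permanent active assignment rather than JIT), "synced"
    (admin identity mastered on-premises rather than cloud-only) and "no-fido2"
    (no phishing-resistant method registered). Principals in `standing_allowlist`
    (e.g. documented break-glass accounts) skip the "standing" check only.
    """
    findings = []
    for assignment in assignments:
        if assignment["role"] not in PRIVILEGED_ROLES:
            continue  # low-impact roles are out of scope for this check
        principal = assignment["principal"]
        user = users.get(principal, {})
        is_standing = assignment["assignmentType"] == "Assigned" and assignment["endDateTime"] is None
        if is_standing and principal not in standing_allowlist:
            findings.append((principal, assignment["role"], "standing"))
        if user.get("onPremisesSyncEnabled"):
            findings.append((principal, assignment["role"], "synced"))
        if "fido2" not in user.get("authMethods", []):
            findings.append((principal, assignment["role"], "no-fido2"))
    return findings


if __name__ == "__main__":
    for principal, role, issue in audit_privileged_access(ASSIGNMENTS, USERS, {"breakglass@example.com"}):
        print(f"{issue:9s} {role:30s} {principal}")
```

The allow-list exists because emergency-access (break-glass) accounts are normally kept as standing Global Administrators by design; they should still be cloud-only, use FIDO2 and be monitored for any sign-in, which the other two checks continue to enforce.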

Alon Gal from Hudson Rock posted [10] on LinkedIn that he had reviewed infostealer credential sources and identified credentials tied to the Stryker Entra tenant; the passwords were brute-forceable and the credentials were "months if not years old". He also noted that "admindev@stryker.com" and "adminqa@stryker.com" accounts were amongst those in infostealer sources. Alon also hazarded a guess that Handala may simply have used infostealer credentials with high privileges to perform the attack.

Alon Gal's LinkedIn post speculating about a possible method used for initial access in the Stryker attack.

We were able to find similar results by searching our Data Breach and Dark Web monitoring provider for compromised credentials associated with the Stryker domain (stryker.com).

A snippet of Results for searching for "stryker.com" using a "Stealer" API.

Assuming the infostealer credentials were valid and the controls recommended by Palo Alto were not implemented by Stryker, this may indicate the attack on Stryker was opportunistic rather than a sophisticated, targeted cyber attack.

Who are Handala Hack?

Handala Hack are a threat group who emerged in 2023 [11] with spear phishing campaigns conducted against Israeli targets that aimed to deliver wiper malware. Several social media accounts associated with the group published content indicating that their aim was to promote political, pro-Palestinian messages. The group's name and logo are taken from a symbol of Palestinian resistance against Israeli oppression, which originates from a Palestinian cartoon by political artist Naji al-Ali. The cartoon is of a Palestinian child with his hands behind his back, facing away from the viewer. It is intended as a symbol of Palestinian resistance, resiliency and defiance.

By Naji al-Ali - http://arab.sa.utoronto.ca/handala-l.bmp, Fair use, https://en.wikipedia.org/w/index.php?curid=11560691

In addition to the Stryker group cyber attack, Handala have previously conducted a number of cyber attacks, mainly focused on Israeli targets:

  • A phishing campaign impersonating CrowdStrike following the global outage in 2024. This campaign was targeted at Israeli companies [12]. The pretext and targeting were also similar to an earlier phishing campaign in 2023, where the pretext instructed targets to perform actions to "patch" an F5 vulnerability.
  • The group claimed to be responsible for an attack on the Israeli company Vidisco [13]. Handala claimed the organisation had assisted Mossad with conducting their attack on Hezbollah using exploding pagers [14].
  • They also claimed to have hacked a global defence company focused on radar, DRS RADA. Although the company's website was defaced and taken down, Handala never leaked the 2 terabytes of data they claimed to have compromised [15].

The website (https[:]//handala-hack[.]to) where Handala Hack were posting details of their "exploits" has now been taken down but is still accessible using the Internet Archive: https://web.archive.org/web/20260317143537/https://handala-hack.to/

Notably, threat intelligence (TI) providers assert that the group often exaggerate the impact of their attacks [16] in social media posts and on their website [17]. This is a common trait of Iranian-aligned threat actors, with Microsoft previously stating "Multiple Iranian state groups have turned to cyber-enabled IO more regularly since June 2022 to boost, exaggerate, or compensate for shortcomings in their network access or cyberattack capabilities." [18]. This statement aligns with observations of Handala's behaviour, which indicate their intent is to gain attention and exert psychological influence. A former deputy director general of the Israel National Cyber Directorate (INCD), Rafael Franco, previously summarised Handala as "a 'loud' actor whose main goal is psychological and cognitive influence" [19] following their breach of former Prime Minister Naftali Bennett's Telegram account.

While Handala's targeting has mainly been focused on Israel, SOCRadar note [20] that they have expanded operations to target Gulf State organisations since 2025. We could not find evidence in the public domain that Handala have directly targeted Australian organisations. However, there is reporting that prominent Australian individuals have been victims of their attacks [21].

Ministry of Intelligence and Security (MOIS) Threats

Despite their hacktivist persona, Check Point's public TI [22] indicates Handala Hack are a front for the Iranian Advanced Persistent Threat (APT) Void Manticore. This group is one of many Iranian threats reported as being affiliated with the Iranian Ministry of Intelligence and Security (MOIS).

Void Manticore have historically been responsible for attacks which deploy wiper malware and leak compromised data through online personas such as Handala Hack, Karma and Homeland Justice.

Microsoft [23] and Checkpoint [24] reporting indicates that during at least two incidents, Void Manticore had likely received their access and privileged credentials from another MOIS affiliated threat actor, Scarred Manticore, allowing them to perform destructive actions.

Reporting [25] from Mandiant (now Google Threat Intelligence) also supports Microsoft and Check Point's observations, stating, "A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East.". Although Mandiant do not state UNC1860 is Scarred Manticore, they highlight that there are similarities in targeting and tradecraft. They also note that they responded to several incidents in 2019 where organisations compromised by APT34 were previously compromised by UNC1860 and vice versa. APT34, or OilRig, is another threat actor affiliated with the MOIS.

APT34/Oilrig

APT34 have been active since 2014, with reporting on their notable activity in 2016 and 2017 by Palo Alto [26] and FireEye [27]. Targeting has mostly focused on the Middle East but they have also attacked other regions such as the United States, Europe and Asia [28]. Attacks have been performed against organisations in finance, government, critical infrastructure and communications.

Similar to other Iranian threat actors, APT34 has made heavy use of spear phishing to deliver Office documents with malicious macros for initial access [26][27][28]. They have also made use of web shells to maintain persistent access into networks and deployed password filter DLLs to harvest plain text credentials on Exchange servers [29]. Notably, a number of the threat actor's malware families have made use of DNS traffic for command and control [26][30].

In 2019, APT34 made headlines after their tools and information about previous intrusions were allegedly leaked [31]. An internet persona, "Lab Dookhtegan", reached out to several journalists and provided them with data dumps that the persona claimed were from APT34. Palo Alto reviewed [32] the available data and came to the conclusion that it did have hallmarks consistent with the threat group.

In 2019, the United Kingdom's National Cyber Security Centre (NCSC) published an advisory which detailed how the Russian threat actor Turla had been scanning for APT34 web shells to gain access to already compromised targets in the Middle East [33]. NCSC specifically stated that "The behaviour of Turla in scanning for backdoor shells indicates that whilst they had a significant amount of insight into the Iranian tools, they did not have full knowledge of where they were deployed.". They also indicated Turla had knowledge of the keys used to control access to the web shells: "Commands were passed to the ASPX shell in encrypted HTTP Cookie values, requiring knowledge of the cryptographic keys to produce valid tasking and successfully interact with it.".

Additional Groups

In addition to Void Manticore, Scarred Manticore and APT34, TI providers have linked additional threat actors to the MOIS. These include:

  • Agrius
  • APT39
  • Hexane/Lyceum
  • MuddyWater

Agrius

Agrius are another MOIS affiliated threat actor that has primarily targeted Israel and in some cases, Middle Eastern countries such as the United Arab Emirates [34]. The group have relied on exploiting publicly disclosed vulnerabilities and common web application vulnerabilities such as SQL injection to compromise systems with internet facing services. Upon obtaining privileged credentials the group has exfiltrated data and deployed wipers to cause impact [35].

Hexane/Lyceum

Unlike other MOIS affiliated actors, Hexane's cyber attacks have been conducted for espionage and not to deploy wipers. The group was first reported on [36] by SecureWorks in 2019, but noted as being operational since 2018. In 2018 the group was focused on targets in Africa, before shifting to countries in the Middle East in 2019. In 2021, ClearSky reported [37] that the group had also targeted an Israeli company.

Dragos reported [38] that the threat actor had been targeting oil and gas companies in the Middle East in 2019 and later progressed to targeting telecommunications providers in the Middle East, Asia and Africa.

Hexane have predominantly gained initial access using spear phishing campaigns with payloads for remote code execution, password spraying and password brute force attacks. Payloads delivered by the group have been macro-enabled Excel and Word documents.
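Password spraying has a distinctive shape in sign-in telemetry: one source address fails against many different accounts, with only one or two attempts per account, which is exactly what per-account lockout thresholds are designed not to catch. The following is an added example (not code from the article or from any vendor) that finds that shape and, importantly, reports any success from the same source, because a spray that lands is the event that needs a response. The CSV fields (time, user, source IP, result) are an assumption loosely based on what a sign-in log exposes, and the lines are constructed.

```python
"""Flag password spraying in sign-in logs: one source, many accounts, few attempts each.

Added example, not from the article. The CSV shape (time, user, source IP,
result) is an assumption loosely based on the fields a sign-in log exposes,
and the lines are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one password against eight accounts in under
# two minutes and then succeeds against a ninth; 198.51.100.2 is one user mistyping.
SAMPLE_SIGNINS = """\
2026-03-10T22:00:01Z,alice@example.com,203.0.113.7,failure
2026-03-10T22:00:14Z,bob@example.com,203.0.113.7,failure
2026-03-10T22:00:27Z,carol@example.com,203.0.113.7,failure
2026-03-10T22:00:40Z,dave@example.com,203.0.113.7,failure
2026-03-10T22:00:53Z,erin@example.com,203.0.113.7,failure
2026-03-10T22:01:06Z,frank@example.com,203.0.113.7,failure
2026-03-10T22:01:19Z,grace@example.com,203.0.113.7,failure
2026-03-10T22:01:32Z,heidi@example.com,203.0.113.7,failure
2026-03-10T22:01:45Z,svc-admin@example.com,203.0.113.7,success
2026-03-10T22:05:00Z,carol@example.com,198.51.100.2,failure
2026-03-10T22:05:20Z,carol@example.com,198.51.100.2,failure
2026-03-10T22:05:40Z,carol@example.com,198.51.100.2,failure
2026-03-10T22:06:00Z,carol@example.com,198.51.100.2,success
"""


def parse_signins(text):
    """Parse CSV sign-in lines into dicts with a datetime and a lower-cased UPN."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, user, ip, result = [part.strip() for part in line.split(",")]
        events.append({
            "time": datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),
            "ip": ip,
            "result": result,
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {ip: {"users_failed": n, "successes": [users]}} for source IPs that
    failed against at least `min_users` distinct accounts inside `window` while
    never exceeding `max_per_user` failures on any single account (low and wide).
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    alerts = {}
    for ip, ip_events in by_ip.items():
        failures = sorted((e for e in ip_events if e["result"] == "failure"), key=lambda e: e["time"])
        if not failures:
            continue
        # Sliding window over failures: widest set of distinct accounts hit within `window`.
        widest = set()
        start = 0
        for end in range(len(failures)):
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            users_in_window = {f["user"] for f in failures[start:end + 1]}
            if len(users_in_window) > len(widest):
                widest = users_in_window
        attempts_per_user = Counter(f["user"] for f in failures)
        if len(widest) >= min_users and max(attempts_per_user.values()) <= max_per_user:
            successes = sorted({e["user"] for e in ip_events if e["result"] == "success"})
            alerts[ip] = {"users_failed": len(widest), "successes": successes}
    return alerts


if __name__ == "__main__":
    for ip, detail in detect_password_spray(parse_signins(SAMPLE_SIGNINS)).items():
        print(f"SPRAY from {ip}: {detail['users_failed']} accounts failed; successes: {detail['successes']}")
```

Keying on the source IP is the simplest form; actors rotate through proxy pools, so production detections usually also group by user agent or by the failure reason code, and treat a success that follows a spray from the same source as a confirmed compromise rather than a suspicious sign-in.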

Multiple TI vendors have identified overlap between the group's tradecraft and that used by APT34. Kaspersky researchers noted [39] that "Lyceum’s modus operandi bears a striking resemblance to that of APT34/OilRig. Both groups have similar geopolitical targeting, and prefer to use DNS tunnelling in the different payloads they have developed over the years.". SecureWorks also identified overlaps [36] but stated "As of this publication, there is insufficient technical evidence to support an attribution assessment.". ESET's MuddyWater report [40] from 2026 specifically states that Lyceum is a "subgroup" of OilRig (APT34).

APT39

APT39 are another MOIS affiliated threat actor whose operational goals deviate from destruction. APT39's targeting has focused on Airlines, IT firms, telecommunications, education and travel companies [41][42] in countries across multiple continents. This targeting also deviates from the MOIS convention. Symantec first published information [43] on the group's activity in 2015, noting they had been active since at least July 2014. Around the time the United States (U.S.) Department of Treasury imposed sanctions on 45 individuals associated with the group in 2020 [44], public reporting on the group seemed to stop.

Several TI vendors [41][43] and the FBI [42] detail that the objective of APT39 is to compromise organisations with the intent of gaining access to Personally Identifiable Information (PII). This information is targeted to support the MOIS with tracking and monitoring persons of interest.

Similar to Hexane, the group have relied upon spear phishing and compromising vulnerable web servers to gain initial access to target organisations. A blog by the online persona "Nariman Gharib" [45] provides screenshots of what the author claims are from targeting documents obtained from an APT39 system. These screenshots appear to include terminal output from SQLMap being used to successfully exploit SQL injection vulnerabilities amongst the use of other common offensive security tools.

A screenshot shared by "Nariman Gharib" - https://blog.narimangharib.com/posts/2025%2F07%2F1752917718209?lang=eng

MuddyWater

MuddyWater are a MOIS threat actor [46] who have been active since 2017 and have continued operations, with public reporting as recent as March 2026 [47][48]. The group have historically targeted organisations with spear phishing for initial access. Spear phishing payloads in early attacks (prior to 2022) were macro-enabled documents [49] before the group shifted to delivering PDF files with links to ZIP files containing Remote Monitoring and Management (RMM) tools [50][51]. They have also used compromised email accounts to target further victims [52]. Microsoft have also reported that the group have exploited the Log4j vulnerability to deploy web shells to internet-facing web applications [53].

While public sources report that the group typically focuses on espionage [54] there have been reports that the group has attempted to deploy the Thanos ransomware [55]. Microsoft also detail [56] how they likely provided access to a second group tracked by Microsoft as DEV-1084 (DarkBit) in one attack. DEV-1084 then proceeded to cause impact by deleting Azure resources and deploying ransomware.

MuddyWater's targeting has been broad, with a focus on Middle Eastern countries but they have also compromised organisations in Europe, the United States and Asia.

Current Risk Assessments From Reputable Sources

Palo Alto

Palo Alto have stated [57] the following in regards to the current risk of Iranian threat actors:

"Beginning the morning of Feb. 28, 2026, Iran’s available internet connectivity dropped to between 1-4%. We assess that the loss of connectivity and significant degradation of Iranian leadership and command structures will likely hinder the ability of state-aligned threat actors to coordinate and execute sophisticated cyberattacks in the near-term."

and

"For Iran-aligned threat actors based outside of the region, we assess that hacktivist groups will target organizations perceived as adversaries but their impact is likely to be of low to medium significance."

National Cyber Security Centre (UK)

The United Kingdom's National Cyber Security Centre has released an advisory [58] which states:

"As a result of the ongoing conflict in the Middle East, there is likely no current significant change in the direct cyber threat from Iran to the UK, however due to the fast-evolving nature of the conflict, this assessment may be subject to change."

and

"There is almost certainly a heightened risk of indirect cyber threat for those organisations and entities who have a presence, or supply chains, in the Middle East."

Closing

Public reporting on the Stryker cyber attack and threat intelligence detailing the behaviour of Handala Hack indicate the attack was unlikely to be sophisticated in nature. Although Handala claimed responsibility, the attack was likely performed at the behest of Iran's MOIS. It is also possible that the credentials were provided to Handala by one of the more sophisticated MOIS affiliated threat actors.

If Handala and Void Manticore's historical targeting (based on the references) does not change, it is fair to assume Australian organisations will not be targeted directly unless it is opportunistic.

Organisations that would like practical assurance that they have effective controls to prevent attacks from similar threats could consider Purple Teaming. This would involve emulating the Tactics, Techniques and Procedures (TTP) used by MOIS affiliated threat actors. The evaluated TTP should include those used by the more sophisticated MOIS threats that have a history of providing access to other groups under the MOIS umbrella.

References
