Severity
High
Analysis Summary
The Iranian threat actor Handala Hack has conducted a series of highly destructive cyberattacks against organizations in Albania and the United States. Operating under the broader umbrella of Void Manticore, also tracked as Red Sandstorm and Banished Kitten, the group is directly linked to Iran's Ministry of Intelligence and Security (MOIS). Unlike traditional cyber-espionage groups, Handala Hack focuses on pure destruction, aiming to wipe data and cripple systems in a way that makes recovery extremely difficult. Active since late 2023, the group operates under multiple personas, including Handala Hack, Karma, and Homeland Justice; the last of these has targeted the government and telecom sectors since 2022.
The group's attack chain typically begins with compromised VPN credentials, obtained either through brute-force attacks or through supply chain compromises of IT service providers. Once inside a network, the attackers move laterally over Remote Desktop Protocol (RDP), driving systems by hand to expand their access. In recent campaigns they have added NetBird, a peer-to-peer networking tool, to tunnel traffic through victim networks, giving them stealthy internal communication. Notably, researchers observed multiple attacker-controlled machines (at least five) operating simultaneously within a single environment, a sign that the group accelerates damage by working in parallel.
A defining feature of Handala Hack is its multi-layered approach to destruction. The attackers deploy several wiping mechanisms at once via Group Policy so that the impact is rapid and widespread. Their custom Handala Wiper overwrites files and corrupts the Master Boot Record (MBR), causing deep system damage, and it is executed remotely from the Domain Controller, which helps it avoid detection. In parallel, an AI-assisted PowerShell script deletes user files and floods systems with propaganda images. The attackers also abuse legitimate tools such as VeraCrypt to encrypt drives, making recovery even harder, while at the same time deleting virtual machines and files manually through RDP sessions.
Recent findings show a decline in the group's operational security: activity now traces directly to Iranian IP addresses rather than to anonymized VPN services. Their evolving tactics, such as combining tunneling tools, AI-assisted scripts, and simultaneous wiper deployment, mark a shift toward faster and more aggressive attacks. To defend against this threat, organizations should enforce strong controls: multi-factor authentication, strict monitoring of VPN and login activity, limiting or disabling unnecessary RDP access, and detecting unauthorized tools such as NetBird. Blocking suspicious IP ranges and watching closely for unusual network behavior are also critical to preventing or minimizing the impact of these destructive campaigns.
Impact
- Information Disclosure
- Business Operations Disruption
- Gain Access
- Financial Loss
Indicators of Compromise
IP
- 82.25.35.25
- 31.57.35.223
- 107.189.19.52
- 146.185.219.235
MD5
- e035c858c1969cffc1a4978b86e90a30
SHA-256
- 1ab1586975779b7d1ce09315b1312b939a194de6df7c5e92aea4f963835f7b08
SHA-1
- b9930eda0091790c563226549e734a903e1baf7c
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enforce Multi-Factor Authentication (MFA) on all remote access and privileged accounts.
- Disable unnecessary RDP access, and treat RDP sessions originating from machines with default Windows hostnames (e.g., DESKTOP-XXXXXX, WIN-XXXXXX) as suspicious, since domain-joined corporate endpoints are normally renamed.
- Monitor VPN logins for unusual locations, times, and new device registrations.
- Block connections from suspicious IP ranges, including Iranian IPs and known Starlink ranges.
- Deploy endpoint detection tools to detect wipers, scripts, and unauthorized remote execution.
- Limit administrative privileges and segregate high-value systems.
- Audit and monitor Group Policy changes to detect unauthorized scripts or deployments.
- Detect and block tunneling tools like NetBird or other peer-to-peer networking applications.
- Implement frequent, isolated backups with offline copies to ensure recovery after data-wiping attacks.
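As an added example that is not part of the original advisory, the following Python script runs the hunts that the attack-chain description and the remediation items above call for, over a handful of constructed Windows Security and Sysmon-style events: RDP logons from clients that still carry a default Windows hostname (and how many distinct such clients were seen, which is the "several attacker machines in parallel" signal), NetBird process execution, modifications to Group Policy objects, and connections from the indicator IPs listed above. The event field names follow the Windows Security log and Sysmon conventions as a SIEM would flatten them; the sample records, the hostname pattern, and the netbird-ui.exe entry in the tunneling-binary list are assumptions made for illustration.

```python
"""Offline hunt over constructed Windows event records for the Handala Hack tradecraft
in this advisory: RDP logons from clients that kept a default Windows hostname, execution
of tunneling tools such as NetBird, edits to Group Policy objects, and any connection from
the listed indicator IPs. All sample events below are constructed, not real telemetry."""
import re
from pathlib import PureWindowsPath

# Indicator IPs copied from the advisory's IOC list.
IOC_IPS = {"82.25.35.25", "31.57.35.223", "107.189.19.52", "146.185.219.235"}

# Default Windows computer names look like DESKTOP-XXXXXXX or WIN-XXXXXXXXXXX; domain-joined
# corporate endpoints are normally renamed, so a default name on an RDP client is worth a look.
DEFAULT_HOSTNAME = re.compile(r"^(?:DESKTOP|WIN)-[A-Z0-9]{6,15}$", re.IGNORECASE)

# Image basenames of peer-to-peer tunneling tools. netbird.exe is NetBird's client binary;
# netbird-ui.exe is an assumption. Extend with whatever your environment does not allow.
TUNNELING_IMAGES = {"netbird.exe", "netbird-ui.exe"}

# Security event 4624 LogonType 10 = RemoteInteractive, i.e. an RDP / Terminal Services logon.
RDP_LOGON_TYPE = 10


def ev(**fields):
    """Build one flattened event record; exists only to keep the sample data readable."""
    return fields


# Constructed sample events shaped like a flattened Security/Sysmon export from a SIEM.
# 4624 = logon, 1 = Sysmon process creation, 5136 = directory service object modified.
SAMPLE_EVENTS = [
    ev(EventID=4624, LogonType=10, TargetUserName="svc_backup", WorkstationName="DESKTOP-K2JX9A1",
       IpAddress="10.20.4.17", Computer="FS01"),
    ev(EventID=4624, LogonType=10, TargetUserName="jdoe", WorkstationName="CORP-LT-0412",
       IpAddress="10.20.8.33", Computer="FS01"),
    ev(EventID=4624, LogonType=3, TargetUserName="admin", WorkstationName="DESKTOP-7QWERTY",
       IpAddress="10.20.4.18", Computer="DC01"),
    ev(EventID=1, Image=r"C:\Users\svc_backup\AppData\Local\Temp\netbird.exe",
       CommandLine="netbird.exe up", Computer="FS01"),
    ev(EventID=1, Image=r"C:\Windows\System32\notepad.exe", CommandLine="notepad.exe", Computer="WS07"),
    ev(EventID=5136, ObjectClass="groupPolicyContainer", AttributeLDAPDisplayName="gPCMachineExtensionNames",
       SubjectUserName="svc_backup", Computer="DC01"),
    ev(EventID=5136, ObjectClass="user", AttributeLDAPDisplayName="description",
       SubjectUserName="helpdesk", Computer="DC01"),
    ev(EventID=4624, LogonType=3, TargetUserName="vpn_user", WorkstationName="VPN-GW",
       IpAddress="82.25.35.25", Computer="VPN-GW"),
]


def rdp_from_default_hostnames(events):
    """(user, workstation, source IP) for RDP logons whose client still carries a default hostname."""
    return [
        (e.get("TargetUserName"), e["WorkstationName"], e.get("IpAddress"))
        for e in events
        if e.get("EventID") == 4624 and e.get("LogonType") == RDP_LOGON_TYPE
        and DEFAULT_HOSTNAME.match(e.get("WorkstationName", ""))
    ]


def default_hostname_clients(events):
    """Sorted distinct default-hostname clients seen in any logon. Several at once points to
    parallel operator machines, like the five the researchers observed in one environment."""
    return sorted({
        e["WorkstationName"] for e in events
        if e.get("EventID") == 4624 and DEFAULT_HOSTNAME.match(e.get("WorkstationName", ""))
    })


def tunneling_tool_executions(events):
    """(host, image path) for Sysmon process creations of known tunneling binaries."""
    return [
        (e.get("Computer"), e["Image"])
        for e in events
        if e.get("EventID") == 1 and PureWindowsPath(e.get("Image", "")).name.lower() in TUNNELING_IMAGES
    ]


def gpo_modifiers(events):
    """Accounts that created or modified a groupPolicyContainer object (events 5137 / 5136)."""
    return {
        e.get("SubjectUserName")
        for e in events
        if e.get("EventID") in (5136, 5137)
        and e.get("ObjectClass", "").lower() == "grouppolicycontainer"
    }


def ioc_ip_hits(events):
    """(host, user, IP) for any event whose source address is on the indicator list."""
    return [
        (e.get("Computer"), e.get("TargetUserName"), e["IpAddress"])
        for e in events if e.get("IpAddress") in IOC_IPS
    ]


def hunt(events):
    """Run every detector; returns findings keyed by detector name."""
    return {
        "rdp_default_hostname": rdp_from_default_hostnames(events),
        "default_hostname_clients": default_hostname_clients(events),
        "tunneling_tools": tunneling_tool_executions(events),
        "gpo_modifiers": sorted(gpo_modifiers(events)),
        "ioc_ips": ioc_ip_hits(events),
    }


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {findings}")
```

Two caveats when running this against real data: events 5136 and 5137 are only written when "Audit Directory Service Changes" is enabled and the Group Policy Objects container carries a matching SACL, so check that first rather than concluding nobody touched a GPO; and an RDP session negotiated with Network Level Authentication produces a LogonType 3 event before the LogonType 10 one, which is why default_hostname_clients deliberately looks at every logon type while rdp_from_default_hostnames does not.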

