ON 28 April 2026, U.S. service members in Bahrain began receiving WhatsApp messages signed by a group calling itself Handala, claiming that missiles and drones were already aimed at them and that their identities were under surveillance, with the messages linked to the group’s website, according to Stars and Stripes. The following day, Handala claimed on Telegram that it had doxxed 2,379 U.S. Marines stationed in the Persian Gulf.
The article notes that Handala appears to operate within Iran’s broader intelligence structure, with attribution linking the group to the Ministry of Intelligence (MOIS) though other firms use aliases such as Void Manticore, Storm-0842, and Dune. It also highlights that Handala has previously escalated by targeting Israeli and other entities, including a 2026 campaign that involved doxxing contractors and breaching emails, framed as an intelligence and influence operation rather than purely military hacking.
The report describes Handala’s toolkit as a mix of custom malware and social engineering, and cites Stryker’s March 2026 incident as an instance of the group attempting to use cloud credentials to push a factory reset on devices.