THE DomainTools analysis presents Homeland Justice, KarmaBelow80 and Handala as a MOIS-aligned cyber influence ecosystem rather than separate hacktivist groups, with activity spanning 2022 to 2026 and evolving from destructive intrusions to a multi-domain influence operation framed around narrative control.
It traces a common, modular tradecraft across phases—from initial access and data exfiltration to destructive encryption and public attribution—using Telegram for amplification and domain infrastructure for leak publication. The campaign has expanded from Albania-focused operations in 2022 to Israel-targeted activity in 2023–2024 and beyond, incorporating surveillance capabilities and living-off-the-land techniques, including signed binaries and PowerShell-based propagation.
Recent reporting notes a converged Handala- and Karma-led activity, with domain registrations between 19 March and 23 March 2026 across Handala, Karma, and Homeland Justice personas, signalling concurrent reconstitution and attribution shaping. The Stryker incident in March 2026 is highlighted as a notable example of administrative-level disruption via Microsoft Intune, illustrating a shift toward enterprise management‑plane targeting alongside data exfiltration and public messaging, according to Cyber Magazine.