socradar.io 3/13/2026, 8:30:49 AM

Dark Web Profile: Handala Hack

Dark Web Profile: Handala Hack traces a claims-driven persona back to a destructive Iranian-linked actor. Handala presents as a pro-Palestinian hacktivist group but is widely assessed as MOIS-operated.

Since appearing in December 2023, the group has executed dozens of attacks against Israeli and Western targets, deploying custom wiper malware and expanding to U.S. corporations, while its most destructive claimed operation to date—Operation Epic Fury in March 2026—was an attack on Stryker that reportedly wiped over 200,000 devices across 79 countries and involved 50 TB of data exfiltration.

Handala’s attribution has hardened toward MOIS, with threat actor cards naming Void Manticore, Storm-0842, BANISHED KITTEN, and Dune; independent analyses emphasise MOIS affiliation rather than IRGC. The group’s operations feature a two-cluster structure, with Scarred Manticore and Handala handling initial access and disruption respectively, and campaigns commonly rely on spear-phishing and staged malware delivery, including BYOVD and living-off-the-land techniques.

Researchers at Reichman University tallied at least 85 claimed attacks between February 2024 and February 2025, and Handala’s targets have broadened from Israeli entities to U.S. companies, Gulf states, and Western institutions. According to Check Point Research, the actor is linked to multiple aliases within a broader MOIS network, reinforcing the perception of a coordinated, state-adjacent threat.

Article by CyberSIXT