HANDALA Hack is an online persona operated by Void Manticore (also tracked as Red Sandstorm and Banished Kitten), an actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Karma and Homeland Justice are further fronts linked to the same actor, used in campaigns against Israel, Albania, and US-based enterprises such as Stryker.
According to Check Point Research, Handala and Karma share highly similar TTPs: operations are conducted in a hands-on, manual style, and several wipers are run in parallel, including a PowerShell-based component whose code shows signs of having been written with AI assistance. The group has expanded from Israel-focused intrusions to attacks on US organisations, while continuing to rely on compromised VPN access for initial entry and on broad credential theft, including Domain Admin credentials.
Lateral movement relies heavily on RDP, complemented by NetBird to tunnel traffic and establish internal connectivity, with at least five attacker-controlled machines active during incidents. Wiping techniques include a custom Handala Wiper and a PowerShell wiper, distributed via Group Policy, alongside attempts to use VeraCrypt for disk encryption to complicate recovery.
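The TTP cluster above (RDP fan-out from several operator machines, a GPO-pushed PowerShell payload, NetBird and VeraCrypt appearing on servers) is concrete enough to hunt for. The script below is an added example written for this page, not Check Point's tooling or anything recovered from the actor; it runs three hunts over constructed Windows telemetry. Assumptions not taken from the report: events are dicts normalised from Windows Security events 4624 (logon), 4688 (process creation) and 5136 (AD object modified); NetBird and VeraCrypt run under their default binary names; GPO startup/logon scripts are launched by gpscript.exe; and the fan-out threshold of three sources is a tuning knob, not a number from the incident.

```python
"""Hunt for the Handala / Void Manticore TTP cluster over constructed Windows telemetry.

Added example, not code from the report or the actor. Field names assume a SIEM
that normalises Windows Security events 4624 / 4688 / 5136 into flat dicts.
"""
import json
import ntpath
from collections import defaultdict

# --- constructed telemetry (not real incident data) --------------------------
EVENTS = [
    # One Domain Admin account arriving over RDP from five different sources.
    *[{"id": 4624, "logon_type": 10, "user": "CORP\\da-ops", "src_ip": ip, "host": h}
      for ip, h in [("10.20.5.11", "FS01"), ("10.20.5.12", "DC01"), ("10.20.5.13", "APP02"),
                    ("10.20.5.14", "SQL01"), ("10.20.5.15", "WS07")]],
    # Normal RDP use: one helpdesk account from one jump host.
    {"id": 4624, "logon_type": 10, "user": "CORP\\helpdesk1", "src_ip": "10.20.1.5", "host": "WS03"},
    # A network logon (type 3) is not RDP and must not count towards fan-out.
    {"id": 4624, "logon_type": 3, "user": "CORP\\da-ops", "src_ip": "10.20.9.9", "host": "DC01"},
    # A Group Policy object is modified on the DC (GUID is a placeholder).
    {"id": 5136, "host": "DC01", "user": "CORP\\da-ops", "object_class": "groupPolicyContainer",
     "object": "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=local",
     "attribute": "gPCMachineExtensionNames"},
    # The Group Policy script engine launching PowerShell on a member host.
    {"id": 4688, "host": "WS07", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Windows\System32\gpscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File \\corp.local\SYSVOL\corp.local\scripts\update.ps1"},
    # Tunnelling and disk-encryption tooling appearing on servers (assumed default binary names).
    {"id": 4688, "host": "FS01", "user": "CORP\\da-ops", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\NetBird\netbird.exe", "cmdline": "netbird.exe up"},
    {"id": 4688, "host": "DC01", "user": "CORP\\da-ops", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\VeraCrypt\VeraCrypt Format.exe", "cmdline": '"VeraCrypt Format.exe"'},
    # Benign process creation that no rule should flag.
    {"id": 4688, "host": "WS03", "user": "CORP\\helpdesk1", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

NETBIRD_IMAGES = {"netbird.exe"}                       # assumption: default client binary name
VERACRYPT_IMAGES = {"veracrypt.exe", "veracrypt format.exe"}  # GUI and volume-creation tool


def _image(path):
    """Lower-cased basename of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path or "").lower()


def rdp_fanout(events, min_sources=3):
    """Accounts with RemoteInteractive (logon type 10) logons from >= min_sources distinct
    source IPs. Manual, RDP-heavy lateral movement from several operator boxes looks like this."""
    sources = defaultdict(set)
    for e in events:
        if e.get("id") == 4624 and e.get("logon_type") == 10:
            sources[e["user"]].add(e["src_ip"])
    return {user: sorted(ips) for user, ips in sources.items() if len(ips) >= min_sources}


def gpo_script_push(events):
    """Pair GPO modifications with gpscript.exe spawning PowerShell on members: the shape
    of a payload pushed as a Group Policy startup/logon script."""
    edits = [(e["host"], e["user"], e["object"]) for e in events
             if e.get("id") == 5136 and e.get("object_class") == "groupPolicyContainer"]
    spawns = [(e["host"], e["cmdline"]) for e in events
              if e.get("id") == 4688 and _image(e.get("parent")) == "gpscript.exe"
              and _image(e.get("image")) in {"powershell.exe", "pwsh.exe"}]
    return {"gpo_edits": edits, "gpscript_powershell": spawns}


def tooling(events):
    """Process creations for the tunnelling (NetBird) and disk-encryption (VeraCrypt) tools
    the report names. Match on image name here; add signer/hash checks in production."""
    hits = []
    for e in events:
        if e.get("id") != 4688:
            continue
        img = _image(e.get("image"))
        if img in NETBIRD_IMAGES:
            hits.append((e["host"], "netbird", img))
        elif img in VERACRYPT_IMAGES:
            hits.append((e["host"], "veracrypt", img))
    return hits


def hunt(events, min_rdp_sources=3):
    """Run all three hunts and return only the rules that produced findings."""
    findings = {
        "rdp_fanout": rdp_fanout(events, min_rdp_sources),
        "gpo_script_push": gpo_script_push(events),
        "tooling": tooling(events),
    }
    return {name: r for name, r in findings.items()
            if (any(r.values()) if isinstance(r, dict) else bool(r))}


if __name__ == "__main__":
    print(json.dumps(hunt(EVENTS), indent=2))
```

Each rule alone is noisy in a real estate (admins do RDP, GPOs do change, VeraCrypt has legitimate users); the value is in the three firing together within one incident window, with the same Domain Admin account behind the RDP fan-out, the GPO edit and the tool launches, which is why `hunt` reports them side by side rather than as independent alerts.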