Handala

Handala is an Iran-linked threat actor and hacktivist persona assessed with high confidence as a MOIS-affiliated front operating within the Banished Kitten cyber ecosystem. It is also tracked as Void Manticore by Microsoft and Storm-0842 by Check Point Research. Reported aliases in the provided content include Banished Kitten, Dune, Handala Hack, Handala Hack Team, Homeland Justice, Red Sandstorm, Storm-0842, and Void Manticore. The content also states that Handala Hack Team is an Iranian hacktivist persona first observed in 2023 and operated by COBALT MYSTIQUE. The actor is described as conducting hack-and-leak, destructive, and psychological operations, and as routinely overstating its capability and impact while at times carrying out real data theft and wiper attacks. Confirmed or reported targeting in the content includes U.S. critical infrastructure and healthcare-related organizations, notably California Water Service and Stryker. In the Cal Water case, Handala claimed to have breached the utility, leaked 5 GB of alleged data, and asserted it could disrupt water supply operations. Multiple reports cited in the content state that subsequent investigation by Cal Water and Mandiant found no evidence of threat actor activity in Cal Water’s internal IT or OT environments, with activity limited to unauthorized access to a small number of user accounts in two third-party service provider platforms, one customer online account accessed with stolen credentials, and a third-party GPS correction website. Separate reporting in the content, including Dataminr analysis, states that leaked materials indicated compromise of a customer billing database and an internal RTKBase NTRIP caster environment, with plaintext credentials exposed and possible pivoting between those environments; however, OT or ICS disruption was not confirmed. The content also attributes to Handala a March 2026 attack on Stryker that was described as a wiper attack. Handala claimed it exfiltrated 50 TB of critical data and permanently erased 200,000 devices and 12 PB of Stryker data. The content further states that Handala’s toolkit includes custom wipers named win.handala, Handala Wiper, and Hamsa Wiper, as well as MBR-overwriting capabilities. Across reporting cited here, Handala is associated with data exfiltration, public leaking of stolen data, extortion-style pressure, wiper deployment, and influence or intimidation messaging. Tactics and techniques directly mentioned in the content include impersonation of individuals familiar to victims and technical support associated with social messaging services, PowerShell execution, and video capture-related activity annotated to Void Manticore. The broader reporting also describes likely or observed Iran-linked tradecraft around exploitation of internet-exposed systems, credential attacks, phishing, password spraying, ransomware, wiper malware, website defacement, DDoS, and hack-and-leak operations. Handala has been publicly linked in the content to retaliation-themed operations following U.S. and Israeli military actions against Iran, and is repeatedly characterized as Iran-linked, widely believed to be a front for Iranian government hacking operations, and specifically suspected of serving Iran’s Ministry of Intelligence.