Handala Wiper
Handala Wiper is a custom destructive malware family associated with the Iranian MOIS-linked threat cluster tracked as Void Manticore, also known as Red Sandstorm and Banished Kitten, operating under the Handala Hack persona. Reporting describes it as part of Handala’s broader destructive toolkit used in hack-and-leak and impact operations targeting organizations in Israel, Albania, and more recently the United States, including the March 2026 Stryker incident. The malware has been observed in Windows-focused destructive operations and is also referenced alongside related Handala tooling and Linux-targeting wipers such as Hamsa.
High-confidence reporting states that Handala Wiper is distributed during the impact phase via Group Policy logon scripts and scheduled tasks, including through a batch file named handala.bat, allowing execution from the Domain Controller without writing the executable to disk on every endpoint. In some cases the payload is referred to as handala.exe. Its destructive behavior includes overwriting file contents and corrupting or overwriting the Master Boot Record (MBR) to cause deep system damage and hinder recovery. In observed campaigns, it has been deployed in parallel with other destructive methods, including a custom PowerShell-based wiper that deletes files in user directories and drops handala.gif, VeraCrypt-based disk encryption, and manual deletion of files and virtual machines over RDP.
The actor using Handala Wiper commonly gains access through compromised VPN credentials, brute force, credential stuffing, or supply-chain compromise of IT/service providers, then performs hands-on-keyboard operations, credential dumping, Active Directory reconnaissance, and lateral movement primarily over RDP, sometimes using NetBird for tunneling to internal hosts. Public reporting links the malware to destructive campaigns rather than espionage, with emphasis on operational disruption, data destruction, and psychological impact. Detection content in the supporting material associates Handala Wiper activity with anomalous high-volume file deletion on Windows, suspicious use of regasm/regsvcs-related behaviors, and reconnaissance such as querying public IP-check services.
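The two behaviours above that are most tractable in host telemetry are the distribution pattern (a scheduled task that runs a batch script from a network share rather than a locally installed binary) and the high-volume file deletion during the impact phase. The following Python sketch is an added example and is not part of this profile or of any vendor rule set: it runs both checks over constructed sample events. The record layout is our own simplification of Sysmon Event ID 23 (FileDelete) and Windows Security Event ID 4698 (scheduled task created), the hostnames, users and paths are invented, and the 50-deletions-per-minute threshold is an assumption to be tuned per environment.

```python
"""Detection sketch over constructed Windows telemetry (added example).

Two checks modelled on the reported tradecraft:
  1. a scheduled task whose action runs a .bat/.cmd/.ps1 from a UNC path
     (the GPO-distributed handala.bat pattern described in reporting);
  2. a burst of file deletions by one process on one host.
All event records are constructed sample data, not real logs; field names are
a simplified rendering of Sysmon EID 23 and Security EID 4698 (assumption)."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry, one JSON object per line.
SAMPLE_LOG = "\n".join(
    [
        # Scheduled task running a batch file straight from the DC's SYSVOL share (constructed).
        json.dumps({"ts": "2026-03-10T08:00:00", "host": "WS-17", "event_id": 4698,
                    "task_name": "\\GPO-Deploy", "task_command": "cmd.exe",
                    "task_args": "/c \\\\DC01\\SYSVOL\\corp.example\\scripts\\handala.bat",
                    "subject_user": "CORP\\svc-admin"}),
        # Benign built-in task for contrast (constructed).
        json.dumps({"ts": "2026-03-10T08:00:05", "host": "WS-17", "event_id": 4698,
                    "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
                    "task_command": "%windir%\\system32\\defrag.exe",
                    "task_args": "-c -h -o -$", "subject_user": "NT AUTHORITY\\SYSTEM"}),
    ]
    # 120 deletions by cmd.exe inside one minute (constructed wiper-like burst).
    + [json.dumps({"ts": f"2026-03-10T08:01:{i % 60:02d}", "host": "WS-17", "event_id": 23,
                   "image": "C:\\Windows\\System32\\cmd.exe",
                   "target": f"C:\\Users\\alice\\Documents\\report_{i}.docx"})
       for i in range(120)]
    # A handful of spread-out deletions by explorer.exe (constructed normal activity).
    + [json.dumps({"ts": f"2026-03-10T08:{10 + i:02d}:00", "host": "WS-17", "event_id": 23,
                   "image": "C:\\Windows\\explorer.exe",
                   "target": f"C:\\Users\\alice\\Downloads\\tmp_{i}.txt"})
       for i in range(5)]
)

# Two leading backslashes, a server name, then a path ending in a script extension.
UNC_SCRIPT = re.compile(r"\\\\[^\\\s]+\\[^\s]*\.(bat|cmd|ps1)\b", re.IGNORECASE)


def parse_events(raw: str):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_remote_script_tasks(events):
    """Return 4698 events whose action executes a script from a network share."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4698:
            continue
        action = f'{ev.get("task_command", "")} {ev.get("task_args", "")}'
        m = UNC_SCRIPT.search(action)
        if m:
            hits.append({"host": ev["host"], "task_name": ev["task_name"],
                         "script": m.group(0), "created_by": ev["subject_user"]})
    return hits


def detect_deletion_bursts(events, threshold=50, window=timedelta(seconds=60)):
    """Return {(host, image): peak_count} for processes deleting >= threshold
    files within any sliding window of `window` length."""
    recent = defaultdict(deque)  # (host, image) -> timestamps inside the window
    alerts = {}
    for ev in events:
        if ev["event_id"] != 23:
            continue
        key = (ev["host"], ev["image"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def run(raw: str = SAMPLE_LOG):
    """Run both detections over a raw JSON-lines log and return the findings."""
    events = parse_events(raw)
    return {"remote_script_tasks": detect_remote_script_tasks(events),
            "deletion_bursts": detect_deletion_bursts(events)}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings)
```

Both checks are deliberately behaviour-based rather than keyed on the handala.bat file name, since a renamed script defeats a name match but not the "task runs a script from a UNC path" or "one process deletes files faster than users do" logic. In production the deletion threshold should be baselined per host role (build servers and backup agents delete legitimately at volume), and the 4698 check should be joined against the GPO change audit so that a task pushed to many hosts at once is visible as a single campaign rather than per-host noise.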
Groups observed using it
3 distinct threat actors attributed by public researchers.
Handala Malware Capability: While OT/ICS disruption is not confirmed in this incident, Handala’s deployed toolkit includes custom wipers (win.handala, Handala Wiper, Hamsa Wiper) and MBR-overwriting capabilities.
The first is the custom Handala Wiper, distributed via Group Policy logon scripts through a batch file named handala.bat. This wiper overwrites file contents and applies Master Boot Record (MBR) corruption for deep, low-level damage.
This event was subsequently exploited by threat actors to launch malicious campaigns, one in particular looking to deploy destructive wiper payloads to targeted hosts and network systems.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (4 techniques)
During impact, Void Manticore combines multiple destructive methods: a custom Handala Wiper (sometimes handala.exe) with MBR-based wiping, distributed via Group Policy logon scripts and scheduled tasks...
The wiper was distributed across the network as a scheduled task using Group Policy logon scripts...
Persistence (4 techniques)
initiate destructive operations by dropping wiper malware families such as Handala Wiper and Handala PowerShell Wiper via Group Policy logon scripts.
The wiper was distributed across the network as a scheduled task using Group Policy logon scripts, which executed a batch file named handala.bat.
Privilege Escalation (6 techniques)
Stealth (6 techniques)
Handala Destructive Wiper detection involves monitoring for suspicious activities such as ... the dropping of malicious drivers.
“Obfuscated Files or Information (T1027) …scatters garbage or invalid Windows commands among legitimate batch script instructions… effectively masks the true functionality of the script while allowing it to run as intended.”
Handala Destructive Wiper is a potent malware strain known for its destructive capabilities. It targets and irreversibly wipes data from infected systems, rendering them inoperable.
Defense Impairment (1 technique)
Discovery (1 technique)
Exfiltration (1 technique)
Impact (4 techniques)
IOCs tracked for this family
18 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Custom wiper malware associated with Handala, described as capable of destructive operations including MBR overwriting.
Destructive wiper malware used by Handala-associated operators to erase data and disrupt operations, delivered via Group Policy logon scripts during destructive intrusions.
A custom destructive wiper used by Handala Hack that overwrites file contents and corrupts the MBR to make systems and data difficult to recover. It is distributed via Group Policy logon scripts and executed remotely from the Domain Controller so it is not written to disk on targeted machines.
Custom destructive wiper used by Void Manticore for MBR-based wiping and distributed via Group Policy logon scripts and scheduled tasks.