Threat Actor Characterization

Handala Team

ID: 6907c3f629dd073bc8fcc4762691278f71272
Hacktivist Group Hacktivism
Threat types: Hacktivism, Data Leak, pro-Palestine
Palestine ISR
Updated: 2026-04-03
Created: 2026-01-27
Progress: 94% Completeness: 96% Freshness: 90%
Operation zone: Israel
Aliases: Handala, Handala Group (2 of 5 aliases shown in free preview)
MITRE ATT&CK®

Handala Hack Team is an Iran-aligned cyber persona assessed in public reporting as linked to MOIS-associated activity and used for hack-and-leak, wiper, intimidation, and disruptive operations primarily against Israeli targets and adjacent ecosystems.


| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1566.001 | Spearphishing Attachment | TA0001 | 2024-07-26 — Trellix documented lure emails abusing the CrowdStrike outage theme to deliver malware to Israeli targets. |
| T1204.002 | Malicious File | TA0002 | 2024-07-26 — Users were lured to launch a fake update package delivering the destructive chain. |
| T1059.005 | Visual Basic | TA0002 | 2024-07-26 — Public malware analysis documented AutoIT script staging and execution inside the Handala chain. |
| T1055.012 | Process Hollowing | TA0004, TA0005 | 2024-07-26 — Trellix described process hollowing into RegAsm.exe during execution of the malicious chain. |
| T1218.009 | Regsvcs/Regasm | TA0005 | 2024-07-26 — RegAsm.exe was abused as part of the payload execution flow. |
| T1041 | Exfiltration Over C2 Channel | TA0010 | 2024-07-26 — System information exfiltration via Telegram API was documented in the wiper chain analysis. |
| T1561.001 | Disk Content Wipe | TA0040 | 2024-09-06 — Splunk documented the Handala destructive payload’s file wiping / overwrite behavior. |
| T1486 | Data Encrypted for Impact | TA0040 | 2024-06-15 — Cyberint reported Handala’s ransomware-style attack against Ma’agan Michael kibbutz with 22GB exfiltrated and threatening SMS messages sent to residents. |
| T1114 | Email Collection | TA0009 | 2025-12-18 — INFERENCE (confidence: medium): Public reporting around Bennett and Braverman indicates messaging-account or communications data compromise and publication activity. |
| T1005 | Data from Local System | TA0009 | 2026-02-25 — Public reporting described release of medical records allegedly taken from Clalit systems, consistent with collection of locally accessible sensitive data. |
| T1589.001 | Credentials | TA0043 | 2025-12-16 — INFERENCE (confidence: medium): Handala’s bounty-style and doxxing-oriented campaigns imply collection and curation of identity details related to Israeli military and defense-linked individuals. |
| T1585.001 | Social Media Accounts | TA0042 | 2024-08-21 — The actor maintained public branding across X, Telegram, and forums for claim publication and propaganda. |
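
A hunting sketch for the T1055.012 / T1218.009 / T1041 rows above, added here as an example; it is not taken from this profile or from the vendor reports it cites. The Sysmon-style field names, the sample events, the "RegAsm.exe started with no arguments" heuristic, and the premise that the Telegram traffic originates from the RegAsm.exe process are all assumptions.

```python
from collections import defaultdict

REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
TELEGRAM_HOSTS = {"api.telegram.org"}  # Telegram Bot API endpoint

# Constructed events shaped like Sysmon ID 1 (process create) and ID 3
# (network connection); hosts, PIDs, paths and field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "pid": 4120, "image": REGASM, "cmdline": REGASM},
    {"id": 3, "host": "ws01", "pid": 4120, "image": REGASM,
     "dest_host": "api.telegram.org"},
    {"id": 1, "host": "build02", "pid": 911, "image": REGASM,
     "cmdline": '"' + REGASM + r'" /codebase C:\build\Interop.dll'},
    {"id": 1, "host": "ws07", "pid": 300, "image": REGASM, "cmdline": "RegAsm.exe"},
]


def has_arguments(image, cmdline):
    """True if the command line carries anything beyond the executable itself."""
    rest = cmdline.strip()
    for prefix in ('"' + image + '"', image, image.rsplit("\\", 1)[-1]):
        if rest.lower().startswith(prefix.lower()):
            return bool(rest[len(prefix):].strip())
    return bool(rest)  # unrecognised form: assume arguments are present


def hunt(events):
    """Group RegAsm.exe signals per (host, pid) and grade the combination."""
    signals = defaultdict(set)
    for ev in events:
        if not ev["image"].lower().endswith("\\regasm.exe"):
            continue
        key = (ev["host"], ev["pid"])
        if ev["id"] == 1 and not has_arguments(ev["image"], ev.get("cmdline", "")):
            signals[key].add("no_arguments")
        elif ev["id"] == 3:
            signals[key].add("network_connection")
            if ev.get("dest_host", "").lower() in TELEGRAM_HOSTS:
                signals[key].add("telegram_api")
    findings = []
    for (host, pid), seen in sorted(signals.items()):
        high = {"no_arguments", "telegram_api"} <= seen
        findings.append({"host": host, "pid": pid, "signals": sorted(seen),
                         "severity": "high" if high else "medium"})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The legitimate registration on build02 produces no finding; an argument-less RegAsm.exe alone is graded medium and becomes high only when the same process also reaches the Telegram API.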
Strategic Intelligence
Last updated: 2026-03-15T03:32:57+00:00

Handala / Handala Hack Team (HHT) / Handala Hack

Classification: TLP:WHITE — (Cyber / “Faketivist” / State-linked)

Author: iQBlack Team



Executive Summary

Handala (often branded as Handala Hack Team / Handala Hack) is a pro-Palestinian, Iran-aligned cyber actor that emerged around December 2023, shortly after the outbreak of the Israel–Hamas war. While initially framed as another “hacktivist” outfit running DDoS and simple website attacks, multiple government and private-sector assessments now attribute Handala to Iran’s Ministry of Intelligence (MOIS), tracked in some taxonomies as Storm-0842 / Banished Kitten / Void Manticore, i.e. a state-directed psychological warfare unit masquerading as a grassroots collective.


Handala’s activity focuses overwhelmingly on Israeli targets (and, to a lesser extent, foreign entities linked to Israel), including government, defense, healthcare, high-tech, telecom, transportation, and education sectors. Their core pattern is “hack-and-leak with psy-ops”: compromise, selective data theft, release of mixed authentic and fabricated data, and aggressive messaging aimed at eroding public trust in Israeli institutions, senior officials and security services rather than monetizing access.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — Handala Hack Team

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Hunting Playbook

Hunting Playbook — Handala Hack Team

Priority: HIGH (Israel-linked / politically exposed / healthcare / defense-adjacent) / MEDIUM globally.

IOC Appendix
Last updated: 2026-03-15T03:35:18+00:00

IOC Appendix — Handala Hack Team

Classification: TLP:WHITE

OSINT Library
Last saved: 2026-03-15T03:36:06+00:00

OSINT Library — Handala Hack Team


2024-07-16 — Cyberint / Check Point — “Handala Hack: What We Know About the Rising Threat Actor”

Social Media & Communication