Skip to content
Ransomware group

Handala

Handala is described in the provided content both as an Iran-aligned cyber group/pro-Palestinian hacktivist persona linked to Iran and as a destructive malware/wiper family used in disruptive operations.

Profile source: Mallory opens in a new tab

Handala

Family profile

Handala is described in the provided content both as an Iran-aligned cyber group/pro-Palestinian hacktivist persona linked to Iran and as a destructive malware/wiper family used in disruptive operations. The malware is characterized as a destructive wiper capable of irreversibly wiping data from infected systems, rendering systems inoperable, spreading rapidly across networks, and using evasion techniques. Splunk’s 2024 analytics story on the Handala wiper states defenders should monitor for unexpected regasm processes, unauthorized AutoIt script execution, malicious driver drops, abrupt system slowdowns, and creation of unknown files or processes. The content says Handala has been used against critical infrastructure and organizations and can cause major disruption, downtime, financial loss, data loss, and compromise of sensitive information.

The content also links Handala to healthcare-sector targeting. It states that Handala, described there as an Iran-aligned cyber group, targeted a medical technology organization in 2026 with data exfiltration and destructive actions. A separate report says Stryker suffered a major cyberattack involving wiper malware claimed by Handala; Handala allegedly claimed theft of 50 TB of data and wiping of more than 200,000 systems, servers, and mobile devices, while Stryker confirmed a global disruption affecting its Microsoft environment.

A more detailed intrusion chain in the content associates the name Handala with a Delphi-coded second-stage loader observed in Operation HamsaUpdate, a phishing campaign targeting Israeli customers using F5-themed lures. In that campaign, Windows victims were instructed to execute a ZIP-delivered .NET loader masquerading as an F5 update tool. One variant extracted Handala.exe, a Delphi second-stage loader, which launched an AutoIt-based injector chain. The chain used a renamed AutoIt interpreter (Naples.pif) and an obfuscated script to inject RC4-decrypting shellcode, decompress payloads with LZNT1, and communicate over HTTPS with 31.192.237[.]207:2515. In the same campaign, the Windows wiper payload Hatef overwrote files with random data and deleted them across key directories and drives, while the Linux payload Hamsa used a heavily obfuscated bash script to delete user accounts, wipe home directories, destroy partitions, delete system binaries, and reboot the host. Both variants reported execution details to a Telegram bot/channel identified in the content. The report notes that a group calling itself "Handala Hack Team" claimed responsibility, but also states there was insufficient basis for attribution and that a false hacktivist persona was possible.

PolySwarm telemetry cited in the content observed continued circulation of HANDALA alongside other destructive and criminal malware families during the period leading up to and coinciding with the 2026 FIFA World Cup.

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

1 named in public reporting
Handala

Stryker has suffered a major cyberattack involving wiper malware claimed by Handala, a pro-Palestinian hacktivist group linked to Iran.

MITRE ATT&CK

Handala in ATT&CK

9 distinct techniques

Reporting

Research mentioning Handala

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.