Mar 12, 2026 • matthewsu
“Handala Hack” – Unveiling Group’s Modus Operandi
Executive Summary
Void Manticore (aka Handala Hack, Red Sandstorm, Banished Kitten), an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS), continues conducting destructive wiping attacks combined with hack-and-leak operations. The group operates multiple personas, with Handala Hack targeting Israel and U.S. enterprises (including medical technology firm Stryker), while Homeland Justice focuses on Albania. The threat actor employs manual, hands-on operations using compromised VPN credentials for initial access, custom and off-the-shelf wipers, and newly observed tactics including NetBird for network tunneling and AI-assisted PowerShell scripts for data destruction. Void Manticore collaborates with Scarred Manticore and has historically relied on commercial VPNs and open-source offensive tools. Organizations should prioritize securing VPN infrastructure, monitoring for brute-force attempts, and implementing robust backup and detection strategies against destructive malware.
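The monitoring advice above, as an added example that is not part of the Check Point report: a small hunt that flags a VPN login succeeding right after a burst of failures, then checks whether the same account starts NetBird on a host with no approved install. The log fields, thresholds, sample events, and the NetBird image path are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the report); the field layout is an assumption.
# VPN auth: (time, account, source_ip, outcome). Process start: (time, host, account, image).
VPN_EVENTS = [
    ("2026-03-01T02:10:00", "svc-backup", "203.0.113.7", "fail"),
    ("2026-03-01T02:10:20", "svc-backup", "203.0.113.7", "fail"),
    ("2026-03-01T02:10:41", "svc-backup", "203.0.113.7", "fail"),
    ("2026-03-01T02:11:02", "svc-backup", "203.0.113.7", "fail"),
    ("2026-03-01T02:11:30", "svc-backup", "203.0.113.7", "success"),
    ("2026-03-01T08:00:00", "alice", "198.51.100.4", "fail"),
    ("2026-03-01T08:00:30", "alice", "198.51.100.4", "success"),
]
PROC_EVENTS = [
    ("2026-03-01T02:40:00", "FS01", "svc-backup", r"C:\Program Files\NetBird\netbird.exe"),
    ("2026-03-01T09:00:00", "WS22", "alice", r"C:\Windows\System32\notepad.exe"),
]

def ts(s):
    return datetime.fromisoformat(s)

def success_after_burst(events, min_fails=4, window=timedelta(minutes=5)):
    """Return (account, source_ip, login_time) for a success preceded by >= min_fails failures."""
    recent = defaultdict(deque)  # account -> timestamps of failures still inside the window
    hits = []
    for when, account, ip, outcome in sorted(events):
        t = ts(when)
        fails = recent[account]
        while fails and t - fails[0] > window:
            fails.popleft()  # expire failures older than the window
        if outcome == "fail":
            fails.append(t)
            continue
        if len(fails) >= min_fails:
            hits.append((account, ip, t))
        fails.clear()  # any successful login resets the counter
    return hits

def tunnel_after_login(hits, procs, approved_hosts=frozenset(), follow=timedelta(hours=24)):
    """Return (host, account, image) for NetBird starts on unapproved hosts after a flagged login."""
    out = []
    for when, host, account, image in procs:
        if "netbird" not in image.lower() or host in approved_hosts:
            continue  # not the tunneling client, or a sanctioned install
        if any(a == account and timedelta(0) <= ts(when) - t <= follow for a, _ip, t in hits):
            out.append((host, account, image))
    return out
```

Where NetBird is deployed legitimately, list those hosts in `approved_hosts` so only unexpected installs are reported.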
Summary
Handala Hack, also tracked by Check Point Research as Void Manticore, is an Iranian threat actor that is known for multiple destructive wiping attacks combined with “hack and leak” operations. The threat actor operates several online personas, with the most prominent among them being Homeland Justice, maintained from mid-2022 specifically for multiple attacks […] The post “Handala Hack” – Unveiling Group’s Modus Operandi appeared first on Check Point Research.
Published Analysis
Key Findings
- Handala Hack is an online persona operated by Void Manticore (aka Red Sandstorm, Banished Kitten), an actor affiliated with Iranian Ministry of Intelligence and Security (MOIS)
- Additional personas associated with this actor include Karma and Homeland Justice, which have been used in targeted operations against Israel and Albania
- Handala continues to rely on longstanding TTPs, primarily conducting quick, hands-on activity within victim networks and employing multiple wiping methods simultaneously
- In parallel, some newly observed TTPs include the deployment of NetBird to tunnel traffic into the network, as well as the use of an AI-assisted PowerShell script for wiping activity
Introduction
Handala Hack, also tracked by Check Point Research as Void Manticore, is an Iranian threat actor that is known for multiple destructive wiping attacks combined with “hack and leak” operations. The threat actor operates several online personas, with the most prominent among them being Homeland Justice, maintained from mid-2022 specifically for multiple attacks against government, telecom, and other sectors in Albania, as well as Handala Hack, which has been responsible for multiple intrusions in Israel and recently expanding its targeting to US-based enterprises such as medical technology giant Stryker.
The techniques, tactics, and procedures (TTPs) associated with Void Manticore intrusions remained largely consistent throughout 2024 to 2026, as the group continued to rely primarily on manual, hands-on operations, off-the-shelf wipers, and publicly available deletion and encryption tools. Accordingly, our previous research on the actor, published in early 2025, remains highly relevant to understanding their activity.
Void Manticore has historically used both custom-built and publicly available tools, while also relying on underground criminal services to obtain initial access and malware. As the group’s operations expanded in scope, with recent attacks targeting U.S. organizations, we decided to share our observations on this cluster’s activity, with a particular focus on recent TTPs and newly identified indicators. Because the group operates primarily through manual, hands-on activity, its indicators tend to be short-lived and consist largely of commercial VPN services, open-source software, and publicly available offensive security tools.
Background
“Handala Hack” is an online persona operated by Void Manticore (Red Sandstorm, Banished Kitten), a MOIS-affiliated threat actor, and appears to draw its name and imagery from the Palestinian cartoon character Handala. The persona has been used extensively since late 2023 and represents one of the group’s three primary operational fronts. The other two are Karma, which was likely completely replaced by Handala, and Homeland Justice, a persona the group continues to use in operations targeting Albania.
Figure 1 – Logos of Void Manticore personas (from left to right): Homeland Justice, Handala and Karma.
Based on our observations, intrusions linked to all three personas exhibit highly similar TTPs, as well as code overlaps in the wipers they deploy. Another distinctive characteristic shared by Karma and “Homeland Justice” is the collaboration with Scarred Manticore, a separate Iranian threat actor. In the case of Handala and Karma, we have also observed incidents in which the victim-facing group (i.e., messaging within the wipers, notes left in a compromised environment) was presented as...
Linked Entities
- Custom Wipers
- NetBird
- Banished Kitten
- Handala Hack
- Homeland Justice
- Karma
- Red Sandstorm
- Scarred Manticore
- Void Manticore