
“Handala Hack” – Unveiling Group’s Modus Operandi

Handala Hack, an Iranian MOIS-affiliated threat actor also known as Void Manticore, conducts destructive wiping and hack-and-leak operations against US, Israeli, and Albanian targets. The group leverages compromised VPN credentials for initial access, uses NetBird for internal tunneling, and deploys multiple parallel wiping techniques—including custom MBR wipers, PowerShell scripts, and VeraCrypt—distributed via Active Directory Group Policy.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-03-12 · reports

Authors: Check Point Research

Actors: Void Manticore, Handala Hack, Homeland Justice, Karma, Red Sandstorm, Banished Kitten, Scarred Manticore, Storm-861, ShroudedSnooper

Source: Check Point

IOCs · 3

Key Takeaways

  • Handala Hack (Void Manticore) is an Iranian MOIS-affiliated actor conducting destructive wiping and hack-and-leak operations.
  • The group uses compromised VPN accounts and default hostnames for initial access, recently leveraging Starlink and Iranian IPs.
  • Lateral movement relies heavily on RDP and the manual deployment of NetBird for zero-trust mesh network tunneling.
  • Destructive phases employ multiple parallel techniques: a custom Handala Wiper (MBR wiping), an AI-assisted PowerShell wiper, VeraCrypt disk encryption, and manual deletion.
  • Wipers are distributed via Group Policy (GPO) logon scripts, executing directly from the Domain Controller's SYSVOL share.

Affected Systems

  • Windows environments
  • Active Directory
  • VPN infrastructure
  • Virtualization platforms

Attack Chain

Handala Hack gains initial access by compromising VPN accounts, often using default hostnames and commercial VPN nodes. Once inside, they perform reconnaissance using ADRecon and extract credentials by dumping LSASS and exporting registry hives via WMIC. Lateral movement is conducted manually via RDP, and NetBird is deployed to tunnel traffic and establish a zero-trust mesh network for internal access. Finally, the group deploys multiple destructive tools simultaneously via Group Policy logon scripts, including a custom MBR wiper, an AI-assisted PowerShell file deletion script, and VeraCrypt for disk encryption, while also manually deleting virtual machines.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but it does provide detailed behavioral indicators, file hashes, and IP addresses for custom detection engineering.

Detection Engineering Assessment

  • EDR Visibility: High — EDR can easily detect LSASS dumping via comsvcs.dll, WMIC shadow copy extraction, execution of unauthorized tunneling tools (NetBird), and mass file deletion/MBR wiping behaviors.
  • Network Visibility: Medium — Network monitoring can identify connections from known bad VPN/Starlink IPs and unusual RDP traffic, but internal tunneling via NetBird may obscure lateral movement.
  • Detection Difficulty: Moderate — While the destructive actions are noisy and easy to detect, the initial access and lateral movement rely heavily on living-off-the-land techniques (RDP, WMIC) and legitimate tools (NetBird, VeraCrypt), which can blend in with normal administrative activity.

Required Log Sources

  • Windows Security Event Log (Event ID 4624, 4625)
  • Sysmon Event ID 1 (Process Creation)
  • Sysmon Event ID 3 (Network Connection)
  • Sysmon Event ID 11 (File Create)
  • Sysmon Event ID 13 (Registry Event)

Hunting Hypotheses

  • Hypothesis: Look for WMIC executions spawning cmd.exe to copy files from Volume Shadow Copies, indicating potential registry hive extraction.
    • Telemetry: Process creation logs (Sysmon Event ID 1) showing wmic.exe with 'process call create' and 'HarddiskVolumeShadowCopy'.
    • ATT&CK Stage: Credential Access
    • FP Risk: Low
  • Hypothesis: Identify the execution of rundll32.exe loading comsvcs.dll with the MiniDump function, a common technique for LSASS memory dumping.
    • Telemetry: Process creation and command line logs (Sysmon Event ID 1).
    • ATT&CK Stage: Credential Access
    • FP Risk: Low
  • Hypothesis: Detect the presence and execution of NetBird or VeraCrypt binaries downloaded directly from web browsers on server infrastructure.
    • Telemetry: File creation logs (Sysmon Event ID 11) and process creation logs (Sysmon Event ID 1) linked to browser processes.
    • ATT&CK Stage: Lateral Movement / Impact
    • FP Risk: Medium
  • Hypothesis: Monitor for unusual RDP connections originating from machines with default Windows naming conventions (e.g., DESKTOP-XXXXXX or WIN-XXXXXX) outside of normal business hours.
    • Telemetry: Windows Security Event Logs (Event ID 4624 - Logon) focusing on Logon Type 10 (RemoteInteractive).
    • ATT&CK Stage: Lateral Movement
    • FP Risk: Medium
  • Hypothesis: Search for the execution of executables or batch scripts (e.g., handala.bat, handala.exe) directly from the SYSVOL share via Group Policy logon scripts.
    • Telemetry: Process creation logs showing execution paths containing '\SYSVOL' and '\scripts'.
    • ATT&CK Stage: Execution
    • FP Risk: Low

Control Gaps

  • Lack of MFA on VPN/Remote Access
  • Permissive RDP access across the internal network
  • Unrestricted outbound internet access from servers (allowing tool downloads)

Key Behavioral Indicators

  • WMIC copying from HarddiskVolumeShadowCopy
  • rundll32.exe executing comsvcs.dll MiniDump
  • Executables launching from SYSVOL share
  • Mass file deletion via PowerShell
  • RDP logins from default DESKTOP-/WIN- hostnames
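Added example (not code from Check Point or from this page): the five hunting hypotheses and the behavioral indicators above, written as Python predicates and run over constructed, flattened Sysmon Event ID 1 / Security 4624 records. The record field names (id, image, parent, cmd, logon_type, workstation, hour), the browser list and the default-hostname regex are assumptions about how a log pipeline flattens events.

```python
import re

# Assumed shape: each record is a dict flattened from Sysmon EID 1 or Security EID 4624.
DEFAULT_HOST = re.compile(r"^(DESKTOP|WIN)-[A-Z0-9]{6,11}$", re.I)  # default Windows names
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def base(path):
    return path.lower().rsplit("\\", 1)[-1]
def wmic_shadowcopy(e):  # registry hive copied out of a Volume Shadow Copy via WMIC
    c = e.get("cmd", "").lower()
    return e["id"] == 1 and base(e["image"]) == "wmic.exe" \
        and "process call create" in c and "harddiskvolumeshadowcopy" in c

def comsvcs_minidump(e):  # LSASS dump through the comsvcs.dll MiniDump export
    c = e.get("cmd", "").lower()
    return e["id"] == 1 and base(e["image"]) == "rundll32.exe" \
        and "comsvcs.dll" in c and "minidump" in c

def sysvol_script_exec(e):  # binary launched straight from the DC's SYSVOL\scripts
    p = e.get("image", "").lower()
    return e["id"] == 1 and "\\sysvol\\" in p and "\\scripts\\" in p
def tool_from_browser(e):  # NetBird/VeraCrypt installer spawned by a browser process
    n, parent = base(e.get("image", "")), base(e.get("parent", ""))
    return e["id"] == 1 and parent in BROWSERS and ("netbird" in n or "veracrypt" in n)
def rdp_default_host_offhours(e):  # RemoteInteractive logon from a default hostname at night
    return e["id"] == 4624 and e.get("logon_type") == 10 \
        and bool(DEFAULT_HOST.match(e.get("workstation", ""))) and not 8 <= e.get("hour", 12) < 18

RULES = [("WMIC copy from HarddiskVolumeShadowCopy", "Credential Access", wmic_shadowcopy),
         ("rundll32 comsvcs.dll MiniDump", "Credential Access", comsvcs_minidump),
         ("Executable run from SYSVOL\\scripts", "Execution", sysvol_script_exec),
         ("NetBird/VeraCrypt dropped by browser", "Lateral Movement / Impact", tool_from_browser),
         ("Off-hours RDP from DESKTOP-/WIN- host", "Lateral Movement", rdp_default_host_offhours)]

def triage(events):
    """Return (event_index, rule_name, stage) for every record matching a hypothesis."""
    return [(i, n, s) for i, e in enumerate(events) for n, s, p in RULES if p(e)]

# Constructed sample records (not real telemetry); the last one is a benign control.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wbem\wmic.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"wmic process call create cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system c:\users\public"},
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"rundll32.exe comsvcs.dll MiniDump 640 c:\users\public\l.dmp full"},
    {"id": 1, "image": r"\\dc01\sysvol\corp.local\scripts\install\handala.exe", "cmd": "handala.exe"},
    {"id": 1, "image": r"C:\Users\Public\Downloads\netbird_installer.exe", "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 4624, "logon_type": 10, "workstation": "DESKTOP-AB12CD3", "hour": 3},
    {"id": 4624, "logon_type": 10, "workstation": "FIN-LT-0042", "hour": 14},
]
```

Running `triage(EVENTS)` flags the first five constructed records and leaves the business-hours logon from a named workstation alone; tune the hour window and hostname pattern to your environment before deploying.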

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block inbound connections from Iran and known Handala VPS/VPN IP ranges (e.g., Starlink, commercial VPNs).
  • Search for and terminate unauthorized instances of NetBird, VeraCrypt, and ADRecon (dra.ps1) in the environment.
  • Review and remove any suspicious Group Policy Objects (GPOs) or logon scripts, particularly those referencing 'handala'.

Infrastructure Hardening

  • Enforce Multi-Factor Authentication (MFA) on all remote access and privileged accounts.
  • Restrict and harden RDP access across the environment, disabling it where not operationally required.
  • Implement conditional access controls and restrict VPN connectivity to business-related countries only.

User Protection

  • Monitor for unusual access patterns, such as first-time logins outside typical hours or multiple failed logins followed by success.
  • Deploy EDR solutions configured to block LSASS memory dumping and unauthorized Volume Shadow Copy access.

Security Awareness

  • Train administrative staff to recognize and report the unauthorized installation of remote management or tunneling tools like NetBird.

MITRE ATT&CK Mapping

  • T1133 - External Remote Services
  • T1078.002 - Valid Accounts: Domain Accounts
  • T1199 - Trusted Relationship
  • T1110 - Brute Force
  • T1003.001 - OS Credential Dumping: LSASS Memory
  • T1003.002 - OS Credential Dumping: Security Account Manager
  • T1087.002 - Account Discovery: Domain Account
  • T1021.001 - Remote Services: Remote Desktop Protocol
  • T1572 - Protocol Tunneling
  • T1105 - Ingress Tool Transfer
  • T1047 - Windows Management Instrumentation
  • T1484.001 - Domain Policy Modification: Group Policy Modification
  • T1037.003 - Boot or Logon Initialization Scripts: Network Logon Script
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1561.002 - Disk Wipe: Disk Structure Wipe
  • T1485 - Data Destruction
  • T1486 - Data Encrypted for Impact

Additional IOCs

  • IPs:
    • 82[.]25[.]35[.]25 - Handala VPS
    • 31[.]57[.]35[.]223 - Handala VPS
    • 146[.]185[.]219[.]235 - VPN exit node used by Handala
    • 188[.]92[.]255[.]X - Starlink IP range used by Handala
    • 209[.]198[.]131[.]X - Starlink IP range used by Handala
    • 149[.]88[.]26[.]X - Commercial VPN IP range used by Handala
    • 169[.]150[.]227[.]X - Commercial VPN IP range used by Handala
  • File Hashes:
    • 3236facc7a30df4ba4e57fddfba41ec5 (MD5) - VeraCrypt Installer used for disk encryption impact
    • 3dfb151d082df7937b01e2bb6030fe4a (MD5) - NetBird Installer used for internal tunneling
  • File Paths:
    • c:\users\public - Destination path for copied registry hives during credential extraction
    • \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system - Source path for SYSTEM hive extraction via Volume Shadow Copy
    • \\[REDACTED]\SYSVOL\[REDACTED]\scripts\Administtration\install\handala.rar - Source path for propaganda image referenced in the PowerShell wiper script
    • \\[REDACTED]\sysvol\[REDACTED]\scripts\administtration\install\handala.exe - Execution path of the Handala wiper triggered via GPO
  • Command Lines:
    • Purpose: Extract SYSTEM registry hive from Volume Shadow Copy for credential dumping | Tools: wmic.exe, cmd.exe | Stage: Credential Access
    • Purpose: Dump LSASS memory for credential extraction | Tools: rundll32.exe, comsvcs.dll | Stage: Credential Access | rundll32.exe comsvcs.dll MiniDump
  • Other:
    • handala.gif - Propaganda image dropped by the PowerShell wiper