The Symbol
Handala is a cartoon: a 10-year-old Palestinian refugee drawn by Naji al-Ali, always seen from behind, arms clasped, never facing the viewer. Al-Ali said the boy would turn around when Palestinians returned home. He has been facing away since 1969. The Iranian Ministry of Intelligence chose this symbol to brand a state wiper cell. The choice is deliberate — righteous grievance, perpetual resistance, anonymity as identity.
The symbol is borrowed. The operations are MOIS.
The State Structure
The intelligence community designation is Void Manticore. Microsoft tracks the same cluster as Storm-0842. CrowdStrike calls it Banished Kitten. Sophos uses COBALT MYSTIQUE. Recorded Future has it as Dune. These names refer to the same entity: a destructive operations unit within Iran's Ministry of Intelligence and Security (MOIS), operating under the Domestic Security Directorate.
Void Manticore does not operate alone. It operates in sequence with Scarred Manticore — a separate MOIS intelligence collection unit that maintains long-term access to target networks, sometimes for 12 months or longer. When destruction is authorized, Scarred Manticore hands Domain Admin credentials to Void Manticore. Void Manticore deploys wipers. The model was documented by Check Point Research in both the 2022 Albania operations (Homeland Justice persona) and the 2023–2024 Israel operations (Karma/Handala personas). The Stryker operation on March 11, 2026 follows the same template.
Void Manticore runs three primary operational personas:
| Persona | Primary Target | Period |
|---|---|---|
| Homeland Justice | Albania (government systems) | July 2022–present |
| Karma / KarmaBelow80 | Israel (destructive wipers) | 2023–2024 |
| Handala / Handala Hack Team | Israel + US (hack-leak-wipe) | December 2023–present |
| HPR / HPR Intelligence | Announcement and amplification | 2025–present |
The Director
Seyed Yahya Hosseini Panjaki (aliases: Seyed Yahya Hamidi) holds the title of Deputy Director for Domestic Security within MOIS and heads its "Martyr Soleimani" unit. He was born January 23, 1975 in Karaj, holds a PhD in Political Science from Azad University of Tabriz, and is listed on the FBI's Most Wanted for Terrorism. He is designated by the US Treasury under Executive Order 13553, sanctioned by the EU, and sanctioned by the UK.
He is not a background figure. Iran International reporting from August 2025, sourced to journalist Nariman Gharib, established that Panjaki personally directed the July 2025 operation against Iran International journalists — including the exfiltration and publication of their passports, driver's licenses, and intimate content — as personal revenge following his Treasury designation earlier that year. The Tabriz connection runs through the cell: Panjaki was educated there; the two identified subordinate operators both live there.
The Operators
Ali Bermoudeh
National ID: 1362398276. Age 27 as of 2025. Tabriz, Iran. Channel administrator for the Handala Telegram infrastructure. His online retail business — a storefront on Iranian e-commerce platforms — provides surface-level civilian cover. He began working with Iran's Cyber Police (FATA) at approximately age 16, making his introduction to state-directed cyber operations a teenage recruitment.
His father, Mousa Bermoudeh, holds a provincial government position within the Foundation of Martyrs and Veterans Affairs and is a decorated IRGC-Basij member. This is the family connection that enabled recruitment into the MOIS orbit.
The critical OPSEC failure: his passwords consist of his birthdate — "1377629" — across multiple accounts. The number encodes year 1377 in the Iranian calendar (approximately 1998), combined with date digits. Nariman Gharib's investigation confirmed this credential pattern across the accounts used to administer Handala channels. A state-sponsored operative running nation-state operations with a date-of-birth password.
Morteza Aftabifar
National ID: 1680072404. Tabriz, Iran. Aftabifar is Bermoudeh's handler within the Ministry of Intelligence — the MOIS officer managing the relationship between the channel administrator and the directorate. Both men are in Tabriz, under Panjaki's directorate. This is a contained provincial cell.
The Infrastructure
Leak Sites
| Domain | Status | Notes |
|---|---|---|
handala.to | Active redirect loop | Trellian parking; TLS cert renewed March 9, 2026; FingerprintJS profiling with tr_uuid + fp= parameters |
handala-hack.to | Active | DDoS-Guard (185.178.208.137, Rostov-na-Donu, Russia); active geoblocking; primary clearnet leak site and RedWanted bounty board |
vmjfieomxhnfjba57sd6jjws2ogvowjgxhhfglsikqvvrnrajbmpxqqd.onion | Active | Tor hidden service, NGINX |
The handala.to redirect behavior is not a simple forward. The site implements a 300-millisecond delay via FingerprintJS browser fingerprinting before redirecting visitors. Every browser that accesses the site has its fingerprint collected and appended as a fp= parameter to the outbound redirect URL. Failed fingerprinting attempts return error codes fp=-7 and fp=-3. This is active counterintelligence infrastructure: Handala is profiling who visits their site. Researchers, security vendors, government analysts, and journalists checking their leak site are generating fingerprints that the operators can observe. The redirect destination and collection mechanism provide operational visibility into their audience.
Certificate Transparency Timeline
CT log queries on *.handala-hack.to establish the infrastructure timeline precisely:
| Event | Date |
|---|---|
handala-hack.to first certificate issued | July 24, 2024 |
| Most recent certificate renewal | February 26, 2026 |
| Current certificate validity | Through May 27, 2026 |
The domain was provisioned in mid-2024, maintained through the February 2026 period immediately preceding the Operation Epic Fury strikes, and renewed 2 days before the airstrikes began. Issuers across the cert history include Let's Encrypt, Sectigo, and others. A wildcard certificate *.handala.to is active, indicating subdomain infrastructure beyond what is publicly enumerated.
C2 and Staging Infrastructure
| Indicator | Type | Notes |
|---|---|---|
64.176.169.22 | Void Manticore C2 | Vultr AS20473; SSH only; active |
64.176.172.235 | Void Manticore C2 | Vultr AS20473; HTTPS serving Check Point ZTA cert |
64.176.172.165 | Void Manticore C2 | Vultr AS20473 |
64.176.173.77 | Void Manticore C2 | Vultr AS20473 |
64.176.172.101 | Void Manticore C2 | Vultr AS20473; HTTPS+SSH; serving Cloudways |
31.192.237.207 | Operation HamsaUpdate C2 | ilyarolevik1.pserver.space; Chelyabinsk-Signal LLC; SSH active; port 2515 closed (dormant) |
64.176.168.0/21 | Vultr block | Full CIDR containing documented C2 nodes and automation infrastructure |
gramatikservicesapi.top | Automation server | 64.176.169.27; Vultr AS20473; n8n v1.61.0; active since Sep 9 2024 |
C2 communications use SSH reverse SOCKS proxy tunneling via OpenSSH on port 443 with keepalive intervals forwarding to ports 1080/1090 — legitimate-looking traffic on a port that passes most firewall inspection.
Exfiltration Infrastructure
| Indicator | Type | Notes |
|---|---|---|
handala-bucket | AWS S3 bucket name | Identified in senvarservice-DC.exe by OP Innovate |
link[.]storjshare[.]io/s/jwyite7mez2ilyvm2esxw2jq3apq/crowdstrikeisrael/update.zip | Storj staging URL | CrowdStrike-lure campaign payload |
link[.]storjshare[.]io/s/jvktcsf5ypoak5aucs6fn6noqgga/crowdstrikesupport/update.zip | Storj staging URL | CrowdStrike-lure campaign payload (variant) |
sjc1.vultrobjects[.]com/f5update/update[.]sh | Vultr Object Storage | Operation HamsaUpdate Linux payload |
Telegram C2 Credentials (Burned)
Handala wiper malware contains hardcoded Telegram bot API credentials that route victim telemetry — IP address, hostname, timestamp, and file deletion progress — directly to operator-controlled channels. The following credentials have been extracted from analyzed samples and are now burned:
| Credential | Value | Campaign |
|---|---|---|
| Bot API token | 7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc | Trellix-analyzed campaign |
| Channel ID | 7436061126 | Trellix-analyzed campaign |
| Bot API token | 6428401585:AAGE6SbwtVJxOpLjdMcrL45gb18H9UV7tQA | Intezer HamsaUpdate campaign |
| Channel ID | 6932028002 | Intezer HamsaUpdate campaign |
Hardcoding operator Telegram credentials in production malware is a recurring failure across the Iranian hacktivist ecosystem. These tokens, once extracted from samples, give researchers direct access to the bot API — including the ability to query message history and subscriber counts — until the tokens are rotated. Live verification on March 11, 2026 confirmed both tokens return HTTP 401 Unauthorized — Handala rotated credentials following the OP Innovate public disclosure. The channel IDs remain valid for monitoring if tokens are re-issued.
Starlink Routing During Iran Blackout
Check Point Research documented Handala campaign activity originating from Starlink IP ranges in January 2026, during Iran's nationwide internet disruption following the early Operation Epic Fury strikes. Iran had designated Starlink a regime threat and attempted to block it domestically. MOIS used it to maintain attack continuity when terrestrial infrastructure was severed. The group was observed probing externally facing applications for misconfigurations and weak credentials from Starlink ASN ranges during this period.
The Automation Layer: gramatikservicesapi.top
Active probing of the documented Vultr C2 block (64.176.168.0/21) identified an operational automation server that was not previously reported in public threat intelligence.
`gramatikservicesapi.top` (64.176.169.27, Vultr AS20473) runs n8n v1.61.0 — a self-hosted workflow automation platform — in a Docker + PostgreSQL stack. The server has been operational since September 9, 2024, auto-renewing Let's Encrypt certificates every 60–90 days without interruption. The most recent renewal was March 5, 2026 — six days before the Stryker operation.
Timeline correlation: Handala's @Handala_Hack account on X was banned August 21, 2024. This n8n instance came online 19 days later, on September 9, 2024.
The operational configuration exposed via the unauthenticated /rest/settings endpoint:
| Parameter | Value |
|---|---|
timezone | Asia/Jerusalem |
databaseType | postgresdb |
isDocker | true |
versionCli | 1.61.0 |
nodeJsVersion | 20.17.0 |
urlBaseWebhook | https://gramatikservicesapi.top/ |
saveDataErrorExecution | all |
saveDataSuccessExecution | all |
maxExecutionTimeout | 3600 (1 hour) |
The Asia/Jerusalem timezone matches Israeli Standard Time — consistent with a cell timing campaign automation to Israeli business hours. The saveDataSuccessExecution: all setting means every executed workflow, including exfiltrated data or sent messages, is logged to the PostgreSQL database.
OPSEC failure: Port 5678 (n8n admin interface) is directly accessible from the internet without authentication beyond the login wall. The /rest/settings endpoint returns the full server configuration — timezone, database type, webhook endpoints, instance ID, and telemetry keys — without requiring any credentials. This is the same class of misconfiguration documented in the GoPhish dispatch: operators configure tools correctly enough to function but leave configuration endpoints exposed.
The n8n API requires an X-N8N-API-KEY header for workflow and execution enumeration. Public registration is disabled (500 on /rest/register). The workflow content — and therefore the specific operations being automated — is not accessible without authentication.
Assessment: The timeline correlation (19 days after X ban), the Vultr co-location with documented Void Manticore C2 infrastructure, the Asia/Jerusalem timezone, the .top TLD (a consistent pattern in Iranian threat actor infrastructure), and the automation purpose (n8n is used for social media posting, webhook routing, Telegram bot management, and phishing campaign orchestration) collectively indicate this is Void Manticore's campaign automation backend. Confidence: medium-high (circumstantial; direct confirmation would require workflow access).
The Toolkit
BiBi Wiper (Flagship)
Named after Benjamin Netanyahu. Dual Windows/Linux variants. Corrupts files with random data and appends .BiBi or .bb[random] extensions. Preserves executables to keep processes running during destruction, maximizing the window before detection. Contains a conditional check hardcoded as if "Israel" != "Country" — author commentary embedded as a behavioral fingerprint in production code.
Hatef (Windows Wiper)
Internal name "Hatef" (هاتف) — Persian for "a voice from the unseen" or "oracle." Requires administrator privileges. Implements a singleton check: reads its own process name and kills duplicate instances. Overwrites files with 4,096-byte random data blocks and reports progress via Telegram.
The most operationally significant detail in the Hatef binary: it checks the machine hostname before executing. If the machine is named "HANDALA" — exactly — the wiper will not run. This is operator safety infrastructure to prevent accidental self-infection. It is also an immediately deployable defensive measure: any organization can name a canary or honeypot system "HANDALA" to detect and stall a Hatef infection before execution begins.
Hamsa (Linux Wiper)
Named for five Base64 encoding layers in the original sample. Implements a 30-minute initial delay (anti-sandbox). Detects Linux distribution (Red Hat/Ubuntu/Debian) to target appropriate system paths. Installs xfsprogs, wipe, and parted utilities. Deletes user accounts with UID above 999. Wipes system binaries (sparing reboot and rm for controlled shutdown). Repartitions non-root drives with XFS filesystem. Sends a completion report to the operator's Telegram channel before rebooting.
Handala Loader (Delphi Stage)
A Delphi-compiled second-stage loader that executes an obfuscated script ("Closest") to disable security software, then runs an AutoIt interpreter ("Naples.pif") that injects RC4 shellcode, decompresses it via LZNT1, and injects into dllhost.exe and Windows Media Player processes.
Karma Shell
A custom ASP.NET web shell using base64 + XOR-23 encryption for command obfuscation. Deployed post-initial-compromise on victim web servers as a persistent access mechanism.
The CrowdStrike-Lure Attack Chain
The July 2024 campaign analyzed by Trellix demonstrates the full infection chain. A phishing email carries a CrowdStrike-themed PDF lure. The PDF contains a download link to a ZIP hosted on Storj. Inside: an NSIS installer executing a batch script named "Carrol" that implements:
- AV detection: checks for Webroot, AVAST, AVG, Bitdefender, Norton, Sophos, Quick Heal; sleeps 3 minutes if detected
- Sandbox evasion: checks for C:\aaa_TouchMeNot_.txt (Windows Defender Emulator marker) and Kaspersky/Avast sandbox machine names
- String obfuscation: the copy command reconstructs strings by omitting the literal "locatedflatrendsoperating" from concatenated segments
- BYOVD: unsigned 32-bit driver ListOpenedFileDrv_32.sys (targeting XP/Vista/7) for privilege escalation
- Process injection: AutoIt interpreter injected via process hollowing into RegAsm.exe
- Execution guard: wiper checks for machine name containing "Gaza hackers Team Handala Machine" before executing
File destruction: 4,096-byte random data overwrites.
The Stryker Operation (March 11, 2026)
The Stryker attack represents a qualitative shift in Void Manticore's methodology. No traditional wiper malware was deployed. Instead:
1. Microsoft Intune MDM administrative credentials were compromised through prior access (assessed credential theft; Scarred Manticore handoff)
2. Legitimate Intune factory-reset commands were issued to all enrolled devices
3. 200,000+ devices across 79 countries were wiped using Microsoft's own tooling
4. Stryker's Entra login page was defaced with the Handala logo
5. Executive-targeted emails announced the operation
6. Two-factor authentication phones — personal devices enrolled in corporate MDM — were wiped alongside corporate assets
Claimed scope: 50TB exfiltrated prior to the wipe. Stryker's public statement acknowledged "no indication of ransomware or malware" — technically accurate, because the destruction was executed through a legitimate management platform, not a malware payload. Check Point Research assessed this as "the first time this Iranian-backed actor has disruptively targeted a major US enterprise."
Stated motivation: retaliation for the Israeli strike on the Minab school and "ongoing cyber assaults against the infrastructure of the Axis of Resistance." Handala framed Stryker as a "Zionist-rooted corporation" based on its 2019 acquisition of Israeli orthopedics firm OrthoSpace and its US Department of Defense contracts.
The Intune abuse technique bypasses endpoint detection and response tools that are looking for malware execution. There is no dropper, no shellcode, no suspicious process tree. The wipe command comes from a legitimate administrative platform with valid credentials. EDR tools observe expected administrative behavior until the reset command completes.
HPR INTELLIGENCE: The Broadcast Account
@HPRNEW ("HPR INTELLIGENCE") is a Handala announcement and amplification account on X, created in March 2026. The "new" suffix marks prior account action: Handala's original @Handala_Hack account was banned by X on August 21, 2024 for violating the platform's abusive behavior policy. A backup @Handala_Backup account was also established. HPR INTELLIGENCE is the continuation account for the current campaign cycle.
The name expands to "Handala People's Resistance Front of Truth-Seekers." The multilingual framing — the October 2025 manifesto was published in English, Hebrew, Arabic, Spanish, and Farsi — reflects a deliberate effort to project an international grassroots movement. On March 11, 2026, @HPRNEW posted "HELLO Stryker #HANDALA" within hours of the wiper deployment, linking to the Telegram announcement of the operation.
The Bangkok Blunder
This is the most significant open-source intelligence failure in the group's documented history.
On November 15, 2025, Handala published a propaganda post titled *"Smile for the Camera — Handala Is Watching"* claiming to have accessed "Shabak's airport security systems" — a reference to Shin Bet, Israel's internal security service, implying access to Ben Gurion International Airport.
Image analysis by Nariman Gharib and researchers at Iran Cyber News Agency matched the published ceiling photographs, immigration hall architecture, elevator bank layouts, and queue barrier systems to Suvarnabhumi Airport, Bangkok, Thailand — not Ben Gurion.
MOIS surveillance access to Suvarnabhumi is significant. The airport processed 62.2 million passengers in 2024 and serves as a major Asia-Europe-Middle East transit hub. The inadvertently confirmed capabilities include:
- AI-powered facial recognition systems
- License plate tracking infrastructure
- Integrated CCTV network access across a major international transit hub
- Thailand Immigration System (TIS) watchlist and blacklist query access
The mistake — being unable to distinguish Ben Gurion from Suvarnabhumi in their own propaganda materials — reveals that the cell operates across multiple airport surveillance environments simultaneously and does not maintain careful asset cataloguing. They published surveillance footage from the wrong country.
RedWanted
On March 1, 2026, Handala launched RedWanted via handala-hack.to — a bounty board listing Israeli defense engineers involved in missile defense systems. The site offers $30,000 USD for "valuable information" on listed targets and schedules weekly data releases on Saturdays. This represents a shift from purely state-directed operations toward crowdsourced intelligence collection against specific human targets.
Victim Profile
From ransomware.live tracking: 144 documented victims, first observed May 26, 2024, most recent March 11, 2026 (Stryker). Average gap between attack and public claim: 23.8 days. Geographic distribution: Israel (63 victims), United States (4), UK (2), UAE (2). Sector breakdown: Technology (23), Government (10), Energy (9), Healthcare (8), Manufacturing (5).
IOC Summary
Infrastructure
| Indicator | Type | Notes |
|---|---|---|
handala-hack.to | Leak site domain | Active; DDoS-Guard hosted; RedWanted bounty board |
handala.to | Redirect domain | FingerprintJS visitor profiling; currently redirects |
vmjfieomxhnfjba57sd6jjws2ogvowjgxhhfglsikqvvrnrajbmpxqqd.onion | Tor hidden service | Active; NGINX |
64.176.169.22 | C2 IP | Vultr, documented Void Manticore C2 |
64.176.172.235 | C2 IP | Vultr, documented Void Manticore C2 |
64.176.172.165 | C2 IP | Vultr, documented Void Manticore C2 |
64.176.173.77 | C2 IP | Vultr, documented Void Manticore C2 |
64.176.172.101 | C2 IP | Vultr, documented Void Manticore C2 |
31.192.237.207:2515 | C2 IP:port | Chelyabinsk, Russia; Operation HamsaUpdate |
handala-bucket | AWS S3 bucket | Exfiltration staging; identified in senvarservice-DC.exe |
7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc | Telegram bot token | Burned; Trellix campaign wiper C2 |
7436061126 | Telegram channel ID | Burned; Trellix campaign wiper reporting |
6428401585:AAGE6SbwtVJxOpLjdMcrL45gb18H9UV7tQA | Telegram bot token | Burned; HamsaUpdate wiper C2 |
6932028002 | Telegram channel ID | Burned; HamsaUpdate wiper reporting |
@HPRNEW | X/Twitter handle | HPR INTELLIGENCE; Handala announcement account |
gramatikservicesapi.top | Automation server | n8n v1.61.0; 64.176.169.27; Vultr AS20473; Asia/Jerusalem TZ; active since Sep 9 2024 |
3d8869443494a76e14cc3d430f43310d203b30947a0ce06f004c438441e349a1 | n8n instance ID | gramatikservicesapi.top automation server fingerprint |
Malware Hashes
| Hash | Type | Sample |
|---|---|---|
e28085e8d64bb737721b1a1d494f177e571c47aab7c9507dba38253f6183af35 | SHA256 | Hatef wiper (Windows) |
454e6d3782f23455875a5db64e1a8cd8eb743400d8c6dadb1cd8fd2ffc2f9567 | SHA256 | Handala Delphi loader |
fe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2 | SHA256 | F5UPDATER.exe loader (HamsaUpdate) |
96dec6e07229201a02f538310815c695cf6147c548ff1c6a0def2fe38f3dcbc8 | SHA256 | update.zip (CrowdStrike lure campaign) |
2a5dd680c05b43d72365e8beb7e40088 | MD5 | Wiper (Trellix campaign) |
fca0910949d92dc3dd3dfcf0fb3d0408 | MD5 | AutoIT script (Trellix campaign) |
755c0350038daefb29b888b6f8739e81 | MD5 | CrowdStrike.exe NSIS installer |
da663d3ea0c818a60292e5239ef23dae | MD5 | ListOpenedFileDrv_32.sys (BYOVD driver) |
D0C03D40772CD468325BBC522402F7B737F18B8F37A89BACC5C8A00C2B87BFC6 | SHA256 | Void Manticore wiper (Check Point) |
DEEAF85B2725289D5F262B4F60DDA0C68AE42D8D46D0DC19B9253B451AEA25A | SHA256 | Void Manticore wiper (Check Point) |
Attribution
| Name | Role | Identifiers |
|---|---|---|
| Seyed Yahya Hosseini Panjaki | MOIS Deputy Director, Domestic Security | DOB 1975-01-23, Karaj; PhD Azad U. Tabriz; FBI Wanted; US/EU/UK sanctioned |
| Ali Bermoudeh | Handala Telegram channel admin | NID 1362398276; DOB ~1998; Tabriz; FATA background |
| Morteza Aftabifar | MOIS handler (Bermoudeh's officer) | NID 1680072404; Tabriz |
Detection Artifacts
| Indicator | Type | Notes |
|---|---|---|
Machine named HANDALA | Hostname check | Hatef wiper will not execute; use as honeypot canary |
Machine named containing Gaza hackers Team Handala Machine | Hostname check | CrowdStrike-lure wiper execution guard |
.BiBi file extension | File artifact | BiBi wiper corruption marker |
.bb[random] file extension | File artifact | BiBi wiper corruption marker (variant) |
RECOVER_YOUR_DATA table in MySQL | DB artifact | (shared pattern with other Iranian actors) |
Karma shell (base64+XOR-23) | Web shell | Post-compromise persistence on web servers |
C:\aaa_TouchMeNot_.txt | Sandbox check | Wiper checks for WD Emulator marker before executing |