← Dispatches

TLP:CLEAR · 2026-03-11

The Boy With His Back Turned: Exposing Handala, Its MOIS Handlers, and the Bangkok Footage They Thought Was Tel Aviv

Handala is not a hacktivist group. It is a MOIS operational cluster — Void Manticore — running rotating personas under a refugee cartoon's name. Its parent in the Ministry of Intelligence's Domestic Security Directorate is FBI-wanted, EU-sanctioned, and personally directed an attack against Iranian journalists as revenge for his Treasury designation. The cell's channel admin is a 27-year-old from Tabriz who has used his own birthdate as a password across his accounts. Their flagship wiper will not execute on machines named "HANDALA" — operator safety infrastructure embedded in production malware. And when they tried to intimidate Israel with evidence of airport surveillance access, they accidentally published ceiling photographs from Suvarnabhumi Airport, Bangkok. Here is the full picture: operators, infrastructure, tooling, and every OPSEC failure the open record contains.

The Symbol

Handala is a cartoon: a 10-year-old Palestinian refugee drawn by Naji al-Ali, always seen from behind, arms clasped, never facing the viewer. Al-Ali said the boy would turn around when Palestinians returned home. He has been facing away since 1969. The Iranian Ministry of Intelligence chose this symbol to brand a state wiper cell. The choice is deliberate — righteous grievance, perpetual resistance, anonymity as identity.

The symbol is borrowed. The operations are MOIS.

The State Structure

The intelligence community designation is Void Manticore. Microsoft tracks the same cluster as Storm-0842. CrowdStrike calls it Banished Kitten. Sophos uses COBALT MYSTIQUE. Recorded Future has it as Dune. These names refer to the same entity: a destructive operations unit within Iran's Ministry of Intelligence and Security (MOIS), operating under the Domestic Security Directorate.

Void Manticore does not operate alone. It operates in sequence with Scarred Manticore — a separate MOIS intelligence collection unit that maintains long-term access to target networks, sometimes for 12 months or longer. When destruction is authorized, Scarred Manticore hands Domain Admin credentials to Void Manticore. Void Manticore deploys wipers. The model was documented by Check Point Research in both the 2022 Albania operations (Homeland Justice persona) and the 2023–2024 Israel operations (Karma/Handala personas). The Stryker operation on March 11, 2026 follows the same template.

Void Manticore runs three primary operational personas:

PersonaPrimary TargetPeriod
Homeland JusticeAlbania (government systems)July 2022–present
Karma / KarmaBelow80Israel (destructive wipers)2023–2024
Handala / Handala Hack TeamIsrael + US (hack-leak-wipe)December 2023–present
HPR / HPR IntelligenceAnnouncement and amplification2025–present

The Director

Seyed Yahya Hosseini Panjaki (aliases: Seyed Yahya Hamidi) holds the title of Deputy Director for Domestic Security within MOIS and heads its "Martyr Soleimani" unit. He was born January 23, 1975 in Karaj, holds a PhD in Political Science from Azad University of Tabriz, and is listed on the FBI's Most Wanted for Terrorism. He is designated by the US Treasury under Executive Order 13553, sanctioned by the EU, and sanctioned by the UK.

He is not a background figure. Iran International reporting from August 2025, sourced to journalist Nariman Gharib, established that Panjaki personally directed the July 2025 operation against Iran International journalists — including the exfiltration and publication of their passports, driver's licenses, and intimate content — as personal revenge following his Treasury designation earlier that year. The Tabriz connection runs through the cell: Panjaki was educated there; the two identified subordinate operators both live there.

The Operators

Ali Bermoudeh

National ID: 1362398276. Age 27 as of 2025. Tabriz, Iran. Channel administrator for the Handala Telegram infrastructure. His online retail business — a storefront on Iranian e-commerce platforms — provides surface-level civilian cover. He began working with Iran's Cyber Police (FATA) at approximately age 16, making his introduction to state-directed cyber operations a teenage recruitment.

His father, Mousa Bermoudeh, holds a provincial government position within the Foundation of Martyrs and Veterans Affairs and is a decorated IRGC-Basij member. This is the family connection that enabled recruitment into the MOIS orbit.

The critical OPSEC failure: his passwords consist of his birthdate — "1377629" — across multiple accounts. The number encodes year 1377 in the Iranian calendar (approximately 1998), combined with date digits. Nariman Gharib's investigation confirmed this credential pattern across the accounts used to administer Handala channels. A state-sponsored operative running nation-state operations with a date-of-birth password.

Morteza Aftabifar

National ID: 1680072404. Tabriz, Iran. Aftabifar is Bermoudeh's handler within the Ministry of Intelligence — the MOIS officer managing the relationship between the channel administrator and the directorate. Both men are in Tabriz, under Panjaki's directorate. This is a contained provincial cell.

The Infrastructure

Leak Sites

DomainStatusNotes
handala.toActive redirect loopTrellian parking; TLS cert renewed March 9, 2026; FingerprintJS profiling with tr_uuid + fp= parameters
handala-hack.toActiveDDoS-Guard (185.178.208.137, Rostov-na-Donu, Russia); active geoblocking; primary clearnet leak site and RedWanted bounty board
vmjfieomxhnfjba57sd6jjws2ogvowjgxhhfglsikqvvrnrajbmpxqqd.onionActiveTor hidden service, NGINX

The handala.to redirect behavior is not a simple forward. The site implements a 300-millisecond delay via FingerprintJS browser fingerprinting before redirecting visitors. Every browser that accesses the site has its fingerprint collected and appended as a fp= parameter to the outbound redirect URL. Failed fingerprinting attempts return error codes fp=-7 and fp=-3. This is active counterintelligence infrastructure: Handala is profiling who visits their site. Researchers, security vendors, government analysts, and journalists checking their leak site are generating fingerprints that the operators can observe. The redirect destination and collection mechanism provide operational visibility into their audience.

Certificate Transparency Timeline

CT log queries on *.handala-hack.to establish the infrastructure timeline precisely:

EventDate
handala-hack.to first certificate issuedJuly 24, 2024
Most recent certificate renewalFebruary 26, 2026
Current certificate validityThrough May 27, 2026

The domain was provisioned in mid-2024, maintained through the February 2026 period immediately preceding the Operation Epic Fury strikes, and renewed 2 days before the airstrikes began. Issuers across the cert history include Let's Encrypt, Sectigo, and others. A wildcard certificate *.handala.to is active, indicating subdomain infrastructure beyond what is publicly enumerated.

C2 and Staging Infrastructure

IndicatorTypeNotes
64.176.169.22Void Manticore C2Vultr AS20473; SSH only; active
64.176.172.235Void Manticore C2Vultr AS20473; HTTPS serving Check Point ZTA cert
64.176.172.165Void Manticore C2Vultr AS20473
64.176.173.77Void Manticore C2Vultr AS20473
64.176.172.101Void Manticore C2Vultr AS20473; HTTPS+SSH; serving Cloudways
31.192.237.207Operation HamsaUpdate C2ilyarolevik1.pserver.space; Chelyabinsk-Signal LLC; SSH active; port 2515 closed (dormant)
64.176.168.0/21Vultr blockFull CIDR containing documented C2 nodes and automation infrastructure
gramatikservicesapi.topAutomation server64.176.169.27; Vultr AS20473; n8n v1.61.0; active since Sep 9 2024

C2 communications use SSH reverse SOCKS proxy tunneling via OpenSSH on port 443 with keepalive intervals forwarding to ports 1080/1090 — legitimate-looking traffic on a port that passes most firewall inspection.

Exfiltration Infrastructure

IndicatorTypeNotes
handala-bucketAWS S3 bucket nameIdentified in senvarservice-DC.exe by OP Innovate
link[.]storjshare[.]io/s/jwyite7mez2ilyvm2esxw2jq3apq/crowdstrikeisrael/update.zipStorj staging URLCrowdStrike-lure campaign payload
link[.]storjshare[.]io/s/jvktcsf5ypoak5aucs6fn6noqgga/crowdstrikesupport/update.zipStorj staging URLCrowdStrike-lure campaign payload (variant)
sjc1.vultrobjects[.]com/f5update/update[.]shVultr Object StorageOperation HamsaUpdate Linux payload

Telegram C2 Credentials (Burned)

Handala wiper malware contains hardcoded Telegram bot API credentials that route victim telemetry — IP address, hostname, timestamp, and file deletion progress — directly to operator-controlled channels. The following credentials have been extracted from analyzed samples and are now burned:

CredentialValueCampaign
Bot API token7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHcTrellix-analyzed campaign
Channel ID7436061126Trellix-analyzed campaign
Bot API token6428401585:AAGE6SbwtVJxOpLjdMcrL45gb18H9UV7tQAIntezer HamsaUpdate campaign
Channel ID6932028002Intezer HamsaUpdate campaign

Hardcoding operator Telegram credentials in production malware is a recurring failure across the Iranian hacktivist ecosystem. These tokens, once extracted from samples, give researchers direct access to the bot API — including the ability to query message history and subscriber counts — until the tokens are rotated. Live verification on March 11, 2026 confirmed both tokens return HTTP 401 Unauthorized — Handala rotated credentials following the OP Innovate public disclosure. The channel IDs remain valid for monitoring if tokens are re-issued.

Starlink Routing During Iran Blackout

Check Point Research documented Handala campaign activity originating from Starlink IP ranges in January 2026, during Iran's nationwide internet disruption following the early Operation Epic Fury strikes. Iran had designated Starlink a regime threat and attempted to block it domestically. MOIS used it to maintain attack continuity when terrestrial infrastructure was severed. The group was observed probing externally facing applications for misconfigurations and weak credentials from Starlink ASN ranges during this period.

The Automation Layer: gramatikservicesapi.top

Active probing of the documented Vultr C2 block (64.176.168.0/21) identified an operational automation server that was not previously reported in public threat intelligence.

`gramatikservicesapi.top` (64.176.169.27, Vultr AS20473) runs n8n v1.61.0 — a self-hosted workflow automation platform — in a Docker + PostgreSQL stack. The server has been operational since September 9, 2024, auto-renewing Let's Encrypt certificates every 60–90 days without interruption. The most recent renewal was March 5, 2026 — six days before the Stryker operation.

Timeline correlation: Handala's @Handala_Hack account on X was banned August 21, 2024. This n8n instance came online 19 days later, on September 9, 2024.

The operational configuration exposed via the unauthenticated /rest/settings endpoint:

ParameterValue
timezoneAsia/Jerusalem
databaseTypepostgresdb
isDockertrue
versionCli1.61.0
nodeJsVersion20.17.0
urlBaseWebhookhttps://gramatikservicesapi.top/
saveDataErrorExecutionall
saveDataSuccessExecutionall
maxExecutionTimeout3600 (1 hour)

The Asia/Jerusalem timezone matches Israeli Standard Time — consistent with a cell timing campaign automation to Israeli business hours. The saveDataSuccessExecution: all setting means every executed workflow, including exfiltrated data or sent messages, is logged to the PostgreSQL database.

OPSEC failure: Port 5678 (n8n admin interface) is directly accessible from the internet without authentication beyond the login wall. The /rest/settings endpoint returns the full server configuration — timezone, database type, webhook endpoints, instance ID, and telemetry keys — without requiring any credentials. This is the same class of misconfiguration documented in the GoPhish dispatch: operators configure tools correctly enough to function but leave configuration endpoints exposed.

The n8n API requires an X-N8N-API-KEY header for workflow and execution enumeration. Public registration is disabled (500 on /rest/register). The workflow content — and therefore the specific operations being automated — is not accessible without authentication.

Assessment: The timeline correlation (19 days after X ban), the Vultr co-location with documented Void Manticore C2 infrastructure, the Asia/Jerusalem timezone, the .top TLD (a consistent pattern in Iranian threat actor infrastructure), and the automation purpose (n8n is used for social media posting, webhook routing, Telegram bot management, and phishing campaign orchestration) collectively indicate this is Void Manticore's campaign automation backend. Confidence: medium-high (circumstantial; direct confirmation would require workflow access).

The Toolkit

BiBi Wiper (Flagship)

Named after Benjamin Netanyahu. Dual Windows/Linux variants. Corrupts files with random data and appends .BiBi or .bb[random] extensions. Preserves executables to keep processes running during destruction, maximizing the window before detection. Contains a conditional check hardcoded as if "Israel" != "Country" — author commentary embedded as a behavioral fingerprint in production code.

Hatef (Windows Wiper)

Internal name "Hatef" (هاتف) — Persian for "a voice from the unseen" or "oracle." Requires administrator privileges. Implements a singleton check: reads its own process name and kills duplicate instances. Overwrites files with 4,096-byte random data blocks and reports progress via Telegram.

The most operationally significant detail in the Hatef binary: it checks the machine hostname before executing. If the machine is named "HANDALA" — exactly — the wiper will not run. This is operator safety infrastructure to prevent accidental self-infection. It is also an immediately deployable defensive measure: any organization can name a canary or honeypot system "HANDALA" to detect and stall a Hatef infection before execution begins.

Hamsa (Linux Wiper)

Named for five Base64 encoding layers in the original sample. Implements a 30-minute initial delay (anti-sandbox). Detects Linux distribution (Red Hat/Ubuntu/Debian) to target appropriate system paths. Installs xfsprogs, wipe, and parted utilities. Deletes user accounts with UID above 999. Wipes system binaries (sparing reboot and rm for controlled shutdown). Repartitions non-root drives with XFS filesystem. Sends a completion report to the operator's Telegram channel before rebooting.

Handala Loader (Delphi Stage)

A Delphi-compiled second-stage loader that executes an obfuscated script ("Closest") to disable security software, then runs an AutoIt interpreter ("Naples.pif") that injects RC4 shellcode, decompresses it via LZNT1, and injects into dllhost.exe and Windows Media Player processes.

Karma Shell

A custom ASP.NET web shell using base64 + XOR-23 encryption for command obfuscation. Deployed post-initial-compromise on victim web servers as a persistent access mechanism.

The CrowdStrike-Lure Attack Chain

The July 2024 campaign analyzed by Trellix demonstrates the full infection chain. A phishing email carries a CrowdStrike-themed PDF lure. The PDF contains a download link to a ZIP hosted on Storj. Inside: an NSIS installer executing a batch script named "Carrol" that implements:

- AV detection: checks for Webroot, AVAST, AVG, Bitdefender, Norton, Sophos, Quick Heal; sleeps 3 minutes if detected

- Sandbox evasion: checks for C:\aaa_TouchMeNot_.txt (Windows Defender Emulator marker) and Kaspersky/Avast sandbox machine names

- String obfuscation: the copy command reconstructs strings by omitting the literal "locatedflatrendsoperating" from concatenated segments

- BYOVD: unsigned 32-bit driver ListOpenedFileDrv_32.sys (targeting XP/Vista/7) for privilege escalation

- Process injection: AutoIt interpreter injected via process hollowing into RegAsm.exe

- Execution guard: wiper checks for machine name containing "Gaza hackers Team Handala Machine" before executing

File destruction: 4,096-byte random data overwrites.

The Stryker Operation (March 11, 2026)

The Stryker attack represents a qualitative shift in Void Manticore's methodology. No traditional wiper malware was deployed. Instead:

1. Microsoft Intune MDM administrative credentials were compromised through prior access (assessed credential theft; Scarred Manticore handoff)

2. Legitimate Intune factory-reset commands were issued to all enrolled devices

3. 200,000+ devices across 79 countries were wiped using Microsoft's own tooling

4. Stryker's Entra login page was defaced with the Handala logo

5. Executive-targeted emails announced the operation

6. Two-factor authentication phones — personal devices enrolled in corporate MDM — were wiped alongside corporate assets

Claimed scope: 50TB exfiltrated prior to the wipe. Stryker's public statement acknowledged "no indication of ransomware or malware" — technically accurate, because the destruction was executed through a legitimate management platform, not a malware payload. Check Point Research assessed this as "the first time this Iranian-backed actor has disruptively targeted a major US enterprise."

Stated motivation: retaliation for the Israeli strike on the Minab school and "ongoing cyber assaults against the infrastructure of the Axis of Resistance." Handala framed Stryker as a "Zionist-rooted corporation" based on its 2019 acquisition of Israeli orthopedics firm OrthoSpace and its US Department of Defense contracts.

The Intune abuse technique bypasses endpoint detection and response tools that are looking for malware execution. There is no dropper, no shellcode, no suspicious process tree. The wipe command comes from a legitimate administrative platform with valid credentials. EDR tools observe expected administrative behavior until the reset command completes.

HPR INTELLIGENCE: The Broadcast Account

@HPRNEW ("HPR INTELLIGENCE") is a Handala announcement and amplification account on X, created in March 2026. The "new" suffix marks prior account action: Handala's original @Handala_Hack account was banned by X on August 21, 2024 for violating the platform's abusive behavior policy. A backup @Handala_Backup account was also established. HPR INTELLIGENCE is the continuation account for the current campaign cycle.

The name expands to "Handala People's Resistance Front of Truth-Seekers." The multilingual framing — the October 2025 manifesto was published in English, Hebrew, Arabic, Spanish, and Farsi — reflects a deliberate effort to project an international grassroots movement. On March 11, 2026, @HPRNEW posted "HELLO Stryker #HANDALA" within hours of the wiper deployment, linking to the Telegram announcement of the operation.

The Bangkok Blunder

This is the most significant open-source intelligence failure in the group's documented history.

On November 15, 2025, Handala published a propaganda post titled *"Smile for the Camera — Handala Is Watching"* claiming to have accessed "Shabak's airport security systems" — a reference to Shin Bet, Israel's internal security service, implying access to Ben Gurion International Airport.

Image analysis by Nariman Gharib and researchers at Iran Cyber News Agency matched the published ceiling photographs, immigration hall architecture, elevator bank layouts, and queue barrier systems to Suvarnabhumi Airport, Bangkok, Thailand — not Ben Gurion.

MOIS surveillance access to Suvarnabhumi is significant. The airport processed 62.2 million passengers in 2024 and serves as a major Asia-Europe-Middle East transit hub. The inadvertently confirmed capabilities include:

- AI-powered facial recognition systems

- License plate tracking infrastructure

- Integrated CCTV network access across a major international transit hub

- Thailand Immigration System (TIS) watchlist and blacklist query access

The mistake — being unable to distinguish Ben Gurion from Suvarnabhumi in their own propaganda materials — reveals that the cell operates across multiple airport surveillance environments simultaneously and does not maintain careful asset cataloguing. They published surveillance footage from the wrong country.

RedWanted

On March 1, 2026, Handala launched RedWanted via handala-hack.to — a bounty board listing Israeli defense engineers involved in missile defense systems. The site offers $30,000 USD for "valuable information" on listed targets and schedules weekly data releases on Saturdays. This represents a shift from purely state-directed operations toward crowdsourced intelligence collection against specific human targets.

Victim Profile

From ransomware.live tracking: 144 documented victims, first observed May 26, 2024, most recent March 11, 2026 (Stryker). Average gap between attack and public claim: 23.8 days. Geographic distribution: Israel (63 victims), United States (4), UK (2), UAE (2). Sector breakdown: Technology (23), Government (10), Energy (9), Healthcare (8), Manufacturing (5).

IOC Summary

Infrastructure

IndicatorTypeNotes
handala-hack.toLeak site domainActive; DDoS-Guard hosted; RedWanted bounty board
handala.toRedirect domainFingerprintJS visitor profiling; currently redirects
vmjfieomxhnfjba57sd6jjws2ogvowjgxhhfglsikqvvrnrajbmpxqqd.onionTor hidden serviceActive; NGINX
64.176.169.22C2 IPVultr, documented Void Manticore C2
64.176.172.235C2 IPVultr, documented Void Manticore C2
64.176.172.165C2 IPVultr, documented Void Manticore C2
64.176.173.77C2 IPVultr, documented Void Manticore C2
64.176.172.101C2 IPVultr, documented Void Manticore C2
31.192.237.207:2515C2 IP:portChelyabinsk, Russia; Operation HamsaUpdate
handala-bucketAWS S3 bucketExfiltration staging; identified in senvarservice-DC.exe
7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHcTelegram bot tokenBurned; Trellix campaign wiper C2
7436061126Telegram channel IDBurned; Trellix campaign wiper reporting
6428401585:AAGE6SbwtVJxOpLjdMcrL45gb18H9UV7tQATelegram bot tokenBurned; HamsaUpdate wiper C2
6932028002Telegram channel IDBurned; HamsaUpdate wiper reporting
@HPRNEWX/Twitter handleHPR INTELLIGENCE; Handala announcement account
gramatikservicesapi.topAutomation servern8n v1.61.0; 64.176.169.27; Vultr AS20473; Asia/Jerusalem TZ; active since Sep 9 2024
3d8869443494a76e14cc3d430f43310d203b30947a0ce06f004c438441e349a1n8n instance IDgramatikservicesapi.top automation server fingerprint

Malware Hashes

HashTypeSample
e28085e8d64bb737721b1a1d494f177e571c47aab7c9507dba38253f6183af35SHA256Hatef wiper (Windows)
454e6d3782f23455875a5db64e1a8cd8eb743400d8c6dadb1cd8fd2ffc2f9567SHA256Handala Delphi loader
fe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2SHA256F5UPDATER.exe loader (HamsaUpdate)
96dec6e07229201a02f538310815c695cf6147c548ff1c6a0def2fe38f3dcbc8SHA256update.zip (CrowdStrike lure campaign)
2a5dd680c05b43d72365e8beb7e40088MD5Wiper (Trellix campaign)
fca0910949d92dc3dd3dfcf0fb3d0408MD5AutoIT script (Trellix campaign)
755c0350038daefb29b888b6f8739e81MD5CrowdStrike.exe NSIS installer
da663d3ea0c818a60292e5239ef23daeMD5ListOpenedFileDrv_32.sys (BYOVD driver)
D0C03D40772CD468325BBC522402F7B737F18B8F37A89BACC5C8A00C2B87BFC6SHA256Void Manticore wiper (Check Point)
DEEAF85B2725289D5F262B4F60DDA0C68AE42D8D46D0DC19B9253B451AEA25ASHA256Void Manticore wiper (Check Point)

Attribution

NameRoleIdentifiers
Seyed Yahya Hosseini PanjakiMOIS Deputy Director, Domestic SecurityDOB 1975-01-23, Karaj; PhD Azad U. Tabriz; FBI Wanted; US/EU/UK sanctioned
Ali BermoudehHandala Telegram channel adminNID 1362398276; DOB ~1998; Tabriz; FATA background
Morteza AftabifarMOIS handler (Bermoudeh's officer)NID 1680072404; Tabriz

Detection Artifacts

IndicatorTypeNotes
Machine named HANDALAHostname checkHatef wiper will not execute; use as honeypot canary
Machine named containing Gaza hackers Team Handala MachineHostname checkCrowdStrike-lure wiper execution guard
.BiBi file extensionFile artifactBiBi wiper corruption marker
.bb[random] file extensionFile artifactBiBi wiper corruption marker (variant)
RECOVER_YOUR_DATA table in MySQLDB artifact(shared pattern with other Iranian actors)
Karma shell (base64+XOR-23)Web shellPost-compromise persistence on web servers
C:\aaa_TouchMeNot_.txtSandbox checkWiper checks for WD Emulator marker before executing

Intercept Cell Research is a Cipher Cortex research program. Hooked Scams is a scam investigation series from Intercept Cell Research.