FBI Seizes Handala Domains After Stryker Wiper Attack: Anatomy of an MOIS Cyber Operation
On March 19, 2026, the FBI seized four domains belonging to Handala, the Iranian hacktivist group responsible for wiping approximately 200,000 devices at medical technology giant Stryker just eight days earlier [1][4]. The seized domains: handala-hack.to, handala-redwanted.to, justicehomeland.org, and karmabelow80.org [2]. Their nameservers were redirected to ns1.fbi.seized.gov and ns2.fbi.seized.gov [4]. Within hours, Handala posted on Telegram that new infrastructure was being built. The replacement domain they announced? It redirected straight back to the FBI seizure notice [2].
The Department of Justice tied the seizures directly to Iran's Ministry of Intelligence and Security (MOIS), stating the domains were used for "hacking, psychological operations, and transnational repression" [2]. The FBI's investigation also revealed the group used Handala_Team@outlook.com to send death threats to Iranian dissidents [3], indicating state-directed operations beyond typical hacktivist activity.
Who Is Handala
Handala first appeared in December 2023 [4]. Check Point Research tracks the group as Void Manticore, linking it to MOIS's Internal Security Deputy, specifically its Counter-Terrorism Division [5]. Microsoft tracks overlapping activity as Red Sandstorm, while CrowdStrike uses Banished Kitten [7].
The group operates multiple personas simultaneously: Handala Hack, Karma, and Homeland Justice [5][7]. Each persona targets different victim sets but shares infrastructure, tooling, and tradecraft. The seized domains were associated with these personas: handala-hack.to and handala-redwanted.to for the Handala identity, justicehomeland.org for Homeland Justice, and karmabelow80.org for Karma [2].
Handala has declared its allegiance explicitly. Per the DoJ filing: "We the Handala Hack team, the loyal followers of the supreme leader Ali Hosseini Khamenei, declare war on all the enemies of Islam in the West" [3]. The group posted names and personally identifiable information of approximately 190 individuals associated with the Israeli Defense Forces [3]. Seyed Yahya Hosseini Panjaki, who reportedly supervised the group, was killed in March 2026 [5].
The Stryker Attack: Weaponizing Microsoft Intune
The Stryker attack on March 11, 2026 was the first confirmed major cyber disruption of a U.S. corporation since joint U.S.-Israeli military strikes on Iran began in late February 2026. Stryker, a $25 billion medical technology company, was targeted because of its 2019 acquisition of Israeli company OrthoSpace [8].
The attackers compromised a Windows domain administrator account and created a new Global Administrator account [4]. With that access, they took over Stryker's Microsoft Intune dashboards, the cloud-based mobile device management (MDM) platform that controls endpoint configuration across the enterprise [1].
Then they issued authenticated mass remote wipe commands [12]. Approximately 200,000 devices were wiped [4]. The attack disrupted order processing, manufacturing, and shipping, including custom patient implants [2].
This technique is significant. Palo Alto's Unit 42 noted that in recent wiper incidents, "threat actors operating under the Void Manticore (Handala) persona did not deploy a novel wiper or traditional compiled malware" [6]. They used the legitimate remote-wipe capability built into Intune itself. The enterprise admin tool became the weapon. Unit 42 observed this approach affected over 200,000 devices globally across multiple incidents [6].
The Destructive Toolkit
When Handala does deploy custom malware, the destructive phase runs four separate wiping techniques simultaneously [7]. The toolkit includes:
- Handala Wiper (handala.exe): Custom destructive malware with MBR-wiping capabilities, distributed via Group Policy logon scripts through handala.bat [5][7]
- BiBi Wiper: Cross-platform wiper targeting both Windows and Linux [6]
- Hatef Wiper: .NET-based wiper for Windows environments [6]
- Hamsa Wiper: Bash-based wiper for Linux systems [6]
A particularly brazen touch: the wiper deployed against Stryker masqueraded as a CrowdStrike update, using the filename CrowdStrike.bin [9]. A deobfuscated version was found on GitHub at MrDomainAdmin/handalas-wiper-emulation [9].
The group's tradecraft has shifted from custom-compiled malware toward living-off-the-land (LotL) techniques [6]. PowerShell is used extensively for data collection and staging [11]. New additions to the toolset include the NetBird networking tool and AI-assisted PowerShell scripts [7]. Initial access and lateral movement rely on RDP and exploitation of highly privileged identities with cloud-based management console access [6][7].
Seized Infrastructure vs. Announced Replacement
The FBI seizure targeted the group's public-facing infrastructure, specifically the sites used to claim credit for attacks and leak stolen data [3].
Seized Domains (March 19, 2026):
| Domain | Purpose | Status |
|---|---|---|
| handala-hack.to | Primary Handala leak site | Seized, redirected to FBI notice [2] |
| handala-redwanted.to | Handala data publication | Seized, redirected to FBI notice [2] |
| justicehomeland.org | Homeland Justice persona | Seized [2] |
| karmabelow80.org | Karma persona | Seized [2] |
Handala's X (formerly Twitter) account was also suspended following the seizures [1].
The group responded on Telegram, acknowledging the situation: "In light of recent events and the need to establish secure and resilient infrastructure, we inform you that building a new digital base is a complex and time-consuming process" [2]. The replacement domain they pointed to simply redirected back to the FBI seizure banner [2]. That failure suggests the seizure caught them off guard more than previous disruptions had.
Operational Infrastructure
Beyond the public-facing leak sites, Handala's C2 infrastructure has been partially mapped through multiple research efforts. Check Point published campaign-level C2 indicators, and independent researchers documented the group's connection patterns [10].
The group routes operations through commercial VPN nodes and, during Iran's internet blackout, switched to Starlink IP ranges to maintain connectivity [5][8]. Check Point Research observed campaigns originating from Starlink addresses during these periods [8].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Domain | handala-hack.to | FBI-seized Handala leak site | [2] |
| Domain | handala-redwanted.to | FBI-seized Handala data publication site | [2] |
| Domain | justicehomeland.org | FBI-seized Homeland Justice persona site | [2] |
| Domain | karmabelow80.org | FBI-seized Karma persona site | [2] |
| IP | 82.25.35.25 | C2 infrastructure | [5] |
| IP | 31.57.35.223 | C2 infrastructure | [5] |
| IP | 146.185.219.235 | C2 infrastructure | [5] |
| IP Range | 169.150.227.0/24 | Commercial VPN egress | [10] |
| IP Range | 149.88.26.0/24 | Commercial VPN egress | [10] |
| IP Range | 188.92.255.0/24 | Starlink connections | [10] |
| IP Range | 209.198.131.0/24 | Starlink connections | [10] |
| Filename | handala.exe | Custom wiper executable | [5] |
| Filename | handala.bat | GPO logon script for wiper distribution | [5] |
| Filename | CrowdStrike.bin | Wiper masquerading as CrowdStrike update | [9] |
| Malware | Handala Wiper | MBR-wiping destructive malware | [5] |
| Malware | BiBi Wiper | Cross-platform wiper (Windows/Linux) | [6] |
| Malware | Hatef Wiper | .NET-based Windows wiper | [6] |
| Malware | Hamsa Wiper | Bash-based Linux wiper | [6] |
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T1078 | Valid Accounts | Compromised domain admin and created new Global Admin [4] |
| T1021.001 | Remote Desktop Protocol | Used for lateral movement [7] |
| T1059.001 | PowerShell | Data collection, staging, AI-assisted scripts [7][11] |
| T1059.003 | Windows Command Shell | handala.bat execution via GPO [7] |
| T1484 | Domain Policy Modification | Group Policy logon scripts to distribute wiper [7] |
| T1036 | Masquerading | Wiper disguised as CrowdStrike.bin [9] |
| T1485 | Data Destruction | Mass device wiping via Intune and custom wipers [4][6] |
| T1561.002 | Disk Structure Wipe | MBR-wiping capabilities in Handala Wiper [5] |
| T1005 | Data from Local System | Pre-wipe data collection [11] |
| T1090 | Proxy | Commercial VPN and Starlink for operational routing [5][10] |
| T1585 | Establish Accounts | Persona management across Handala, Karma, Homeland Justice [5] |
Detection and Hunting
Intune Abuse Detection: The most critical detection gap exposed by the Stryker attack is monitoring for mass remote wipe commands through MDM platforms. Security teams should alert on:
- Bulk device wipe commands in Microsoft Intune audit logs, particularly outside maintenance windows
- New Global Administrator account creation in Azure AD/Entra ID, especially when preceded by domain admin activity
- Intune compliance policy changes that affect large device populations
Network-Based Hunting:
- Query firewall and proxy logs for connections to the documented C2 IPs: 82.25.35.25, 31.57.35.223, 146.185.219.235 [5]
- Monitor for connections from Starlink IP ranges (188.92.255.0/24, 209.198.131.0/24) to administrative interfaces, particularly during geopolitical escalations [10]
- Flag traffic from commercial VPN ranges 169.150.227.0/24 and 149.88.26.0/24 hitting management consoles [10]
Endpoint Detection:
- Hunt for handala.exe, handala.bat, and CrowdStrike.bin across file creation logs [5][9]
- Monitor Group Policy Object modifications that add logon scripts, especially batch files that execute unknown binaries [7]
- Alert on NetBird networking tool installations in environments where it isn't sanctioned [7]
SIEM Query Example (Splunk):
index=azure sourcetype="AzureAD:AuditLog" Operation="Add member to role" RoleName="Global Administrator"
| where NOT match(UserPrincipalName, "expected_admin_pattern")
Analysis
The FBI seizure neutralized Handala's public propaganda and data-leak infrastructure but did not touch the group's offensive capability. The Stryker attack was already complete. The stolen data had already been exfiltrated. The wipers had already run. Domain seizures target the "claim credit" phase of the kill chain, not the intrusion itself.
Handala's admission that rebuilding is "a complex and time-consuming process" [2], combined with the failed replacement domain, suggests these seizures caused more disruption than the group's public messaging implied. The simultaneous suspension of their X account further degraded their ability to amplify attacks for psychological effect [1].
The killing of MOIS supervisor Panjaki adds another variable [5]. Leadership disruption in a state-sponsored operation can degrade coordination and decision-making, though MOIS has demonstrated institutional continuity through personnel changes before.
The shift to weaponizing legitimate enterprise tools like Microsoft Intune is the most consequential tactical development here. Custom malware can be signatured and blocked. Legitimate remote wipe commands issued through authenticated admin sessions look identical to normal IT operations. This forces defenders to solve an identity security problem, not a malware detection problem [6][12].
Assessment
Confidence: Moderate
The sources collectively paint a picture that none of them state explicitly: Handala's operational security is deteriorating even as its destructive capability grows. Check Point mapped their C2 infrastructure. Independent researchers documented their VPN and Starlink egress patterns [10]. The FBI had enough attribution confidence to obtain seizure warrants. One researcher noted their operational security has "declined" [10]. The group's Telegram response to the seizure was almost plaintive, a far cry from the bravado of their declaration of war against "enemies of Islam in the West" [3].
This suggests MOIS may be prioritizing speed and impact over tradecraft discipline. The geopolitical context supports this interpretation: with kinetic strikes ongoing since late February 2026, the pressure to deliver visible retaliatory cyber operations likely exceeds the patience required for careful operational security.
The contrarian read: Handala's apparent OPSEC failures could be intentional. A state intelligence service might deliberately allow some infrastructure to be burned while protecting its actual high-value access. The seized domains were propaganda sites. The C2 servers documented in public research may already be deprecated. The real question is what infrastructure hasn't been mapped.
Defenders should treat the current intelligence picture as incomplete and assume Handala retains access to U.S. enterprise environments that hasn't been disclosed.
Defender's Checklist
- [ ] Audit Microsoft Intune and MDM admin access immediately. Review all Global Administrator and Intune Administrator role assignments. Remove standing privileges and implement just-in-time access. Query: Get-MgDirectoryRoleMember -DirectoryRoleId '62e90394-69f5-4237-9190-012177145e10'
- [ ] Block documented C2 IPs at perimeter firewalls and in cloud security groups. Add 82.25.35.25, 31.57.35.223, 146.185.219.235 to blocklists and retroactively search 90 days of logs for prior connections [5].
- [ ] Hunt for Handala wiper indicators across all endpoints. Search for handala.exe, handala.bat, and CrowdStrike.bin in EDR telemetry and file creation logs. Query example: index=edr filename IN ("handala.exe", "handala.bat", "CrowdStrike.bin") [5][9]
- [ ] Monitor GPO modifications for unauthorized logon script additions. Alert on changes to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts and audit the SYSVOL share for new .bat files [7].
- [ ] Implement conditional access policies restricting administrative actions to managed devices and known network locations. Companies with Israeli business ties or defense sector connections should treat this as urgent given Handala's explicit targeting criteria [8][12].
References
[1] https://techcrunch.com/2026/03/19/fbi-seizes-pro-iranian-hacking-groups-websites-after-destructive-stryker-hack/
[2] https://cybernews.com/news/fbi-seizes-handala-leak-sites-after-stryker-cyberattack/
[3] https://www.justice.gov/opa/pr/justice-department-disrupts-iranian-cyber-enabled-psychological-operations
[4] https://www.bleepingcomputer.com/news/security/fbi-seizes-handala-data-leak-site-after-stryker-cyberattack/
[5] https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/
[6] https://unit42.paloaltonetworks.com/evolution-of-iran-cyber-threats/
[7] https://cybersecuritynews.com/handala-hack-uses-rdp/
[8] https://connect.securonix.com/threat-research-intelligence-62/iran-backed-handala-wiper-attack-devastates-stryker-globally-230
[9] https://www.dugganusa.com/post/the-handala-wiper-masquerades-as-crowdstrike-we-found-it-on-github
[10] https://cstromblad.com/posts/threat-actor-profile-handala/
[11] https://www.vectra.ai/blog/what-the-stryker-incident-reveals-about-handalas-attack-playbook
[12] https://www.criticalstart.com/resources/research-report/cssa260303-the-threat-%E2%80%93-handala-hack-team
---
Hunt Guide: Handala/Void Manticore Destructive Campaign
Hypothesis: If Handala/Void Manticore actors are active in our environment, we expect to observe unauthorized Microsoft Intune mass wipe commands, new Global Administrator account creation, PowerShell-based reconnaissance, and connections to documented C2 infrastructure in Azure AD audit logs, EDR telemetry, and network traffic logs.
Intelligence Summary: Iranian MOIS-affiliated group Handala conducted destructive wiper attacks against Stryker Corporation on March 11, 2026, weaponizing Microsoft Intune MDM to wipe ~200,000 devices. The group operates under multiple personas (Handala, Karma, Homeland Justice) and has shifted tactics from custom malware to living-off-the-land techniques, exploiting cloud management platforms for mass destruction.
Confidence: High | Priority: Critical
Scope
- Networks: All corporate networks with emphasis on: Azure/O365 environments, Domain Controllers, endpoints with Intune MDM enrollment, systems with access to medical/defense data
- Timeframe: Initial sweep: 90 days retroactive. Ongoing: Real-time detection with 24-hour aggregation windows for behavioral analytics
- Priority Systems: Microsoft Intune administrators, Azure Global Administrators, Domain Controllers, SYSVOL repositories, executive workstations, Israeli subsidiary systems, defense contractor networks
MITRE ATT&CK Techniques
T1078 — Valid Accounts (Defense Evasion, Persistence, Privilege Escalation, Initial Access) [P1]
Handala compromised domain administrator accounts and created new Global Administrator accounts in Azure AD to gain persistent elevated access
Splunk SPL:
index=azure sourcetype="AzureAD:AuditLog" (Operation="Add member to role" OR Operation="Add user") RoleName IN ("Global Administrator", "Company Administrator") | eval suspicious=if(match(UserPrincipalName, "(?i)(admin|service|test)"), 0, 1) | where suspicious=1 | stats count by UserPrincipalName, RoleName, _time | sort -_time
Elastic KQL:
(event.dataset:"azure.auditlogs" AND event.action:("Add member to role" OR "Add user") AND azure.auditlogs.properties.targetResources.modifiedProperties.displayName:("Global Administrator" OR "Company Administrator")) AND NOT user.email:(/.*admin.*/ OR /.*service.*/ OR /.*test.*/)
Sigma Rule:
title: Suspicious Azure Global Administrator Account Creation
id: 8b7a0e8d-3c4f-4e1a-9f2b-7d5c6e8a9f3b
status: experimental
description: Detects creation of new Global Administrator accounts in Azure AD
author: SOC Team
date: 2024/01/01
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    Operation:
      - 'Add member to role'
      - 'Add user'
    RoleName:
      - 'Global Administrator'
      - 'Company Administrator'
  filter:
    UserPrincipalName|contains:
      - 'admin'
      - 'service'
      - 'test'
  condition: selection and not filter
falsepositives:
  - Legitimate administrator account creation during onboarding
level: high
Alert immediately on any Global Administrator role assignment outside change windows. Correlate with source IP geolocation and impossible travel detections.
T1485 — Data Destruction (Impact) [P1]
Mass device wiping via Microsoft Intune remote wipe commands affecting 200,000+ endpoints
Splunk SPL:
index=intune sourcetype="Intune:AuditLog" (action="RemoteWipe" OR action="Wipe" OR action="FactoryReset") | bucket span=1m _time | stats count by _time, UserPrincipalName | where count > 10 | eval severity=case(count<=50,"medium",count<=100,"high",count>100,"critical")
Elastic KQL:
(event.provider:"Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider" AND event.action:("RemoteWipe" OR "Wipe" OR "FactoryReset")) OR (azure.activitylogs.operation_name:"Microsoft.Intune/*Wipe*")
Sigma Rule:
title: Mass Device Wipe via Microsoft Intune
id: 7d5c6e8a-9f3b-4e1a-8b7a-0e8d3c4f7d5c
status: experimental
description: Detects mass remote wipe commands issued through Microsoft Intune
author: SOC Team
date: 2024/01/01
logsource:
  service: intune
  product: azure
detection:
  selection:
    action|contains:
      - 'RemoteWipe'
      - 'Wipe'
      - 'FactoryReset'
  timeframe: 1m
  condition: selection | count() by UserPrincipalName > 10
falsepositives:
  - Legitimate IT operations during device refresh cycles
level: critical
Critical alert threshold at >10 devices wiped per minute. Immediate incident response required. Check for correlated Global Admin account creation in previous 24 hours.
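The threshold above and the Intune Abuse Detection bullets in the Detection and Hunting section describe the same check. The following Python is an added example, not a query from the article or from any vendor: it buckets wipe actions per actor per minute over constructed Intune audit events, rates buckets above 10 with the severity tiers used in the SPL, and checks each burst for a Global Administrator grant to the same actor in the previous 24 hours. The field layout and all sample records are assumptions, not a real log schema.

```python
"""Detect an Intune mass-wipe burst and correlate it with a recent Global
Administrator role grant.  Added example; all events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_ACTIONS = {"RemoteWipe", "Wipe", "FactoryReset"}
GA_ROLE = "Global Administrator"

# Constructed Intune audit events: (timestamp, actor, action, device).
# Two routine single-device wipes, then 250 wipes from one account in one minute.
INTUNE_EVENTS = [
    ("2026-03-11T02:14:03Z", "it.ops@example.com", "Wipe", "LAPTOP-0042"),
    ("2026-03-11T02:40:11Z", "svc-helpdesk@example.com", "Wipe", "LAPTOP-0107"),
] + [
    ("2026-03-11T03:00:%02dZ" % (i % 60), "newadmin@example.com", "RemoteWipe", "DEV-%05d" % i)
    for i in range(250)
]

# Constructed Entra ID audit events: (timestamp, operation, target user, role).
ENTRA_EVENTS = [
    ("2026-03-10T21:17:45Z", "Add member to role", "newadmin@example.com", GA_ROLE),
    ("2026-02-02T10:00:00Z", "Add member to role", "it.ops@example.com", "Intune Administrator"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def severity(n):
    """Same tiers as the SPL: <=50 medium, <=100 high, otherwise critical."""
    if n <= 50:
        return "medium"
    if n <= 100:
        return "high"
    return "critical"


def wipe_bursts(events, threshold=10):
    """Count wipe actions per (actor, 1-minute bucket); keep buckets over threshold."""
    counts = defaultdict(int)
    for ts, actor, action, _device in events:
        if action in WIPE_ACTIONS:
            bucket = parse_ts(ts).replace(second=0)
            counts[(actor, bucket)] += 1
    return {k: v for k, v in counts.items() if v > threshold}


def recent_ga_grants(entra_events, actor, before, window=timedelta(hours=24)):
    """Global Administrator grants to `actor` within `window` before `before`."""
    hits = []
    for ts, op, target, role in entra_events:
        t = parse_ts(ts)
        if op == "Add member to role" and target == actor and role == GA_ROLE \
                and before - window <= t <= before:
            hits.append(t)
    return hits


def detect(intune_events, entra_events, threshold=10):
    """One alert per burst, annotated with whether the actor is a freshly minted GA."""
    alerts = []
    bursts = sorted(wipe_bursts(intune_events, threshold).items(), key=lambda kv: kv[0][1])
    for (actor, bucket), n in bursts:
        alerts.append({
            "actor": actor,
            "minute": bucket.strftime("%Y-%m-%dT%H:%MZ"),
            "wipes": n,
            "severity": severity(n),
            "new_global_admin_24h": bool(recent_ga_grants(entra_events, actor, bucket)),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(INTUNE_EVENTS, ENTRA_EVENTS):
        print(alert)
```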
T1059.001 — PowerShell (Execution) [P2]
PowerShell used extensively for data collection, staging, and AI-assisted reconnaissance scripts
Splunk SPL:
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 (ScriptBlockText=*Get-ADUser* OR ScriptBlockText=*Get-ADComputer* OR ScriptBlockText=*Get-MgUser* OR ScriptBlockText=*Get-MgDirectoryRole* OR ScriptBlockText=*Invoke-WebRequest* OR ScriptBlockText=*DownloadString*) | rex field=ScriptBlockText "(?<suspicious_pattern>(Get-AD|Get-Mg|Invoke-|Download|IEX|Start-BitsTransfer))" | stats count by Computer, suspicious_pattern, _time | where count > 20
Elastic KQL:
(event.provider:"Microsoft-Windows-PowerShell" AND event.code:"4104" AND powershell.script.text:("Get-ADUser" OR "Get-ADComputer" OR "Get-MgUser" OR "Get-MgDirectoryRole" OR "Invoke-WebRequest" OR "DownloadString"))
Sigma Rule:
title: Suspicious PowerShell Reconnaissance Activity
id: 3c4f7d5c-6e8a-9f3b-8b7a-0e8d4e1a7d5c
status: experimental
description: Detects PowerShell commands associated with Handala reconnaissance
author: SOC Team
date: 2024/01/01
logsource:
  product: windows
  service: powershell
  definition: 'Script block logging must be enabled'
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - 'Get-ADUser'
      - 'Get-ADComputer'
      - 'Get-MgUser'
      - 'Get-MgDirectoryRole'
      - 'NetBird'
  condition: selection
falsepositives:
  - Administrative scripts
  - IT automation
level: medium
Baseline normal admin PowerShell usage. Alert on high-volume AD enumeration or unusual Graph API queries from non-admin accounts.
T1484 — Domain Policy Modification (Defense Evasion, Privilege Escalation) [P1]
Group Policy Object modifications to deploy handala.bat logon scripts for wiper distribution
Splunk SPL:
index=windows sourcetype=WinEventLog:Security (EventCode=5136 OR EventCode=5141 OR EventCode=4739) (ObjectClass="groupPolicyContainer" OR AttributeLDAPDisplayName="gPCFileSysPath") | regex ObjectDN=".*CN=User.*CN=Scripts.*" | table _time, user, ObjectDN, AttributeValue | append [search index=windows sourcetype="*sysmon*" EventCode=11 TargetFilename="*\SYSVOL\*\Policies\*\User\Scripts\Logon\*.bat" | table _time, Computer, TargetFilename, User]
Elastic KQL:
(event.code:("5136" OR "5141" OR "4739") AND (winlog.event_data.ObjectClass:"groupPolicyContainer" OR winlog.event_data.AttributeLDAPDisplayName:"gPCFileSysPath")) OR (event.code:"11" AND file.path:*\\SYSVOL\\*\\Policies\\*\\User\\Scripts\\Logon\\*.bat)
Critical detection for GPO-based lateral movement. Alert on any new .bat files in SYSVOL Scripts folders, especially containing 'handala' string.
T1036 — Masquerading (Defense Evasion) [P1]
Wiper malware masqueraded as CrowdStrike update using filename CrowdStrike.bin
Splunk SPL:
index=* (sourcetype="*sysmon*" EventCode=11 OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11) TargetFilename="*CrowdStrike.bin" NOT (Image="*\CrowdStrike\*" OR Company="CrowdStrike*") | eval suspicious_path=if(match(TargetFilename,"(?i)(temp|appdata|public|users)"),1,0) | where suspicious_path=1 | table _time, Computer, TargetFilename, Image, User, Hashes
Elastic KQL:
(event.code:"11" AND file.name:"CrowdStrike.bin" AND NOT (process.executable:*\\CrowdStrike\\* OR process.code_signature.subject_name:"CrowdStrike*"))
High-confidence detection. Any CrowdStrike.bin outside official CrowdStrike directories is suspicious. Check file hash against known good CrowdStrike binaries.
T1561.002 — Disk Structure Wipe (Impact) [P1]
Handala Wiper includes MBR-wiping capabilities for destructive impact
Splunk SPL:
index=* (sourcetype="*sysmon*" OR sourcetype=WinEventLog:Security) ((EventCode=1 OR EventCode=4688) AND (Image="*\handala.exe" OR CommandLine="*handala.bat*" OR OriginalFileName="handala.exe")) OR (EventCode=9 AND Device="\Device\Harddisk0\DR0" AND (Image="*\handala.exe" OR Image="*\unknown*"))
Elastic KQL:
(process.name:("handala.exe" OR "handala.bat") OR process.command_line:(*handala*)) OR (event.code:"9" AND file.path:"\\Device\\Harddisk0\\DR0")
Critical impact detection. Any process accessing \Device\Harddisk0\DR0 (MBR) from unusual locations warrants immediate investigation.
T1090 — Proxy (Command and Control) [P2]
Operations routed through commercial VPN nodes and Starlink IP ranges for anonymization
Splunk SPL:
index=network (src_ip="169.150.227.0/24" OR src_ip="149.88.26.0/24" OR src_ip="188.92.255.0/24" OR src_ip="209.198.131.0/24") (dest_port=3389 OR dest_port=445 OR dest_port=5985 OR dest_port=443) | regex dest="(azure|login\.microsoftonline|graph\.microsoft|admin\.)" | stats count by src_ip, dest, dest_port | where count > 10
Elastic KQL:
(source.ip:("169.150.227.0/24" OR "149.88.26.0/24" OR "188.92.255.0/24" OR "209.198.131.0/24") AND destination.port:(3389 OR 445 OR 5985 OR 443) AND destination.domain:(*azure* OR *login.microsoftonline* OR *graph.microsoft* OR *admin*))
Monitor for connections from Starlink/VPN ranges to administrative interfaces. Correlation with authentication anomalies increases confidence.
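As an added example that is not part of the article, the Python below implements the sweep described in the Network-Based Hunting list and in this T1090 section: it runs constructed firewall lines against the documented C2 addresses and flags connections from the listed VPN and Starlink ranges to administrative ports or Microsoft administrative endpoints. The key=value log format, the sample lines and the destination addresses are assumptions.

```python
"""Sweep firewall/proxy lines for documented C2 addresses and for VPN/Starlink
egress reaching administrative interfaces.  Added example; log lines are constructed."""
import ipaddress
import re

# Indicators as listed in the article's IOC table.
C2_IPS = {"82.25.35.25", "31.57.35.223", "146.185.219.235"}
WATCHED_RANGES = {
    "169.150.227.0/24": "commercial VPN",
    "149.88.26.0/24": "commercial VPN",
    "188.92.255.0/24": "Starlink",
    "209.198.131.0/24": "Starlink",
}
NETWORKS = [(ipaddress.ip_network(cidr), label) for cidr, label in WATCHED_RANGES.items()]

# Administrative destinations from the T1090 SPL: RDP, SMB, WinRM, and Microsoft admin hostnames.
ADMIN_PORTS = {3389, 445, 5985}
ADMIN_HOSTS = re.compile(r"(login\.microsoftonline\.com|graph\.microsoft\.com|^admin\.)", re.I)

# Constructed log lines in an assumed key=value layout (not any vendor's format).
SAMPLE_LOG = """\
ts=2026-03-10T22:01:05Z src=10.20.4.17 dst=82.25.35.25 dport=443 host=-
ts=2026-03-10T22:03:41Z src=188.92.255.77 dst=198.51.100.10 dport=3389 host=-
ts=2026-03-10T22:05:09Z src=169.150.227.9 dst=198.51.100.20 dport=443 host=login.microsoftonline.com
ts=2026-03-10T22:06:30Z src=169.150.227.9 dst=198.51.100.30 dport=443 host=www.example.com
ts=2026-03-10T22:07:12Z src=10.20.4.18 dst=198.51.100.40 dport=443 host=www.example.net
"""

LINE_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+) host=(\S+)")


def range_label(ip):
    """Return the label of the watched range containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for net, label in NETWORKS:
        if addr in net:
            return label
    return None


def sweep(log_text):
    """Return (ts, src, dst, reason) for every line that matches a hunt rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts, src, dst, dport, host = m.groups()
        dport = int(dport)
        # Rule 1: any traffic to or from a documented C2 address.
        if dst in C2_IPS or src in C2_IPS:
            findings.append((ts, src, dst, "known C2 address"))
            continue
        # Rule 2: watched VPN/Starlink range reaching an administrative interface.
        label = range_label(src)
        if label and (dport in ADMIN_PORTS or ADMIN_HOSTS.search(host)):
            target = host if host != "-" else dport
            findings.append((ts, src, dst, f"{label} range -> admin interface ({target})"))
    return findings


if __name__ == "__main__":
    for finding in sweep(SAMPLE_LOG):
        print(finding)
```

Ordinary web traffic from a watched range (the fourth sample line) is deliberately not flagged, matching the article's focus on management consoles rather than the ranges themselves.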
T1021.001 — Remote Desktop Protocol (Lateral Movement) [P2]
RDP used for lateral movement within compromised environments
Splunk SPL:
index=windows sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=10 | bucket span=1h _time | stats dc(Source_Network_Address) as unique_sources, values(Source_Network_Address) as source_ips by dest, _time | where unique_sources > 5 | eval suspicious_sources=mvfilter(match(source_ips,"^(169\.150\.227\.|149\.88\.26\.|188\.92\.255\.|209\.198\.131\.)"))
Elastic KQL:
(event.code:"4624" AND winlog.event_data.LogonType:"10") AND (source.ip:("169.150.227.0/24" OR "149.88.26.0/24" OR "188.92.255.0/24" OR "209.198.131.0/24"))
Alert on RDP from documented VPN/Starlink ranges or unusual geographic locations. Combine with impossible travel detection.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | handala-hack.to | FBI-seized Handala leak site used for data exfiltration and propaganda |
| domain | handala-redwanted.to | FBI-seized Handala data publication site |
| domain | justicehomeland.org | FBI-seized Homeland Justice persona site operated by Handala |
| domain | karmabelow80.org | FBI-seized Karma persona site operated by Handala |
| ip | 82.25.35.25 | Handala C2 infrastructure server |
| ip | 31.57.35.223 | Handala C2 infrastructure server |
| ip | 146.185.219.235 | Handala C2 infrastructure server |
| filename | handala.exe | Custom wiper executable with MBR destruction capabilities |
| filename | handala.bat | GPO logon script used to deploy Handala wiper |
| filename | CrowdStrike.bin | Wiper malware masquerading as CrowdStrike update |
| email | Handala_Team@outlook.com | Email address used by Handala to send death threats to Iranian dissidents |
IOC Sweep Queries (Splunk):
index=* (dest="handala-hack.to" OR query="handala-hack.to" OR url="*handala-hack.to*") | stats count by src_ip, user, _time
index=* (dest="handala-redwanted.to" OR query="handala-redwanted.to" OR url="*handala-redwanted.to*") | stats count by src_ip, user, _time
index=* (dest="justicehomeland.org" OR query="justicehomeland.org" OR url="*justicehomeland.org*") | stats count by src_ip, user, _time
index=* (dest="karmabelow80.org" OR query="karmabelow80.org" OR url="*karmabelow80.org*") | stats count by src_ip, user, _time
index=* (dest_ip="82.25.35.25" OR src_ip="82.25.35.25") | stats count by src_ip, dest_ip, dest_port, _time | sort -count
index=* (dest_ip="31.57.35.223" OR src_ip="31.57.35.223") | stats count by src_ip, dest_ip, dest_port, _time | sort -count
index=* (dest_ip="146.185.219.235" OR src_ip="146.185.219.235") | stats count by src_ip, dest_ip, dest_port, _time | sort -count
index=* (filename="handala.exe" OR file="handala.exe" OR TargetFilename="*handala.exe" OR Image="*handala.exe" OR process="*handala.exe") | dedup host | table _time, host, user, file_path, file_hash
index=* (filename="handala.bat" OR file="handala.bat" OR TargetFilename="*handala.bat" OR CommandLine="*handala.bat*") | dedup host | table _time, host, user, file_path
index=* (filename="CrowdStrike.bin" OR file="CrowdStrike.bin" OR TargetFilename="*CrowdStrike.bin" OR Image="*CrowdStrike.bin") | dedup host | table _time, host, user, file_path, file_hash
index=* (sender="Handala_Team@outlook.com" OR recipient="Handala_Team@outlook.com" OR from="Handala_Team@outlook.com" OR to="Handala_Team@outlook.com") | table _time, subject, sender, recipient, src_ip
YARA Rules
Handala_Wiper_Indicators — Detects Handala wiper variants based on filename and string patterns
rule Handala_Wiper_Indicators {
    meta:
        description = "Detects Handala wiper malware and components"
        author = "SOC Team"
        date = "2024-01-01"
        reference = "Handala/Void Manticore Campaign"
    strings:
        $filename1 = "handala.exe" ascii wide nocase
        $filename2 = "handala.bat" ascii wide nocase
        $filename3 = "CrowdStrike.bin" ascii wide nocase
        $str1 = "Handala Hack" ascii wide
        $str2 = "loyal followers of the supreme leader" ascii
        $str3 = "Ali Hosseini Khamenei" ascii
        $pdb = "handala.pdb" ascii
        $mutex = "Global\\HandalaWiper" ascii wide
        $mbr_wipe = {B8 01 02 00 00 BB 00 7C} // MOV AX, 0201h; MOV BX, 7C00h (MBR write)
    condition:
        uint16(0) == 0x5A4D and (
            any of ($filename*) or
            2 of ($str*) or
            $pdb or
            $mutex or
            $mbr_wipe
        )
}
BiBi_Hatef_Hamsa_Wipers — Detects BiBi, Hatef, and Hamsa wiper variants used by Handala
rule BiBi_Hatef_Hamsa_Wipers {
    meta:
        description = "Detects BiBi, Hatef, and Hamsa wiper variants"
        author = "SOC Team"
        date = "2024-01-01"
    strings:
        $bibi1 = "BiBi" ascii wide
        $bibi2 = "BiBiWiper" ascii wide nocase
        $hatef1 = "Hatef" ascii wide
        $hatef2 = "HatefWiper" ascii wide nocase
        $hamsa1 = "Hamsa" ascii wide
        $hamsa2 = "HamsaWiper" ascii wide nocase
        $bash_wipe = "dd if=/dev/zero of=/dev/sda" ascii
        $rm_recursive = "rm -rf --no-preserve-root /" ascii
        $shred_cmd = "shred -vfz" ascii
    condition:
        any of ($bibi*, $hatef*, $hamsa*) or
        (uint32(0) == 0x464C457F and any of ($bash_wipe, $rm_recursive, $shred_cmd))
}
Suricata Rules
SID 3100001 — Detects connection to Handala C2 server 82.25.35.25
alert tcp $HOME_NET any -> 82.25.35.25 any (msg:"ET MALWARE Handala C2 Connection to 82.25.35.25"; flow:established,to_server; threshold:type limit, track by_src, seconds 600, count 1; classtype:trojan-activity; reference:url,research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/; sid:3100001; rev:1;)
SID 3100002 — Detects connection to Handala C2 server 31.57.35.223
alert tcp $HOME_NET any -> 31.57.35.223 any (msg:"ET MALWARE Handala C2 Connection to 31.57.35.223"; flow:established,to_server; threshold:type limit, track by_src, seconds 600, count 1; classtype:trojan-activity; reference:url,research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/; sid:3100002; rev:1;)
SID 3100003 — Detects connection to Handala C2 server 146.185.219.235
alert tcp $HOME_NET any -> 146.185.219.235 any (msg:"ET MALWARE Handala C2 Connection to 146.185.219.235"; flow:established,to_server; threshold:type limit, track by_src, seconds 600, count 1; classtype:trojan-activity; reference:url,research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/; sid:3100003; rev:1;)
SID 3100004 — Detects DNS query for seized Handala domain handala-hack.to
alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query for Seized Handala Domain handala-hack.to"; dns.query; content:"handala-hack.to"; nocase; classtype:trojan-activity; reference:url,justice.gov/opa/pr/justice-department-disrupts-iranian-cyber-enabled-psychological-operations; sid:3100004; rev:1;)
SID 3100005 — Detects DNS query for seized Handala domains
alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query for Seized Handala Domains"; dns.query; content:"handala-redwanted.to"; nocase; classtype:trojan-activity; reference:url,justice.gov/opa/pr/justice-department-disrupts-iranian-cyber-enabled-psychological-operations; sid:3100005; rev:1;)
SID 3100006 — Detects outbound connection from Starlink range used by Handala
alert tcp [188.92.255.0/24,209.198.131.0/24] any -> $EXTERNAL_NET [443,3389,445] (msg:"ET MALWARE Suspicious Starlink IP Range Activity Associated with Handala"; flow:established,to_server; threshold:type limit, track by_src, seconds 3600, count 1; classtype:suspicious-activity; sid:3100006; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Azure AD Audit Logs | T1078 | Critical for detecting Global Administrator account creation. Enable Azure AD Premium P1/P2 for full audit coverage. |
| Microsoft Intune Audit Logs | T1485 | Essential for detecting mass wipe commands. Configure log forwarding to SIEM. Monitor RemoteWipe, FactoryReset actions. |
| PowerShell ScriptBlock Logging | T1059.001 | Enable via Group Policy: Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging |
| Sysmon | T1036, T1561.002, T1059.001 | Deploy Sysmon with SwiftOnSecurity or MITRE CAR configurations. Critical for file creation and process monitoring. |
| Windows Security Event Log | T1078, T1484, T1021.001 | Enable Advanced Audit Policy for Logon/Logoff, Object Access, and Policy Change categories |
| Network Flow Data | T1090, T1021.001 | Firewall/proxy logs needed for C2 detection. Configure logging for all outbound connections to non-RFC1918 addresses. |
| Active Directory Logs | T1484 | Enable Directory Service Access auditing. Monitor SYSVOL for file changes. |
| EDR Telemetry | T1036, T1561.002, T1485 | CrowdStrike, Microsoft Defender, or equivalent EDR required for behavioral detection and file reputation. |
Sources
- TechCrunch - FBI seizes pro-Iranian hacking group's websites after destructive Stryker hack
- Cybernews - FBI seizes Handala leak sites after Stryker cyberattack
- Department of Justice - Justice Department Disrupts Iranian Cyber-Enabled Psychological Operations
- BleepingComputer - FBI seizes Handala data leak site after Stryker cyberattack
- Check Point Research - Handala Hack: Unveiling Group's Modus Operandi
- Palo Alto Networks Unit 42 - Evolution of Iran Cyber Threats
- Cybersecurity News - Handala Hack Uses RDP
- Securonix - Iran-Backed Handala Wiper Attack Devastates Stryker Globally
- Duggan USA - The Handala Wiper Masquerades as CrowdStrike - We Found It on GitHub
- Chris Stromblad - Threat Actor Profile: Handala
- Vectra AI - What the Stryker Incident Reveals About Handala's Attack Playbook
- Critical Start - The Threat – Handala Hack Team