Handala's DICOM Obsession: Iranian State Hackers Zero In on Medical Imaging Systems
RedSheep Reports | March 24, 2026
Iranian state-linked hackers have turned medical imaging infrastructure into a priority target. The Handala group, formally attributed to Iran's Ministry of Intelligence and Security (MOIS) by the U.S. Department of Justice on March 20, 2026 [2], has been conducting operations against healthcare organizations with increasing aggression. At the same time, internet-facing DICOM (Digital Imaging and Communications in Medicine) servers have grown 286% since 2017 [4], creating a massive and poorly defended attack surface that groups like Handala are built to exploit.
DICOM gateways appeared among the top five riskiest IoMT (Internet of Medical Things) device types for the first time in March 2026 research [5]. Seventy-five percent of the riskiest device types weren't even on the list two years ago [5]. The convergence of a newly aggressive Iranian cyber capability and a sprawling, insecure medical imaging ecosystem demands immediate attention from healthcare security teams.
DICOM Protocol Designed for Trust, Deployed on the Open Internet
DICOM is the universal standard for handling, storing, and transmitting medical images: X-rays, CT scans, MRIs, ultrasounds, and more. It's implemented in almost every radiology, cardiology imaging, and radiotherapy setting globally [3]. The problem is foundational. The protocol was developed in the early 1990s for isolated networks and specifies no mandatory encryption or authentication [3]. The security profiles the standard added later (TLS transport, user identity negotiation) are optional and rarely deployed, so in practice the only gate on a typical listener is the Called AE Title, a 16-character string that many servers don't even check.
Researchers at Aplite found over 3,800 DICOM servers directly accessible on the internet, with roughly 30% actively leaking sensitive data [3]. The cumulative damage is staggering: approximately 59 million personal and medical records have been exposed over past decades through these systems [3].
The growth trend is accelerating, not slowing. Healthcare organizations keep connecting imaging equipment to the internet for remote access, teleradiology, and cloud-based workflows, but they're doing so without addressing the protocol's complete absence of security controls.
Making matters worse, 63% of vulnerabilities in CISA's Known Exploited Vulnerabilities (KEV) catalog are present on healthcare networks [4]. Critical medical equipment sometimes ends up on guest networks, providing trivial access to attackers who are already on the same segment [4].
Who Is Handala?
Handala is not a cybercriminal operation chasing ransom payments. It's an arm of Iran's intelligence apparatus. Check Point Research linked the group to Void Manticore, which operates under Iran's MOIS [6].
The DOJ's March 20 action seized four domains operated by Handala: Justicehomeland.org, Handala-Hack.to, Karmabelow80.org, and Handala-Redwanted.to [10]. These domains supported hack-and-leak operations, propaganda distribution, and direct threats against Iranian dissidents [2]. The group sent death threats via email, claiming partnerships with cartels, and posted stolen data as part of psychological operations targeting adversaries of the Iranian regime [2].
Handala isn't the only Iranian group with healthcare in its sights. CISA has separately warned about Pioneer Kitten (also tracked as Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm), which targets U.S. healthcare facilities and conducts ransomware-enabling operations alongside state-sponsored espionage [8]. The Iranian threat to healthcare is broad, persistent, and multi-actor.
Initial Access
Handala targets IT and service providers to obtain credentials, then uses compromised VPN accounts to gain entry to victim networks [6]. The group exploits external remote services as its primary foothold. For DICOM environments specifically, the standard DICOM ports (104 and 11112) are the obvious entry points. Many PACS (Picture Archiving and Communication Systems) ship with default credentials that administrators never change, and the protocol itself doesn't enforce authentication [3].
The group has also been observed using Starlink IP ranges (specifically 188.92.255.0/24) to continue operations even during Iran's internet blackouts [11]. This operational resilience means defenders can't assume Iranian campaigns will pause during regional disruptions.
Lateral Movement and Hands-On Operations
Check Point's analysis describes Handala as relying on "quick, hands-on activity within victim networks" [6]. The group uses Remote Desktop Protocol (RDP) for lateral movement and manual operations [12]. They don't rely on sophisticated custom tooling for traversal. Instead, they use off-the-shelf tools and publicly available utilities to move through compromised environments [6].
NetBird, a tunneling tool, has been observed in Handala operations to maintain access to victim networks [6]. Once inside a healthcare environment through a DICOM server or PACS, the group can reach Active Directory, EHR systems, and other critical infrastructure on the same network.
Persistence and Destruction
Handala deploys custom wiper malware via Group Policy logon scripts across victim networks [6]. The group's signature tool is the Handala Wiper, which overwrites files and corrupts the Master Boot Record (MBR) [12]. Supporting components include handala.bat (a batch file for executing wiper components), handala.exe (the wiper executable), and handala.gif (a propaganda image placed on logical drives after wiping) [6].
The group also deploys AI-assisted PowerShell scripts for file deletion and has abused VeraCrypt as a data destruction tool [6][12]. These aren't subtle techniques. The operational pattern is access, move fast, destroy.
Declining OPSEC
Rewterz analysts noted that Handala's activities have been traced to Iranian IP addresses, indicating declining operational security [12]. Vendor-cited IPs associated with Handala operations (31.57.35.223 and 82.25.35.25) exposed Windows RPC and SMB services [9]. This sloppiness may reflect the group's prioritization of speed and impact over stealth, particularly in the context of wartime operations.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Domain | Justicehomeland.org | MOIS domain seized by FBI | [10] |
| Domain | Handala-Hack.to | Primary Handala operations and claims domain, seized by FBI | [10] |
| Domain | Karmabelow80.org | MOIS-linked domain seized by FBI | [10] |
| Domain | Handala-Redwanted.to | Doxxing and threat domain, seized by FBI | [10] |
| Domain | handala.to | Non-resolving domain associated with Handala operations | [9] |
| IP | 31.57.35.223 | Exposed Windows RPC/SMB services, vendor-cited | [9] |
| IP | 82.25.35.25 | Exposed Windows services, vendor-cited | [9] |
| IP Range | 188.92.255.0/24 | Starlink IP range used during Iran internet blackout | [11] |
| Filename | handala.bat | Batch file for wiper execution | [6] |
| Filename | handala.exe | Custom wiper executable with MBR overwrite | [6] |
| Filename | handala.gif | Propaganda image placed post-wipe | [6] |
| Malware | Handala Wiper | Custom destructive malware, overwrites files and corrupts MBR | [12] |
| Tool | NetBird | Legitimate overlay-VPN client abused for persistent network access | [6] |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1133 | External Remote Services | Compromised VPN accounts for initial access [6] |
| T1078 | Valid Accounts | Stolen credentials from IT/service providers [6] |
| T1021.001 | Remote Desktop Protocol | RDP used for lateral movement [12] |
| T1072 | Software Deployment Tools | Group Policy logon scripts to deploy wipers [6] |
| T1059.001 | PowerShell | AI-assisted PowerShell scripts for file deletion [12] |
| T1485 | Data Destruction | Handala Wiper overwrites files and corrupts MBR [12] |
| T1070.004 | File Deletion | PowerShell-based file deletion operations [12]; since the deletion is destructive rather than anti-forensic, T1485 is the primary mapping |
| T1583.001 | Domains | Domains for hack-and-leak psychological operations [10] |
| T1090 | Proxy | NetBird tunneling for network access [6]; T1219 (Remote Access Software) is the closer fit for a commercial overlay-VPN client |
Detection and Hunting
DICOM Exposure Audit: Start by identifying every DICOM service in your environment. Query flow data and firewall logs for traffic on TCP ports 104 and 11112 (the IANA-registered acr-nema and dicom ports), then confirm each hit actually speaks DICOM by attempting an association rather than trusting the port number. Any DICOM service reachable from outside your network perimeter is an immediate priority. Run an external scan of your own IP ranges.
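A minimal association probe for the audit above, added here as an example and not taken from the page or its sources. It builds a DICOM A-ASSOCIATE-RQ for the Verification SOP class (the C-ECHO "DICOM ping") by hand following the PS3.8 PDU layout, and classifies the reply, so a port hit on 104/11112 can be confirmed as a DICOM listener that accepts an association from an unknown caller. The AE titles, the implementation class UID and the sample accept/reject PDUs are constructed for the example.

```python
"""DICOM association probe (added example, not from the page's sources).

Builds an A-ASSOCIATE-RQ for the Verification SOP class by hand (DICOM PS3.8
PDU layout), sends it, and classifies the first PDU that comes back:
A-ASSOCIATE-AC (0x02) means the listener accepted an association from an
unknown caller; A-ASSOCIATE-RJ (0x03) means it at least enforces AE titles.
AE titles, the implementation UID and the sample PDUs are constructed here.
"""
import socket
import struct
import sys

VERIFICATION_SOP_CLASS = "1.2.840.10008.1.1"     # C-ECHO, the DICOM "ping"
IMPLICIT_VR_LE = "1.2.840.10008.1.2"             # default transfer syntax
APP_CONTEXT = "1.2.840.10008.3.1.1.1"            # DICOM application context
IMPL_CLASS_UID = "1.2.826.0.1.3680043.9.9999.1"  # placeholder implementation UID


def _pad_uid(uid: str) -> bytes:
    """UID strings may carry one trailing NUL to reach an even length."""
    b = uid.encode("ascii")
    return b + b"\x00" if len(b) % 2 else b


def _item(item_type: int, payload: bytes) -> bytes:
    """Generic PS3.8 item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae(title: str) -> bytes:
    """AE titles are 1-16 ASCII characters, space-padded on the wire."""
    if not 1 <= len(title) <= 16:
        raise ValueError("AE titles are 1-16 characters")
    return title.ljust(16).encode("ascii")


def build_associate_rq(called_ae: str, calling_ae: str = "PROBE") -> bytes:
    """A-ASSOCIATE-RQ proposing one presentation context (Verification / Implicit VR LE)."""
    pres_ctx = (struct.pack(">BBBB", 1, 0, 0, 0)                # context id 1, 3 reserved
                + _item(0x30, _pad_uid(VERIFICATION_SOP_CLASS))  # abstract syntax
                + _item(0x40, _pad_uid(IMPLICIT_VR_LE)))         # transfer syntax
    user_info = (_item(0x51, struct.pack(">I", 16384))           # max PDU length we accept
                 + _item(0x52, _pad_uid(IMPL_CLASS_UID)))        # implementation class UID
    body = (struct.pack(">HH", 1, 0)                              # protocol version 1, reserved
            + _ae(called_ae) + _ae(calling_ae) + b"\x00" * 32
            + _item(0x10, _pad_uid(APP_CONTEXT))
            + _item(0x20, pres_ctx)
            + _item(0x50, user_info))
    return struct.pack(">BBI", 0x01, 0, len(body)) + body         # PDU type 0x01, reserved, length


def parse_reply(pdu: bytes) -> dict:
    """Classify the first PDU a listener returns to our request."""
    if len(pdu) < 6:
        return {"result": "no-pdu"}
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    body = pdu[6:6 + length]
    if pdu_type == 0x02:                                          # A-ASSOCIATE-AC
        called_ae = body[4:20].decode("ascii", "replace").strip()
        accepted, off = [], 68                                    # items follow the fixed header
        while off + 4 <= len(body):
            itype, _, ilen = struct.unpack(">BBH", body[off:off + 4])
            payload = body[off + 4:off + 4 + ilen]
            if itype == 0x21 and len(payload) >= 4 and payload[2] == 0:   # result 0 = accepted
                accepted.append(payload[0])
            off += 4 + ilen
        return {"result": "accepted", "called_ae": called_ae, "contexts": accepted}
    if pdu_type == 0x03 and len(body) >= 4:                       # A-ASSOCIATE-RJ
        return {"result": "rejected", "permanent": body[1] == 1,
                "source": body[2], "reason": body[3]}
    if pdu_type == 0x07:                                          # A-ABORT
        return {"result": "aborted"}
    return {"result": f"unexpected-pdu-0x{pdu_type:02x}"}


def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP", timeout: float = 5.0) -> dict:
    """Live check against host:port; releases the association if it was accepted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_associate_rq(called_ae))
        verdict = parse_reply(s.recv(4096))
        if verdict["result"] == "accepted":
            s.sendall(struct.pack(">BBIBBBB", 0x05, 0, 4, 0, 0, 0, 0))  # A-RELEASE-RQ
    return verdict


def build_sample_ac(called_ae: str = "PACS1") -> bytes:
    """Constructed A-ASSOCIATE-AC, the shape an open PACS sends back (test fixture)."""
    pres_ctx = struct.pack(">BBBB", 1, 0, 0, 0) + _item(0x40, _pad_uid(IMPLICIT_VR_LE))
    body = (struct.pack(">HH", 1, 0) + _ae(called_ae) + _ae("PROBE") + b"\x00" * 32
            + _item(0x10, _pad_uid(APP_CONTEXT)) + _item(0x21, pres_ctx)
            + _item(0x50, _item(0x51, struct.pack(">I", 16384))))
    return struct.pack(">BBI", 0x02, 0, len(body)) + body


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 104
    print(probe(host, port))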
Network Segmentation Verification: DICOM and PACS systems should never share network segments with general IT infrastructure, guest networks, or internet-facing services. Verify this isn't just a policy but an active configuration. Check for any routes between imaging VLANs and corporate Active Directory.
VPN and Remote Access Monitoring: Handala's preferred initial access vector is compromised VPN accounts [6]. Hunt for anomalous VPN logins: unusual times, geolocations (particularly Iranian IP space and Starlink ranges in 188.92.255.0/24), or logins from accounts associated with third-party service providers.
RDP Lateral Movement Detection: Monitor for RDP connections originating from DICOM servers or PACS workstations. These systems should not be initiating RDP sessions. A SIEM query of the form source_ip IN [dicom_server_ips] AND dest_port=3389 (pseudocode; substitute your asset list and field names) will flag the connection attempt; pair it with Windows Security 4624 LogonType 10 events on the destination so you see the logon outcome and account, not just the flow.
Group Policy Abuse: Handala deploys wipers through GPO logon scripts [6]. Monitor for unexpected modifications to Group Policy Objects, particularly new logon scripts. Alert on any GPO changes that reference handala.bat, handala.exe, or unfamiliar batch/PowerShell scripts.
NetBird Tunneling: Hunt for NetBird traffic in your environment. Look for unexpected outbound connections from medical imaging systems, particularly to non-standard ports or known tunneling infrastructure.
File System Indicators: The presence of handala.gif on any logical drive is a post-compromise indicator [6]. Scan endpoints for this filename.
Analysis
The DICOM threat isn't theoretical. It's a measured, growing risk backed by specific adversary interest and structural vulnerability. Healthcare organizations have spent years connecting imaging infrastructure to the internet without meaningfully addressing a protocol that has no native security. The growth in internet-facing DICOM deployments happened alongside zero fundamental improvement to the protocol's security posture [3].
Handala's operational profile is a poor match for stealthy, long-term espionage. Check Point's description of "quick, hands-on activity" [6] and declining OPSEC [12] suggests a group optimized for speed and destructive impact. DICOM servers are attractive to this kind of operator because they're easy to find, easy to access, and sit on networks with high-value targets nearby.
The formal DOJ attribution of Handala to MOIS [2] likely places these operations in the category of state-directed activity. This means the threat won't be deterred by takedowns of individual domains or infrastructure. The seizure of four Handala domains [10] is useful for disrupting specific campaigns, but MOIS will stand up replacements.
Red Sheep Assessment
Confidence: Moderate
The sources collectively point to a conclusion none of them state directly: DICOM infrastructure is likely already compromised at scale across U.S. healthcare, and most organizations don't know it.
Here's the reasoning. Over 3,800 DICOM servers are internet-accessible, 30% are actively leaking data [3], and the protocol provides no authentication barrier to entry. Handala and other Iranian groups have been conducting operations against healthcare for months [1][8]. The group's preference for hands-on, fast-moving operations [6] means they've almost certainly enumerated and accessed exposed DICOM systems as part of broader target development, even where no destructive action has yet been taken.
The newly elevated risk status of DICOM gateways in March 2026 research [5] is consistent with this assessment, with one caveat: device categories typically move onto such lists because of observed exposure and vulnerability data, so read the ranking methodology before treating a list position as evidence of active compromise rather than of attack surface.
A contrarian view: Handala's focus on high-profile, attribution-seeking attacks (claiming responsibility, posting propaganda) makes quiet compromise of DICOM systems less consistent with their operational pattern. The group wants visibility, and silently sitting on imaging servers doesn't provide that. The counter-counter: MOIS runs multiple groups with different mandates. Pioneer Kitten/Lemon Sandstorm operates with a longer-horizon espionage focus [8] and is the more likely actor for persistent DICOM access, while Handala handles the destructive, visible operations.
Defenders should operate under the assumption that exposed DICOM infrastructure has been accessed.
Defender's Checklist
- [ ] Audit all DICOM exposure immediately. Run external scans against your IP ranges on TCP 104 and 11112. Use Shodan or Censys to verify no DICOM services are internet-reachable. Remove any that are.
- [ ] Enforce network segmentation for imaging systems. Validate that PACS and DICOM servers cannot reach Active Directory, EHR systems, or the internet directly. Test this with actual traffic, not just firewall rule reviews.
- [ ] Hunt for Handala indicators in your environment. Search for the domains, IPs, and filenames in the IOC table above across DNS logs, proxy logs, endpoint telemetry, and SIEM. Query example (wildcards are needed because the domains are handala-hack.to, handala-redwanted.to and handala.to, not a bare "handala"): index=dns (query="*handala*" OR query="*justicehomeland*" OR query="*karmabelow80*")
- [ ] Review VPN and remote access logs for anomalous third-party access. Flag logins from Starlink ranges (188.92.255.0/24), Iranian IP space, or service provider accounts accessing systems outside normal business hours.
- [ ] Disable default credentials on all DICOM and PACS systems. Inventory every imaging device, check for default or shared credentials, and rotate them. Implement monitoring for authentication failures on these systems.
References
- CNN Politics. "Stryker: Pro-Iran hackers claim cyberattack on major US medical device maker." March 11, 2026. https://www.cnn.com/2026/03/11/politics/pro-iran-hackers-cyberattack-medical-device-maker
- U.S. Department of Justice. "Justice Department Disrupts Iranian Cyber Enabled Psychological Operations." March 20, 2026. https://www.justice.gov/opa/pr/justice-department-disrupts-iranian-cyber-enabled-psychological-operations
- Dark Reading. "Leaky DICOM Medical Standard Exposes Millions of Patient Records." https://www.darkreading.com/cyber-risk/leaky-dicom-medical-protocol-exposes-millions-patient-records
- Censinet. "Study: 162 New Medical Device Vulnerabilities Found." https://censinet.com/perspectives/study-162-new-medical-device-vulnerabilities-found
- Help Net Security. "The devices winning the race to get hacked in 2026." March 23, 2026. https://www.helpnetsecurity.com/2026/03/23/connected-devices-security-risk-2026-research/
- Check Point Research. "'Handala Hack' - Unveiling Group's Modus Operandi." 2026. https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/
- CISA. "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations." https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
- Protos AI. "Stryker Wiper Attack 2026: Handala Timeline Reconstruction & IOCs." https://www.protoslabs.io/resources/timeline-reconstruction-stryker-handala-threat-group-wiper-attack
- U.S. Department of Justice. "Justice Department Seizes Domains Used by Iranian Intelligence Ministry." https://www.justice.gov/opa/pr/justice-department-seizes-domains-used-iranian-intelligence-ministry-cyber-enabled
- Nariman Gharib via X. "Iranian MOIS-linked hackers using Starlink IPs." https://x.com/NarimanGharib/status/2013351039362007470
- Rewterz. "Handala Hack Uses RDP and Wipers in MOIS-Linked Attacks." https://rewterz.com/threat-advisory/handala-hack-uses-rdp-and-wipers-in-mois-linked-attacks-active-iocs
---
Hunt Guide: Handala/MOIS Targeting of DICOM Medical Imaging Infrastructure
Hypothesis: If Handala or affiliated Iranian threat actors are active in our environment, we expect to observe unauthorized access to DICOM servers (TCP 104/11112), VPN anomalies from Iranian/Starlink IP ranges, RDP lateral movement from medical systems, and deployment of Handala wiper components via GPO.
Intelligence Summary: Iranian MOIS-attributed Handala group is actively targeting healthcare organizations with focus on exposed DICOM medical imaging systems. The group uses compromised VPN credentials for initial access, RDP for lateral movement, and deploys custom wiper malware via Group Policy to destroy data. Over 3,800 DICOM servers are internet-accessible with 30% actively leaking data.
Confidence: High | Priority: Critical
Scope
- Networks: All medical imaging VLANs, PACS networks, DICOM gateways, VPN concentrators, and domain controllers
- Timeframe: Initial: 90 days historical, Ongoing: Real-time detection with 24-hour lookback
- Priority Systems: Internet-facing DICOM servers (TCP 104/11112), PACS servers, imaging workstations, radiology department systems, VPN gateways, domain controllers with medical OU management
MITRE ATT&CK Techniques
T1133 — External Remote Services (Initial Access) [P1]
Handala compromises VPN accounts from IT/service providers to gain initial access to victim networks
Splunk SPL:
index=vpn* OR index=auth* | eval src_category=case(cidrmatch("188.92.255.0/24", src_ip), "Starlink", cidrmatch("31.57.35.0/24", src_ip) OR cidrmatch("82.25.35.0/24", src_ip), "Handala-cited /24", 1=1, "Other") | eval third_party=if(like(user, "%vendor%") OR like(user, "%contractor%") OR like(user, "%service%"), 1, 0), off_hours=if(date_hour<6 OR date_hour>=22, 1, 0) | where src_category!="Other" OR (third_party=1 AND off_hours=1) | stats count, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, user, src_category, off_hours | sort -count
Elastic KQL (KQL cannot filter on hour of day; apply the off-hours condition with the time picker or a runtime field on @timestamp):
event.category:(authentication OR network) AND (source.ip:"188.92.255.0/24" OR source.ip:"31.57.35.0/24" OR source.ip:"82.25.35.0/24" OR user.name:(*vendor* OR *contractor* OR *service*))
Sigma Rule:
title: VPN Login from Starlink or Handala-Associated IP Ranges
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects VPN logins from the Starlink range Handala used during the Iran blackout and from the /24s around the vendor-cited Handala IPs. The off-hours third-party-account check is not expressible as a Sigma field condition and lives in the SPL/KQL queries.
references:
  - https://x.com/NarimanGharib/status/2013351039362007470
  - https://www.protoslabs.io/resources/timeline-reconstruction-stryker-handala-threat-group-wiper-attack
logsource:
  category: authentication
  product: vpn
detection:
  selection_ips:
    src_ip|cidr:
      - '188.92.255.0/24'
      - '31.57.35.0/24'   # /24 expansion of vendor-cited 31.57.35.223 (assumption)
      - '82.25.35.0/24'   # /24 expansion of vendor-cited 82.25.35.25 (assumption)
  condition: selection_ips
falsepositives:
  - Legitimate Starlink users, including remote clinicians or vendors
  - Unrelated hosts in the expanded /24 ranges
level: high
tags:
  - attack.initial_access
  - attack.t1133
Focus on VPN logins from the Starlink range (188.92.255.0/24) and on third-party accounts outside business hours; the hour-of-day condition lives in the SPL/KQL, not in the Sigma rule. Correlate hits with subsequent RDP activity.
T1021.001 — Remote Desktop Protocol (Lateral Movement) [P1]
Handala uses RDP for manual lateral movement within compromised networks
Splunk SPL:
index=wineventlog EventCode IN (4624, 4625) Logon_Type=10 | rename Source_Network_Address AS src_ip | join type=left src_ip [search index=medical_assets | table ip_address asset_type | rename ip_address AS src_ip] | where asset_type IN ("DICOM", "PACS", "Imaging") | stats count BY src_ip, ComputerName, Account_Name, asset_type | sort -count
Elastic KQL:
event.code:(4624 OR 4625) AND winlog.event_data.LogonType:"10" AND source.ip:(10.50.100.0/24 OR 10.50.101.0/24 OR 172.16.200.0/24)
Sigma Rule:
title: RDP Lateral Movement from Medical Imaging Systems
id: b2c3d4e5-f6a7-8901-bcde-f23456789012
status: experimental
description: Detects RDP logons (Security 4624, LogonType 10) whose source address is a DICOM/PACS subnet; those systems should never initiate RDP
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 10
  selection_source:
    IpAddress|cidr:
      - '10.50.100.0/24'   # medical imaging subnet (placeholder, adjust)
      - '10.50.101.0/24'   # PACS subnet (placeholder, adjust)
      - '172.16.200.0/24'  # DICOM subnet (placeholder, adjust)
  condition: selection and selection_source
falsepositives:
  - Administrative access from jump boxes on medical networks
level: high
tags:
  - attack.lateral_movement
  - attack.t1021.001
Medical imaging systems should never initiate RDP connections. Any RDP from DICOM/PACS subnets is highly suspicious. Adjust subnet ranges to match your environment.
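The T1133 and T1021.001 hunts above are expressed in SPL, KQL and Sigma, none of which can be run against a log export on an analyst's laptop. The following reference implementation of the same logic is added here as an example and is not part of the original hunt guide: it reads VPN authentication records and Windows 4624 events as JSON lines, flags logins from the Starlink range and the /24 expansions of the vendor-cited IPs at any hour, flags third-party-looking accounts outside business hours, and flags RemoteInteractive (LogonType 10) logons whose source is an imaging subnet. Field names, the imaging subnets, the business-hours window and all sample records are assumptions constructed for the example.

```python
"""Hunt logic for T1133 (VPN anomalies) and T1021.001 (RDP from imaging subnets)
over exported JSON-lines logs. Added reference implementation, not part of the
hunt guide's own queries; field names, subnets and sample records are assumptions.
"""
import ipaddress
import json
from datetime import datetime
from typing import Optional

WATCHED_SOURCE_NETS = {
    "Starlink 188.92.255.0/24 (used during Iran blackout)": ipaddress.ip_network("188.92.255.0/24"),
    # /24 expansion of the two vendor-cited Handala IPs is an assumption of this example
    "vendor-cited Handala /24 (31.57.35.0/24)": ipaddress.ip_network("31.57.35.0/24"),
    "vendor-cited Handala /24 (82.25.35.0/24)": ipaddress.ip_network("82.25.35.0/24"),
}
IMAGING_NETS = {   # placeholders, replace with your imaging VLANs
    "imaging subnet (placeholder)": ipaddress.ip_network("10.50.100.0/24"),
    "PACS subnet (placeholder)": ipaddress.ip_network("10.50.101.0/24"),
    "DICOM subnet (placeholder)": ipaddress.ip_network("172.16.200.0/24"),
}
THIRD_PARTY_MARKERS = ("vendor", "contractor", "service")
BUSINESS_HOURS = range(6, 22)   # 06:00-21:59; everything else is off hours


def match_net(ip: str, nets: dict) -> Optional[str]:
    """Label of the first network containing ip, or None (also None for garbage input)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return next((label for label, net in nets.items() if addr in net), None)


def is_off_hours(ts: str) -> bool:
    """Timestamps are assumed to already be in local clinic time (ISO 8601)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).hour not in BUSINESS_HOURS


def hunt_vpn(lines) -> list:
    """Flag logins from watched ranges at any hour, or third-party accounts off hours."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        label = match_net(ev["src_ip"], WATCHED_SOURCE_NETS)
        third_party = any(m in ev["user"].lower() for m in THIRD_PARTY_MARKERS)
        if label:
            findings.append({**ev, "reason": f"source in {label}"})
        elif third_party and is_off_hours(ev["ts"]):
            findings.append({**ev, "reason": "third-party account, off hours"})
    return findings


def hunt_rdp(lines) -> list:
    """Flag Security 4624 LogonType 10 (RemoteInteractive) whose source is an imaging subnet."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
            continue
        label = match_net(ev.get("IpAddress", ""), IMAGING_NETS)
        if label:
            findings.append({**ev, "reason": f"RDP initiated from {label}"})
    return findings


# Constructed sample records (not real telemetry)
SAMPLE_VPN = [
    '{"ts": "2026-03-21T03:14:00Z", "src_ip": "188.92.255.77", "user": "svc-radvendor", "result": "success"}',
    '{"ts": "2026-03-21T10:02:00Z", "src_ip": "203.0.113.9", "user": "jdoe", "result": "success"}',
    '{"ts": "2026-03-21T23:40:00Z", "src_ip": "198.51.100.20", "user": "contractor-pacs", "result": "success"}',
    '{"ts": "2026-03-21T14:00:00Z", "src_ip": "198.51.100.21", "user": "contractor-pacs", "result": "success"}',
]
SAMPLE_RDP = [
    '{"EventID": 4624, "LogonType": 10, "IpAddress": "10.50.100.15", "TargetUserName": "dicomadm", "Computer": "DC01"}',
    '{"EventID": 4624, "LogonType": 10, "IpAddress": "10.20.5.7", "TargetUserName": "helpdesk", "Computer": "WS-RAD02"}',
    '{"EventID": 4624, "LogonType": 3, "IpAddress": "10.50.100.15", "TargetUserName": "dicomadm", "Computer": "PACS01"}',
]

if __name__ == "__main__":
    for finding in hunt_vpn(SAMPLE_VPN) + hunt_rdp(SAMPLE_RDP):
        print(json.dumps(finding))
```

On the sample data the VPN hunt returns the Starlink login and the 23:40 contractor login (the 14:00 contractor login is business hours and passes), and the RDP hunt returns only the LogonType 10 logon from the imaging subnet to DC01. Swap the sample lists for the output of your SIEM export and the logic is unchanged.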
T1072 — Software Deployment Tools (Execution) [P1]
Handala deploys wiper malware via Group Policy logon scripts across victim networks
Splunk SPL:
index=wineventlog (EventCode=4688 OR EventCode=1) (CommandLine="*handala*" OR Image="*handala*" OR New_Process_Name="*handala*" OR ParentImage="*\\gpscript.exe" OR Creator_Process_Name="*\\gpscript.exe") | eval threat_indicator=case(match(CommandLine, "(?i)handala") OR match(coalesce(Image, New_Process_Name), "(?i)handala"), "Handala_Wiper", match(coalesce(ParentImage, Creator_Process_Name), "(?i)gpscript"), "GPO_Script", 1=1, "Other") | stats count BY ComputerName, User, CommandLine, threat_indicator | where threat_indicator!="Other"
Elastic KQL:
event.code:(4688 OR 1) AND (process.command_line:*handala* OR process.executable:*handala* OR process.parent.name:gpscript.exe)
Sigma Rule:
title: Handala Wiper Deployment via Group Policy
id: c3d4e5f6-a7b8-9012-cdef-345678901234
status: experimental
description: Detects execution of Handala wiper components, or any script launched by the Group Policy script host, which is how the wiper was deployed
references:
  - https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/
logsource:
  category: process_creation
  product: windows
detection:
  selection_handala:
    - CommandLine|contains: 'handala'
    - Image|contains: 'handala'
    - OriginalFileName: 'handala.exe'
  selection_gpo:
    ParentImage|endswith: '\gpscript.exe'
    CommandLine|contains:
      - '.bat'
      - '.exe'
      - '.ps1'
  condition: selection_handala or selection_gpo
fields:
  - ComputerName
  - User
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Legitimate GPO logon and startup scripts (baseline the selection_gpo branch per environment)
level: critical
tags:
  - attack.execution
  - attack.t1072
Monitor for any process execution containing 'handala' or unusual scripts executed by gpscript.exe. Immediate response required.
T1485 — Data Destruction (Impact) [P1]
Handala Wiper overwrites files and corrupts Master Boot Record on victim systems
Splunk SPL:
index=sysmon ((EventID=1 (Image="*handala.exe" OR CommandLine="*handala*")) OR (EventID=9 Device="\\Device\\Harddisk*")) | eval threat_type=case(EventID=1, "Handala_Wiper", EventID=9, "Raw_Disk_Read", 1=1, "Other") | stats count BY ComputerName, User, threat_type, Image, Device | where threat_type!="Other"
Elastic KQL:
(event.code:1 AND (process.executable:*handala.exe OR process.command_line:*handala*)) OR (event.code:9 AND winlog.event_data.Device:\\Device\\Harddisk*)
Sigma Rule:
title: Handala Wiper MBR Corruption Activity
id: d4e5f6a7-b8c9-0123-defa-456789012345
status: experimental
description: Detects Handala wiper execution and raw disk access (Sysmon Event 9, RawAccessRead) by the wiper binary
logsource:
  product: windows
  service: sysmon
detection:
  selection_wiper:
    EventID: 1
    Image|contains: 'handala'
  selection_mbr:
    EventID: 9
    Device|startswith: '\Device\Harddisk'
    Image|endswith:
      - '\handala.exe'
      - '\wiper.exe'
  condition: selection_wiper or selection_mbr
falsepositives:
  - Unlikely; raw disk reads by backup, imaging and AV tools are excluded by the Image filter
level: critical
tags:
  - attack.impact
  - attack.t1485
Sysmon Event 9 (RawAccessRead) is also produced by backup agents, disk imaging, AV and partitioning tools, so baseline those images before alerting on raw disk reads alone. A raw read of \Device\Harddisk0 by handala.exe, or any raw read shortly after a handala.exe process start, indicates active destruction.
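On the response side of the raw-disk-read branch above, the first question after an alert is whether the MBR on the host actually survived. The following triage function is added here as an example and is not from the page or its sources: it reads the first 512 bytes of a disk image or raw device and reports the corruption patterns a file-and-MBR wiper leaves (missing 0x55AA signature, zeroed or single-byte-filled bootstrap code, empty, zero-sized or overlapping partition entries). It also notes whether the classic x86 bootstrap prologue the page's YARA rule keys on is present, which only says the sector looks like a boot sector. The two sample sectors are constructed.

```python
"""MBR triage for a suspect disk image or raw device (added example, not from
the page's sources). Reports the corruption a file-and-MBR wiper leaves behind
from the first 512 bytes alone. Sample sectors below are constructed."""
import struct

BOOT_SIG = b"\x55\xAA"
# Classic x86 MBR prologue: xor ax,ax / mov ds,ax / mov es,ax / mov ss,ax / mov sp,0x7c00.
# Same bytes as the page's YARA $mbr_pattern; it only says "this looks like a boot sector".
CLASSIC_PROLOGUE = bytes.fromhex("33C08ED88EC08ED0BC007C")


def parse_partitions(sector: bytes) -> list:
    """The four primary partition entries at offset 446, 16 bytes each."""
    entries = []
    for i in range(4):
        e = sector[446 + 16 * i:462 + 16 * i]
        lba_start, sectors = struct.unpack("<II", e[8:16])
        entries.append({"bootable": e[0] == 0x80, "type": e[4],
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def mbr_health(sector: bytes) -> dict:
    """Return {'intact': bool, 'classic_prologue': bool, 'findings': [...]}."""
    if len(sector) != 512:
        raise ValueError("pass exactly the first 512 bytes of the disk")
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    code = sector[:446]
    if not any(code):
        findings.append("bootstrap code is all zero")
    elif len(set(code)) == 1:
        findings.append("bootstrap code is one repeated byte (overwrite pattern)")
    parts = parse_partitions(sector)
    used = [p for p in parts if p["type"] != 0]
    if not used:
        findings.append("no partition entries")
    for i, p in enumerate(used):
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {i}: zero start LBA or size")
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one bootable flag set")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    if any(b0 < a1 for (a0, a1), (b0, b1) in zip(spans, spans[1:])):
        findings.append("overlapping partitions")
    return {"intact": not findings,
            "classic_prologue": sector.startswith(CLASSIC_PROLOGUE),
            "findings": findings}


def check_disk(path: str) -> dict:
    """Triage a raw image (dd output) or a device such as \\\\.\\PhysicalDrive0 or /dev/sda."""
    with open(path, "rb") as f:
        return mbr_health(f.read(512))


def sample_healthy_mbr() -> bytes:
    """Constructed: classic prologue, one bootable NTFS-type partition, valid signature."""
    code = CLASSIC_PROLOGUE + b"\x90" * (446 - len(CLASSIC_PROLOGUE))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIG


def sample_wiped_mbr() -> bytes:
    """Constructed: what a zero-fill of sector 0 leaves behind."""
    return b"\x00" * 512


if __name__ == "__main__":
    import sys
    print(check_disk(sys.argv[1]) if len(sys.argv) > 1 else mbr_health(sample_wiped_mbr()))
```

Run it against an image taken before any remediation; a sector that keeps the 0x55AA signature but has a repeated-byte bootstrap and an overlapping or empty partition table is the typical signature of an overwrite rather than of disk failure.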
T1090 — Proxy (Command and Control) [P2]
Handala uses NetBird tunneling tool to maintain persistent network access
Splunk SPL:
index=sysmon EventID=3 (Image="*netbird*" OR DestinationPort IN (33073, 51820, 51821)) | join type=left SourceIp [search index=medical_assets | table ip_address asset_type | rename ip_address AS SourceIp] | eval risk_score=case(isnotnull(asset_type), 100, match(Image, "(?i)netbird"), 75, in(DestinationPort, 33073, 51820, 51821), 25, 1=1, 0) | stats max(risk_score) AS risk, count BY SourceIp, DestinationIp, DestinationPort, Image, asset_type | where risk>=75
Elastic KQL:
event.code:3 AND (process.name:*netbird* OR destination.port:(33073 OR 51820 OR 51821))
Sigma Rule:
title: NetBird Tunneling Tool Network Activity
id: e5f6a7b8-c9d0-1234-efab-567890123456
status: experimental
description: Detects network connections by the NetBird client, or outbound connections to WireGuard/NetBird ports from any process, on hosts where NetBird is not sanctioned
logsource:
  category: network_connection
  product: windows
detection:
  selection_netbird:
    Image|endswith:
      - '\netbird.exe'
      - '\netbird-ui.exe'
  selection_ports:
    Initiated: 'true'
    DestinationPort:
      - 33073
      - 51820
      - 51821
  condition: selection_netbird or selection_ports
falsepositives:
  - Legitimate use of NetBird for remote access
  - Other WireGuard clients using the default 51820 port
level: high
tags:
  - attack.command_and_control
  - attack.t1090
  - attack.t1219
NetBird's data plane is WireGuard, UDP 51820 by default; its control plane (management and signal) runs over TLS/gRPC, typically 443 against NetBird cloud or 33073 for the management API in self-hosted deployments. Look for those ports, and for the netbird.exe image itself, on medical networks where no overlay VPN is sanctioned.
T1059.001 — PowerShell (Execution) [P2]
Handala uses AI-assisted PowerShell scripts for file deletion operations
Splunk SPL:
index=wineventlog EventCode=4104 (ScriptBlockText="*Remove-Item*" AND ScriptBlockText="*-Recurse*" AND ScriptBlockText="*-Force*") OR (ScriptBlockText="*Get-ChildItem*" AND ScriptBlockText="*.Delete()*") | rex field=ScriptBlockText "(?<suspicious_paths>C:\\\\Users\\\\|C:\\\\Windows\\\\|C:\\\\Program)" | stats count by Computer, suspicious_paths, ScriptBlockText | where count>10
Elastic KQL:
event.code:4104 AND ((powershell.file.script_block_text:*Remove-Item* AND powershell.file.script_block_text:*Recurse* AND powershell.file.script_block_text:*Force*) OR (powershell.file.script_block_text:*Get-ChildItem* AND powershell.file.script_block_text:*Delete()*))
Sigma Rule:
title: Mass File Deletion via PowerShell
id: f6a7b8c9-d0e1-2345-fabc-678901234567
status: experimental
description: Detects PowerShell script blocks performing recursive, forced deletion under system or user-profile paths
logsource:
  product: windows
  category: ps_script
  definition: Script Block Logging (Event ID 4104) must be enabled
detection:
  selection_delete:
    ScriptBlockText|contains|all:
      - 'Remove-Item'
      - '-Recurse'
      - '-Force'
  selection_paths:
    ScriptBlockText|contains:
      - 'C:\Users'
      - 'C:\Windows'
      - 'C:\Program Files'
  condition: selection_delete and selection_paths
falsepositives:
  - Administrative cleanup scripts; allowlist known maintenance scripts by hash or path
level: high
tags:
  - attack.execution
  - attack.t1059.001
Look for recursive file deletion in system directories. AI-generated scripts may have unusual formatting or comments.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | Justicehomeland.org | MOIS domain seized by FBI, used for Handala operations |
| domain | Handala-Hack.to | Primary Handala operations and claims domain, seized by FBI |
| domain | Karmabelow80.org | MOIS-linked domain seized by FBI |
| domain | Handala-Redwanted.to | Doxxing and threat domain used by Handala, seized by FBI |
| domain | handala.to | Non-resolving domain associated with Handala operations |
| ip | 31.57.35.223 | Exposed Windows RPC/SMB services, vendor-cited Handala infrastructure |
| ip | 82.25.35.25 | Exposed Windows services, vendor-cited Handala infrastructure |
| filename | handala.bat | Batch file used for Handala wiper execution via GPO deployment |
| filename | handala.exe | Custom wiper executable that overwrites files and corrupts MBR |
| filename | handala.gif | Propaganda image placed on logical drives after wiper execution |
IOC Sweep Queries (Splunk):
index=dns OR index=proxy | search query="*justicehomeland.org*" OR url="*justicehomeland.org*" | stats count by src_ip, query, url | sort -count
index=dns OR index=proxy | search query="*handala-hack.to*" OR url="*handala-hack.to*" | stats count by src_ip, query, url | sort -count
index=dns OR index=proxy | search query="*karmabelow80.org*" OR url="*karmabelow80.org*" | stats count by src_ip, query, url | sort -count
index=dns OR index=proxy | search query="*handala-redwanted.to*" OR url="*handala-redwanted.to*" | stats count by src_ip, query, url | sort -count
index=dns OR index=proxy | search query="*handala.to*" OR url="*handala.to*" | stats count by src_ip, query, url | sort -count
index=* (src_ip="31.57.35.223" OR dest_ip="31.57.35.223") | stats count by index, sourcetype, src_ip, dest_ip, dest_port | sort -count
index=* (src_ip="82.25.35.25" OR dest_ip="82.25.35.25") | stats count by index, sourcetype, src_ip, dest_ip, dest_port | sort -count
index=* (CommandLine="*handala.bat*" OR FileName="handala.bat" OR TargetFilename="*handala.bat*") | stats count by ComputerName, User, CommandLine, TargetFilename | sort -count
index=* (Image="*handala.exe*" OR FileName="handala.exe" OR TargetFilename="*handala.exe*" OR process="*handala.exe*") | stats count by ComputerName, User, Image, TargetFilename | sort -count
index=* (FileName="handala.gif" OR TargetFilename="*handala.gif*" OR file="*handala.gif*") | stats count by ComputerName, TargetFilename, file_path | sort -count
YARA Rules
Handala_Wiper_Artifacts — Detects Handala wiper components and artifacts
rule Handala_Wiper_Artifacts {
  meta:
    description = "Detects Handala wiper executables and related files"
    author = "Threat Hunt Team"
    date = "2026-03-24"
    reference = "https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/"
  strings:
    $filename1 = "handala.exe" ascii wide nocase
    $filename2 = "handala.bat" ascii wide nocase
    $filename3 = "handala.gif" ascii wide nocase
    $batch_cmd1 = "del /f /s /q" ascii wide
    $batch_cmd2 = "format c: /y" ascii wide nocase
    $batch_cmd3 = "cipher /w:" ascii wide
    // Generic x86 MBR prologue (xor ax,ax; mov ds/es/ss,ax; mov sp,0x7c00). Present in any
    // legitimate boot sector too, so it is only used in combination with a filename string.
    $mbr_pattern = { 33 C0 8E D8 8E C0 8E D0 BC 00 7C }
    // The two strings below are not from a cited sample; kept as low-weight pivots only.
    $wiper_msg = "Your files have been encrypted" ascii wide
    $persian_text = { D8 A8 D8 B1 D8 A7 DB 8C 20 D8 A2 D8 B2 D8 A7 D8 AF DB 8C }
  condition:
    (2 of ($filename*)) or
    (any of ($filename*) and any of ($batch_cmd*)) or
    ($mbr_pattern and any of ($filename*)) or
    (($wiper_msg or $persian_text) and any of ($filename*))
}
NetBird_Tunneling_Tool — Detects NetBird tunneling tool used by Handala for C2
rule NetBird_Tunneling_Tool {
  meta:
    description = "Detects the NetBird VPN/tunneling client; legitimate in many environments, so pair hits with asset context"
    author = "Threat Hunt Team"
    date = "2026-03-24"
  strings:
    $netbird1 = "netbird" ascii wide nocase
    $netbird2 = "netbird.exe" ascii wide nocase
    $netbird3 = "netbird-ui.exe" ascii wide nocase
    $netbird_agent = "NetBird Agent" ascii wide
    $wireguard = "wireguard" ascii wide nocase
    $config1 = "management.json" ascii wide
    $config2 = "netbird.json" ascii wide
    $pdb_path = "netbird\\client\\" ascii
  condition:
    // $netbird* also covers $netbird_agent, and any file with "netbird.exe" matches two of them
    (2 of ($netbird*)) or
    $pdb_path or
    (any of ($netbird*) and $wireguard) or
    (any of ($config*) and $wireguard)
}
Suricata Rules
SID 3000001 — Detects DNS queries for the Handala leak-site and propaganda domains (handala.to, Handala-Hack.to, Handala-Redwanted.to); a hit indicates browsing or research as often as compromise, so treat it as a pivot rather than a C2 verdict
alert dns any any -> any any (msg:"Handala Leak-Site Domain Query"; dns.query; content:"handala"; nocase; sid:3000001; rev:2; metadata:confidence high, threat_name Handala;)
SID 3000006 — Detects DNS queries for the two seized MOIS domains that do not contain the string "handala"
alert dns any any -> any any (msg:"Handala/MOIS Seized Domain Query"; dns.query; pcre:"/^(justicehomeland\.org|karmabelow80\.org)$/i"; sid:3000006; rev:1; metadata:confidence high, threat_name Handala;)
SID 3000002 — Detects traffic to Handala infrastructure IPs
alert ip any any -> [31.57.35.223,82.25.35.25] any (msg:"Traffic to Known Handala Infrastructure"; threshold:type limit,track by_src,count 1,seconds 3600; sid:3000002; rev:1; metadata:confidence high, threat_name Handala;)
SID 3000003 — Detects DICOM protocol on internet-facing interfaces
alert tcp $EXTERNAL_NET any -> $HOME_NET [104,11112] (msg:"External DICOM A-ASSOCIATE-RQ"; flow:to_server,established; content:"|01 00|"; depth:2; content:"|00 01|"; distance:4; within:2; sid:3000003; rev:2; metadata:service dicom, threat_type reconnaissance;)
SID 3000004 — Detects a WireGuard handshake initiation (the NetBird data plane) to the default WireGuard ports; 33073 is NetBird's self-hosted management API over TCP, not a UDP tunnel port, so it is left to the Sysmon/Sigma rule
alert udp any any -> any [51820,51821] (msg:"Possible NetBird/WireGuard Handshake Initiation"; dsize:148; content:"|01 00 00 00|"; depth:4; threshold:type limit,track by_src,count 1,seconds 3600; sid:3000004; rev:2;)
SID 3000005 — Detects RDP from medical device subnets
alert tcp [10.50.100.0/24,10.50.101.0/24,172.16.200.0/24] any -> any 3389 (msg:"RDP from Medical Device Network"; flow:to_server,established; sid:3000005; rev:1; metadata:severity critical;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Windows Security EventLog | T1021.001, T1072, T1078 | Enable audit policies for logon events (4624/4625) and process creation (4688) |
| Sysmon | T1072, T1485, T1090, T1059.001 | Deploy Sysmon with network connection (ID 3), process creation (ID 1), and raw disk access (ID 9) logging |
| PowerShell ScriptBlock Logging | T1059.001 | Enable ScriptBlock logging (Event ID 4104) via Group Policy |
| VPN Logs | T1133 | Centralize VPN authentication logs with source IP preservation |
| DNS Logs | T1090, T1583.001 | Enable DNS query logging on all resolvers |
| Network Flow Data | T1133, T1021.001, T1090 | NetFlow/IPFIX collection on medical network boundaries |
| Group Policy Audit Logs | T1072 | Enable GPO modification auditing in domain controllers |
| DICOM/PACS Application Logs | T1133 | Centralize DICOM gateway and PACS authentication/access logs |