The Expansion of Void Manticore Targeting to U.S. Enterprises


Handala Hack is an online cyber persona used by the Iranian state-linked threat actor Void Manticore (also known as Red Sandstorm or Banished Kitten), which is affiliated with the Iranian Ministry of Intelligence and Security (MOIS). The group conducts destructive cyber operations and hack-and-leak campaigns, primarily targeting organizations in Israel, Albania, and recently the United States. In March 2026, the group executed its most significant U.S. operation to date – a massive, destructive attack against Stryker, a major American medical technology firm. This shift signals a transition from regional targeting in Israel and Albania to high-impact sabotage of Fortune 500 infrastructure.

Severity: High

Actor Profile & Affiliations

  • Primary Actor: Void Manticore (MOIS-affiliated).
  • Associated Personas:
    • Handala Hack: Primary front for operations against Israel and the U.S. (e.g., Stryker).
    • Homeland Justice: Dedicated to operations against the Albanian government and telecom sectors.
    • Karma: An older persona, now largely replaced by Handala.
  • Key Leadership: Reportedly supervised by Seyed Yahya Hosseini Panjaki, who was killed in early March 2026 during strikes on Iran.
  • Collaborators: Frequently collaborates with Scarred Manticore (Storm-0861) for initial network access.

Destructive Modus Operandi

The group often deploys four distinct wiping techniques simultaneously to maximize impact:

  1. Handala Wiper: A custom executable that overwrites file contents and employs MBR-based wiping to destroy disk structures.
  2. AI-Assisted PowerShell Wiper: A script (likely developed with AI help) that enumerates and deletes all files in user directories, followed by dropping a propaganda image (handala.gif).
  3. VeraCrypt Encryption: Leveraging the legitimate VeraCrypt utility to encrypt system drives, complicating recovery efforts.
  4. Manual Deletion: Operators manually log in via RDP to delete virtual machines and files directly.

Case Study: The Stryker “Global Network Disruption” (March 2026)

  • Attack Timeline: Discovered shortly after midnight on March 11, 2026.
  • Trigger/Motivation: Handala claimed the attack was “retaliation” for a February 28 missile strike on a school in Minab, Iran.
  • Scale of Destruction:
    • Endpoints: The group claimed to have wiped over 200,000 systems, including Windows servers, PCs, and mobile devices.
    • Data Theft: Reported exfiltration of 50 terabytes of sensitive corporate and R&D data.
    • Operational Impact: Forced the temporary shutdown of offices in 79 countries. Stryker reported “global network disruption” affecting order processing, manufacturing, and shipping.
  • Clinical Impact: While Stryker confirmed surgical systems like Mako and LIFEPAK remained safe, the LIFENET system (used by emergency responders to transmit patient data) experienced temporary outages for some users.

Recommendations

  1. Move MFA beyond SMS or push notifications to FIDO2-compliant hardware keys.
  2. Restrict administrative logins to compliant, company-managed devices and specific geographic locations. Block all access from high-risk regions (e.g., Iran) and commercial VPN/TOR exit nodes.
  3. Implement “Just-In-Time” (JIT) access. No account should have permanent Global Admin rights; rights should be requested, approved, and automatically revoked after a set window.
  4. Use Entra ID PIM to manage eligible role assignments. Require multi-factor authentication (MFA), business justification and, for high-risk roles, manual approval before activation.
  5. Reduce the number of Global Administrator and Intune Administrator accounts to the fewest possible based on business needs.
  6. Use cloud-only accounts (e.g., admin@tenant.onmicrosoft.com) for administrative roles to prevent lateral movement from on-premises Active Directory via synchronized account compromise.
  7. Configure your MDM to require approval from a second administrator before executing “Bulk Wipe” or “Factory Reset” commands on more than a small threshold of devices.
  8. Prevent unauthorized devices from enrolling in Intune by requiring a pre-set hardware ID or specific group membership.
  9. Ensure “Tamper Protection” is enabled to prevent the group from disabling Windows Defender or EDR agents.
  10. Create alerts for the installation or execution of VeraCrypt or BitLocker commands on unauthorized systems.
  11. Monitor for the use of potentially unwanted software, including RMM tools, VPN applications such as NetBird, and tunneling utilities such as SSH for Windows.
  12. Disable RDP on all workstations. For servers where it is required, use a Remote Desktop Gateway with MFA and ensure it is not exposed directly to the internet.
  13. Since the group targets and wipes primary data and even virtual machines, maintain off-site, immutable backups that cannot be deleted even with administrative credentials.
  14. Shorten session duration for sensitive administrative portals (e.g., Intune, Entra and Azure portals) to under 1 hour. This limits the window in which a stolen session token can be used.
  15. Block the IOCs at their respective controls:
     https://www.virustotal.com/gui/collection/7188b896ea445df141cf7bb68438102542374523f3816b0fa6c893c1d3d80e62/iocs

IOCs

MD5: 5986ab04dd6b3d259935249741d3eff2
MD5: 3cb9dea916432ffb8784ac36d1f2d3cd
MD5: 3236facc7a30df4ba4e57fddfba41ec5
MD5: 3dfb151d082df7937b01e2bb6030fe4a
MD5: e035c858c1969cffc1a4978b86e90a30
IP: 82.25.35[.]25
IP: 31.57.35[.]223
IP: 107.189.19[.]52
IP: 146.185.219[.]235
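The following is an added example, not code from the advisory or from any of the vendors it cites. It turns recommendation 10 (alert on VeraCrypt or BitLocker execution on unauthorized systems) and the IOC list above into a small detection pass over endpoint log records. The IoC values are the ones printed in the advisory; the log field names, the allowlist of hosts where disk encryption is expected, and the sample records are assumptions constructed for the example.

```python
"""Detection pass over constructed endpoint log records.

Added example, not code from the advisory or from the vendors it cites.
It applies three of the advisory's points as checks:
  * disk-encryption tooling (VeraCrypt binaries, BitLocker's manage-bde)
    executing on a host that is not on an allowlist (recommendation 10),
  * file hashes matching the advisory's MD5 IoCs,
  * outbound connections to the advisory's IP IoCs (kept defanged as listed).
Field names, the allowlist and the log records are assumptions for the
example; the IoC values are the ones printed in the advisory.
"""
import re

# IoCs copied from the advisory (IPs are stored defanged, as published).
IOC_MD5 = {
    "5986ab04dd6b3d259935249741d3eff2",
    "3cb9dea916432ffb8784ac36d1f2d3cd",
    "3236facc7a30df4ba4e57fddfba41ec5",
    "3dfb151d082df7937b01e2bb6030fe4a",
    "e035c858c1969cffc1a4978b86e90a30",
}
IOC_IP_DEFANGED = {
    "82.25.35[.]25", "31.57.35[.]223", "107.189.19[.]52", "146.185.219[.]235",
}


def refang(ip: str) -> str:
    """Turn a defanged address like 1.2.3[.]4 back into a comparable form."""
    return ip.replace("[.]", ".").replace("(.)", ".").strip()


IOC_IP = {refang(ip) for ip in IOC_IP_DEFANGED}

# Hosts where disk-encryption tooling is expected to run (assumption: a small
# set of IT-managed imaging hosts). Everything else alerts.
ENCRYPTION_ALLOWLIST = {"it-imaging01"}

# Image names for the VeraCrypt binaries and the BitLocker command-line tool.
ENCRYPTION_TOOL = re.compile(
    r"(veracrypt(?:\s+format|\s+expander)?\.exe|manage-bde\.exe)$", re.IGNORECASE
)


def check_event(event: dict) -> list[str]:
    """Return the list of finding tags for one log record (empty if clean)."""
    findings = []
    host = event.get("host", "").lower()
    if event.get("type") == "process":
        image = event.get("image", "")
        basename = image.replace("/", "\\").rsplit("\\", 1)[-1]
        if ENCRYPTION_TOOL.search(basename) and host not in ENCRYPTION_ALLOWLIST:
            findings.append("encryption_tool_on_unauthorized_host")
        # Hash comparison is case-insensitive: log sources differ in casing.
        if event.get("md5", "").lower() in IOC_MD5:
            findings.append("ioc_hash_match")
    elif event.get("type") == "network":
        # Accept both plain and defanged addresses in the record.
        if refang(event.get("dst_ip", "")) in IOC_IP:
            findings.append("ioc_ip_match")
    return findings


def scan(events: list[dict]) -> list[dict]:
    """Run check_event over every record and collect the hits with context."""
    hits = []
    for ev in events:
        tags = check_event(ev)
        if tags:
            hits.append({"host": ev.get("host"), "type": ev.get("type"), "tags": tags})
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "host": "it-imaging01", "user": "svc_imaging",
     "image": r"C:\Program Files\VeraCrypt\VeraCrypt.exe", "md5": "0" * 32},
    {"type": "process", "host": "fileserver02", "user": "backupadmin",
     "image": r"C:\Users\Public\VeraCrypt Format.exe", "md5": "1" * 32},
    {"type": "process", "host": "ws-0412", "user": "jdoe",
     "image": r"C:\Windows\System32\manage-bde.exe", "md5": "2" * 32},
    {"type": "process", "host": "ws-0412", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "md5": "5986AB04DD6B3D259935249741D3EFF2"},
    {"type": "network", "host": "ws-0412", "dst_ip": "107.189.19[.]52", "dst_port": 443},
    {"type": "network", "host": "ws-0412", "dst_ip": "10.0.0.5", "dst_port": 445},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

On the sample records the pass raises four hits: two encryption-tool executions on hosts outside the allowlist, one hash match and one connection to a listed IP; the VeraCrypt run on the allowlisted imaging host and the SMB connection to an internal address are left alone. The allowlist is the part worth tuning in a real deployment, since recommendation 10 is about unauthorized systems, not about disk encryption as such.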

Sources:

  • https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/
  • https://flashpoint.io/blog/destructive-activity-targeting-stryker-highlights-emerging-supply-chain-risks/
  • https://unit42.paloaltonetworks.com/handala-hack-wiper-attacks/
  • https://www.nbcnews.com/world/iran/iran-appears-conducted-significant-cyberattack-us-company-first-war-st-rcna263084
  • https://edition.cnn.com/2026/03/11/politics/pro-iran-hackers-cyberattack-medical-device-maker


Ampcus Cyber