The Iranian hacker group Handala Hack has combined remote desktop access, network tunneling, and multiple data-wiping tools to launch a series of destructive cyberattacks against businesses in Israel, Albania, and the United States. The group goes by the name Void Manticore and is also known as Red Sandstorm and Banished Kitten. It is directly connected to Iran's Ministry of Intelligence and Security (MOIS).

The attacks are not espionage operations; they are designed to destroy data and make recovery almost impossible. Handala Hack has been around since late 2023 and is named after the famous Palestinian cartoon character Handala. Handala Hack, Karma, and Homeland Justice are the three public faces of the group.

Connections from Iranian IP addresses and known Starlink IP ranges should be blocked at the network edge. If you don't need RDP access, turn it off, especially on computers with default Windows naming formats like DESKTOP-XXXXXX or WIN-XXXXXX. Teams should also watch for NetBird and other tunneling utilities, as their presence may indicate unauthorized activity on the internal network.
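The three checks above can be run as a triage pass over normalized log records. This is an added example, not code from the article or any vendor; the record field names, the hostname suffix length, the `netbird` path match, and the blocked ranges (RFC 5737 documentation nets used as placeholders) are all assumptions.

```python
import ipaddress
import re

# Assumption: default names are DESKTOP- or WIN- plus a random alphanumeric
# suffix; the accepted suffix length is kept loose on purpose.
DEFAULT_HOST = re.compile(r"^(DESKTOP|WIN)-[A-Z0-9]{6,12}$", re.IGNORECASE)
# Assumption: tunneling clients are recognised by substring in the image path.
TUNNEL_TOOLS = ("netbird",)
# Placeholder ranges only; load the real country and Starlink feeds here.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records; field names are hypothetical and must be mapped
# from whatever your log source actually emits.
SAMPLE_EVENTS = [
    {"kind": "rdp_logon", "client_name": "DESKTOP-A1B2C3D", "src_ip": "198.51.100.7", "dest_host": "FS01"},
    {"kind": "rdp_logon", "client_name": "HR-LAPTOP-12", "src_ip": "203.0.113.45", "dest_host": "FS01"},
    {"kind": "rdp_logon", "client_name": "WIN-9K2L5M8N1PQ", "src_ip": "-", "dest_host": "DC01"},
    {"kind": "process_start", "image": r"C:\Program Files\NetBird\netbird.exe", "dest_host": "APP02"},
    {"kind": "process_start", "image": r"C:\Windows\System32\notepad.exe", "dest_host": "APP02"},
]

def in_blocked_net(addr):
    """True if addr parses as an IP inside a blocked range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # missing or malformed source address
    return any(ip in net for net in BLOCKED_NETS)

def triage(events):
    """Return (rule, host, evidence) tuples for records matching a check."""
    findings = []
    for ev in events:
        host = ev.get("dest_host", "?")
        if ev.get("kind") == "rdp_logon":
            # Flag RDP sessions where either end carries a default-format name.
            for name in (ev.get("client_name", ""), host):
                if DEFAULT_HOST.match(name):
                    findings.append(("rdp_default_hostname", host, name))
            if in_blocked_net(ev.get("src_ip", "")):
                findings.append(("rdp_blocked_source", host, ev["src_ip"]))
        elif ev.get("kind") == "process_start":
            image = ev.get("image", "")
            if any(tool in image.lower() for tool in TUNNEL_TOOLS):
                findings.append(("tunnel_tool_started", host, image))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```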
