The Iranian state-sponsored threat group Handala Hack is stepping up its attacks on international organizations. The group is linked to Iran's Ministry of Intelligence and Security (MOIS) and relies heavily on hands-on hacking methods, stolen credentials, and networking tools such as NetBird and Remote Desktop Protocol (RDP) to launch aggressive, data-wiping attacks.

Profile and Tactics of the Threat Actor

Cybersecurity researchers also track Handala Hack as Void Manticore. It runs its campaigns under several online personas, including Karma and Homeland Justice, a persona that targets the government and telecom sectors in Albania.

Over time, Handala Hack has become the group's most prominent public face. It has claimed responsibility for many attacks in Israel and has recently begun targeting large U.S.-based companies such as Stryker. Handala Hack does not use complex automated malware of the kind deployed by highly sophisticated advanced persistent threats.

Instead, the operators prefer to break into networks by hand. They usually gain their initial foothold through compromised commercial VPN accounts and probe IT service providers for weaknesses that let them steal user credentials. Researchers have recently observed the group connecting to victim networks from Starlink Internet Protocol (IP) addresses and even directly from Iranian IP addresses.

[Figure: Logos of Void Manticore personas (from left to right): Homeland Justice, Handala, and Karma (Source: Check Point)]

This shows that the group has changed how it protects its operations.

NetBird, a legitimate zero-trust networking platform, lets the attackers set up a private, encrypted mesh network inside the victim's infrastructure. Having multiple footholds lets the group work more quickly and effectively.

Wiping and Defenses that Hurt

The main goal of Handala Hack is to cause maximum operational disruption by destroying data, often combined with hack-and-leak extortion.

[Figure: Operational links of Void Manticore (Source: Check Point)]

In the final, destructive phase of an intrusion, the threat actors run up to four wiping techniques at the same time. To maximize damage, they use Windows Group Policy to push their malicious tools across the whole network.

[Figure: Execution of Handala Wiper by Wiper (Source: Check Point)]

The group's coordinated wiping activities include:

Custom Handala Wiper: The attackers use a custom executable that actively overwrites the contents of files. It also damages the system's master boot record (MBR), corrupting the disk structure and making it impossible to recover the lost data.

AI-Assisted PowerShell Wiper: This is a malicious script, probably AI-assisted, that automatically scans and deletes all files in user directories. Afterwards, it leaves a propaganda image behind on the wiped drives.

Indicators of compromise (Type: Indicator):

Handala Wiper: 5986ab04dd6b3d259935249741d3eff2
Handala PowerShell Wiper: 3cb9dea916432ffb8784ac36d1f2d3cd
VeraCrypt Installer: 3236facc7a30df4ba4e57fddfba41ec5
NetBird Installer: 3dfb151d082df7937b01e2bb6030fe4a
NetBird: e035c858c1969cffc1a4978b86e90a30
Handala VPS: 82.25.35[.]25

Even though these attacks have a large impact, the group's reliance on simple methods gives defenders clear opportunities to stop them.

Organizations can protect themselves by monitoring their credentials and their networks.
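As an added defender-side illustration (example code written for this page, not Check Point's or the article's), the following Python hunts a stream of endpoint and remote-login events for the tradecraft described above: the listed file hashes and VPS address, NetBird binaries, and executables delivered through Group Policy (launched by gpscript.exe or from SYSVOL). The event format and sample events are constructed assumptions, not a real log schema; the hashes and address are the ones from the table.

```python
from collections import defaultdict

# Indicators copied from the article's table; the VPS address is defanged there.
HANDALA_HASHES = {
    "5986ab04dd6b3d259935249741d3eff2": "Handala Wiper",
    "3cb9dea916432ffb8784ac36d1f2d3cd": "Handala PowerShell Wiper",
    "3236facc7a30df4ba4e57fddfba41ec5": "VeraCrypt Installer",
    "3dfb151d082df7937b01e2bb6030fe4a": "NetBird Installer",
    "e035c858c1969cffc1a4978b86e90a30": "NetBird",
}
HANDALA_VPS = "82.25.35[.]25"

def refang(ip):
    """Restore a defanged address ('82.25.35[.]25') to dotted form for matching."""
    return ip.replace("[.]", ".").replace("(.)", ".")

def hunt(events):
    """Return alert strings for a list of event dicts (constructed format, not a real
    log schema): type 'login' carries host/src_ip; type 'process' carries
    host/image/hash/parent. Remote logins are remembered per host so that a later
    wiper execution can be tied back to the session that preceded it."""
    alerts = []
    logins = defaultdict(set)            # host -> remote source IPs seen so far
    vps = refang(HANDALA_VPS)
    for ev in events:
        host = ev["host"]
        if ev["type"] == "login":
            logins[host].add(ev["src_ip"])
            if ev["src_ip"] == vps:
                alerts.append(f"{host}: remote login from listed Handala VPS {vps}")
            continue
        image, parent = ev["image"].lower(), ev.get("parent", "").lower()
        known = HANDALA_HASHES.get(ev["hash"].lower())
        if known:
            src = ", ".join(sorted(logins[host])) or "no earlier remote login"
            alerts.append(f"{host}: {known} executed as {ev['image']} (remote logins: {src})")
        elif "netbird" in image:
            alerts.append(f"{host}: unexpected NetBird binary {ev['image']}")
        # Group Policy delivery: payload launched by gpscript.exe or run from SYSVOL.
        if parent.endswith("gpscript.exe") or "\\sysvol\\" in image:
            alerts.append(f"{host}: Group Policy delivered executable {ev['image']}")
    return alerts

# Constructed sample events (not from the article); the hashes are the listed IoCs.
SAMPLE_EVENTS = [
    {"type": "login", "host": "WS01", "src_ip": "82.25.35.25"},
    {"type": "process", "host": "WS01", "image": "C:\\Temp\\netbird_installer.exe",
     "hash": "3DFB151D082DF7937B01E2BB6030FE4A", "parent": "explorer.exe"},
    {"type": "process", "host": "FS02", "parent": "C:\\Windows\\System32\\gpscript.exe",
     "image": "\\\\corp.example\\SYSVOL\\corp.example\\scripts\\svc.exe",
     "hash": "5986ab04dd6b3d259935249741d3eff2"},
    {"type": "process", "host": "FS02", "image": "C:\\Windows\\System32\\notepad.exe",
     "hash": "ffffffffffffffffffffffffffffffff", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```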