Skip to main content
Mallory
Back to threat actors
1 malware family

Handala Hacking Team

Also known asHandala Hacking Team

Handala Hacking Team is a pro-Palestinian hacktivist group active since at least 2023, with some reporting placing activity since at least December 2023. The group heavily targets Israeli organizations and organizations doing business in Israel, and has also been reported targeting critical vertical organizations in Israel. Reported claimed targeting spans Business Services, Construction & Engineering, Technology, Government, Transportation, and other critical sectors during periods of heightened regional tensions. The group operates a data leak site and has claimed attacks against organizations in Israel, although reporting notes hacktivist personas may exaggerate operational impact and at least one organization publicly dismissed Handala claims of attack or data exfiltration. Observed and reported activity includes data theft, phishing, extortion, website defacement, disruptive and destructive attacks, and hack-and-leak style operations. In one reported July 2024 campaign exploiting the CrowdStrike outage as a lure, Handala Hacking Team was attributed by Cisco Talos and others to a destructive wiper operation delivered via spearphishing PDF attachments. The infection chain used an NSIS installer, an obfuscated batch script, staged AutoIt components, and injected a decompressed wiper into regasm.exe. The malware performed host and network reconnaissance, checked for security products, used a Telegram bot as command-and-control, and overwrote then deleted files, potentially rendering systems unbootable. The campaign also reportedly used a BYOVD-style step involving ListOpenedFileDrv_32.sys loaded by OpenFileFinder.dll. Reporting also states the group has been observed routing traffic through StarLink and scanning externally facing applications for vulnerabilities. Handala Hacking Team uses the Handala character created by Naji al-Ali across social media accounts on Telegram, Tox, and X. No additional aliases or sub-groups were directly identified in the provided content beyond the name Handala Hacking Team.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Commercial & Professional Services
  • Capital Goods
  • Software & Services
  • Transportation

Where they target

Geographies tied to known operations.

  • 🇮🇱 Israel
MITRE ATT&CK

Tradecraft

13 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics20 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1595
Active Scanning
TA0001
Initial Access
2 techniques
T1195
Supply Chain Compromise
T1566
Phishing
T1566.001
Spearphishing Attachment
TA0002
Execution
1 technique
T1059
Command and Scripting Interpreter
T1059.010
AutoHotKey & AutoIT
TA0004
Privilege Escalation
1 technique
T1068
Exploitation for Privilege Escalation
TA0005
Stealth
3 techniques
T1027
Obfuscated Files or Information
T1218
System Binary Proxy Execution
T1218.009
Regsvcs/Regasm
T1497
Virtualization/Sandbox Evasion
T1497.003
Time Based Checks
TA0007
Discovery
1 technique
T1497
Virtualization/Sandbox Evasion
T1497.003
Time Based Checks
TA0010
Exfiltration
2 techniques
T1020×2
Automated Exfiltration
T1567
Exfiltration Over Web Service
T1567.002
Exfiltration to Cloud Storage
TA0040
Impact
2 techniques
T1498×2
Network Denial of Service
T1561
Disk Wipe
T1561.002
Disk Structure Wipe
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Handala wiperThis event was subsequently exploited by threat actors to launch malicious campaigns, one in particular looking to deploy destructive wiper payloads to targeted hosts and network systems.1Mar 11, 2026
IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
blackpoint cyberNews
Mar 12, 2026
Intel Bulletin: Geopolitical Escalation and Cyber Risk Advisory - March 12, 2026 - Blackpoint

Iran-aligned hacktivist activity cluster reported targeting Israeli organizations, operating a data leak site and conducting scanning for vulnerabilities in externally facing applications; noted use of Starlink-routed traffic.

Read more
blackpoint cyberNews
Mar 2, 2026
Intel Bulletin: Geopolitical Escalation and Cyber Risk Advisory - Blackpoint

Hacktivist group active since 2023 that claims attacks during periods of heightened geopolitical tension, including against Israeli organizations; operates a data leak site and is associated (per claims and historical patterns) with defacements, DDoS, data exfiltration/leaks, and potentially disruptive malware deployment.

Read more
splunk security blogNews
Sep 6, 2024
Handala’s Wiper: Threat Analysis and Detections | Splunk

Pro-Palestinian hacktivist group active since at least Dec 2023, heavily targeting Israeli organizations (and those doing business in/supporting Israel). In this campaign, they exploited the CrowdStrike BSOD outage as a lure in spear-phishing to deliver a destructive custom wiper. They use phishing (including SMS), extortion/data-leak-site pressure, defacement, and destructive attacks. The wiper chain uses NSIS installers, obfuscated batch scripts, AutoIt-based payload staging, Telegram bot C2/exfil, process injection into regasm.exe, and BYOVD via ListOpenedFileDrv_32.sys loaded by OpenFileFinder.dll to support destructive operations (wipe/overwrite+delete).

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping13

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1

Domains, IPs, and hashes tied to this actor, refreshed continuously.