Handala wiper
Handala Wiper is a custom destructive malware family associated with the Iranian MOIS-linked threat cluster Void Manticore, also tracked as Red Sandstorm and Banished Kitten, and used under the Handala Hack persona. It has been deployed in destructive campaigns targeting organizations in Israel, Albania, and the United States, including activity linked to the Stryker incident. The malware is used during impact operations alongside other destructive methods, including a custom PowerShell-based wiper, VeraCrypt disk encryption, and manual deletion of files and virtual machines.
High-confidence reporting describes Handala Wiper as a Windows-focused wiper distributed at scale via Group Policy logon scripts and scheduled tasks, including through a batch file named handala.bat, with some samples or deployments named handala.exe. In observed intrusions, operators used compromised VPN credentials for initial access, conducted reconnaissance and credential theft, moved laterally primarily over RDP, and then pushed the wiper from the Domain Controller so the executable could run remotely without being written to disk on every endpoint. Its destructive behavior includes overwriting file contents and corrupting the Master Boot Record (MBR), enabling deep low-level damage and potentially rendering systems unbootable.
The broader Handala ecosystem also includes related destructive tooling. Separate reporting on a July 2024 CrowdStrike outage-themed phishing campaign attributed to Handala Hacking Team described a destructive wiper delivered through a PDF lure, an NSIS installer, an obfuscated batch script, AutoIt staging, and injection into regasm.exe. That wiper performed host and network reconnaissance, queried icanhazip.com for the victim's public IP, sent victim and undeleted-file information to a Telegram bot used as command-and-control, and overwrote files with random data before deleting them. The same reporting also notes Handala-linked use of the Telegram Bot API as a command-and-control and telemetry channel, BYOVD techniques including the ListOpenedFileDrv_32.sys driver, LOLBin abuse, and payload obfuscation. However, these behaviors are described for Handala-attributed destructive malware activity more broadly and are not all explicitly confirmed as core behaviors of the custom Handala Wiper binary itself.
Known associated indicators and artifacts directly mentioned in the source reporting include the filenames handala.exe, handala.bat, and handala.gif; 107.189.19[.]52 as a payload retrieval server in related intrusions; and VPS infrastructure associated with Handala operations such as 82.25.35[.]25 and 31.57.35[.]223. The source reporting also states that MD5 hashes exist for Handala Wiper and related components, but the hashes themselves are not provided in the supplied material.
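As an added defender-side example (not code from the page's sources or from any vendor tooling), the following Python scans constructed JSON-lines telemetry for the artifacts named in the two paragraphs above: handala.* filenames in scheduled-task or logon-script commands, the ListOpenedFileDrv_32.sys driver being installed as a service, regasm.exe spawned by an AutoIt stager, and DNS lookups of icanhazip.com or api.telegram.org. The event IDs, field names, rule thresholds and sample records are assumptions, and the Telegram lookup rule needs tuning where Telegram is legitimately used.

```python
import json
import re

# Constructed JSON-lines telemetry (assumed schema, not from any real incident). event_id 4698 =
# Security "scheduled task created", 7045 = System "service installed", 1 / 22 = Sysmon process create / DNS query.
SAMPLE_EVENTS = r"""
{"event_id": 4698, "host": "ws-01", "task_name": "\\Updater", "command": "cmd.exe /c \\\\dc01\\netlogon\\handala.bat"}
{"event_id": 1, "host": "ws-02", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe", "parent_image": "C:\\Users\\u\\AppData\\Local\\Temp\\autoit3.exe"}
{"event_id": 7045, "host": "ws-03", "service_name": "lofd", "image_path": "C:\\Windows\\Temp\\ListOpenedFileDrv_32.sys"}
{"event_id": 22, "host": "ws-02", "query_name": "api.telegram.org"}
{"event_id": 1, "host": "ws-04", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe"}
"""

HANDALA_FILES = re.compile(r"\bhandala\.(exe|bat|gif)\b", re.IGNORECASE)
RECON_C2_HOSTS = {"icanhazip.com", "api.telegram.org"}  # public-IP check and Telegram bot C2
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Users\\Public)\\", re.IGNORECASE)

def rule_handala_filename(ev):
    # Any string field (task action, command line, image path) naming a Handala artifact.
    return any(HANDALA_FILES.search(v) for v in ev.values() if isinstance(v, str))

def rule_byovd_driver(ev):
    # A driver service installed from a user-writable path, or the named vulnerable driver.
    path = ev.get("image_path", "").lower()
    return (ev.get("event_id") == 7045 and path.endswith(".sys")
            and (path.endswith("\\listopenedfiledrv_32.sys") or bool(USER_WRITABLE.search(path))))

def rule_regasm_from_script_host(ev):
    # regasm.exe launched by an AutoIt interpreter or from a user-writable directory (assumed abnormal).
    image, parent = ev.get("image", "").lower(), ev.get("parent_image", "").lower()
    return (ev.get("event_id") == 1 and image.endswith("\\regasm.exe")
            and (parent.endswith("\\autoit3.exe") or bool(USER_WRITABLE.search(parent))))

def rule_recon_or_c2_lookup(ev):
    return ev.get("event_id") == 22 and ev.get("query_name", "").lower() in RECON_C2_HOSTS

RULES = {
    "handala_filename": rule_handala_filename,
    "byovd_driver": rule_byovd_driver,
    "regasm_from_script_host": rule_regasm_from_script_host,
    "recon_or_c2_lookup": rule_recon_or_c2_lookup,
}

def hunt(jsonl):
    """Return sorted (host, rule_name) pairs for every record that trips a rule."""
    hits = set()
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        hits.update((ev["host"], name) for name, rule in RULES.items() if rule(ev))
    return sorted(hits)
```

Calling hunt(SAMPLE_EVENTS) flags ws-01, ws-02 (twice) and ws-03 and leaves the benign ws-04 record alone; each rule corresponds to one stage of the chain, so a host tripping several rules is the stronger signal.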
Groups observed using it
3 distinct threat actors attributed by public researchers.
During impact, Void Manticore combines multiple destructive methods: a custom Handala Wiper (sometimes handala.exe) with MBR-based wiping, distributed via Group Policy logon scripts and scheduled tasks; an AI-assisted PowerShell wiper that deletes user directories and drops handala.gif; use of VeraCrypt to encrypt system drives; and manual deletion of VMs and files.
The first is the custom Handala Wiper, distributed via Group Policy logon scripts through a batch file named handala.bat. This wiper overwrites file contents and applies Master Boot Record (MBR) corruption for deep, low-level damage.
This event was subsequently exploited by threat actors to launch malicious campaigns, one in particular looking to deploy destructive wiper payloads to targeted hosts and network systems.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
“Spear Phishing Attachment (T1566.001) The phishing campaign utilizes a .PDF attachment to deceive users… The document contains a link… directs users to malicious software that wipes the compromised systems.”
Victims were directed to download a malicious archive containing a disguised installer that deployed a destructive wiper payload.
Execution (4 techniques)
During impact, Void Manticore combines multiple destructive methods: a custom Handala Wiper (sometimes handala.exe) with MBR-based wiping, distributed via Group Policy logon scripts and scheduled tasks...
The wiper was distributed across the network as a scheduled task using Group Policy logon scripts...
Handala campaigns typically use a staged execution chain designed to evade detection. Payload components are reconstructed at runtime and delivered through scripting frameworks before deploying the final wiper payload.
Handala Destructive Wiper detection involves monitoring for suspicious activities such as ... unauthorized AutoIt script executions ...
Persistence (4 techniques)
initiate destructive operations by dropping wiper malware families such as Handala Wiper and Handala PowerShell Wiper via Group Policy logon scripts.
The wiper was distributed across the network as a scheduled task using Group Policy logon scripts, which executed a batch file named handala.bat.
During impact, Void Manticore combines multiple destructive methods: a custom Handala Wiper (sometimes handala.exe) with MBR-based wiping, distributed via Group Policy logon scripts and scheduled tasks...
Privilege Escalation (6 techniques)
initiate destructive operations by dropping wiper malware families such as Handala Wiper and Handala PowerShell Wiper via Group Policy logon scripts.
The wiper was distributed across the network as a scheduled task using Group Policy logon scripts, which executed a batch file named handala.bat.
During impact, Void Manticore combines multiple destructive methods: a custom Handala Wiper (sometimes handala.exe) with MBR-based wiping, distributed via Group Policy logon scripts and scheduled tasks...
“Exploitation for Privilege Escalation BYOVD (T1068)… employs… ‘Bring Your Own Vulnerable Driver’ (BYOVD), utilizing a driver named ListOpenedFileDrv_32.sys… loaded as a service…”
Stealth (6 techniques)
Handala Destructive Wiper detection involves monitoring for suspicious activities such as ... the dropping of malicious drivers.
“Obfuscated Files or Information (T1027) …scatters garbage or invalid Windows commands among legitimate batch script instructions… effectively masks the true functionality of the script while allowing it to run as intended.”
Handala Destructive Wiper is a potent malware strain known for its destructive capabilities. It targets and irreversibly wipes data from infected systems, rendering them inoperable.
Handala Destructive Wiper detection involves monitoring for suspicious activities such as unexpected regasm processes...
Defense Impairment (1 technique)
Discovery (1 technique)
Exfiltration (1 technique)
“Automated Exfiltration (T1020)… created a [Telegram] bot to serve as the C2… responsible for sending information from the compromised host…”
Impact (3 techniques)
MITRE ATT&CK TTPs: Tactic Impact, ID T1485, Technique Data Destruction
During impact, Void Manticore combines multiple destructive methods: a custom Handala Wiper (sometimes handala.exe) with MBR-based wiping...
MITRE ATT&CK TTPs: Tactic Impact, ID T1561.002, Technique Disk Structure Wipe
IOCs tracked for this family
18 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Destructive wiper malware used by Handala-associated operators to erase data and disrupt operations, delivered via Group Policy logon scripts during destructive intrusions.
A custom destructive wiper used by Handala Hack that overwrites file contents and corrupts the MBR to make systems and data difficult to recover. It is distributed via Group Policy logon scripts and executed remotely from the Domain Controller so it is not written to disk on targeted machines.
Custom destructive wiper used by Void Manticore for MBR-based wiping and distributed via Group Policy logon scripts and scheduled tasks.
Custom destructive wiper malware used by Handala to erase files and disrupt systems.