Iranian Threat Actor Handala Hack Launches Destructive Cyberattacks Across Israel, Albania, and the U.S.
A cyber threat group linked to Iran’s Ministry of Intelligence and Security (MOIS), known as Handala Hack (also tracked as Void Manticore, Red Sandstorm, and Banished Kitten), has executed a series of data-destructive attacks targeting organizations in Israel, Albania, and the United States. Unlike traditional espionage-focused operations, the group’s campaigns are designed to permanently erase data, making recovery nearly impossible.
Active since late 2023, Handala Hack operates under multiple public-facing personas, including Homeland Justice (used since mid-2022 against Albanian government and telecom sectors) and Karma (now largely replaced by Handala). Recent attacks expanded to the U.S., with medical technology firm Stryker among the confirmed victims.
Attack Methods and Evolution
Check Point researchers identified consistent yet evolving tactics in the group’s operations. While core techniques such as compromised VPN credentials, RDP exploitation, and simultaneous wiper deployments have remained stable since 2024, newer campaigns incorporate:
- NetBird, a legitimate peer-to-peer networking tool, to tunnel traffic within victim networks.
- An AI-assisted PowerShell script as part of its wiping toolkit.
- A decline in operational security, with attacks traced directly to Iranian IP addresses instead of commercial VPNs.
Multi-Layered Destruction
Handala Hack’s destructive phase employs four simultaneous wiping techniques to maximize damage:
- Handala Wiper – A custom tool distributed via Group Policy logon scripts (handala.bat), overwriting files and corrupting Master Boot Records (MBR). The executable runs remotely from domain controllers, evading detection.
- AI-PowerShell Wiper – Deletes user directory files and floods drives with a propaganda image (handala.gif).
- VeraCrypt Abuse – Legitimate encryption software is downloaded via the victim’s browser to lock drives and prevent recovery.
- Manual Deletion – Attackers delete virtual machines and files over RDP, a tactic documented in leaked videos.
Tactical Execution
Intrusions typically begin with compromised VPN credentials, obtained through brute-force attacks or supply chain breaches. Once inside, operators use RDP to navigate manually, deploying multiple attacker-controlled machines within a single environment to accelerate destruction. The group’s lack of operational discipline, including the direct use of Iranian IP addresses, has made attribution easier.
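Two of the behaviours described above (interactive RDP logons from attacker-controlled machines, and a wiper pushed as a Group Policy logon script from SYSVOL) leave traces in ordinary Windows security telemetry. The script below is an added detection example, not code from the article or from Check Point: it runs over constructed JSON-lines records whose field names are borrowed from Windows Security events 4624 (logon) and 4688 (process creation), flags RDP logons (logon type 10) from outside assumed trusted ranges, flags accounts seen from more than one untrusted source, and flags SYSVOL scripts not on an assumed approved list. The trusted networks, the approved-script list, the host and account names and the 203.0.113.0/24 addresses are all assumptions or constructed sample data.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Assumption: internal ranges from which interactive RDP logons are expected.
TRUSTED_RDP_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: the only logon scripts approved to run from SYSVOL (lower-case names).
APPROVED_SCRIPTS = {"mapdrives.bat"}

# A script path under \\<domain>\sysvol\<domain>\scripts\ anywhere in a command line;
# group 1 captures the script file name.
SYSVOL_SCRIPT = re.compile(
    r"\\\\[^\\\s]+\\sysvol\\[^\\\s]+\\scripts\\(?:[^\\\s]+\\)*([^\\\s]+\.(?:bat|cmd|ps1))",
    re.IGNORECASE,
)

# Constructed sample telemetry (JSON lines). Field names follow Windows Security
# events 4624 and 4688; hosts, accounts and addresses are made up.
SAMPLE_LOG = r"""
{"EventID": 4624, "Computer": "DC01", "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.1.4.22"}
{"EventID": 4624, "Computer": "DC01", "LogonType": 10, "TargetUserName": "svc-vpn", "IpAddress": "203.0.113.7"}
{"EventID": 4624, "Computer": "FS02", "LogonType": 10, "TargetUserName": "svc-vpn", "IpAddress": "203.0.113.9"}
{"EventID": 4624, "Computer": "FS02", "LogonType": 3, "TargetUserName": "backup", "IpAddress": "203.0.113.9"}
{"EventID": 4688, "Computer": "WS17", "SubjectUserName": "jdoe", "CommandLine": "cmd.exe /c \\\\corp.example\\sysvol\\corp.example\\scripts\\mapdrives.bat"}
{"EventID": 4688, "Computer": "WS17", "SubjectUserName": "jdoe", "CommandLine": "cmd.exe /c \\\\corp.example\\sysvol\\corp.example\\scripts\\handala.bat"}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted(ip):
    """True when the address falls inside one of the assumed trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RDP_SOURCES)


def rdp_logons_from_untrusted(events):
    """(host, account, source) for 4624 / LogonType 10 logons from untrusted sources."""
    hits = []
    for e in events:
        if e.get("EventID") == 4624 and e.get("LogonType") == 10 and not is_trusted(e["IpAddress"]):
            hits.append((e["Computer"], e["TargetUserName"], e["IpAddress"]))
    return hits


def accounts_with_multiple_untrusted_sources(events):
    """Accounts whose RDP sessions came from more than one untrusted address."""
    sources = defaultdict(set)
    for _host, account, ip in rdp_logons_from_untrusted(events):
        sources[account].add(ip)
    return {account: ips for account, ips in sources.items() if len(ips) > 1}


def unapproved_sysvol_scripts(events):
    """(host, script) for 4688 process creations running a SYSVOL script not on the approved list."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        match = SYSVOL_SCRIPT.search(e.get("CommandLine", ""))
        if match and match.group(1).lower() not in APPROVED_SCRIPTS:
            hits.append((e["Computer"], match.group(1)))
    return hits


def analyze(text):
    """Run all three checks over a JSON-lines log and return the findings."""
    events = parse_events(text)
    return {
        "untrusted_rdp": rdp_logons_from_untrusted(events),
        "multi_source_accounts": accounts_with_multiple_untrusted_sources(events),
        "unapproved_scripts": unapproved_sysvol_scripts(events),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the constructed sample the script reports two RDP logons from outside the trusted ranges, one account (svc-vpn) seen from two different untrusted addresses, and one SYSVOL script (handala.bat) that is not approved. In a real environment the trusted ranges and approved-script list would come from the organisation's own inventory, and the 4688 check depends on command-line auditing being enabled.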
The attacks reflect a shift from espionage to pure sabotage, with no financial or intelligence-gathering motives. Instead, the focus is on maximizing disruption across critical sectors.
Source: https://cybersecuritynews.com/handala-hack-uses-rdp/
Stryker cybersecurity rating report: https://www.rankiteo.com/company/stryker
"id": "STR1773714231",
"linkid": "stryker",
"type": "Cyber Attack",
"date": "1/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Healthcare/Medical Devices',
                        'location': 'United States',
                        'name': 'Stryker',
                        'type': 'Medical Technology Firm'},
                       {'industry': 'Government/Telecommunications',
                        'location': 'Albania',
                        'type': 'Government and Telecom'},
                       {'location': 'Israel', 'type': 'Various organizations'}],
 'attack_vector': ['Compromised VPN credentials',
                   'RDP exploitation',
                   'Group Policy logon scripts',
                   'AI-assisted PowerShell scripts'],
 'data_breach': {'data_encryption': 'VeraCrypt abuse for drive encryption',
                 'type_of_data_compromised': 'Permanently erased data'},
 'date_detected': 'late 2023',
 'description': 'A cyber threat group linked to Iran’s Ministry of Intelligence and Security (MOIS), known as Handala Hack (also tracked as Void Manticore, Red Sandstorm, and Banished Kitten), has executed a series of data-destructive attacks targeting organizations in Israel, Albania, and the United States. The group’s campaigns are designed to permanently erase data, making recovery nearly impossible.',
 'impact': {'data_compromised': 'Permanent data erasure',
            'operational_impact': 'Severe disruption across critical sectors',
            'systems_affected': ['Master Boot Records (MBR)',
                                 'User directories',
                                 'Virtual machines',
                                 'Encrypted drives']},
 'initial_access_broker': {'entry_point': 'Compromised VPN credentials'},
 'motivation': 'Sabotage and disruption',
 'post_incident_analysis': {'root_causes': ['Compromised VPN credentials',
                                            'RDP exploitation',
                                            'Lack of operational security (direct use of Iranian IPs)']},
 'ransomware': {'data_encryption': 'VeraCrypt abuse for drive encryption'},
 'references': [{'source': 'Check Point Research'}],
 'threat_actor': 'Handala Hack (Void Manticore, Red Sandstorm, Banished Kitten)',
 'title': 'Iranian Threat Actor Handala Hack Launches Destructive Cyberattacks Across Israel, Albania, and the U.S.',
 'type': 'Data Destruction / Wiper Attack'}