How 'Handala' Became the Face of Iran's Hacker Counterattacks
Summary
Amid a devastating breach of medical technology firm Stryker, the Iranian hacker group Handala has emerged as the most prominent player in Iran's wave of cyberattacks against Western targets. This article explores how a group named after a Palestinian cartoon character became Tehran's primary tool for digital retaliation.
🔑 Key Findings
- Stryker Attack: Disabled tens of thousands of computers at the medical device giant
- Attribution: Handala is widely believed to be a front for Iran's Ministry of Intelligence (MOIS)
- Evolution: Emerged in late 2023 after the October 7 attacks, posing as pro-Palestinian hacktivists
- TTP: Combines "noisy, chaotic playbook of a hacktivist group with destructive capabilities of a nation-state"
- Void Manticore: Check Point links Handala to a larger Iranian state-sponsored group
Detailed Analysis
The Stryker Breach
Late Tuesday night, Iranian hackers carried out a devastating breach of Stryker that reportedly disabled as many as tens of thousands of computers and paralyzed much of the company's global operations. Handala claimed responsibility, stating it was retaliation for a US Tomahawk missile strike that killed at least 165 civilians at a girls' school in Iran.
Handala's Background
- Name Origin: Takes name from Handala character in political cartoons by Palestinian artist Naji al-Ali
- First Spotted: Late 2023, after Hamas October 7 attacks and Israel's bombardment of Gaza
- Initial Persona: Presented itself publicly as a "pro-Palestinian hacktivist" group
- True Identity: Linked to Iranian regime, part of Void Manticore (also known as Red Sandstorm, Cobalt Mystique)
Attack Methods
Handala has engaged in multiple hack-and-leak operations, publishing details from victims in Israel as a "psychological weapon." The group has also used destructive wiper malware to delete victim files:
- Phishing emails and fake security updates
- Wiper malware: Coolwipe, Chillwipe, Bibiwipe (named for Netanyahu)
- Ransomware-style extortion operations
- Phone hacking: Claimed to have hacked the iPhones of Israeli officials, including Netanyahu's chief of staff
⚠️ Current Threat
With the war in Iran ongoing, Handala is "trying to do whatever they can now to carry out destructive activity." Security researchers warn this doesn't have "the hallmarks of a plan" - they're "thrashing for targets of opportunity."
Historical Operations
- 2022: As "Homeland Justice," attacked Albanian government with wiper malware
- Post-Oct 7: Shifted to attacking Israeli targets under Handala brand
- Recent: Exploited vulnerabilities in civilian internet-connected security cameras across Middle East
Expert Analysis
According to Justin Moore of Palo Alto Networks' Unit 42: "They are the main face now" of Iranian cyber retaliation. Check Point's Sergey Shykevich says "They're all in" - trying "whatever they can now to carry out destructive activity."
Why This Matters
This attack demonstrates the escalation of cyber warfare in the context of real-world military conflict. Handala represents a new breed of hybrid threat - combining the public visibility and psychological impact of hacktivism with the technical capability and resources of state-sponsored hacking.
The Stryker breach shows how civilian infrastructure is increasingly becoming a target in geopolitical conflicts, with healthcare organizations particularly vulnerable.