Iran-Linked Hackers Breach FBI Director’s Personal Email, Hit Stryker With Wiper Attack

News Room
Last updated: 2026/03/31 at 8:53 PM
News Room Published 31 March 2026

Threat actors with ties to Iran successfully broke into the personal email account of Kash Patel, the director of the U.S. Federal Bureau of Investigation (FBI), and leaked a cache of photos and other documents to the internet.

Handala Hack Team, which carried out the breach, said on its website that Patel “will now find his name among the list of successfully hacked victims.” In a statement shared with Reuters, the FBI confirmed Patel’s emails had been targeted, and noted necessary steps have been taken to “mitigate potential risks associated with this activity.”

The agency also said the published data was “historical in nature and involves no government information.” The leak includes emails from 2010 and 2019 allegedly sent by Patel.

Handala Hack is assessed to be a pro-Iranian, pro-Palestinian hacktivist persona adopted by Iran’s Ministry of Intelligence and Security (MOIS). It’s tracked by the cybersecurity community under the monikers Banished Kitten, Cobalt Mystique, Red Sandstorm, and Void Manticore, with the group also operating another persona called Homeland Justice to target Albanian entities since mid-2022.

A third persona linked to the MOIS-affiliated adversary is Karma, which is said to have been likely completely replaced by Handala Hack since late 2023.

Data gathered by StealthMole shows that Handala’s online presence is not limited to the messaging platforms and cybercrime forums such as BreachForums it uses to publicize its activities: the persona maintains a layered infrastructure that includes surface web domains, Tor-hosted services, and external file-hosting platforms such as MEGA.

“Handala has consistently targeted IT and service providers in an effort to obtain credentials, relying largely on compromised VPN accounts for initial access,” Check Point said in a report published this month. “Throughout the last months, we identified hundreds of logon and brute-force attempts against organizational VPN infrastructure linked to Handala-associated infrastructure.”

Attacks mounted by the proxy group are known to leverage RDP for lateral movement and initiate destructive operations by dropping wiper malware families such as Handala Wiper and Handala PowerShell Wiper via Group Policy logon scripts. Also used are legitimate disk encryption utilities like VeraCrypt to complicate recovery efforts.

“Unlike financially motivated cybercriminal groups, Handala-associated activity has historically emphasized disruption, psychological impact, and geopolitical signaling,” Flashpoint said. “Operations attributed to the persona frequently align with periods of heightened geopolitical tension and often target organizations with symbolic or strategic value.”

The development comes against the backdrop of the U.S.-Israel-Iran conflict, which has prompted Iran to mount a retaliatory cyber offensive against Western targets. Notably, Handala Hack claimed credit for crippling the networks of medical devices and services provider Stryker by deleting a huge trove of company data and wiping thousands of employee devices. The attack is the first confirmed destructive wiper operation targeting a U.S. Fortune 500 company.

In an update issued on its website this week, Stryker said “the incident is contained,” adding it “reacted quickly to not only regain access but to remove the unauthorized party from our environment” by dismantling the persistence mechanisms installed. The breach, it stated, was confined to its internal Microsoft environment.

The threat actors have been found to use a malicious file to run commands that allowed them to conceal their actions. However, the file does not possess any capabilities to spread across the network, Stryker pointed out.

Palo Alto Networks Unit 42 said the primary vector for recent destructive operations from Handala Hack likely involves the “exploitation of identity through phishing and administrative access through Microsoft Intune.” Hudson Rock has found evidence that compromised credentials associated with Microsoft infrastructure obtained via infostealer malware may have been used to pull off the hack.

In the wake of the breach, both Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) have released guidance on hardening Windows domains and fortifying Intune to defend against similar attacks. This includes using the principle of least privilege, enforcing phishing-resistant multi-factor authentication (MFA), and enabling multi-admin approval in Intune for sensitive changes.

Flashpoint has characterized the attack on Stryker as a dangerous shift in supply chain threats, as state-linked cyber activity targeting critical suppliers and logistics providers can have cascading impacts across the entire healthcare ecosystem. 

DoJ Takes Down Pro-Iranian Hacker Domains

Handala Hack’s leak of Patel’s personal emails comes in response to a court-authorized operation that led to the seizure of four domains operated by MOIS since 2022 as part of an effort to disrupt its malicious activities in cyberspace. The U.S. government is also offering a $10 million reward for information on members of the group. The seized domains are listed below:

  • justicehomeland[.]org
  • handala-hack[.]to
  • karmabelow80[.]org
  • handala-redwanted[.]to

“The seized domains […] were used by the MOIS in furtherance of attempted psychological operations targeting adversaries of the regime by claiming credit for hacking activity, posting sensitive data stolen during such hacks, and calling for the killing of journalists, regime dissidents, and Israeli persons,” the U.S. Department of Justice (DoJ) said.

This included the names and sensitive information of about 190 individuals associated with or employed by the Israeli Defense Force (IDF) and/or Israeli government, and 851 GB of confidential data from members of the Sanzer Hasidic Jewish community. In addition, an email address linked to the group (“handala_team@outlook[.]com”) is alleged to have been used to send death threats to Iranian dissidents and journalists living in the U.S. and elsewhere.

In a separate advisory, the FBI revealed that Handala Hack and other MOIS cyber actors have used social engineering on social messaging applications to engage prospective victims and deliver Windows malware that enables persistent remote access through a Telegram bot, with the first-stage payload masquerading as commonly used programs like Pictory, KeePass, Telegram, or WhatsApp.

Using Telegram (or other legitimate services) as C2 is a common tactic that lets threat actors hide malicious activity among normal network traffic, significantly reducing the likelihood of detection. Related malware artifacts found on compromised devices have revealed added capabilities to record audio and the screen while a Zoom session was active. The attacks have targeted dissidents, opposition groups, and journalists, per the FBI.
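Telegram-based C2 of the kind described above still has a distinguishing shape on the wire: a process that is not a Telegram client polling `api.telegram.org/bot<id>:<token>/getUpdates` for tasking and pushing files back with `sendDocument`. The detector below is an added example, not code from the article or the FBI advisory; the proxy log lines and bot tokens are constructed, and the log layout (timestamp, host, process, method, URL) and the allow-list are assumptions.

```python
import re
from collections import defaultdict

# Telegram Bot API URLs carry the bot id and token in the path, then the method.
BOT_API = re.compile(r"https://api\.telegram\.org/bot(\d+):[\w-]+/(\w+)", re.IGNORECASE)

# Constructed proxy log lines (timestamp host process method url). Not real data.
SAMPLE_LOGS = """\
2026-03-29T10:00:05Z WS-017 KeePass.exe POST https://api.telegram.org/bot1234567:AAConstructedTokenNotReal/getUpdates
2026-03-29T10:00:35Z WS-017 KeePass.exe POST https://api.telegram.org/bot1234567:AAConstructedTokenNotReal/getUpdates
2026-03-29T10:01:05Z WS-017 KeePass.exe POST https://api.telegram.org/bot1234567:AAConstructedTokenNotReal/sendDocument
2026-03-29T10:01:09Z WS-021 chrome.exe GET https://telegram.org/
2026-03-29T10:02:00Z SRV-ALERTS python.exe POST https://api.telegram.org/bot7654321:AAConstructedTokenNotReal/sendMessage
"""

POLL_THRESHOLD = 2                              # getUpdates calls before we call it polling
ALLOWED = {("SRV-ALERTS", "python.exe")}        # assumed: a known internal alerting bot
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendAudio", "sendVoice", "sendVideo"}

def detect_bot_c2(log_text):
    """Return one finding per (host, process) that polls a bot for tasking or
    uploads files to it, excluding allow-listed pairs."""
    stats = defaultdict(lambda: {"polls": 0, "uploads": 0, "bot": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, proc, _method, url = line.split(maxsplit=4)
        m = BOT_API.search(url)
        if not m or (host, proc) in ALLOWED:
            continue
        entry = stats[(host, proc)]
        entry["bot"] = m.group(1)
        if m.group(2) == "getUpdates":
            entry["polls"] += 1
        elif m.group(2) in UPLOAD_METHODS:
            entry["uploads"] += 1
    findings = []
    for (host, proc), e in stats.items():
        reasons = []
        if e["polls"] >= POLL_THRESHOLD:
            reasons.append("repeated getUpdates polling (C2 tasking)")
        if e["uploads"]:
            reasons.append("file/media upload to bot (possible exfiltration)")
        if reasons:
            findings.append({"host": host, "process": proc, "bot_id": e["bot"], "reasons": reasons})
    return findings
```

A process name such as KeePass.exe making these calls is exactly the masquerade the advisory describes; the process name alone is not the signal, the Bot API traffic is.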

“MOIS cyber actors are responsible for using Telegram as a command-and-control (C2) infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other opposition groups around the world,” the bureau said. “This malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties.”

Handala Hack has since resurfaced on a different clearnet domain, “handala-team[.]to,” where it described the domain seizures as “desperate attempts by the United States and its allies to silence the voice of Handala.”

The ongoing conflict has also prompted fresh warnings that it risks turning critical infrastructure sector operators into lucrative targets, even as it has triggered a surge in DDoS attacks, website defacements, and hack-and-leak operations against Israeli and Western organizations. Hacktivist groups have also engaged in psychological warfare and influence operations aimed at sowing fear and confusion among the targeted populations.

In recent weeks, the energy sector in the Middle East has drawn the attention of a relatively new cybercriminal group called Nasir Security. Instead of directly targeting energy companies, the group has gone after their contractors and third parties to leak internal data, leading to “incorrect assumptions” about the origin of hacks. “The group is attacking supply chain vendors involved in engineering, safety, and construction,” Resecurity said. “The supply chain attacks attributed to Nasir Security are likely carried out by cyber-mercenaries or individuals hired or sponsored by Iran or its proxies.”

“The cyber activity tied to this conflict is becoming increasingly decentralized and destructive,” Kathryn Raines, cyber threat intelligence team lead for the National Security Solutions at Flashpoint, said in a statement.

“Groups like Handala and Fatimion are targeting private-sector organizations with attacks designed to erase data, disrupt services, and introduce uncertainty for both businesses and the public. At the same time, we’re seeing a greater use of legitimate administrative tools in these cyber operations, making it significantly harder for traditional security controls to detect.”

That’s not all. MOIS-linked actors have been increasingly engaging with the cybercrime ecosystem to support their objectives and provide cover for their malicious activity. This includes Handala’s integration of the Rhadamanthys stealer into its operations and MuddyWater’s use of the Tsundere botnet (aka Dindoor) and Fakeset, the latter of which is a downloader used to deliver CastleLoader.

“Such engagement offers a dual advantage: it enhances operational capabilities through access to mature criminal tooling and resilient infrastructure, while complicating attribution and contributing to recurring confusion around Iranian threat activity,” Check Point said.

“The use of such tools has created significant confusion, leading to misattribution and flawed pivoting, and clustering together activities that are not necessarily related. This demonstrates that the use of criminal software can be effective for obfuscation, and highlights the need for extreme caution when analyzing overlapping clusters.”
