CA-A-26-004: Iranian-Nexus Handala Group’s Microsoft Intune Wiping Tactics

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 8 minutes

Iran-Nexus Update, Handala, Void Manticore, Banished Kitten, Wiper, Intune, Entra ID, Microsoft Graph API

Source Material: Stryker, Krebs on Security, Palo Alto Networks, Check Point | Technology: Microsoft Intune, Entra ID, Microsoft Graph API | Targeted Industries: Healthcare, Finance, Manufacturing, Critical Infrastructure, and entities with Western or Israeli business ties

Executive Summary

This advisory serves as a critical update to our previously published Customer Advisories, Elevated Risk of Iranian Cyber Activity and Iranian-Nexus Handala Hacking Group Escalates Disruptive Operations.

Recent intelligence reveals that the Iranian-nexus Handala group (Void Manticore) collaborated with espionage actors before utilizing Microsoft Intune to remotely wipe approximately 80,000 corporate and BYOD devices. While the threat actors claim to have exfiltrated 50TB of data prior to the wipe, this assertion currently remains unverified. Geopolitically motivated to target organizations with Israeli business ties, the adversaries likely utilized Adversary-in-the-Middle (AiTM) phishing and historical infostealer logs to steal session tokens, bypassing standard MFA. After compromising an Intune administrator and establishing a new Global Administrator account, the actors used automated Microsoft Graph API requests to execute the mass factory resets. This inherent OS-level wipe bypassed EDR tools and erased cellular eSIMs on personal devices, severely hindering account recovery. To mitigate this threat, organizations must enforce Multi-Admin Approval (MAA), deploy phishing-resistant MFA (FIDO2), and utilize Privileged Identity Management (PIM) for Just-in-Time administrative access.

Threat Overview and Strategic Impact

On March 11, 2026, the Iranian-linked threat group Handala initiated a massive destructive wiping event targeting a major medical device manufacturer. Handala is a hacktivist persona operated by “Void Manticore” (also known as Storm-0842), a state-directed cyber warfare unit acting on behalf of Iran’s Ministry of Intelligence and Security (MOIS). This operation was geopolitically motivated, targeting the manufacturer due to its historical acquisition of an Israeli medical technology firm. 

Void Manticore operates using a highly structured hybrid warfare model. They frequently collaborate with an affiliated espionage group known as “Scarred Manticore,” which establishes persistent network access and conducts stealthy data exfiltration. Once intelligence gathering concludes, Scarred Manticore hands the access over to Void Manticore for the destructive phase, with the threat actors claiming to have stolen 50TB of data prior to the wipe. 

Initial access was likely achieved using a combination of older credentials harvested by infostealer malware and highly sophisticated Adversary-in-the-Middle (AiTM) phishing attacks, which intercept authenticated session tokens to completely bypass standard SMS or push-based MFA. Upon compromising an existing Intune administrator, the adversaries established persistence by creating a new Global Administrator account. Using automated PowerShell scripts interacting with the Microsoft Graph API, they issued approximately 80,000 individual wipe commands over a three-hour window. 

The strategic impact of this event is severe. Because the destructive commands originated from Microsoft’s trusted management plane and were processed natively by the devices, the activity completely bypassed traditional Endpoint Detection and Response (EDR) inspection. Furthermore, the wiping of BYOD mobile phones resulted in the deletion of personal data and cellular eSIMs, which critically delayed IT recovery as users were unable to receive MFA authentication codes on their erased devices.

Security Hardening and Recommendations

To defend against this specific operational method, organizations must prioritize hardening the Microsoft Intune and Entra ID administrative planes:

  • Implement Privileged Identity Management (PIM): Eliminate standing administrative access by requiring Just-in-Time (JIT) role activation for Global and Intune Administrators.
  • Enforce Phishing-Resistant MFA: Require FIDO2 security keys or Windows Hello for Business for all administrative accounts, as these cryptographically prevent the AiTM token theft utilized in this attack.
  • Enforce Multi-Admin Approval (MAA): Require multiple administrators to approve destructive actions in Microsoft Intune, such as device wipes, retires, and app deployments. For configuration steps, consult the Microsoft guide “Use Access Policies to Require Multi-Admin Approval”.
  • Restrict BYOD Policies: Implement Mobile Application Management (MAM) without full MDM enrollment to limit the blast radius to corporate data only.
  • Review and implement additional best practices recommended by Microsoft such as:

How Deepwatch Protects Our Customers

  • Detection: We are reviewing existing detections associated with identified TTPs to ensure coverage, developing new detections as applicable, and we have raised awareness around related alerting to our SOC. Deepwatch customers are encouraged to visit Security Center, where the customer version of this report contains specific detection details.
  • Threat Hunting: Our teams are actively hunting for known Handala Hack Group TTPs.
  • Threat Intelligence: Our teams are reviewing newly identified IOCs, TTPs, and reporting related to Handala Hack Group to feed into our detection platform.

Threat Hunting Leads

  • Hunt for AiTM phishing indicators, such as sign-ins from new IP locations immediately following an MFA completion, or concurrent sessions with anomalous device fingerprints.
  • Search for network connections to known Handala Telegram bot APIs or the deployment of tunneling tools like NetBird (netbird[.]io).
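The first hunting lead above, worked as a correlation over sign-in records. This is an added example, not code from this advisory or from Deepwatch; the record layout (UserPrincipalName, TimeGenerated, IPAddress, DeviceFingerprint, MfaCompleted) is an assumed simplification of a sign-in log export, and every row is constructed sample data.

```python
# Added example (not Deepwatch's or Microsoft's code): surface the AiTM pattern of a
# session from a never-seen IP and a different device fingerprint arriving shortly
# after the same user completed MFA. Field names are ASSUMED; rows are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"


def find_aitm_candidates(signins, window_minutes=15):
    """Return (user, mfa_ip, new_ip, new_fingerprint) tuples where a sign-in from an IP
    never seen for that user, with a different fingerprint, lands within
    `window_minutes` after that user completed MFA from another IP."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["UserPrincipalName"]].append((datetime.strptime(s["TimeGenerated"], FMT), s))
    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        known_ips = set()
        last_mfa = None  # (time, ip, fingerprint) of the most recent MFA completion
        for t, s in events:
            if (last_mfa is not None and s["IPAddress"] not in known_ips
                    and s["DeviceFingerprint"] != last_mfa[2]
                    and t - last_mfa[0] <= timedelta(minutes=window_minutes)):
                hits.append((user, last_mfa[1], s["IPAddress"], s["DeviceFingerprint"]))
            known_ips.add(s["IPAddress"])  # an IP counts as "known" only after it is seen
            if s["MfaCompleted"]:
                last_mfa = (t, s["IPAddress"], s["DeviceFingerprint"])
    return hits


def build_sample_signins():
    """Constructed rows. alice: MFA from her laptop, then a replayed session from an
    unknown IP/fingerprint 4 minutes later. bob: laptop MFA, then his phone from an IP
    already seen the previous evening (benign). carol: new IP but 2.5 hours later."""
    def row(ts, user, ip, fp, mfa):
        return {"TimeGenerated": ts, "UserPrincipalName": user, "IPAddress": ip,
                "DeviceFingerprint": fp, "MfaCompleted": mfa}
    return [
        row("2026-03-10T08:00:00Z", "alice@contoso.example", "203.0.113.10", "fp-alice-laptop", True),
        row("2026-03-10T08:04:00Z", "alice@contoso.example", "198.51.100.7", "fp-unknown-01", False),
        row("2026-03-09T18:00:00Z", "bob@contoso.example", "192.0.2.44", "fp-bob-phone", True),
        row("2026-03-10T08:00:00Z", "bob@contoso.example", "203.0.113.20", "fp-bob-laptop", True),
        row("2026-03-10T08:05:00Z", "bob@contoso.example", "192.0.2.44", "fp-bob-phone", False),
        row("2026-03-10T08:00:00Z", "carol@contoso.example", "203.0.113.30", "fp-carol-laptop", True),
        row("2026-03-10T10:30:00Z", "carol@contoso.example", "198.51.100.9", "fp-carol-tablet", True),
    ]


if __name__ == "__main__":
    for user, mfa_ip, new_ip, fp in find_aitm_candidates(build_sample_signins()):
        print(f"AiTM candidate: {user} MFA from {mfa_ip}, then new session {new_ip} ({fp})")
```

Only alice's second session is flagged: bob's phone IP was already in his history and carol's new IP arrives outside the window.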

Technical Artifacts

The primary artifacts associated with this specific attack phase involve the abuse of legitimate administrative APIs.

Indicator Type | Value | Description
Domain | justicehomeland[.]org | Domain associated with Handala
Domain | handala-hack[.]to | Domain associated with Handala
Domain | karmabelow80[.]org | Domain associated with Handala
Domain | handala-redwanted[.]to | Domain associated with Handala
API Endpoint | POST /deviceManagement/managedDevices/{managedDeviceId}/wipe | Microsoft Graph API endpoint abused in automated loops to issue mass device wiping commands.
Log Event | wipe ManagedDevice / retire ManagedDevice | Logged actions in the IntuneAuditLogs table indicating the destructive command was successfully issued.
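The Log Event artifact above, turned into detection logic: the advisory describes roughly 80,000 wipe commands issued over three hours, so the signal to look for in IntuneAuditLogs is a single identity issuing many successful wipe or retire operations in a short window. This is an added example, not code from this advisory, Deepwatch or Microsoft; the record layout (TimeGenerated, OperationName, Identity, ResultType) is an assumed simplification of a Log Analytics export, and all rows are constructed.

```python
# Added example (not Deepwatch's or Microsoft's code): flag an actor whose successful
# "wipe ManagedDevice" / "retire ManagedDevice" operations (the values named in the
# advisory) reach a threshold inside a sliding window. Field names are ASSUMED.
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
DESTRUCTIVE_OPS = {"wipe ManagedDevice", "retire ManagedDevice"}


def find_wipe_bursts(records, window_minutes=10, threshold=20):
    """Return {actor: peak_count} for actors whose successful destructive operations
    reach `threshold` within any `window_minutes` span."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for r in records:
        if r["OperationName"] in DESTRUCTIVE_OPS and r["ResultType"] == "Success":
            by_actor[r["Identity"]].append(datetime.strptime(r["TimeGenerated"], FMT))
    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts


def build_sample_records():
    """Constructed rows: a newly created admin wipes 25 devices in under three minutes;
    a helpdesk account retires 3 devices across a morning and has one failed wipe."""
    base = datetime(2026, 3, 11, 9, 0, 0)

    def row(offset_s, op, who, result="Success"):
        return {"TimeGenerated": (base + timedelta(seconds=offset_s)).strftime(FMT),
                "OperationName": op, "Identity": who, "ResultType": result}

    rows = [row(7 * i, "wipe ManagedDevice", "new-ga@contoso.example") for i in range(25)]
    rows += [row(1800 * i, "retire ManagedDevice", "helpdesk@contoso.example") for i in range(3)]
    rows.append(row(100, "wipe ManagedDevice", "helpdesk@contoso.example", "Failure"))
    return rows


if __name__ == "__main__":
    for actor, n in find_wipe_bursts(build_sample_records()).items():
        print(f"ALERT: {actor} issued {n} destructive Intune operations within 10 minutes")
```

Tune the threshold to the tenant's normal retire/wipe volume; a Multi-Admin Approval policy, as recommended above, is what stops the burst rather than merely observing it.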

Threat Object Mapping

Intrusion Set:

  • Handala / Void Manticore / STORM-0842 / BANISHED KITTEN
  • Scarred Manticore (Espionage Partner)

Attack Pattern (MITRE ATT&CK):

Tactic | Technique | Technique ID | Associated Threat Activity
Initial Access | Valid Accounts | T1078 | Use of old credentials harvested by infostealers.
Credential Access | Steal Application Access Token | T1528 | Using AiTM phishing to steal authenticated Entra ID session tokens.
Persistence | Account Manipulation | T1098 | Creation of a new Global Administrator account to maintain tenant control.
Defense Evasion | Impair Defenses | T1562 | Utilizing trusted MDM commands to inherently bypass EDR/AV inspection.
Execution | Software Deployment Tools | T1072 | Abuse of Microsoft Intune to issue mass remote wipe commands.
Exfiltration | Exfiltration Over Web Service | T1567 | Exfiltrating large volumes of data (claimed 50TB) before executing the destructive wipe.
Impact | Data Destruction | T1485 | Remotely wiping tens of thousands of corporate and BYOD devices.

Vulnerability:

  • No specific CVE exploited for the wipe; represents feature abuse of legitimate Microsoft Intune administrative capabilities.

Malware/Tools:

  • Microsoft Intune (MDM Abuse)
  • Microsoft Graph API (API Abuse)
  • Tycoon 2FA (AiTM Phishing Kit)

Additional Sources
