Update to CA-A-26-01 | Handala | Iran-Nexus | MDM Abuse | Wiper | Data Exfiltration
Source Material: Stryker | Krebs on Security | Technology: Microsoft Intune (MDM); IoT Security Cameras; Microsoft Entra ID | Targeted Industries: All
Executive Summary
This advisory serves as a critical update to CA-A-26-01 Elevated Risk of Iranian Cyber Activity. Following the geopolitical escalations of late February 2026, the Iranian-nexus threat actor Handala Hacking Team (associated with BANISHED KITTEN / Void Manticore) has intensified its disruptive operations. Deepwatch identifies a heightened and immediate threat to all U.S. and Israeli entities, especially those spanning healthcare, finance, manufacturing, and critical infrastructure.
Recent evidence, including the major disruption at Stryker Corporation, confirms that the group is weaponizing legitimate management tools like Microsoft Intune to trigger mass remote wipes of corporate and BYOD devices. Simultaneously, Handala is hijacking civilian IoT security cameras for real-time military reconnaissance and damage assessment.
Threat Overview and Strategic Impact
Since the publication of CA-A-26-01, Handala has shifted from traditional “hack-and-leak” tactics to high-impact data destruction and surveillance:
- MDM Hijacking & Data Wipe: Handala compromised administrative credentials for Microsoft Intune to trigger remote wipe commands. This resulted in the factory-reset of over 200,000 devices, including Windows laptops and personal BYOD mobile phones, erasing personal data and cellular eSIMs.
- Custom Destructive Wiper: The group has historically utilized a custom AutoIT-based wiper delivered via NSIS-packaged installers. The wiper overwrites files with random data and uses Bring Your Own Vulnerable Driver (BYOVD) techniques to facilitate kernel-level access.
- IoT Reconnaissance: Handala is exploiting unpatched vulnerabilities in Hikvision and Dahua cameras to provide live feeds during military strikes, moving beyond digital disruption into active support for physical warfare.
Security Hardening and Recommendations
Deepwatch recommends the following immediate priorities:
- Harden MDM & Admin Portals: Enforce phishing-resistant MFA (FIDO2) for all Microsoft Intune and Entra ID Global Admin accounts. Properly implement MFA across all access points to mitigate MFA fatigue and credential harvesting. Use Just-in-Time administrative access through Entra Privileged Identity Management (PIM) so that MDM roles are active only when needed and require a second person to approve the activation, rather than maintaining permanent administrators. Implement location-based access controls so that administrative logins are accepted only from verified, compliant company hardware and known, secure office networks rather than from arbitrary internet locations.
- High-Volume Wipe Triggers: Implement automated alerts that fire whenever a threshold of remote wipe commands (e.g., more than three in a short window) is reached, allowing for immediate intervention.
- Restrict Privileges: Enforce the Principle of Least Privilege. Limit administrative permissions to the absolute minimum necessary to reduce the “blast radius” of a single account compromise.
- Targeting-Based Risk Assessments: Update vendor risk profiles to include geopolitical factors. Evaluate partners not just on their security tools, but on whether their international business ties or recent acquisitions (specifically those involving Israeli or Western entities) might make them a primary target for geopolitically motivated actors.
- Partner Device Isolation: Isolate any equipment that must communicate back to a vendor’s cloud (like managed medical or manufacturing devices) on its own dedicated network segment to prevent a compromise from spreading to core systems.
- IoT Isolation & Patching: Audit all internet-facing cameras. Ensure IoT devices are patched and isolated on separate VLANs with restricted outbound internet access.
- Wiper-Specific Response Plans: Create a dedicated playbook for a “zero-access” scenario where all standard IT systems (email, chat, and workstations) are wiped at once. This includes establishing out-of-band communication methods and ensuring hardware imaging tools are ready to deploy at scale.
- Password Hygiene: Implement automated password rotation for administrative accounts. Prohibit password reuse and enforce strong, unique password requirements.
- User Education: Conduct phishing and smishing awareness training, specifically highlighting the risk of “fix-it tools” delivered via ZIP or PDF during crisis events. Additionally, train staff to look for lures mimicking “emergency security updates”, “device re-enrollment” notices, and other topics relating to recent geopolitical activity, which the group uses to capitalize on the chaos following a major public breach.
- Offline Data Safeguards: Ensure that at least one copy of critical data is physically disconnected or air-gapped from the main network, as even cloud-connected backups can be targeted during an MDM-level compromise.
- Admin Account Monitoring: Implement enhanced monitoring and alerting for accounts with admin and/or Intune permissions. For Deepwatch customers, review the internal version of this report in Security Center for guidance on how to inform Deepwatch of related account updates.
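The "High-Volume Wipe Triggers" recommendation above, as an added example that is not Deepwatch's or Microsoft's own code: a sliding-window detector that alerts when one actor issues more than three remote-wipe commands within ten minutes. The audit events are constructed to resemble Intune audit-log entries; the field names (`time`, `actor`, `action`, `device`) and the action name `wipeManagedDevice` are assumptions for this example.

```python
# Added example (not Deepwatch's or Microsoft's code): alert when one actor
# issues more than THRESHOLD Intune remote-wipe commands inside WINDOW.
# Event field names and the action string are assumptions for this example.
from collections import deque
from datetime import datetime, timedelta

THRESHOLD = 3                   # alert when wipes in the window exceed this
WINDOW = timedelta(minutes=10)

# Constructed sample events: "admin-a" wipes four devices in ninety seconds
# (a retire command is not counted); "helpdesk" wipes three devices hours apart.
SAMPLE_EVENTS = [
    {"time": "2026-03-01T02:00:05Z", "actor": "admin-a", "action": "wipeManagedDevice", "device": "LAPTOP-01"},
    {"time": "2026-03-01T02:00:12Z", "actor": "admin-a", "action": "wipeManagedDevice", "device": "PHONE-17"},
    {"time": "2026-03-01T02:00:40Z", "actor": "admin-a", "action": "retireManagedDevice", "device": "PHONE-18"},
    {"time": "2026-03-01T02:01:03Z", "actor": "admin-a", "action": "wipeManagedDevice", "device": "LAPTOP-02"},
    {"time": "2026-03-01T02:01:30Z", "actor": "admin-a", "action": "wipeManagedDevice", "device": "LAPTOP-03"},
    {"time": "2026-03-01T02:02:00Z", "actor": "admin-a", "action": "wipeManagedDevice", "device": "LAPTOP-04"},
    {"time": "2026-03-01T09:00:00Z", "actor": "helpdesk", "action": "wipeManagedDevice", "device": "LAPTOP-50"},
    {"time": "2026-03-01T10:30:00Z", "actor": "helpdesk", "action": "wipeManagedDevice", "device": "LAPTOP-51"},
    {"time": "2026-03-01T12:00:00Z", "actor": "helpdesk", "action": "wipeManagedDevice", "device": "LAPTOP-52"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_wipe_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """One alert per actor whose wipe count in any sliding window exceeds threshold."""
    wipes = sorted((e for e in events if e["action"] == "wipeManagedDevice"),
                   key=lambda e: parse_time(e["time"]))
    recent = {}    # actor -> deque of (time, device) still inside the window
    alerts = {}
    for e in wipes:
        t = parse_time(e["time"])
        q = recent.setdefault(e["actor"], deque())
        q.append((t, e["device"]))
        while t - q[0][0] > window:      # evict wipes older than the window
            q.popleft()
        if len(q) > threshold and e["actor"] not in alerts:
            alerts[e["actor"]] = {
                "actor": e["actor"],
                "window_start": q[0][0].isoformat(),   # first wipe of the burst
                "count": len(q),                       # count when threshold crossed
                "devices": [d for _, d in q],
            }
    return list(alerts.values())
```

In production the same logic runs over the live audit feed, and the alert should route to someone who can suspend the actor's session and revoke the role before further wipes are issued.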
How Deepwatch Protects Its Customers
- Detection: We have reviewed existing detections associated with known TTPs used by Iranian threat actors and raised awareness around related alerting to our SOC.
- Threat Hunting: Our teams are actively hunting for known Handala Hack Group TTPs.
- Threat Intelligence: Our teams are reviewing known IOCs, TTPs, and reporting related to Handala Hack Group to feed into our detection platform.
Threat Hunting Leads
- First-Time Administrative Logins: Audit for successful logins to administrative portals (Entra, Intune, AWS) from new geolocations or Starlink IP ranges, which the group uses to bypass traditional geolocation blocks.
- MFA Fatigue & Failed Logins: Look for patterns of multiple failed login attempts followed by a single success and a subsequent new device registration, indicating a potential credential harvest or MFA bypass.
- Staged Batch Script Obfuscation: Identify execution of batch scripts (often named “Carrol”) that perform AV-checking loops (searching for wrsa.exe or sophoshealth.exe) and utilize ping -n parameters to induce execution delays of 90–180 seconds.
- Suspicious AutoIT Compilations: Hunt for unauthorized autoit3.exe activity or .a3x files, particularly those dropped in \users\public\ or \windows\fonts\. The group often renames these binaries to deceptive names like Champion.pif.
- Regasm Process Anomalies: Monitor for regasm.exe processes that have no command-line arguments or are making external network connections, as this is a primary injection target for the final wiper payload.
- Kernel-Level Driver Loads: Alert on the loading of unsigned or known vulnerable drivers, specifically ListOpenedFileDrv_32.sys, which facilitates the BYOVD (Bring Your Own Vulnerable Driver) technique for kernel access.
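The "MFA Fatigue & Failed Logins" lead above, as an added example that is not Deepwatch's own detection content: it flags a user with a run of failed sign-ins followed by a success and then a device registration, all within a short window. The sign-in and device records are constructed to resemble Entra ID sign-in and audit log entries; the field names and the activity string `Register device` are assumptions for this example.

```python
# Added example (not Deepwatch's code): detect failed-logins -> success ->
# new device registration for one user inside a window. Field names are
# assumptions; records are constructed for this example.
from datetime import datetime, timedelta

SAMPLE_SIGNINS = [
    # jdoe: four failures in under five minutes, then a success (suspicious)
    {"time": "2026-03-02T03:10:00Z", "user": "jdoe", "result": "failure", "ip": "203.0.113.5"},
    {"time": "2026-03-02T03:11:10Z", "user": "jdoe", "result": "failure", "ip": "203.0.113.5"},
    {"time": "2026-03-02T03:12:30Z", "user": "jdoe", "result": "failure", "ip": "203.0.113.5"},
    {"time": "2026-03-02T03:13:45Z", "user": "jdoe", "result": "failure", "ip": "203.0.113.5"},
    {"time": "2026-03-02T03:14:20Z", "user": "jdoe", "result": "success", "ip": "203.0.113.5"},
    # asmith: one mistyped password, then a success (normal)
    {"time": "2026-03-02T08:00:00Z", "user": "asmith", "result": "failure", "ip": "198.51.100.9"},
    {"time": "2026-03-02T08:00:30Z", "user": "asmith", "result": "success", "ip": "198.51.100.9"},
]
SAMPLE_DEVICE_EVENTS = [
    {"time": "2026-03-02T03:20:00Z", "user": "jdoe", "activity": "Register device"},
    {"time": "2026-03-02T08:05:00Z", "user": "asmith", "activity": "Register device"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_push_fatigue(signins, device_events, min_failures=3, window=timedelta(minutes=15)):
    """Alert per user: >= min_failures failures inside `window` before a success,
    and a device registration within `window` after that success."""
    registrations = {}
    for d in device_events:
        if d["activity"] == "Register device":
            registrations.setdefault(d["user"], []).append(parse_time(d["time"]))
    failures = {}   # user -> timestamps of the current failure run
    alerts = []
    for s in sorted(signins, key=lambda r: parse_time(r["time"])):
        t, user = parse_time(s["time"]), s["user"]
        recent = [f for f in failures.get(user, []) if t - f <= window]
        if s["result"] == "failure":
            failures[user] = recent + [t]
            continue
        failures[user] = []          # a success ends the run
        if len(recent) < min_failures:
            continue
        regs = [r for r in registrations.get(user, []) if timedelta(0) <= r - t <= window]
        if regs:
            alerts.append({"user": user, "failures": len(recent), "ip": s["ip"],
                           "success_at": t.isoformat(),
                           "device_registered_at": regs[0].isoformat()})
    return alerts
```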
Technical Artifacts
At this time, IOCs for the current activity are not available. Deepwatch recommends reviewing all historical IOCs associated with this actor and implementing blocking and/or alerting capabilities as appropriate. For Deepwatch customers, the Deepwatch Threat Intel team is actively reviewing known IOCs, TTPs, and reporting related to Handala Hack Group to feed into our detection platform.
Threat Object Mapping
Intrusion Set:
- Handala Hack Group, also known as BANISHED KITTEN, DEV-0842, Void Manticore, Red Sandstorm
Attack Pattern (MITRE ATT&CK):
| Tactic | Technique | ID | Context/Evidence |
|---|---|---|---|
| Initial Access | Spearphishing Attachment | T1566.001 | Delivery of malicious ZIP or PDF files containing NSIS-packaged installers. |
| Initial Access | Exploit Public-Facing Application | T1190 | Exploitation of unpatched Hikvision and Dahua cameras for reconnaissance. |
| Execution | Software Deployment Tools | T1072 | Abuse of Microsoft Intune to issue mass “Remote Wipe” commands. |
| Execution | Windows Command Shell | T1059.003 | Use of obfuscated batch scripts (e.g., “Carrol”) for initial staging. |
| Persistence | Cloud Accounts | T1078.004 | Maintaining access via compromised Entra ID/Intune administrative accounts. |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | BYOVD (Bring Your Own Vulnerable Driver) using ListOpenedFileDrv_32.sys to gain kernel access. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Heavy use of AutoIT compilation and custom script packing to bypass AV. |
| Defense Evasion | Process Injection | T1055 | Injecting the final wiper payload into regasm.exe to hide malicious execution. |
| Command & Control | Web Service: Bidirectional Communication | T1102.002 | Utilizing the Telegram Bot API for exfiltrating victim logs and metadata. |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Performing large-scale data exfiltration (purportedly 50TB) immediately prior to the destructive phase. |
| Impact | Data Destruction | T1485 | Overwriting files with random data using custom wipers. |
| Impact | Disk Structure Wipe | T1561.002 | Corrupting the Master Boot Record (MBR) to render systems unbootable. |
Vulnerabilities:
- CVE-2023-6895: A remote code execution (RCE) vulnerability in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK).
- CVE-2017-7921: An old but effective credential-bypass vulnerability affecting a variety of Hikvision devices.
Malware/Tools:
- Rhadamanthys
- MisleadingAxe
- PhantomBlade
- BiBiWiper
- ZeroShred
- WovenMist
- LowEraser
- GoneXML
Additional Sources
- Initial Advisory: CA-A-26-01 Elevated Risk of Iranian Cyber Activity
- WIRED: Hacking Security Cameras Is Now Part of War’s Playbook
- Splunk: Handala’s Wiper Threat Analysis
- WION: Understanding the Stryker/Intune Cyberattack