
First appearing on the scene in December 2023, Handala Hack Team (Handala) established their presence as a pro-Palestinian hacktivist group via a Telegram channel and X account. The group described itself as a “small fighter of Hamas,” suggesting it was formed in response to the October 7 attacks that marked the start of the Israel–Hamas war. It was widely regarded as a front for Iran’s cyberwarfare operations and as one of several personas employed by the Iranian Ministry of Intelligence to claim responsibility for cyberattacks, a conclusion later confirmed by the Justice Department.
Early activity suggested the group primarily targeted the Israeli government and its citizens. Following Operation Epic Fury in February 2026, it carried out two significant attacks targeting the U.S.-affiliated Stryker medical manufacturer and FBI Director Kash Patel.
The first large-scale attack by Handala targeted Israel’s Iron Dome, a high-level target for many hacktivist groups. Handala claimed to have successfully hacked into a “multi-purpose tactical radars company” – DRS RADA. The group shared several screenshots that appear to show internal system interfaces, along with evidence of defaced websites (specifically rada[.]com and rada[.]co[.]il). They also issued a threat to release up to 2 terabytes of data. At first glance, this suggested a potentially serious breach. However, a closer look revealed some important gaps. The official website for DRS RADA (drsrada.com) was not on the list of domains that were defaced. No actual data leaks or downloadable files were made available to support the claim of a large-scale exfiltration, leaving researchers questioning whether the group’s claims should be “taken seriously.”
In 2024, the group also shifted its focus toward disrupting infrastructure targeting Israeli civilians. The group used a spear-phishing tactic: residents of the Ma’ala Yosef Regional Council received text messages that appeared to come from the MyCity mobile app, a crisis management platform used by local authorities. The messages urged recipients to click a link and download an application, which raised concerns about a targeted attempt to compromise personal devices. In the same month, Handala reportedly carried out a ransomware attack against Ma’agan Michael Kibbutz, exfiltrating approximately 22 GB of data and sending more than 5,000 warning text messages. The ransom note included criticism of both the kibbutz and Israel, underscoring the group’s political motivations. Ma’agan Michael is widely regarded as one of the largest and most financially successful kibbutzim in Israel, making it a high-profile target.
On March 11, 2026, Handala claimed to have wiped tens of thousands of systems and servers belonging to the medical technology company Stryker. In a statement, Handala said that “over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted.” The attack allegedly forced offices in 79 countries to shut down. The group did not give details on logistics but declared it targeted the company in “retaliation for the brutal attack on the Minab school” as well as for the company’s alleged “Zionist” ties. According to media outlets, a Stryker spokesperson announced, “We are currently experiencing a global network disruption affecting the Windows environment.” Originally, it was assumed the group used wiper malware, but following an investigation, Stryker claimed no malware or ransomware was found on their systems.
Following this attack, the Justice Department officially confirmed the connection between Handala and Iran’s Ministry of Intelligence and Security (MOIS). According to the department, the MOIS used the Handala-hack[.]to domain to carry out the Stryker attack. This led to the seizure of four domains used by the group (Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to).

On March 27, Handala claimed it had breached the personal email account of FBI Director Kash Patel: “All personal and confidential email of Kash Patel, including emails, conversations, documents, and even classified files, is now available for public download.” Watermarked personal photos and documents were subsequently released, including email correspondence from Director Patel’s time prior to assuming the role.
The attack appeared to be carried out in retaliation for the FBI’s seizure of Handala-linked domains after its earlier cyberattack on medical technology company Stryker. In their statement regarding the breach of Director Patel’s personal email account, the FBI reiterated that the Department of State’s Rewards for Justice program is offering up to $10 million “for information leading to the identification of the Handala Hack Team out of Iran.” The seized information appeared to be historical, and the FBI claimed that no government information was acquired or breached.

Handala’s operations are less about flashy, cutting-edge exploits and more about what works. As seen in their claims regarding the attack on Israel’s Iron Dome, the group appears to have overstated its impact to project capabilities beyond what it actually achieved. This pattern is consistent with broader hacktivist behavior, where exaggerated claims and unverified assertions are used to amplify perceived effectiveness. Similar tactics have been observed among pro-Iranian groups such as Ababil of Minab and APT Iran, both of which have blended propaganda with cyber operations.
The group blends destructive malware with social engineering and practical intrusion techniques, creating a toolkit that’s both effective and adaptable. Instead of chasing novel vulnerabilities, they rely on a mix of commercially available tools, custom-built payloads, and “living-off-the-land” methods, leveraging legitimate system features to stay under the radar.
This pragmatic approach gives them a high degree of flexibility. They can quickly adjust tactics depending on the target while still achieving their core objective: disruption. As evidenced by their spear-phishing campaigns, the group has reached hundreds of thousands of individuals but achieved minimal success beyond the initial contact stage. Just as importantly, their campaigns are designed to have a psychological edge, amplifying the impact beyond the immediate technical damage.
The activities attributed to the Handala Hack Team highlight the evolving nature of modern cyber warfare. Operating under the appearance of grassroots hacktivism, the group has been linked to actions that blur the line between data theft, psychological pressure, and disruptive digital attacks. Their operations range from wiping large numbers of corporate devices to exposing personal information of individuals tied to defense and security sectors, all designed to create both reputational damage and operational disruption.
As geopolitical tensions increasingly extend into cyberspace, the broader message is difficult to ignore: digital infrastructure and personal data are becoming central targets. Whether the target is a corporation, a government-affiliated organization, or a high-profile individual, the boundary between physical and digital conflict continues to erode. As the war with Iran persists, Handala will remain an active threat.