Infiltration Strategies and Access Vectors
Handala’s infiltration strategies emphasise speed and exploiting the "path of least resistance." The group demonstrates a highly sophisticated understanding of human psychology, utilising social engineering lures meticulously timed to capitalise on ongoing crises.
A prime example of this tradecraft was observed during the July 2024 global CrowdStrike outage. Handala distributed emails masquerading as official communications from security vendors, attaching a PDF titled "outage fix." This document directed users to a malicious ZIP archive, which launched a destructive wiper upon execution. Handala also frequently utilises SMS phishing (smishing) and voice-based social engineering (vishing) to harvest credentials.
Beyond social engineering, the group increasingly relies on compromised third-party service providers to bypass hardened enterprise perimeters. Handala has been observed targeting the VPN infrastructure of IT service providers, utilising stolen administrative accounts to gain downstream access to multiple customer networks. While they heavily favour credential-based access, they actively monitor for and exploit unpatched public-facing vulnerabilities to breach misconfigured servers.
| Access Vector | Mechanism of Action | Mitigation Priority |
| --- | --- | --- |
| Spear-Phishing | PDF/ZIP lures themed around current events (e.g., CrowdStrike outage). | Robust email filtering, attachment sandboxing, and user awareness training. |
| Credential Abuse | Exploitation of stolen VPN credentials and dark-web purchased accounts. | Phishing-resistant Multi-Factor Authentication (MFA) and conditional access. |
| Cloud MDM Abuse | Infiltration of Microsoft Intune to issue global remote device wipes. | Just-In-Time (JIT) administrative access and strict management plane auditing. |
| Vulnerability Exploitation | Targeting public-facing vulnerabilities (e.g., SharePoint, Exchange). | Rapid patch management and external attack surface reduction. |
Technical Execution and the Multi-Stage Loading Process
Handala's technical tradecraft relies heavily on multi-stage loading sequences and the abuse of legitimate software interpreters to evade Endpoint Detection and Response (EDR) platforms.
- NSIS Droppers and the "Carroll" Batch Script: The initial stage of a Handala infection often involves a seemingly benign Nullsoft Scriptable Install System (NSIS) executable. This installer extracts several components into the victim's temporary directory, including a heavily obfuscated batch script commonly named Carroll.cmd.
- Command-Line Obfuscation: The Carroll.cmd script employs a unique evasion technique by scattering "garbage" commands amongst valid code. The Windows operating system ignores these invalid commands, allowing the underlying malicious script to execute, while traditional static analysis tools struggle to parse the file.
- AutoIt Injection and Memory Decompression: Following anti-analysis checks, the script reconstructs a malicious AutoIt executable by concatenating various file segments extracted by the NSIS installer. This reconstruction process ensures the malicious payload is never present as a complete, recognisable file on disk during the initial stages of the infection.
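The filler-command technique described above leaves a measurable fingerprint: a high share of lines whose command position holds a token cmd.exe cannot resolve, plus commands assembled from variables or `%var:~n,m%` slices. The following scanner is an added example written for this article, not Handala's Carroll.cmd nor any vendor's detection logic; both sample scripts are constructed, the command allow-list is the author's own, and the thresholds are assumptions that should be tuned against an organisation's real batch files.

```python
import re

# Built-in cmd.exe commands and common Windows executables a legitimate
# batch script is expected to call. Anything else in command position is
# counted as "unknown" (the filler lines that cmd.exe skips with an error).
# Allow-list is this example's own assumption, not an exhaustive reference.
KNOWN_COMMANDS = {
    "assoc", "attrib", "bitsadmin", "call", "cd", "certutil", "chcp",
    "choice", "cls", "cmd", "color", "copy", "cscript", "curl", "del",
    "dir", "echo", "endlocal", "erase", "exit", "expand", "find",
    "findstr", "for", "ftype", "goto", "icacls", "if", "md", "mkdir",
    "more", "move", "msiexec", "net", "pause", "ping", "popd",
    "powershell", "prompt", "pushd", "rd", "reg", "regsvr32", "rem",
    "ren", "rename", "rmdir", "robocopy", "rundll32", "sc", "schtasks",
    "set", "setlocal", "shift", "sort", "start", "taskkill", "tasklist",
    "timeout", "title", "type", "ver", "vol", "wmic", "wscript", "xcopy",
}

SUBSTRING_RE = re.compile(r"%\w+:~-?\d+(?:,-?\d+)?%")  # %var:~n,m% slicing
UNKNOWN_RATIO_THRESHOLD = 0.25  # assumed; tune on known-good scripts


def first_token(line: str) -> str:
    """Return the token in command position of a batch line, lower-cased."""
    stripped = line.strip().lstrip("@")
    return re.split(r"[\s&|<>(]", stripped, maxsplit=1)[0].lower()


def analyse_batch(text: str) -> dict:
    """Score a batch script for filler-command obfuscation signals."""
    total = unknown = indirect = substrings = carets = 0
    for raw in text.splitlines():
        line = raw.strip()
        # blank lines, labels (:name) and :: comments carry no command
        if not line or line.startswith(":"):
            continue
        tok = first_token(line)
        if not tok:
            continue
        total += 1
        carets += line.count("^")
        substrings += len(SUBSTRING_RE.findall(line))
        if tok[0] in "%!":
            # command assembled at run time from variables, e.g. %a%%b%
            indirect += 1
            continue
        base = re.sub(r"\.(exe|com|bat|cmd)$", "", tok)
        if "\\" in base or "/" in base:
            continue  # explicit path to a program; treat as resolvable
        if base not in KNOWN_COMMANDS:
            unknown += 1
    ratio = unknown / total if total else 0.0
    suspicious = (ratio >= UNKNOWN_RATIO_THRESHOLD
                  or indirect >= 3 or substrings >= 3)
    return {
        "commands": total,
        "unknown_commands": unknown,
        "unknown_ratio": round(ratio, 2),
        "indirect_invocations": indirect,
        "substring_expansions": substrings,
        "carets": carets,
        "suspicious": suspicious,
    }


# Constructed sample: gibberish filler lines interleaved with a command
# that is only assembled at run time. It reconstructs a harmless "echo".
OBFUSCATED_SAMPLE = r"""
@echo off
set "v=done"
qzmpl wrx tbfk
set "c=e"
set "d=ch"
kvjr blvq ddq
set "e=o"
wqpxe ukrj
%c%%d%%e% %v:~0,2%
lmqt rqxc zzb
%c%%d%%e% %v%
"""

# Constructed sample: an ordinary backup script for comparison.
CLEAN_SAMPLE = r"""
@echo off
setlocal
set "LOG=%TEMP%\backup.log"
if not exist "%LOG%" type nul > "%LOG%"
echo Starting backup >> "%LOG%"
robocopy C:\Data D:\Backup /MIR >> "%LOG%"
if errorlevel 8 goto :fail
echo Backup completed >> "%LOG%"
exit /b 0
:fail
echo Backup failed >> "%LOG%"
exit /b 1
"""

if __name__ == "__main__":
    for name, sample in (("obfuscated", OBFUSCATED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, analyse_batch(sample))
```

The scanner is deliberately static: it never executes the script, so it can run over quarantined NSIS extraction directories or mail-gateway attachments. Scripts that invoke commands via variable expansion are counted separately from unknown tokens, because that pattern is rare in administrative batch files but is exactly what a reconstructed command looks like.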
Destructive Operations and Cloud-Native Wiping
Handala’s primary destructive toolset consists of the BiBi family of wipers and custom AI-assisted PowerShell scripts. These tools are not designed for financial extortion, but for permanent organisational damage. Their custom wipers operate by iterating through the file system, terminating processes that are locking files, and overwriting file contents in 4096-byte chunks with random data.
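The overwrite pattern just described (fixed 4096-byte blocks of random data written across many files in quick succession) is distinguishable from normal file activity by two properties: the written blocks have near-maximal byte entropy, and a single process touches an unusually large number of distinct files in a short window. The detector below is an added example written for this article, not code from Handala's tooling or from any EDR vendor; the event layout (`ts`, `pid`, `image`, `path`, `data`) stands in for whatever file-write telemetry a sensor provides, the sample events are constructed, and all thresholds are assumptions.

```python
import math
import random
from collections import defaultdict

CHUNK_SIZE = 4096             # block size the article attributes to the wipers
ENTROPY_THRESHOLD = 7.5       # bits/byte; uniform random data scores about 7.95
DISTINCT_FILE_THRESHOLD = 20  # assumed: distinct files overwritten before alerting
WINDOW_SECONDS = 60.0         # assumed sliding window per process


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_wiper_like_writes(events):
    """Return one alert per (pid, image) that wrote high-entropy CHUNK_SIZE
    blocks to at least DISTINCT_FILE_THRESHOLD distinct files within
    WINDOW_SECONDS. Events are dicts with ts, pid, image, path, data."""
    recent = defaultdict(list)  # (pid, image) -> [(ts, path), ...]
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        data = ev["data"]
        # only exact-size, random-looking blocks count towards the score
        if len(data) != CHUNK_SIZE or shannon_entropy(data) < ENTROPY_THRESHOLD:
            continue
        key = (ev["pid"], ev["image"])
        window = recent[key]
        window.append((ev["ts"], ev["path"]))
        while window and window[0][0] < ev["ts"] - WINDOW_SECONDS:
            window.pop(0)
        distinct = {path for _, path in window}
        if len(distinct) >= DISTINCT_FILE_THRESHOLD:
            alert = alerts.setdefault(key, {
                "pid": key[0], "image": key[1],
                "first_ts": window[0][0], "last_ts": None, "distinct_files": 0,
            })
            alert["distinct_files"] = max(alert["distinct_files"], len(distinct))
            alert["last_ts"] = ev["ts"]
    return list(alerts.values())


def build_sample_events():
    """Constructed telemetry: one wiper-like process, two benign ones."""
    rng = random.Random(2025)

    def rand_chunk():
        return bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE))

    text_chunk = (b"quarterly report draft, section 3: revenue by region\n" * 100)[:CHUNK_SIZE]
    events = []
    # 30 distinct documents each overwritten with a random 4096-byte block
    for i in range(30):
        events.append({"ts": 1000.0 + i, "pid": 4242, "image": "unknown_dropper.exe",
                       "path": f"C:\\Users\\alice\\Documents\\file{i:02d}.docx",
                       "data": rand_chunk()})
    # a word processor saving plain text to a single file (low entropy)
    for i in range(5):
        events.append({"ts": 1000.0 + i, "pid": 3100, "image": "WINWORD.EXE",
                       "path": "C:\\Users\\alice\\Documents\\report.docx",
                       "data": text_chunk})
    # an archiver streaming compressed (high-entropy) data into ONE file
    for i in range(40):
        events.append({"ts": 1000.0 + i * 0.5, "pid": 2200, "image": "7z.exe",
                       "path": "C:\\Users\\alice\\archive.7z",
                       "data": rand_chunk()})
    return events


if __name__ == "__main__":
    for alert in detect_wiper_like_writes(build_sample_events()):
        print(alert)
```

The archiver case is included on purpose: compressed output is just as high-entropy as random data, so entropy alone would generate constant false positives. Requiring many distinct target files inside the window is what separates a wiper's traversal from legitimate bulk writes, and it also covers the process-termination step the article mentions, since files only become writable to the wiper after their owning process is killed.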
The Shift to Cloud-Native Destruction
In recent campaigns, notably the attack against medical technology giant Stryker, Handala demonstrated a devastating shift in tactics: Cloud-Native Destruction.
Rather than deploying traditional wiper malware endpoint-by-endpoint, the group gained administrative access to the victim's Microsoft Intune console—a cloud-based mobile device management (MDM) platform. By hijacking this central management plane, Handala effectively weaponised the organisation's own administrative tools to issue a simultaneous "Remote Wipe" command, reportedly wiping over 200,000 corporate laptops and mobile devices globally without needing to deploy a single piece of custom malware.
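Because the wipe was issued through the organisation's own management plane, the only place it could have been caught early is the MDM audit trail: a single identity issuing destructive device actions at a rate no administrator would. The detector below is an added example written for this article and is not Microsoft's code nor a published Stryker indicator. The record layout loosely mirrors the `auditEvent` objects Intune exposes through Microsoft Graph (`activityType`, `activityDateTime`, `actor`, `resources`), but the exact field values, the `activityType` strings, the actor names, the window and the threshold are all assumptions or constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=15)          # assumed sliding window per actor
THRESHOLD = 5                           # assumed: destructive actions per window
DESTRUCTIVE_KEYWORDS = ("wipe", "retire")


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_destructive(event: dict) -> bool:
    activity = event.get("activityType", "").lower()
    return any(word in activity for word in DESTRUCTIVE_KEYWORDS)


def actor_id(event: dict) -> str:
    actor = event.get("actor", {})
    return (actor.get("userPrincipalName")
            or actor.get("applicationDisplayName")
            or "unknown")


def detect_bulk_wipes(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per actor that issued >= threshold wipe/retire
    actions inside any `window`-long period of the audit log."""
    per_actor = defaultdict(deque)  # actor -> deque of (ts, device names)
    alerts = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["activityDateTime"])):
        if not is_destructive(ev):
            continue
        actor = actor_id(ev)
        ts = parse_ts(ev["activityDateTime"])
        devices = [r.get("displayName", "?") for r in ev.get("resources", [])]
        q = per_actor[actor]
        q.append((ts, devices))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(actor, {
                "actor": actor, "first": q[0][0].isoformat(),
                "last": None, "actions_in_window": 0, "sample_devices": [],
            })
            alert["actions_in_window"] = max(alert["actions_in_window"], len(q))
            alert["last"] = ts.isoformat()
            alert["sample_devices"] = [d for _, ds in list(q)[:3] for d in ds]
    return list(alerts.values())


def build_sample_audit_events():
    """Constructed audit records: one runaway identity, one routine admin."""
    base = datetime(2025, 1, 1, 2, 0, tzinfo=timezone.utc)

    def iso(dt):
        return dt.isoformat().replace("+00:00", "Z")

    events = []
    # a helpdesk identity issuing 25 wipes four seconds apart (constructed)
    for i in range(25):
        events.append({
            "activityType": "Wipe ManagedDevice",
            "activityDateTime": iso(base + timedelta(seconds=4 * i)),
            "actor": {"userPrincipalName": "svc-helpdesk@contoso.example"},
            "resources": [{"displayName": f"LAPTOP-{i:04d}"}],
        })
    # routine device retirements by a named admin, hours apart
    for hours in (-6, 6):
        events.append({
            "activityType": "Retire ManagedDevice",
            "activityDateTime": iso(base + timedelta(hours=hours)),
            "actor": {"userPrincipalName": "it.admin@contoso.example"},
            "resources": [{"displayName": "LAPTOP-OLD01"}],
        })
    # a non-destructive change that must be ignored entirely
    events.append({
        "activityType": "Create DeviceConfiguration",
        "activityDateTime": iso(base),
        "actor": {"userPrincipalName": "it.admin@contoso.example"},
        "resources": [{"displayName": "Baseline policy"}],
    })
    return events


if __name__ == "__main__":
    for alert in detect_bulk_wipes(build_sample_audit_events()):
        print(alert)
```

In practice the input would be the audit events pulled from Graph or forwarded to a SIEM, and the alert should be wired to an automated response that suspends the actor's sessions and revokes its Intune role assignment, since at the rate shown here the window for manual review is seconds, not minutes. Keying on the actor rather than the device is deliberate: the whole point of the management-plane attack is that every device looks like a normal wipe on its own.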
Recommendations
To defend against Handala's rapid intrusion and cloud-native destruction capabilities, organisations should prioritise the following mitigations:
- Secure Identity and Central Management Platforms: Treat cloud management portals (like Intune and Azure/Entra ID) as Tier-0 assets. Ensure "Global Admin" and "Intune Admin" roles are strictly protected by FIDO2 or phishing-resistant MFA.
- Restrict Wipe Permissions: Implement Multi-Admin Approvals in Intune. Limit who can issue "Wipe" or "Retire" commands and require Privileged Identity Management (PIM) for these highly sensitive roles.
- Maintain Offline/Immutable Backups: Because this actor focuses purely on destruction rather than extortion, having an offline, air-gapped, and immutable backup that is completely disconnected from your Entra ID/Intune environment is critical for recovery.
- Zero-Trust for Partner Updates: Treat urgent "security updates" or software patches arriving via email with zero-trust, adding strict verification workflows even if they appear to originate from known suppliers.
- Vulnerability Management: Ensure all internet-facing appliances (especially VPNs and Exchange servers) are patched rapidly, as the group actively targets known CVEs for initial footholds.