Handala: one of the faces of pro-government hacktivism in Iran

Telsy, TS-WAY Cyber Threat Intelligence (Threat Discovery)

During the first month of the war launched by Israel and the United States against Iran, two groups—Handala and Homeland Justice—stood out among pro-Tehran collectives. Analysts have long linked both to Void Manticore, an adversary affiliated with the MOIS (Ministry of Intelligence and National Security), which uses them as monikers in specific campaigns.

The two groups present themselves as hacktivist forces, highly specialized and clearly identifiable, operating in PsyOps contexts. Homeland Justice, which has been discussed previously, appears to focus almost exclusively on the MEK (Mojahedin-e Khalq) and has repeatedly targeted Albania, where the dissident militia has been compelled to establish its fortified enclave.

Handala, on the other hand, has recently shown a preference for hack-and-leak operations targeting major industrial and government entities.


Handala targets Stryker, the FBI, and Lockheed Martin

Active since at least December 2023, Handala takes its name from a character created by Palestinian artist Naji al-Ali: a 10-year-old boy with spiky hair, bare feet, and patched clothes, typically depicted from behind with his hands clasped behind his back.

The group came into the spotlight following a destructive attack on March 11 against the American giant Stryker. The offensive initially targeted the company’s mobile device management platform (Microsoft Intune), aiming to trigger remote wiping across all corporate endpoints using the legitimate Remote Wipe command. At the same time, the group reportedly deployed its custom wiper (FuxSocy). Access to Stryker’s Microsoft environment was allegedly achieved through an adversary-in-the-middle (AitM) phishing campaign aimed at administrative session tokens, effectively bypassing multi-factor authentication (MFA).
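The wipe described above abuses a legitimate administrative capability, so the useful detection is behavioural: a single identity issuing an unusual burst of destructive device actions, possibly from a network location that admins never use. The script below is an added example written for this article, not Telsy's code or a Microsoft-provided tool. The audit records, their field names (`timestamp`, `actor`, `action`, `device`, `ip`) and the admin network range are all constructed for illustration; a real deployment would map them onto the MDM's actual audit schema.

```python
"""Sliding-window detection of mass remote-wipe activity in MDM audit logs.

Added example; record layout and field names are hypothetical and must be
mapped to the real MDM audit schema before use.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Device actions that destroy data on an endpoint. A burst of these from one
# admin identity is the signal worth alerting on, whatever the tooling.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "reset"}

# Networks from which legitimate administrators normally operate (constructed).
KNOWN_ADMIN_NETS = [ip_network("10.0.0.0/8")]

# Constructed audit records: six wipes by one admin within a few minutes, from
# an address outside the admin network, plus routine activity by others.
SAMPLE_EVENTS = [
    {"timestamp": "2026-03-11T09:00:00Z", "actor": "it-admin@corp.example", "action": "wipe",   "device": "LT-0001", "ip": "198.51.100.7"},
    {"timestamp": "2026-03-11T09:00:30Z", "actor": "it-admin@corp.example", "action": "wipe",   "device": "LT-0002", "ip": "198.51.100.7"},
    {"timestamp": "2026-03-11T09:00:45Z", "actor": "helpdesk@corp.example", "action": "sync",   "device": "LT-0100", "ip": "10.1.2.3"},
    {"timestamp": "2026-03-11T09:01:00Z", "actor": "it-admin@corp.example", "action": "wipe",   "device": "LT-0003", "ip": "198.51.100.7"},
    {"timestamp": "2026-03-11T09:01:30Z", "actor": "it-admin@corp.example", "action": "wipe",   "device": "LT-0004", "ip": "198.51.100.7"},
    {"timestamp": "2026-03-11T09:02:00Z", "actor": "it-admin@corp.example", "action": "wipe",   "device": "LT-0005", "ip": "198.51.100.7"},
    {"timestamp": "2026-03-11T09:02:30Z", "actor": "it-admin@corp.example", "action": "wipe",   "device": "LT-0006", "ip": "198.51.100.7"},
    {"timestamp": "2026-03-11T09:05:00Z", "actor": "helpdesk@corp.example", "action": "retire", "device": "LT-0101", "ip": "10.1.2.3"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def from_unknown_network(ip):
    """True when the source address is outside every known admin network."""
    addr = ip_address(ip)
    return not any(addr in net for net in KNOWN_ADMIN_NETS)


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor whose destructive actions reach `threshold`
    within any sliding `window`. Events may arrive in any order."""
    recent = defaultdict(deque)   # actor -> timestamps still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        if ev["action"].lower() not in DESTRUCTIVE_ACTIONS:
            continue
        actor, ts = ev["actor"], parse_ts(ev["timestamp"])
        q = recent[actor]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            # Overwrite so the alert reflects the full size of the burst.
            alerts[actor] = {
                "actor": actor,
                "count": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
                "source_ip": ev["ip"],
                "unknown_network": from_unknown_network(ev["ip"]),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are tuning knobs: a fleet that routinely retires devices in batches needs a higher threshold, while the `unknown_network` flag is worth treating as a separate, higher-severity condition because a wipe issued from an address administrators never use is consistent with a stolen session token rather than a mistaken admin.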

The company—one of the world’s leading medical device manufacturers, with over 56,000 employees across more than 60 countries—reportedly suffered the deletion of 200,000 systems, servers, and mobile devices, along with the breach of 50 TB of critical data, leading to a global disruption of operations.

In its claim of responsibility, Handala stated it acted in response to the brutal attack on the Minab school (during the early phase of “Epic Fury”) and to cyberattacks against the infrastructure of the so-called Axis of Resistance. It also accused Stryker of having “Zionist roots” (Bloomberg notes that in 2019 Stryker acquired the Israeli company Orthospace and last year signed a $450 million military contract with the United States).

Subsequently, the FBI seized and shut down two websites linked to Handala, triggering a series of retaliatory actions. The group posted a threatening message on Telegram directed at the agency, announcing an imminent breach and using intimidating rhetoric to challenge the FBI’s cybersecurity capabilities.

Shortly afterward, the group’s Telegram channel became inaccessible. However, Handala quickly launched a new channel, claiming to possess information belonging to FBI Director Kash Patel. The claim referenced emails, conversations, and documents, along with an alleged proof-of-concept of the breach. The FBI confirmed it was aware of malicious activity targeting Director Patel’s personal email account.

At the end of March, Handala carried out another hack-and-leak operation with explicit intimidation goals against Lockheed Martin, targeting U.S. engineers working in Israel on advanced military programs (F-35, F-22, THAAD).

In the initial phase, the group released a teaser message to amplify media impact and suggest a compromise. It later claimed a data breach involving the exposure of sensitive personal data of around thirty individuals. According to the group, the data were used to directly contact some victims, demonstrating access and increasing psychological pressure. The operation included calls to cease activities and leave Israel, along with explicit threats of physical retaliation extending to family members in the United States.


Between “infrastructure warfare” and PsyOps

The attack on Stryker is significant for several reasons. Technically, it stands out for its use of legitimate native tools, allowing it to evade detection by major security solutions. It is also notable for the scale and nature of the target, which serves over 150 million patients through medical devices and healthcare services.

These elements confirm the group’s strong inclination toward psychological operations, a characteristic already associated with pro-Iranian cyber actors more broadly. They also point to a concerning evolution in Iranian doctrine toward “infrastructure warfare,” based on a hybrid model combining digital intrusion with physical disruption.

According to some reports, the most serious impact may have been the disruption of the LifeNet ECG transmission platform, used by paramedics to send cardiac data to emergency departments before patient arrival. Its temporary shutdown reportedly forced emergency teams to rely on manual radio communication, potentially putting patients’ lives at risk.


TS-Intelligence


The information reported is the result of the collection and analysis work carried out by the specialists of Telsy’s Threat Intelligence & Response team with the support of the TS-Intelligence platform, a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.

It is available as a web-based and full-API platform, designed to be integrated into the organization’s systems and defensive infrastructures, with the goal of enhancing protection against complex cyber threats.

The platform’s continuous research and analysis on threat actors and emerging online threats—whether APTs or cybercrime—produces a constant stream of exclusive intelligence, delivered in real time and structured into technical, strategic, and executive reports.
