US Confirms Handala Link to Iran Government Amid Takedown of Hackers’ Sites

Summary

The US government officially confirmed that the Handala hacker group is linked to Iran's Ministry of Intelligence and Security (MOIS), operating as a cover for state-sponsored threat actor Void Manticore. The Justice Department seized four domains used by Handala for psychological operations targeting adversaries of the Iranian regime, including attacks on critical infrastructure like Stryker medical systems and Israeli entities.

Full text

The United States government has for the first time officially linked the notorious Handala hacker group to the Iranian government. The announcement came amid the takedown of several websites used by Handala. Handala has been on the radar of cybersecurity firms for years, but it gained widespread attention in recent days after ramping up its activity following the start of the US-Israel-Iran conflict. Handala has allegedly launched many attacks against Israel, including wiping military weather servers, hijacking security camera feeds, exfiltrating and deleting corporate data, publicly exposing details of intelligence personnel, and compromising an oil and gas exploration firm. However, its best-known attack targeted the US-based medical technology giant Stryker, causing significant disruption after wiping thousands of its systems. Handala portrays itself as a pro-Palestinian hacktivist group motivated by anti-Israeli ideology. The cybersecurity community, however, widely regards it as a cover for Void Manticore, an Iranian state-sponsored threat actor believed to operate under the direction of Iran’s Ministry of Intelligence and Security (MOIS). The Justice Department has now confirmed the connection between Handala and Iran’s MOIS, after it took down four websites used by the hacker group for psychological operations.Advertisement. Scroll to continue reading. Specifically, authorities seized four domains: Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to. The Justice Department said Iran’s MOIS used the seized websites “in furtherance of attempted psychological operations targeting adversaries of the regime by claiming credit for hacking activity, posting sensitive data stolen during such hacks, and calling for the killing of journalists, regime dissidents, and Israeli persons”. An X account used by the hacker group was also suspended in recent days. The US Department of State is offering a reward of up to $10 million for information on foreign hackers who target critical infrastructure. Related: Aisuru and Kimwolf DDoS Botnets Disrupted in International Operation Related: Tycoon 2FA Phishing Platform Dismantled in Global Takedown Related: RedVDS Cybercrime Service Disrupted by Microsoft and Law Enforcement Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Marquis Data Breach Affects 672,000 IndividualsCISA Warns of Attacks Exploiting Recent SharePoint VulnerabilityCisco Firewall Vulnerability Exploited as Zero-Day in Interlock Ransomware AttacksIranian Hackers Likely Used Malware-Stolen Credentials in Stryker BreachResearcher Discovers 4th WhatsApp View Once Bypass; Meta Won’t PatchUK Companies House Exposed Details of Millions of Firms Google, Meta, Microsoft Among Signatories of Pact to Combat ScamsOracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential Impact Latest News Cape Raises $100 Million for Protection Against Cellular Security ThreatsNavia Data Breach Impacts 2.7 MillionThousands of Magento Sites Hit in Ongoing Defacement CampaignAllure Security Raises $17 Million for Online Brand ProtectionCritical Langflow Vulnerability Exploited Hours After Public DisclosureAisuru and Kimwolf DDoS Botnets Disrupted in International OperationOasis Security Raises $120 Million for Agentic Access Management1stProtect Emerges From Stealth With $20 Million in Funding Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveKai has named Alfredo Hickman as Chief Information Security Officer.Gleb Reznik is replacing Fred Gibbins as the CISO at American Express.HITRUST has appointed Sean Foster as CRO and Marc Solomon as CMO.More People On The MoveExpert Insights The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• domain — Justicehomeland.org
• domain — Handala-Hack.to
• domain — Karmabelow80.org
• domain — Handala-Redwanted.to
• malware — Void Manticore
• malware — Handala