{ "id": "1a3cd54f-ee9a-4f29-8bf1-4ee3b78205be", "created_at": "2026-04-06T00:17:00.935912Z", "updated_at": "2026-04-10T13:12:45.44277Z", "deleted_at": null, "sha1_hash": "70037c9ff2008bbeed5553fcda065a55259bd9c1", "title": "Hamsa Wiper - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45315, "plain_text": "Hamsa Wiper - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 10:45:10 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Hamsa Wiper\n Tool: Hamsa Wiper\nNames Hamsa Wiper\nCategory Malware\nType Wiper\nDescription\n(Intezer) After masquerading as a routine update, the script strategically pauses for 30 minutes.\nThis delay creates a deceptive appearance of typical system behavior during this period. In the\nmeantime, the script accomplishes reconnaissance to identify the Linux distribution in use,\nwhether it be Red Hat, Ubuntu, or Debian. Subsequently, it quietly installs necessary tools,\nsuch as xfsprogs, wipe, and parted, which are pivotal for later tasks involving disk partition\nmanipulation and the secure erasure of data.\nLike its Windows variant, this wiper version transmits data to the same Telegram channel. The\nshared information aligns with what’s sent by the Windows variant but adds specific details,\nsuch as the system directory’s drive letter and prepared information on disk space. The data is\norganized with clear headers and separators to facilitate understanding, forming a structured\nlog that allows the attackers to track and assess the impact of their infiltration.\nInformation Last change to this tool card: 16 January 2024\nDownload this tool card in JSON format\nAll groups using tool Hamsa Wiper\nChanged Name Country Observed\nOther groups\n Handala Hack Team [Unknown] 2023-Dec 2023\n1 group listed (0 APT, 1 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e1054c22-a722-4645-9807-b4212f86beb0\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e1054c22-a722-4645-9807-b4212f86beb0\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e1054c22-a722-4645-9807-b4212f86beb0\r\nPage 2 of 2\n\nOther groups Handala Hack Team [Unknown] 2023-Dec 2023\n1 group listed (0 APT, 1 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=e1054c22-a722-4645-9807-b4212f86beb0" ], "report_names": [ "listgroups.cgi?u=e1054c22-a722-4645-9807-b4212f86beb0" ], "threat_actors": [ { "id": "d0fef355-9eb9-4adc-8d90-a8c7494c4a81", "created_at": "2024-01-18T02:02:34.735032Z", "updated_at": "2026-04-10T02:00:05.011663Z", "deleted_at": null, "main_name": "Handala Hack Team", "aliases": [ "Operation HamsaUpdate" ], "source_name": "ETDA:Handala Hack Team", "tools": [ "Hamsa Wiper", "Handala", "Hatef Wiper" ], "source_id": "ETDA", "reports": null }, { "id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4", "created_at": "2024-10-04T02:00:04.766263Z", "updated_at": "2026-04-10T02:00:03.715945Z", "deleted_at": null, "main_name": "Handala", "aliases": [], "source_name": "MISPGALAXY:Handala", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb", "created_at": "2025-08-07T02:03:24.769383Z", "updated_at": "2026-04-10T02:00:03.860954Z", "deleted_at": null, "main_name": "COBALT MYSTIQUE", "aliases": [ "Banished Kitten ", "DEV-0842 ", "Druidfly ", "Handala Hack Team", "Homeland Justice", "Karmabelow80", "Red Sandstorm ", "Storm-0842 ", "Void Manticore " ], "source_name": "Secureworks:COBALT MYSTIQUE", "tools": [ "AllinOneNeo", "Bibi", "GramPy", "GramPyLoader" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434620, "ts_updated_at": 1775826765, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/70037c9ff2008bbeed5553fcda065a55259bd9c1.pdf", "text": "https://archive.orkl.eu/70037c9ff2008bbeed5553fcda065a55259bd9c1.txt", "img": "https://archive.orkl.eu/70037c9ff2008bbeed5553fcda065a55259bd9c1.jpg" } }