{
	"id": "91cae635-9210-49fb-ae6d-82a6e8d68d52",
	"created_at": "2026-04-29T02:20:55.315597Z",
	"updated_at": "2026-04-29T08:21:18.675109Z",
	"deleted_at": null,
	"sha1_hash": "82147dccc5d9fade824c1f4aabb9cc56e67aff0c",
	"title": "Handala: MOIS Linked Cyber Influence Ecosystem Threat Intelligence Assessment",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5867548,
	"plain_text": "Handala: MOIS Linked Cyber Influence Ecosystem Threat\r\nIntelligence Assessment\r\nBy DomainTools\r\nPublished: 2026-04-06 · Archived: 2026-04-29 02:11:53 UTC\r\nOperational Structure and Attribution\r\nThe activity attributed to Homeland Justice, Karma/KarmaBelow80, and Handala is most accurately assessed as a\r\nsingle, coordinated cyber influence ecosystem aligned with Iran’s Ministry of Intelligence and Security (MOIS;\r\nوزارت اطلاعات جمهوری اسلامی ایران), rather than a collection of independent hacktivist groups. These personas function\r\nas interchangeable operational veneers applied to a consistent underlying capability. Their purpose is not to reflect\r\norganizational separation, but to enable segmentation of messaging, targeting, and attribution while preserving\r\ncontinuity of infrastructure and tradecraft.\r\nThe use of the name “Handala” itself reinforces the ideological framing of the campaign. Handala (حنظلة) is a\r\nwell-known Palestinian symbol created by cartoonist Naji al-Ali, depicting a barefoot child who has turned his\r\nback on the world in protest of injustice and dispossession. Within the context of this cyber campaign, the\r\nadoption of the Handala identity serves to anchor operations within a broader “resistance” narrative, signaling\r\nalignment with anti-Israeli and anti-Western themes while providing a culturally resonant and emotionally charged\r\nbrand for influence operations.\r\nAcross all observed phases, the actors exhibit clear temporal continuity, shared infrastructure patterns, and a\r\nrepeatable operational workflow. The persistence of these elements, despite rebranding, indicates centralized\r\ndirection and capability management. The use of multiple identities is therefore best understood as a mechanism\r\nfor narrative flexibility and operational deniability, rather than evidence of distinct actor groups.\r\nEvolution of the Operational Model\r\nThe campaign first became visible under the Homeland Justice brand during the 2022 Albania operations, which\r\nestablished its foundational model: long-term access, structured data exfiltration, destructive or disruptive action,\r\nand immediate public disclosure. From the outset, technical operations were tightly coupled with messaging,\r\nindicating that disruption alone was not the objective. Instead, cyber activity was used to enable narrative\r\nexploitation and psychological impact.\r\nhttps://dti.domaintools.com/research/handala-mois-linked-cyber-influence-ecosystem-threat-intelligence-assessment\r\nPage 1 of 10\r\n[Figure: Homeland Justice 2023 aka Handala Albanian Operations]\r\nSubsequent phases reflect an additive evolution rather than a replacement of capabilities. The Karma phase\r\nintroduced a hybrid execution model combining custom tooling, publicly available utilities, and hands-on-keyboard\r\ntradecraft. This increased operational flexibility and reduced reliance on bespoke malware. The Handala\r\nphase further expanded this model into a multi-vector framework integrating destruction, surveillance, and\r\ninfluence operations. The addition of Telegram-based command-and-control and surveillance tooling marked a\r\nshift toward persistent, person-centric targeting, extending the campaign’s reach beyond institutions to individuals.\r\nConvergence of Capabilities\r\nRecent activity demonstrates a convergence of previously distinct operational components into a unified\r\nframework. Intrusion, surveillance, disruption, and influence are no longer sequential phases, but simultaneous\r\nand interdependent functions. The Stryker incident illustrates this evolution, where large-scale data exfiltration,\r\nenterprise-level disruption through administrative control systems, and immediate narrative amplification were\r\nexecuted in a tightly integrated manner.\r\nThis shift reflects a broader transition away from malware-centric operations toward identity and access\r\ncompromise at the control-plane level, enabling rapid, scalable impact with minimal reliance on detectable\r\nartifacts. It also demonstrates an increased ability to align technical execution with strategic messaging in near real\r\ntime.\r\nInfrastructure and Amplification Model\r\nThe ecosystem is supported by a layered infrastructure designed to separate operational functions while\r\nmaintaining resilience. Public-facing domains and Telegram channels act as dissemination and amplification\r\nnodes, where messaging is curated, claims are published, and stolen data is selectively exposed. These platforms\r\nare integral to the operational workflow, bridging the gap between technical compromise and public perception.\r\n[Figure: Twitter April 2026 Amplification account]\r\n[Figure: Telegram Amplification Accounts Over Time]\r\nInfrastructure is intentionally ephemeral. Domains are frequently rotated, and personas are rebranded or\r\nreactivated as needed. However, naming conventions, messaging patterns, and distribution channels remain\r\nconsistent, allowing the campaign to maintain coherence despite disruption. This results in a system where\r\ninfrastructure is disposable, but identity and narrative persist.\r\nOperational Effects and Impact\r\nThe observable impact of this ecosystem reveals a consistent divergence between claimed and verified outcomes.\r\nWhile the actors present their operations as large-scale destructive intrusions, confirmed system-level disruption is\r\nrelatively rare. Instead, the majority of activity produces data exposure, reputational damage, and psychological\r\npressure, often targeting both institutions and individuals.\r\n[Figure: Media hype cycle of the low-hanging-fruit hack of the FBI director’s 2009 email account]\r\n[Figure: Sensationalized Reward Offer for Trump or Netanyahu 2026]\r\nMany claims remain partially verified or unverified, yet still generate significant downstream effects.\r\nOrganizations are compelled to investigate and respond, media coverage amplifies the narrative, and uncertainty is\r\nsustained. In practice, the perception of compromise often produces effects equivalent to confirmed compromise,\r\nenabling the actors to achieve disproportionate impact relative to their demonstrated technical capability.\r\nRole of Telegram and Surveillance Integration\r\nTelegram plays a central role within this ecosystem as both a command-and-control channel and a public\r\ndissemination platform. By leveraging a widely trusted service, the actors reduce infrastructure overhead and\r\nincrease operational resilience. Malware can communicate with operator-controlled bots using encrypted channels\r\nindistinguishable from legitimate traffic, while Telegram channels simultaneously serve as hubs for messaging and\r\namplification.\r\nThe integration of surveillance capabilities further expands the campaign’s scope. Trojanized applications and\r\nuser-targeted lures enable persistent monitoring of individuals, particularly dissidents and opposition networks.\r\nThis allows the actors to move seamlessly from covert collection to overt exposure, reinforcing the link between\r\ntechnical activity and psychological pressure.\r\nStrategic Assessment\r\nThis ecosystem represents a state-directed instrument of cyber-enabled influence, in which technical operations\r\nare tightly integrated with narrative manipulation and media amplification dynamics to achieve coercive and\r\nstrategic effects. Intrusion enables access, access enables collection, and collection enables controlled disclosure.\r\nHowever, the decisive phase is the conversion of that disclosure into a high-visibility narrative event. Incidents\r\nsuch as the compromise of Kash Patel demonstrate how relatively limited technical access can be operationalized\r\nthrough the modern news cycle, where rapid reporting, social media propagation, and secondary analysis amplify\r\nthe perceived scale and significance of the breach. In this model, the hype cycle is not incidental; it is a core\r\ncomponent of the operation, transforming modest compromises into strategic effects.\r\nThe maintenance of multiple concurrent personas, the rapid regeneration of infrastructure, and the consistent\r\nintegration of cyber and information operations indicate a mature and adaptive capability optimized for this\r\nenvironment. These personas allow the actors to continuously seed new events into the information ecosystem,\r\nwhile disposable domains and Telegram channels ensure persistence of messaging even as infrastructure is\r\ndisrupted. Each operation is effectively designed as a trigger for a predictable amplification loop: initial claim,\r\nmedia pickup, public discourse, and institutional response. This loop imposes reputational and operational costs\r\non targets regardless of the underlying technical depth.\r\nAs a result, the system can be activated, scaled, or redirected in response to geopolitical conditions with minimal\r\nreliance on sustained intrusion capability. Its effectiveness lies in the ability to synchronize cyber activity with the\r\ntempo of the information environment, using the hype cycle to magnify impact across multiple theaters and target\r\nsets. In practical terms, this means that perception, attention, and narrative momentum are treated as operational\r\nobjectives on par with access and disruption, allowing the actors to remain effective even when technical\r\noutcomes are limited.\r\nConclusion\r\nHomeland Justice, Karma, and Handala should be treated as components of a unified operational apparatus, not\r\ndiscrete threat actors. Their effectiveness does not derive from sustained technical superiority or advanced\r\nintrusion tradecraft, but from their ability to fuse low-to-moderate cyber capability with disciplined psychological\r\nand informational operations to create a cohesive and scalable system.\r\nAcross observed incidents, the underlying modus operandi is consistent with opportunistic, identity-layer\r\ncompromise rather than sophisticated exploitation. Initial access is frequently achieved through relatively\r\nlow-complexity methods such as password guessing, credential stuffing, phishing, exploitation of weak or reused\r\ncredentials, and poor security hygiene in externally exposed services. Even in higher-impact cases such as Stryker\r\nCorporation, the available indicators suggest that compromise likely originated from weak identity and access\r\ncontrols or misconfigured management infrastructure, rather than novel vulnerabilities or advanced malware\r\ndeployment. This aligns with a broader pattern in which targets are selected not for hardened defenses, but for\r\naccessible attack surfaces and exploitable operational gaps.\r\nIn this sense, these actors operate closer to low-tier intrusion crews or access brokers in their technical execution.\r\nHowever, what differentiates them is not how they gain access, but what they do with it. Limited footholds – often\r\nno more than a compromised account, exposed dataset, or peripheral system – are systematically transformed into\r\nhack-and-leak operations designed for maximum psychological and media impact. Small or ambiguous datasets\r\nare framed as large-scale breaches; partial access is presented as systemic compromise; and unverified claims are\r\nreleased in ways that ensure rapid amplification.\r\nThis is where the integration with influence operations becomes decisive. The ecosystem relies heavily on timing,\r\nnarrative construction, and media exploitation to convert low-level technical events into high-visibility incidents.\r\nThe breach and leak involving Kash Patel is illustrative: a compromise of a personal account technically limited in\r\nscope was rapidly elevated into a widely covered event, generating disproportionate attention relative to its\r\ntechnical impact. This reflects a deliberate strategy in which the news cycle functions as an extension of the\r\noperation, amplifying reach and reinforcing perceived capability.\r\nTargets are therefore often targets of opportunity, selected for their symbolic value, media relevance, or potential\r\nto generate secondary effects. The objective is not persistent access or long-term control, but event generation,\r\ncreating moments that can be exploited for narrative gain. Each operation is structured to trigger a predictable\r\nresponse cycle: disclosure, media coverage, public reaction, and institutional response. This cycle imposes real\r\ncosts on victims and defenders, regardless of the underlying technical depth of the compromise.\r\nThe result is a model in which technical simplicity coexists with strategic effectiveness. Low-level intrusions,\r\nwhen paired with coordinated amplification and ambiguity, produce outcomes typically associated with more\r\nadvanced actors. The distinction between hacking and influence is therefore not incidental but intentional. Cyber\r\nactivity provides the entry point, but the primary objective is the shaping of perception, the erosion of confidence,\r\nand the projection of capability.\r\nThis approach reflects a broader evolution in state-aligned cyber operations. Rather than investing exclusively in\r\nhigh-end capabilities, actors can achieve comparable strategic effects by combining accessible intrusion\r\ntechniques with sophisticated information operations. In this framework, success is measured not by the depth of\r\ncompromise, but by the ability to control the narrative surrounding that compromise.\r\nAccordingly, Homeland Justice, Karma, and Handala should be understood not as elite intrusion actors, but as\r\nhybrid operators leveraging low-cost cyber access to generate high-impact psychological effects. Their\r\nsignificance lies in demonstrating that, in the current information environment, perception can be weaponized as\r\neffectively as technical capability. Furthermore, it demonstrates that even modest breaches can be scaled into\r\nstrategic events when amplified through media and narrative control.\r\nSource: https://dti.domaintools.com/research/handala-mois-linked-cyber-influence-ecosystem-threat-intelligence-assessment",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://dti.domaintools.com/research/handala-mois-linked-cyber-influence-ecosystem-threat-intelligence-assessment"
	],
	"report_names": [
		"handala-mois-linked-cyber-influence-ecosystem-threat-intelligence-assessment"
	],
	"threat_actors": [
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-29T06:58:56.933227Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "704af71f-d1ed-4252-88a9-d23a17e4b7b4",
			"created_at": "2026-04-29T02:00:04.621965Z",
			"updated_at": "2026-04-29T06:58:57.779286Z",
			"deleted_at": null,
			"main_name": "VOID MANTICORE",
			"aliases": [
				"VOID MANTICORE",
				"COBALT MYSTIQUE",
				"Handala Hack",
				"Homeland Justice",
				"Karma",
				"Karmabelow80",
				"BANISHED KITTEN",
				"Red Sandstorm"
			],
			"source_name": "MITRE:VOID MANTICORE",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-29T06:58:56.744414Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-29T06:58:57.946937Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-29T06:58:57.629299Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten",
				"DEV-0842",
				"Druidfly",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1777429255,
	"ts_updated_at": 1777450878,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82147dccc5d9fade824c1f4aabb9cc56e67aff0c.pdf",
		"text": "https://archive.orkl.eu/82147dccc5d9fade824c1f4aabb9cc56e67aff0c.txt",
		"img": "https://archive.orkl.eu/82147dccc5d9fade824c1f4aabb9cc56e67aff0c.jpg"
	}
}