{
	"id": "997ded77-9017-4048-9468-3301e2553eb2",
	"created_at": "2026-04-06T00:18:35.41445Z",
	"updated_at": "2026-04-10T03:28:03.184101Z",
	"deleted_at": null,
	"sha1_hash": "e74f097674517d2e8a12edaecaaef0fbec857ec5",
	"title": "Handala’s Wiper: Threat Analysis and Detections | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 11000806,
	"plain_text": "Handala’s Wiper: Threat Analysis and Detections | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2024-09-06 · Archived: 2026-04-05 19:00:51 UTC\r\nOn July 19, 2024, CrowdStrike released configuration updates for its Windows sensor, aiming to enhance security\r\nand performance. Unfortunately, this update inadvertently led to widespread downtime, manifesting as Blue\r\nScreen of Death (BSOD) on millions of machines worldwide. The BSOD, a critical system error screen, halts all\r\noperations, rendering affected systems inoperable until resolved.\r\nThis event was subsequently exploited by threat actors to launch malicious campaigns, one in particular looking to\r\ndeploy destructive wiper payloads to targeted hosts and network systems. Unlike typical cybercrime activities\r\nfocused on stealing information, these attacks were specifically designed to cause damage.\r\nOn July 20, 2024, a malware analysis platform shared a phishing attachment and a destructive wiper payload\r\nassociated with this campaign. Cisco Talos and others have reported this to be the Handala Hacking Team, which\r\nhas been active since at least December 2023.\r\nIn this blog, Cisco Talos and the Splunk Threat Research Team provide a comprehensive analysis that expands on\r\nexisting coverage and offers unique insights. 
We’ll cover:\r\nHandala wiper attribution details\r\nAn overview of Handala Hacking Team\r\nAn in-depth analysis of the campaign's attack chain, including:\r\nMapping each component of the attack chain to MITRE ATT\u0026CK Tactics and Techniques to\r\ncontextualize the threat within the broader cybersecurity landscape\r\nAn overview of the simple yet effective batch script obfuscation techniques used by the attacker to\r\nevade detection\r\nAn overview of the unconventional use of no-file-extension files in the Nullsoft Scriptable Install\r\nSystem (NSIS) package, shedding light on lesser-known attack vectors\r\nDetection strategies using Splunk's out-of-the-box security content, empowering organizations to protect\r\nagainst this wiper malware\r\nAtomic Red Team simulations for proactive testing and validation of defenses\r\nHandala Wiper Attribution Details\r\nThe Handala Hacking Team claimed responsibility for the attacks on July 21, 2024, on their data leak\r\nsite, and the activity overlaps with previously observed Handala Hacking Team tradecraft: the group used a Telegram\r\nchannel as a command and control (C2) server and used AutoIt to inject the wiper payload into a new Windows\r\nprocess.\r\nhttps://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html\r\nPage 1 of 23\n\nGroup Overview\r\nActive since at least December 18, 2023, Handala Hacking Team is a pro-Palestinian hacktivist group that has heavily\r\ntargeted Israeli organizations, including organizations that support or conduct business within Israel, since emerging\r\nin the threat landscape. Handala is the name of a character created in 1969 by political cartoonist\r\nNaji al-Ali that later became a symbol of identity and defiance for the Palestinian people. The Handala character is\r\nused by the hacktivist group across their social media accounts on Telegram, Tox and X. 
(1) (2) (3)\r\nThe Handala Hacking Team is notable for employing a wide range of sophisticated tactics and techniques,\r\nincluding data theft, phishing, extortion, website defacement and destructive attacks leveraging custom wiper\r\nmalware that targets Windows and Linux environments.\r\nThe group also operates a data leak site where data allegedly stolen during attacks is published. At least one\r\norganization publicly dismissed claims that the Handala Hacking Team attacked them or exfiltrated data from their\r\nenvironment. This indicates the group may be exaggerating claims of attacks, which is commonly observed within\r\nthe hacktivism landscape.\r\nHandala Hacking Team primarily uses phishing, including SMS, as a means of gaining initial access for their\r\nattacks. Within the phishing messages, the hacktivist group masquerades as legitimate organizations offering\r\nsupport or solutions to known issues, with malicious links or attachments. The Handala Hacking Team takes\r\nadvantage of major events and newly disclosed critical vulnerabilities to opportunistically create phishing\r\ncampaigns using advanced social engineering techniques.\r\nCisco Talos assesses with moderate confidence that at least one member of the group is fluent in Hebrew, based on\r\nthe well-crafted emails and text messages used within their attacks.\r\nAttack Chain Tactics and Techniques\r\nFigure 3 is a simple diagram that visually depicts the attack chain this campaign uses to deliver its destructive payload.\r\nFigure 3: Wiper Execution Flow (For a larger resolution of this diagram visit this link)\r\nSpear Phishing Attachment (T1566.001)\r\nThe phishing campaign utilizes a .PDF attachment to deceive users. As depicted in Figure 4, threat actors craft the\r\nPDF to entice users by presenting it as a solution to the recent downtime issue. 
The document contains a link\r\nwhich, when clicked, purportedly downloads a fix tool to resolve the BSOD problem; in reality, the link directs\r\nusers to malicious software that wipes the compromised system. This tactic underscores the social engineering\r\nstrategies used by threat actors to exploit issues during crisis events.\r\nBy examining the PDF's URI object, you can identify the malicious URL designed to download the fake fix\r\ntool or malicious payload.\r\nFigure 4: Malicious URL\r\nCommand and Scripting Interpreter (T1059)\r\nThe phishing campaign leverages a Nullsoft Scriptable Install System (NSIS) installer to help execute malicious\r\npayloads. The following is a breakdown of the NSIS installer:\r\nA user downloads what appears to be a legitimate update file (e.g., update.zip).\r\nUpon extraction, it produces an executable: a compiled NSIS installer.\r\nInitially, the extracted files may appear as meaningless or blob-like data.\r\nHowever, the NSIS script controlling the installation process often contains obfuscated commands and\r\npayloads.\r\nThe NSIS script can be crafted to implement various malicious activities, e.g.:\r\nComplex evasion techniques to avoid detection\r\nMulti-stage payload delivery\r\nPersistent infection strategies\r\nSilent installation modes for stealthy compromise\r\nCustomized user interfaces for convincing social engineering tactics\r\nThe dual nature of NSIS highlights an ongoing challenge in cybersecurity: distinguishing between legitimate\r\nsoftware and malicious payloads. 
Its plug-in system and web installation capabilities, while beneficial for modular\r\nsoftware design and updates, could potentially be misused for malware distribution or command-and-control\r\ncommunication.\r\nFigure 5: Preview of NSIS Package Files\r\nThe NSIS script contains obfuscated or \"garbage\" code to hinder static analysis and make the script harder to analyze.\r\nIt also employs stack-based techniques to initialize variables critical for its operations.\r\nFigure 6 demonstrates how the stack is leveraged to assemble and execute commands that copy the \"Carroll\" file\r\nto \"Carroll.cmd\" and subsequently execute it:\r\ncmd /k copy Carroll Carroll.cmd \u0026 Carroll.cmd \u0026 exit\r\nFigure 6: NSIS Script\r\nObfuscated Files or Information (T1027)\r\nThe \"Carroll\" file mentioned above employs a simple yet clever obfuscation technique for Windows Command\r\nShell scripts, making them challenging to analyze at first glance. This method scatters garbage or invalid Windows\r\ncommands among legitimate batch script instructions. Despite the presence of these invalid commands, the\r\nscript still runs: cmd.exe reports an error for each unrecognized command and continues with the next line, so the\r\nunderlying valid script executes. This approach effectively masks the true\r\nfunctionality of the script while allowing it to run as intended, creating a layer of complexity for analysts\r\nattempting to understand its purpose.\r\nFigure 7: Obfuscated Batch Script\r\nTime Based Evasion (T1497.003)\r\nThe batch script begins by checking for the presence of two antivirus processes—wrsa.exe (Webroot Antivirus\r\nComponent) and opssvc.exe (Quick Heal Antivirus Component)—using the tasklist command. 
If these processes\r\nare not detected, the script pauses execution for approximately 90 to 180 seconds by using\r\n“ping -n” as a delay.\r\nThe script performs an additional check for the presence of various antivirus processes on the targeted host,\r\nincluding `avastui.exe` (AVAST), `avgui.exe` (AVG), `bdservicehost.exe` (Bitdefender), `nswscsvc.exe` (Norton\r\nAV), and `sophoshealth.exe` (Sophos). If these processes are not found, the script creates a directory named\r\n`564784` and drops two files within it, which are the AutoIt components of this malware.\r\nFigure 8 presents code snippets from the de-obfuscated “Carroll” batch script, showing the purpose of the\r\nseemingly random or \"garbage\" commands shown in Figure 7. The code reveals that the script searches for the\r\nstring “locatedflatrendsoperating” in a file from Ukraine, then concatenates several files into a binary designated\r\n`AutoIt3.exe` and a `.a3x` file named “L.” This reveals how the malware obfuscates its actions and components\r\nwhile preparing for execution.\r\nFigure 8: De-obfuscated Batch Script\r\nUpon investigating the concatenated files, the Splunk Threat Research Team discovered that they consist of\r\nexecutable code segments assembled like a puzzle. This is similar to the .a3x file, which contains a malicious\r\ncompiled AutoIt script responsible for loading the final payload, the wiper. This multi-component\r\napproach serves as an effective defense evasion strategy against Endpoint Detection and Response (EDR) and\r\nantivirus (AV) products. 
By distributing the payload across several files and utilizing obfuscation, the malware can\r\nbypass detection mechanisms that monitor NSIS components for potentially harmful executables or embedded\r\nmodules.\r\nFigure 9: Multi-executable Code Fragments\r\nAutoHotKey \u0026 AutoIT (T1059.010)\r\nThe decompressed script of the dropped `.a3x` file reveals the use of simple obfuscation techniques to conceal its\r\nstrings and AutoIt commands from static analysis and detection. Upon decoding, the Splunk Threat Research\r\nTeam observed that this AutoIt component is designed to load shellcode tailored to the machine's architecture (32-bit\r\nor 64-bit). This shellcode then uses the `RtlDecompressFragment()` API to decompress the actual wiper payload and\r\ninject it into a Regasm.exe process. Figures 10 and 11 show screenshots of the decrypted commands that we\r\nobserved during our analysis.\r\nFigure 10: AutoIt Shellcode Setup\r\nFigure 11: The Snippet of Compressed Wiper Payload Setup\r\nGather Victim Information (T1590, T1589)\r\nThe wiper payload collects network and system information from the targeted or compromised host, including IP\r\naddress, hostname, username, domain, and disk space. This information is sent to a Telegram bot server, which\r\nacts as the C2 center for the destructive malware.\r\nFigure 12: Gather System Information\r\nWe also discovered an interesting public IP check web service used to retrieve the public IP address of the\r\ncompromised host. 
Figure 13 shows a screenshot demonstrating how http[:]//icanhazip[.]com is used to obtain the\r\nIP address.\r\nFigure 13: GET IP Function\r\nAutomated Exfiltration (T1020)\r\nUsing the Telegram application, the threat actor created a bot to serve as the C2 for the malware. This bot is\r\nresponsible for sending information from the compromised host, including undeleted files and the victim's details\r\nas mentioned earlier.\r\nFigure 14: Telegram Bot\r\nDisk Structure Wipe (T1561.002)\r\nThe wiper starts with a deceptive message box, claiming that it will install an update to fix the issue. In\r\nreality, it executes a function that wipes or overwrites all the files on the system.\r\nFigure 15: Luring Update MessageBox\r\nFigure 16 illustrates the function responsible for overwriting files with 4,096 bytes of random data. This\r\ndestructive code can render the compromised host unbootable and unrecoverable. If the file size is less than 4,096\r\nbytes, a new array is created to overwrite that portion, but this time it is filled with zeroes.\r\nFigure 16: Overwrite Files\r\nExploitation for Privilege Escalation BYOVD (T1068)\r\nWe also observed that after overwriting a file, the wiper will delete it. Additionally, the wiper employs a technique\r\nknown as \"Bring Your Own Vulnerable Driver\" (BYOVD), utilizing a driver named ListOpenedFileDrv_32.sys.\r\nThis driver is loaded as a service by the wiper's .DLL component, named OpenFileFinder.dll.\r\nIt's important to note that this driver is not inherently malicious. Rather, it's a simple tool designed for a specific\r\nmemory access task: to access kernel memory and retrieve file names. 
The driver accomplishes this by using the\r\nDeviceIoControl function to receive a memory address, then copying the file name from the FILE_OBJECT at\r\nthat address and returning it as an output parameter.\r\nThis driver may not work on the latest Windows operating systems because it is unsigned and 32-bit. However,\r\nit is likely to load properly on older versions of Windows, such as Windows XP, Windows Vista, and early\r\nversions of Windows 7 (32-bit).\r\nWe pivoted on the sample shared by VirusTotal\r\n(9e519211947c63d9bf6f4a51bc161f5b9ace596c2935a8eedfce4057f747b961) and found that this is not the first\r\ntime this driver has been utilized in campaigns. One artifact that stood out was the debug artifact path:\r\nt:\\naveen\\pgms\\cpp\\openfilefinder_src_vc8\\listfiledrv\\objfre_wxp_x86\\i386\\ListOpenedFileDrv.pdb\r\nThis path leads to samples that are both signed and unsigned. At times, based on upload paths of other samples\r\nwhen pivoting on authentihash or imphash, it appears the file is shipped with various different applications. While\r\ninvestigating the driver and DLL, we found the source, which confirms the driver's simple functionality: \"The only\r\nthing the driver does is copy the file name in the kernel memory and pass it to the user mode. Using the function\r\nDeviceIoControl, the pAddress is passed to the driver. The driver accepts this address and copies the file name\r\nfrom FILE_OBJECT, setting it in the out parameter of the DeviceIoControl function.\"\r\nFigure 17: Bring Your Own Vulnerable Driver\r\nDetections\r\nSuspicious Process File Path\r\nThe following analytic identifies processes running from file paths not typically associated with legitimate\r\nsoftware. 
It leverages data from EDR agents, focusing on specific process paths within the endpoint data model.\r\nThis activity is significant because adversaries often use unconventional file paths to execute malicious code\r\nwithout requiring administrative privileges. If confirmed malicious, this behavior could indicate an attempt to\r\nbypass security controls, leading to unauthorized software execution, potential system compromise, and further\r\nmalicious activities within the environment.\r\n| tstats `security_content_summariesonly` count values(Processes.process_name)\r\n as process_name values(Processes.process) as process min(_time) as firstTime max(_time)\r\n as lastTime from datamodel=Endpoint.Processes where Processes.process_path = \"*\\\\windows\\\\fonts\\\\*\"\r\n OR Processes.process_path = \"*\\\\windows\\\\temp\\\\*\" OR Processes.process_path = \"*\\\\users\\\\public\\\\*\"\r\n OR Processes.process_path = \"*\\\\windows\\\\debug\\\\*\" OR Processes.process_path = \"*\\\\Users\\\\Administrator\\\\Music\r\n OR Processes.process_path = \"*\\\\Windows\\\\servicing\\\\*\" OR Processes.process_path\r\n = \"*\\\\Users\\\\Default\\\\*\" OR Processes.process_path = \"*Recycle.bin*\" OR Processes.process_path\r\n = \"*\\\\Windows\\\\Media\\\\*\" OR Processes.process_path = \"\\\\Windows\\\\repair\\\\*\" OR Processes.process_path\r\n = \"*\\\\temp\\\\*\" OR Processes.process_path = \"*\\\\PerfLogs\\\\*\" by Processes.parent_process_name\r\n Processes.parent_process Processes.process_path Processes.dest Processes.user\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `suspicious_process_file_path_filter`\r\nFigure 18: Detection for Suspicious Process File Path\r\nExecutables Or Script Creation In Suspicious Path\r\nThe following analytic identifies the creation of executables 
or scripts in suspicious file paths on Windows\r\nsystems. It leverages the Endpoint.Filesystem data model to detect files with specific extensions (e.g., .exe, .dll,\r\n.ps1) created in uncommon directories (e.g., \\windows\\fonts\\, \\users\\public). This activity is significant as\r\nadversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this\r\nbehavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the\r\nenvironment, posing a significant security threat.\r\n|tstats `security_content_summariesonly` values(Filesystem.file_path) as\r\n file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem\r\n where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name\r\n = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name\r\n = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name = *.ps1 OR Filesystem.file_name\r\n = *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) AND ( Filesystem.file_path\r\n = *\\\\windows\\\\fonts\\\\* OR Filesystem.file_path = *\\\\windows\\\\temp\\\\* OR Filesystem.file_path\r\n = *\\\\users\\\\public\\\\* OR Filesystem.file_path = *\\\\windows\\\\debug\\\\* OR Filesystem.file_path\r\n = *\\\\Users\\\\Administrator\\\\Music\\\\* OR Filesystem.file_path = *\\\\Windows\\\\servicing\\\\*\r\n OR Filesystem.file_path = *\\\\Users\\\\Default\\\\* OR Filesystem.file_path = *Recycle.bin*\r\n OR Filesystem.file_path = *\\\\Windows\\\\Media\\\\* OR Filesystem.file_path = *\\\\Windows\\\\repair\\\\*\r\n OR Filesystem.file_path = *\\\\AppData\\\\Local\\\\Temp* OR Filesystem.file_path = *\\\\PerfLogs\\\\*)\r\n by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user\r\n | `drop_dm_object_name(Filesystem)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | 
`executables_or_script_creation_in_suspicious_path_filter`\r\nFigure 19: Detection for Executables Or Script Creation In Suspicious Path\r\nWindows AutoIt3 Execution\r\nThe following analytic detects the execution of AutoIt3, a scripting language often used for automating Windows\r\nGUI tasks and general scripting. It identifies instances where AutoIt3 or its variants are executed by searching for\r\nprocess names or original file names matching 'autoit3.exe'. This activity is significant because attackers\r\nfrequently use AutoIt3 to automate malicious actions, such as executing malware. If confirmed malicious, this\r\nactivity could lead to unauthorized code execution, system compromise, or further propagation of malware within\r\nthe environment.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\r\n as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"autoit3.exe\",\r\n \"autoit*.exe\") OR Processes.original_file_name IN (\"autoit3.exe\", \"autoit*.exe\")\r\n by Processes.dest Processes.user Processes.parent_process_name Processes.process_name\r\n Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_autoit3_execution_filter`\r\nFigure 20: Detection for Windows AutoIt3 Execution\r\nWindows Gather Victim Network Info Through IP Check Web Services\r\nThe following analytic detects processes attempting to connect to known IP check web services. This behavior is\r\nidentified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like\r\n\"wtfismyip.com\" and \"ipinfo.io\". 
This activity is significant as it is commonly used by malware, such as Trickbot,\r\nfor reconnaissance to determine the infected machine's IP address. If confirmed malicious, this could allow\r\nattackers to gather network information, aiding in further attacks or lateral movement within the network.\r\n`sysmon` EventCode=22 QueryName IN (\"*wtfismyip.com\", \"*checkip.*\", \"*ipecho.net\",\r\n \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\",\r\n \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\",\r\n \"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\", \"*iplogger.org*\", \"*ip-api.com*\",\r\n \"*geoip.*\", \"*icanhazip*\") | stats min(_time) as firstTime max(_time) as lastTime count by Image\r\n ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer\r\n as dest\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 21: Detection for Windows Gather Victim Network Info Through IP Check Web Services\r\nDetect Regasm with no Command Line Arguments\r\nThe following analytic detects instances of regasm.exe running without command line arguments. This behavior\r\ntypically indicates process injection, where another process manipulates regasm.exe. 
The detection leverages EDR\r\ndata, focusing on process names and command-line executions.\r\n| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _ti\r\n| `drop_dm_object_name(Processes)`\r\n| `security_content_ctime(firstTime)`\r\n| `security_content_ctime(lastTime)`\r\n| regex process=\"(?i)(regasm\\.exe.{0,4}$)\"\r\n| `detect_regasm_with_no_command_line_arguments_filter`\r\nFigure 22: Detection for Regasm with No Command Line Arguments\r\nDetect Regasm with Network Connection\r\nThe following analytic detects the execution of regasm.exe establishing a network connection to a public IP\r\naddress, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to identify such behavior.\r\nThis activity is significant as regasm.exe is a legitimate Microsoft-signed binary that can be exploited to bypass\r\napplication control mechanisms.\r\n`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe\r\n| stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip\r\n| `security_content_ctime(firstTime)`\r\n| `security_content_ctime(lastTime)`\r\n| `detect_regasm_with_network_connection_filter`\r\nFigure 23: Detection for Regasm with Network Connection\r\nWindows High File Deletion Frequency\r\nThe following analytic identifies a high frequency of file deletions by monitoring Sysmon Event ID 23 and 26 for\r\nspecific file extensions. This detection leverages Sysmon logs to track deleted target filenames, process names,\r\nand process IDs. 
Such activity is significant as it often indicates ransomware behavior, where files are encrypted\r\nand the originals are deleted.\r\n`sysmon` EventCode IN (\"23\",\"26\") TargetFilename IN (\"*.cmd\", \"*.ini\",\"*.gif\", \"*.jpg\", \"*.jpeg\", \"*.db\", \"*.ps\r\n| stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user,\r\n| rename Image as process\r\n| where count \u003e=100\r\n| `security_content_ctime(firstTime)`\r\n| `security_content_ctime(lastTime)`\r\n| `windows_high_file_deletion_frequency_filter`\r\nFigure 24: Detection for Windows High File Deletion Frequency\r\nWindows Data Destruction Recursive Exec Files Deletion\r\nThe following analytic identifies a suspicious process that is recursively deleting executable files on a\r\ncompromised host. It leverages Sysmon Event IDs 23 and 26 to detect this activity by monitoring for a high\r\nvolume of deletions or overwrites of files with extensions like .exe, .sys, and .dll.\r\n`sysmon` EventCode IN (\"23\",\"26\") TargetFilename IN (\"*.exe\", \"*.sys\", \"*.dll\")\r\n| bin _time span=2m\r\n| stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user,\r\n| rename Image as process\r\n| where count \u003e=100\r\n| `security_content_ctime(firstTime)`\r\n| `security_content_ctime(lastTime)`\r\n| `windows_data_destruction_recursive_exec_files_deletion_filter`\r\nFigure 25: Detection for Windows Data Destruction Recursive Exec Files Deletion\r\nSimulation\r\nBy simulating techniques employed by the adversary in this real-world campaign, security teams can assess their\r\ndetection and response capabilities against tactics that have been observed in actual malicious operations. 
This\r\napproach allows organizations to proactively identify gaps in their defenses and improve their overall security\r\nposture against current and emerging threats.\r\nTo specifically support teams looking to test their defenses against this particular wiper threat, we generated an\r\nNSIS script that performs three main Atomic Tests that simulate different techniques that adversaries might use:\r\nan AutoIt test, a RegAsm.exe test, and a driver loading test.\r\nYou may retrieve the NSIS script here. Below, we’ll provide an overview of how each test works.\r\nAutoIt Test\r\nThis test demonstrates how an attacker might use AutoIt to run arbitrary scripts on a system.\r\nAutoIt is a scripting language designed for automating Windows GUI and general scripting. It's sometimes\r\nmisused by attackers to evade detection. The script performs the following steps:\r\n1. Downloads AutoIt from the official website:\r\n NSISdl::download \"https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip\" \"$INSTDIR\\autoit-v3\r\n2. Extracts the downloaded AutoIt package:\r\n nsExec::ExecToLog 'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \"Expand-Archive -Path \\\"$INSTD\r\n3. Creates a simple AutoIt script:\r\n FileWrite $0 'MsgBox(0, \"Atomic Message\", \"hello from Atomic Red Team\")'\r\n4. Executes the AutoIt script and spawns a message box:\r\n ExecWait '\"$AutoItExe\" \"$INSTDIR\\atomic_script.au3\"'\r\nRegAsm.exe Test (T1218.009)\r\nRegAsm.exe is a legitimate Windows tool that can be abused for DLL execution. This test showcases how an\r\nattacker might abuse RegAsm.exe to run malicious code. The script does the following:\r\n1. Writes a C# source code file (T1218.009.cs) to disk:\r\n !insertmacro T1218_009_CS_CONTENT\r\n2. 
Compiles the C# code into a DLL:\r\n nsExec::ExecToLog 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /o\r\n3. Executes RegAsm.exe with the compiled DLL, showing the output in the NSIS Show Details window:\r\n nsExec::ExecToLog 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U \"$INSTDIR\\T1218.009.dll\"'\r\nDriver Loading Test\r\nThis test simulates an attempt to load a malicious kernel driver, which attackers could use to gain deep\r\nsystem access.\r\nThe script performs these steps:\r\n1. Extracts the driver file:\r\n File \"/oname=$INSTDIR\\driver.sys\" \"path\\to\\your\\ListOpenedFileDrv_32.sys\"\r\n2. Attempts to create a service for the driver:\r\n nsExec::ExecToLog 'sc.exe create TestDriver type= kernel binPath= \"$INSTDIR\\driver.sys\"'\r\n3. Tries to start the service:\r\n nsExec::ExecToLog 'sc.exe start TestDriver'\r\nIOCs\r\nLearn More\r\nThis blog helps security analysts and Splunk customers enhance their threat detection capabilities and strengthen\r\ntheir defenses against sophisticated malware campaigns like Handala's Wiper. You can implement the detections in\r\nthis blog in Splunk Enterprise Security using the Splunk Enterprise Security Content Update app. To view the\r\nSplunk Threat Research Team’s complete security content repository, visit research.splunk.com.\r\nFeedback\r\nAny feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the\r\nSlack channel #security-research. 
Follow these instructions if you need an invitation to our Splunk user groups on\r\nSlack.\r\nContributors\r\nWe would like to thank Teoderick Contreras, Michael Haag, Jose Hernandez, Nicole Hoffman, Eric Kuhla,\r\nNick Biasini and Cisco Talos for authoring this post, and the entire Splunk Threat Research Team for their\r\ncontributions.\r\nSource: https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html"
	],
	"report_names": [
		"handalas-wiper-threat-analysis-and-detections.html"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-10T02:00:03.715945Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434715,
	"ts_updated_at": 1775791683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e74f097674517d2e8a12edaecaaef0fbec857ec5.pdf",
		"text": "https://archive.orkl.eu/e74f097674517d2e8a12edaecaaef0fbec857ec5.txt",
		"img": "https://archive.orkl.eu/e74f097674517d2e8a12edaecaaef0fbec857ec5.jpg"
	}
}