The Face of Destruction: Inside Void Manticore’s ‘Handala Hack’ AI-Assisted Wiping Operations

Cybersecurity researchers at Check Point Research have released a detailed expose on Handala Hack, a prominent online persona used to mask the destructive operations of the Iranian threat actor Void Manticore. Affiliated with Iran’s Ministry of Intelligence and Security (MOIS), this group has built a reputation for high-impact “hack and leak” operations and relentless wiping attacks across the globe.

Void Manticore (also known as Red Sandstorm or Banished Kitten) doesn’t rely on a single identity. Instead, it maintains a fleet of online personas to target specific geopolitical rivals. While Homeland Justice has been the face of campaigns against Albania since 2022, the Handala persona has focused its sights on Israel and recently expanded to target U.S.-based enterprises, including medical technology giant Stryker.

The researchers highlight the group’s dual nature:

“Handala Hack, also tracked by Check Point Research as Void Manticore, is an Iranian threat actor that is known for multiple destructive wiping attacks combined with ‘hack and leak’ operations“.

Evolution of the Arsenal: AI and Persistence

While Void Manticore is known for “quick, opportunistic wins,” its tactics are far from stagnant. Recent investigations show the group is modernizing its toolkit to bypass increasingly sophisticated defenses.

• AI-Assisted Destructive Scripts: In a notable shift, researchers observed the use of an AI-assisted PowerShell script designed for wiping activity, showing how state-sponsored actors are beginning to integrate artificial intelligence into their offensive workflows.
• NetBird Tunneling: To maintain a foothold in victim networks, the group has begun deploying NetBird to tunnel traffic, allowing them to move laterally and sustain access even as defenders try to close the gates.
• Layered Destruction: The group often employs “multiple wiping methods simultaneously”. This includes a particularly destructive process of disk encryption that can render a system inaccessible even if other wiping components fail to execute.

Hands-On Havoc

Despite the new tech, the group still favors a “hands-on” approach. Once initial access is gained—often through compromised credentials—the operators move laterally via Remote Desktop Protocol (RDP) and basic tunneling tools.

In some cases, the destruction is surprisingly manual:

“Handala Hack operators manually delete virtual machines directly from the virtualization platform or files from compromised machines. This straightforward process involves logging in via RDP, selecting all files, and deleting them“.

Strengthening the Perimeter

The core of the Handala strategy remains opportunistic. By focusing on fundamental security hygiene, organizations can significantly raise the cost of an attack for these MOIS-affiliated actors.

Key Defense Strategies:

• Enforce Multi-Factor Authentication (MFA): Since the group heavily relies on compromised credentials for initial entry, robust MFA is the first line of defense.
• Restrict RDP Access: Limit lateral movement by securing or disabling RDP wherever it is not strictly necessary.
• Robust Backup Protocols: Given the group’s reliance on disk encryption and manual file deletion, offline and immutable backups are essential for recovery.

As the boundary between state espionage and criminal-style destruction continues to blur, the question remains: is your organization prepared for an adversary that doesn’t just want your data, but wants to ensure it never exists again?