Handala is a pro‑Palestinian hacktivist group that first emerged in December 2023. Self‑identified as the “Handala Hack Team,” it claims responsibility for politically motivated cyber operations targeting Israeli entities—and sometimes those associated with Israel globally. While its rhetoric suggests grassroots activism, some intelligence sources assess that its activities are aligned with Iranian interests, possibly coordinated through Tehran-linked channels.
The group typically begins campaigns with phishing lures—often masquerading as legitimate updates (e.g., spoofed CrowdStrike fixes)—leading to the deployment of multi-stage wiper malware, such as Delphi loaders and AutoIt injectors. This malware is designed to avoid detection, wipe files, and exfiltrate system data (via the Telegram API or cloud storage). Victims include major corporations (e.g., Delek Group), government agencies (e.g., Israeli Police), infrastructure providers (e.g., PA systems in kindergartens), and military‑linked firms.
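The chain described above (a lure posing as a software update, a script-host stage such as AutoIt, then data leaving the host through the Telegram API) lends itself to a simple host-based correlation. The following is an added example written for this page, not code from Handala reporting or from any vendor product. It runs over constructed, simplified Sysmon-style telemetry embedded inline; the hostnames, user names and the file name `CrowdStrike_Update.exe` are invented for the sample, and the 15-minute correlation window and the process watchlists are assumptions a team would tune to its own environment.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not real data). Format:
#   timestamp | host | event | image | detail
# where detail is the parent image for process_create and the
# destination hostname for network_connect.
SAMPLE_LOG = r"""
2024-03-01T09:00:02 | ws-17 | process_create | C:\Program Files\Microsoft Office\OUTLOOK.EXE | C:\Windows\explorer.exe
2024-03-01T09:01:10 | ws-17 | process_create | C:\Users\dana\Downloads\CrowdStrike_Update.exe | C:\Program Files\Microsoft Office\OUTLOOK.EXE
2024-03-01T09:01:14 | ws-17 | process_create | C:\Users\dana\AppData\Local\Temp\AutoIt3.exe | C:\Users\dana\Downloads\CrowdStrike_Update.exe
2024-03-01T09:03:40 | ws-17 | network_connect | C:\Users\dana\AppData\Local\Temp\AutoIt3.exe | api.telegram.org
2024-03-01T09:05:00 | ws-22 | network_connect | C:\Users\omri\AppData\Roaming\Telegram Desktop\Telegram.exe | api.telegram.org
2024-03-01T09:10:00 | ws-09 | process_create | C:\Users\lior\AppData\Local\Temp\AutoIt3.exe | C:\Windows\explorer.exe
2024-03-01T11:20:00 | ws-31 | network_connect | C:\Windows\System32\rundll32.exe | api.telegram.org
"""

# Assumed watchlists; tune to the environment.
SCRIPT_HOSTS = {"autoit3.exe"}                       # script interpreters seen as injector stages
MAIL_AND_OFFICE = {"outlook.exe", "winword.exe", "excel.exe", "msedge.exe", "chrome.exe"}
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\")
EXFIL_HOSTS = {"api.telegram.org"}                   # bot API endpoint used for exfiltration
KNOWN_TELEGRAM_CLIENTS = {"telegram.exe"}            # legitimate desktop client, excluded
WINDOW = timedelta(minutes=15)                       # assumed staging-to-exfil correlation window


def parse(log):
    """Turn the pipe-separated sample lines into event dicts with parsed timestamps."""
    events = []
    for line in log.strip().splitlines():
        ts, host, kind, image, detail = (f.strip() for f in line.split(" | "))
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "image": image, "detail": detail})
    return events


def basename(path):
    # ntpath handles Windows separators regardless of the analysis platform.
    return ntpath.basename(path).lower()


def is_staging(ev):
    """A script host launching, or a binary run from a user-writable path by a mail/office app."""
    if ev["kind"] != "process_create":
        return False
    if basename(ev["image"]) in SCRIPT_HOSTS:
        return True
    parent = basename(ev["detail"])
    return parent in MAIL_AND_OFFICE and any(m in ev["image"].lower() for m in USER_WRITABLE_MARKERS)


def is_suspicious_exfil(ev):
    """Any process other than the real Telegram client talking to the bot API."""
    return (ev["kind"] == "network_connect"
            and ev["detail"].lower() in EXFIL_HOSTS
            and basename(ev["image"]) not in KNOWN_TELEGRAM_CLIENTS)


def detect(events):
    """Per host, raise 'high' when exfil follows staging inside WINDOW, else 'medium'."""
    alerts = []
    staging_by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_staging(ev):
            staging_by_host.setdefault(ev["host"], []).append(ev)
        elif is_suspicious_exfil(ev):
            recent = [s for s in staging_by_host.get(ev["host"], []) if ev["ts"] - s["ts"] <= WINDOW]
            alerts.append({"host": ev["host"],
                           "severity": "high" if recent else "medium",
                           "process": ev["image"],
                           "destination": ev["detail"],
                           "staging": [s["image"] for s in recent]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample, ws-17 produces a high-severity alert (update lure spawned from Outlook, then AutoIt, then the Telegram API call), ws-31 a medium one (an unexpected process reaching the bot API with no staging seen), while the genuine Telegram Desktop client on ws-22 and the staging-only activity on ws-09 raise nothing. In practice the staging-only case is worth a low-priority signal of its own, and the destination list should also cover the cloud-storage services the text mentions.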
Handala maintains an active leak site, broadcasting stolen data to the public. Its operations have evolved from initial DDoS attacks and data exfiltration to complex, credential‑based infiltrations and persistent malware deployment.