Why This Scenario Exists

In March 2026, Check Point Research published a deep-dive on Handala Hack, the public-facing persona of Void Manticore, an Iranian destructive actor affiliated with the Ministry of Intelligence and Security (MOIS). GBHackers reinforced the reporting days later with operational color on the group’s RDP-heavy intrusions.

Two facts made this group a priority for BlackNoise’s catalog. First, Handala’s targeting has expanded westward: where Void Manticore historically focused on Israel and Albania, recent intrusions hit US-based medical-technology vendor Stryker. Customers who once considered Iran-nexus actors a regional problem now need coverage. Second, the tradecraft is built on widely available techniques: no zero-day, no novel implant. Taken individually, every step blends into administrative noise. The question this scenario answers is whether your detection stack correlates the low-noise phases into a single incident before the destructive finale fires.

The Threat Actor

Handala Hack is the public-facing persona of Void Manticore (also tracked as Red Sandstorm and Banished Kitten), an MOIS-affiliated Iranian actor pursuing destruction and hack-and-leak operations for geopolitical sabotage. Targeting spans Israel, Albania, US enterprises, and IT/service providers used as supply-chain pivots. Sophistication is low-to-medium: hands-on operations leveraging off-the-shelf tools and living-off-the-land techniques. The group’s signature is deploying multiple wiping methods in parallel through GPO distribution.

The modus operandi is methodical: VPN credentials compromised through supply-chain targeting of IT providers, multi-month dwell time, then a short pre-impact window during which the actor disables Defender, dumps credentials, runs ADRecon, moves laterally over RDP, and deploys four destructive methods in parallel. Those methods are a custom MBR wiper, an AI-assisted PowerShell wiper, VeraCrypt encryption, and manual VM deletion.

Building the Scenario: Selection Principles

The Check Point report begins with VPN brute force and ends with manual hypervisor deletion. BlackNoise operates in assume-breach mode: initial access is out of scope. The scenario starts with Domain Administrator credentials already obtained, consistent with the multi-month dwell time Check Point documents before destructive activity.

Two rules drove event selection.

  • Every event anchors to a specific quote or IOC from the source; generic Iran-nexus intuition was rejected.
  • Events split into Tier 1 (verbatim source anchor) and Tier 2 (operational prerequisite implied but not cited, such as enabling Restricted Admin before Pass-the-Hash over RDP).

Event Selection: The Link to the Source Report

The 18 events cluster into six phases, each mapping to a paragraph in the Check Point report.

Two mapping decisions deserve note.

  • ADRecon coverage: we chained four discrete Discovery primitives (accounts, groups, computers, dsquery) plus Group Policy Discovery. Together they reproduce the telemetry footprint of a real ADRecon run.
  • Lateral movement: phase 5 models the preparation (scanning for live RDP listeners, enabling Restricted Admin for PTH-over-RDP, enabling RDP on hosts where it was off). The detectable signal lives in these steps, not in the RDP sessions themselves.

What This Scenario Tests

  1. Defender tampering detection. Does the EDR alert on PowerShell-driven ATP and AMSI disable operations?
  2. Credential dumping correlation. Are LSASS access via comsvcs.dll, Shadow Copy hive extraction, and SAM dump correlated as a single credential access campaign, or treated as three isolated findings?
  3. Reconnaissance signal-to-noise. Does mass Active Directory enumeration (accounts, groups, computers, GPOs) within minutes raise a reconnaissance alert, or blend into normal administrative activity?
  4. Pre-impact warning. Does Volume Shadow Copy deletion via vssadmin trigger preemptive wiper/ransomware alerting before file overwrite begins?
  5. Kill-chain correlation. Are these 18 events stitched into a single incident timeline, or surfaced as 18 disconnected tickets?

The fifth question matters most. A SOC that catches every event but presents them as separate tickets has recorded Handala, not detected it.
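A toy correlation check for the fifth question, added here as an illustration rather than BlackNoise’s own detection logic: it tags constructed process-creation records with the scenario’s phases (Defender tampering, credential dumping via comsvcs.dll or hive export, AD enumeration, RDP preparation, shadow-copy deletion) and stitches hits from the same account that fall within a two-hour window into one incident instead of five tickets. The record format, hostnames, account name and sample command lines are constructed assumptions, and the patterns cover only the behaviours named on this page.

```python
import re
from datetime import datetime, timedelta

# Phase detectors keyed on command-line content; one pattern per scenario phase.
PHASES = {
    "defender_tamper": re.compile(r"Set-MpPreference|DisableRealtimeMonitoring|AmsiUtils", re.I),
    "credential_dump": re.compile(r"comsvcs\.dll.*MiniDump|reg(\.exe)?\s+save\s+hklm\\(sam|system)", re.I),
    "ad_recon": re.compile(r"\bnet\s+(user|group)\b.*/domain|\bdsquery\b|Get-GPO", re.I),
    "lateral_prep": re.compile(r"DisableRestrictedAdmin|fDenyTSConnections", re.I),
    "pre_impact": re.compile(r"vssadmin.*delete\s+shadows", re.I),
}

def classify(cmdline):
    """Return the scenario phase a command line belongs to, or None for benign noise."""
    for phase, rx in PHASES.items():
        if rx.search(cmdline):
            return phase
    return None

def parse(line):
    # Constructed record format: "<ISO timestamp>|<host>|<user>|<command line>"
    ts, host, user, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, cmd

def correlate(lines, window=timedelta(hours=2), min_phases=3):
    """Join each phase hit to the open incident for its account when it falls within
    `window` of the previous hit; report incidents spanning >= min_phases phases."""
    events = sorted((parse(l) for l in lines), key=lambda e: e[0])
    incidents, current = [], None
    for ts, host, user, cmd in events:
        phase = classify(cmd)
        if phase is None:
            continue
        if current and user == current["user"] and ts - current["last"] <= window:
            current["last"] = ts
        else:
            current = {"user": user, "first": ts, "last": ts, "phases": set(), "hosts": set()}
            incidents.append(current)
        current["phases"].add(phase)
        current["hosts"].add(host)
    return [i for i in incidents if len(i["phases"]) >= min_phases]

SAMPLE_LOG = [  # constructed telemetry, not taken from the Check Point report
    "2026-03-02T08:55:00|ws01|corp\\admin|svchost.exe -k netsvcs",
    "2026-03-02T09:00:00|ws01|corp\\admin|powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    "2026-03-02T09:04:00|ws01|corp\\admin|rundll32 comsvcs.dll, MiniDump 612 C:\\temp\\l.dmp full",
    "2026-03-02T09:10:00|ws01|corp\\admin|net group \"Domain Admins\" /domain",
    "2026-03-02T09:11:00|ws01|corp\\admin|dsquery computer -limit 0",
    "2026-03-02T09:30:00|srv02|corp\\admin|reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    "2026-03-02T10:05:00|srv02|corp\\admin|vssadmin delete shadows /all /quiet",
]
```

Running `correlate(SAMPLE_LOG)` yields a single incident covering all five phases across both hosts; the same records fed through a stack that alerts per event would produce six unrelated tickets.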

Conclusion

Handala Hack is not technically sophisticated, and that is the point. The group succeeds because the kill chain hides in administrative noise until the wiper fires. Defenders who measure their stack against this scenario are not testing whether they can detect one exotic technique; they are testing whether they can recognize an ordinary one repeated eighteen times. Run it, measure where correlation breaks, and tune accordingly.

Sources for this scenario:

“Handala Hack” – Unveiling Group’s Modus Operandi: https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi

Handala Hackers Exploit RDP and NetBird in Coordinated Wiper Attacks: https://gbhackers.com/coordinated-wiper-attacks