Part 2: The Iran-Israel Cyber Standoff - The State's Silent War

CloudSEK uncovered a surge in Iran-linked cyberattacks targeting Israel and its allies. Groups like APT42, APT34, MuddyWater, and hacktivist Handala are conducting espionage, data theft, and DDoS attacks. These actors use phishing, credential theft, and stealthy tools to infiltrate sensitive sectors. CloudSEK advises organizations to patch vulnerabilities, monitor DNS traffic, and enforce zero-trust security policies.

Koushik Pal
June 19, 2025
Green Alert
Last update posted on June 20, 2025
Co-author: Nivya Ravi

Executive Summary

This report outlines the evolution and current capabilities of Iran-aligned cyber threat actors, particularly in the context of heightened Iran-Israel geopolitical tensions. Iran's offensive cyber operations are orchestrated primarily by the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), often executed through contractors and proxies like Emennet Pasargad and Afkar System. While there are numerous actors affiliated with the Iranian state, key actors include APT42, focused on espionage via social engineering and cloud compromise; MuddyWater, leveraging PowerShell and public exploits under MOIS direction; and APT34, a stealthy group employing DNS tunneling and supply chain attacks. Recent escalations have also seen the emergence of Handala, a politically motivated hacktivist group targeting Israeli-linked entities with DDoS and data leaks. Despite varied sophistication levels, all groups display consistent patterns of phishing-based initial access, persistence via credential theft and LOLBins, and data exfiltration through covert channels. These actors continue to evolve in alignment with Iran’s regional strategic interests and retaliatory agendas.

ALSO READ: Part 1: The Iran-Israel Cyber Standoff - The Hacktivist Front

Analysis 

Iran’s cyber operations are primarily driven by two main state-aligned entities, both playing distinct yet sometimes overlapping roles in advancing national objectives in cyberspace:

  • Islamic Revolutionary Guard Corps (IRGC)
    The IRGC is a powerful military organization that reports directly to Iran’s Supreme Leader, Ayatollah Ali Khamenei. The IRGC oversees offensive cyber activities aimed at both external adversaries and internal dissidents. It leverages a network of contractors and front companies to carry out operations while maintaining plausible deniability.
  • Ministry of Intelligence and Security (MOIS) (also known as VEVAK in Farsi)
    MOIS is Iran’s main civilian intelligence agency, reporting to the President. Its cyber operations are often focused on espionage, internal security, and influence operations targeting political opponents and foreign states.

Both the IRGC and MOIS coordinate through the Supreme Council of Cyberspace, which helps align cyber strategy with national security objectives.

Contractors and Proxies:
Iran frequently outsources cyber operations to private contractors, front companies, and proxy groups to obscure attribution and expand operational capacity. 

  • Emennet Pasargad (formerly EIP; linked to Cotton Sandstorm)
  • Afkar System
  • Najee Technology (associated with Nemesis Kitten / APT35 cluster)

These groups enable Iran to conduct deniable operations while scaling their reach and sophistication.

Threat Actor Profile: APT42 (Charming Kitten)

Threat Actor Aliases:

  • CrowdStrike: Charming Kitten
  • Mandiant: APT42, TA453
  • Microsoft (New): Mint Sandstorm
  • Proofpoint: TA453
  • Secureworks: Cobalt Illusion (SPHYNX)

APT42 is a state-sponsored cyber espionage group attributed to Iran's Islamic Revolutionary Guard Corps (IRGC). The group specializes in highly targeted reconnaissance and social engineering campaigns against individuals and organizations of strategic interest to Iran. Their campaigns are not typically wide-ranging "spray and pray" attacks; instead, they are patient, bespoke operations focused on compromising specific accounts for intelligence gathering. Based on their meticulous impersonation techniques, custom malware development (e.g., PowerKitten), and persistence, APT42 is assessed as a highly sophisticated and resourceful threat actor. Their notable technical observations include the use of fake login pages, tailored malware droppers delivered via spear-phishing, and extensive reconnaissance to make their social engineering lures highly credible.

Targets of APT42:

  • Sectors/Verticals: APT42 primarily targets academia, human rights organizations, journalists, non-governmental organizations (NGOs), and governmental entities. Their focus is on individuals involved in research, policy, or activism related to Iranian interests.
  • Post-Intrusion Activity: Once inside a victim's environment, APT42 focuses on data exfiltration. They seek out and steal emails, contact lists, documents, and any other sensitive information stored in compromised accounts (e.g., Google Workspace, Microsoft 365).
  • Persistence: The group is known to maintain persistence for long periods, often using stolen credentials to maintain access to email accounts and cloud storage, continuously monitoring communications.
  • Target Relationship: Targets are often related through their work, such as being researchers in the same field or attendees of the same international conferences on foreign policy.

APT42 Diamond Model Attributes:

APT42 Modus Operandi:

At a high level, APT42's operations follow a clear pattern. IN: They gain initial access almost exclusively through hyper-targeted spear-phishing campaigns that impersonate trusted contacts or services. THROUGH: They move laterally by using the compromised account to target the victim's contacts and deploy lightweight reconnaissance scripts or backdoors. OUT: Their primary goal is achieved by exfiltrating data directly from the victim's cloud or email account.

Threat Actor Profile: MuddyWater

Threat Actor Aliases:

  • CISA: MuddyWater
  • Symantec: Seedworm
  • Trend Micro: TEMP.Zagros
  • Palo Alto Networks: OilRig* (disputed overlap)
  • PwC: Boggy Serpens

Note: There is industry debate about the exact boundaries between MuddyWater and APT34 (OilRig), with some researchers assessing them as distinct groups with occasional tool sharing.

MuddyWater is a state-sponsored group acting in support of the Iranian MOIS. It is classified as an espionage actor but has demonstrated capabilities for disruptive attacks. The group specializes in gaining access to networks and maintaining long-term persistence for intelligence gathering. Their campaigns often start with spear-phishing but quickly pivot to exploiting vulnerabilities in public-facing applications. MuddyWater's sophistication is assessed as moderate; they are highly adaptable and effective but rely heavily on "living off the land" techniques and publicly available tools, which makes attribution challenging. Notable technical observations include their heavy use of PowerShell for backdoors (e.g., POWERSTATS), DNS for command and control (C2), and the exploitation of vulnerabilities like Log4j.

Targets of MuddyWater:

  • Sectors/Verticals: Telecommunications, government (including defense and intelligence), technology, and energy sectors.
  • Post-Intrusion Activity: Once inside, MuddyWater conducts extensive internal reconnaissance, seeks to escalate privileges, and exfiltrates data of intelligence value. They are not typically destructive but have the capability and have been linked to wiper malware deployments in the past.
  • Persistence: The group is known for long dwell times, using scheduled tasks, registry modifications, and custom backdoors to maintain access for months or even years.
  • Target Relationship: Targets are often linked by their strategic importance to Iran, such as being key technology providers in the Middle East or government agencies of rival nations.

MuddyWater Diamond Model Attributes:

MuddyWater Modus Operandi:

MuddyWater's operational flow is efficient and built for stealth. IN: They gain access via phishing emails containing malicious documents or by exploiting unpatched, internet-facing servers. THROUGH: They immediately deploy PowerShell backdoors and use legitimate Windows tools (LOLBins) to blend in with normal network traffic while performing reconnaissance and escalating privileges. OUT: Data is collected, staged in archives, and exfiltrated slowly over obfuscated C2 channels to avoid detection.

Threat Actor Profile: APT34 (OilRig)

Threat Actor Aliases:

  • CrowdStrike: Helix Kitten
  • Mandiant: APT34
  • Microsoft: Hazel Sandstorm
  • Palo Alto Networks: OilRig
  • Group-IB: Cobalt Gypsy

Note: While sometimes linked to MuddyWater due to shared state sponsors, APT34 is considered a distinct group with its own unique and often more sophisticated toolset and operational methodologies.

APT34 is a state-sponsored cyber espionage group, active since at least 2014 and widely believed to operate on behalf of the Iranian government, potentially its Ministry of Intelligence and Security (MOIS). The group specializes in long-term intelligence collection campaigns that align with Iran's strategic national interests. Their campaigns are characterized by the heavy use of custom-developed tools, a focus on maintaining stealth, and the ability to adapt their tactics based on the target's environment. Based on their extensive custom malware arsenal (e.g., BondUpdater, QUADAGENT), use of advanced techniques like DNS tunneling for C2, and their operational discipline, APT34 is assessed as a highly sophisticated and mature threat actor. Their technical hallmarks include using legitimate credentials to blend in and exploiting trusted relationships in supply chain attacks to bypass perimeter defenses.

Targets of APT34:

  • Sectors/Verticals: Primarily targets financial services, government, energy (oil & gas), telecommunications, and chemical industries. They have also been observed targeting IT companies, potentially for supply chain compromises.
  • Post-Intrusion Activity: Once inside a network, APT34 focuses on credential harvesting, lateral movement, and identifying and exfiltrating high-value data. They use tools to dump credentials from memory, discover network topology, and package data for exfiltration over covert channels.
  • Persistence: The group is known for extremely long dwell times. They establish multiple points of persistence using custom backdoors, web shells, and scheduled tasks to ensure continued access even if one method is discovered.
  • Target Relationship: Targets are almost always linked to the geopolitical and economic interests of Iran. This includes rival Middle Eastern governments, companies involved in the global energy market, and financial institutions.

APT34 Diamond Model Attributes:

APT34 Modus Operandi:

APT34's operations are methodical and stealthy. IN: They favor spear-phishing with lures relevant to the target's industry or compromising a trusted third-party IT provider to gain initial access. THROUGH: They live off the land where possible but are known to deploy a powerful and evolving set of custom PowerShell tools to perform reconnaissance, escalate privileges, and move laterally. OUT: Their signature technique is the use of DNS as a covert channel to communicate with C2 servers and exfiltrate stolen data, making their traffic difficult to spot among legitimate DNS requests.

Threat Actor Profile: Handala

Handala is a politically motivated hacktivist group that emerged in the context of the Israeli-Hamas conflict. The group is classified as a hacktivist entity, but some researchers assess them to be state-aligned, likely operating in support of Iran's geopolitical objectives, similar to the operational model of groups like CyberAv3ngers. Handala specializes in disruptive and public-facing attacks, including DDoS, website defacement, and data theft and subsequent leaking. Their goal is to punish entities they view as enemies of the Palestinian cause and to spread their political message.

Handala's sophistication is assessed as low to moderate. They do not appear to use zero-day exploits but are effective at leveraging known vulnerabilities in web applications (e.g., SQL injection) and using readily available tools and botnets to launch powerful DDoS attacks. Their notable technical characteristic is their speed in publicizing attacks on their Telegram channel, often posting evidence of the breach or data leaks in near real-time to maximize media attention.

Targets of Handala:

  • Sectors/Verticals: Targeting is extremely broad and opportunistic. It includes government, technology, logistics, travel, eCommerce, and any commercial entity based in or vocally supporting Israel. They have claimed attacks against major technology firms, travel agencies, and data centers.
  • Post-Intrusion Activity: The group's actions are swift and destructive to confidentiality and integrity. They access databases, exfiltrate user data, customer lists, and other sensitive information, and immediately leak it. They often deface websites with pro-Palestinian messaging.
  • Persistence: Handala does not appear to focus on long-term persistence. Their model is based on gaining access, stealing valuable data, and getting out before publishing their findings. The goal is disruption and embarrassment, not long-term espionage.
  • Target Relationship: All targets are linked by a single common denominator: a real or perceived connection to the state of Israel, either through national origin, business partnerships, or stated political support.

Handala Diamond Model Attributes:

Handala Modus Operandi:

Handala's operational playbook is direct and built for speed and public impact. IN: They either overwhelm a target's services with high-volume DDoS traffic or exploit a vulnerability on the target's public website to gain access. We have also seen cases where Handala has sent phishing emails to its targets. THROUGH: Once in, they quickly navigate to sensitive databases or files. OUT: The stolen data is exfiltrated and immediately published on their Telegram channel, often accompanied by a defacement of the victim's website and public taunts.

MITRE ATT&CK Mapping - APT42, MuddyWater, APT34, Handala

Legend:

  • Light blue: APT42
  • Gray: MuddyWater
  • Orange: APT34
  • Dark blue: Handala
  • Red: TTPs common to two or more groups

Impact

  • Data Breaches & IP Loss: Sensitive internal data, intellectual property, and credentials may be exfiltrated, exposing your business to espionage or financial theft.
  • Brand & Trust Damage: Public leaks and defacements (as seen with Handala) can erode customer trust and invite media scrutiny.
  • Operational Downtime: Exploited vulnerabilities or persistence mechanisms can disrupt operations or require full environment remediation.
  • Long-Term Infiltration Risk: Use of DNS tunneling and legitimate system tools (LOLBins) allows prolonged undetected access.
  • Compliance & Regulatory Exposure: Breaches may trigger non-compliance penalties under data protection laws (e.g., GDPR, HIPAA).

Mitigations

  • Invest in Patch Hygiene: Assess your attack surface and enforce rapid patching of public-facing applications via centralized vulnerability management.
  • Harden PowerShell Usage: Restrict scripting tool usage, implement logging (ScriptBlock Logging), and use AppLocker policies.
  • Detect Covert C2 Activity: Deploy DNS anomaly detection and restrict outbound DNS to known resolvers only.
  • Zero Trust & Least Privilege: Limit user and service account privileges; continuously verify trust boundaries.
  • Endpoint & Network Telemetry: Use EDR/XDR tools to detect LOLBins, credential theft behaviors, and lateral movement early.
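The DNS anomaly detection recommended above, applied to the covert DNS C2 pattern described for APT34 and MuddyWater, is illustrated by the following Python script. It is an added example, not CloudSEK tooling: it scores each client/base-domain pair in a constructed resolver log on leftmost-label entropy, subdomain length and TXT/NULL-record share, and separately lists queries that bypassed an approved resolver. The log format, thresholds, addresses and domains are all assumptions.

```python
"""Heuristic detector for DNS-tunnelled C2 over resolver query logs.
Added example; log format, thresholds and all addresses are constructed assumptions."""
import math
import re
from collections import defaultdict

# Constructed sample log, one query per line: ts client resolver qtype qname
# 10.0.1.5 is ordinary browsing; 10.0.1.7 sends long hex labels as TXT queries
# to one base domain (the tunnelling pattern); 10.0.1.9 bypasses the corporate
# resolver (10.0.0.53) and talks to an external resolver directly.
SAMPLE_LOG = """\
2025-06-19T10:00:01Z 10.0.1.5 10.0.0.53 A www.example.com.
2025-06-19T10:00:02Z 10.0.1.5 10.0.0.53 A mail.example.com.
2025-06-19T10:00:03Z 10.0.1.5 10.0.0.53 A portal.example.com.
2025-06-19T10:00:04Z 10.0.1.5 10.0.0.53 A cdn-updates.example.net.
2025-06-19T10:00:05Z 10.0.1.7 10.0.0.53 TXT 6a7f3e9b1c4d2e8f9a0b1c2d3e4f5a6b.7c8d9e0f1a2b3c4d5e6f7a8b.cdn-updates.example.net.
2025-06-19T10:00:06Z 10.0.1.7 10.0.0.53 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.0a1b2c3d4e5f60718293a4b5.cdn-updates.example.net.
2025-06-19T10:00:07Z 10.0.1.7 10.0.0.53 TXT c3d4e5f60718293a4b5c6d7e8f90a1b2.c6d7e8f90a1b2c3d4e5f6071.cdn-updates.example.net.
2025-06-19T10:00:08Z 10.0.1.7 10.0.0.53 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f9.8293a4b5c6d7e8f90a1b2c3d.cdn-updates.example.net.
2025-06-19T10:00:09Z 10.0.1.9 8.8.8.8 A www.example.com.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<resolver>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)

def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["qname"] = rec["qname"].rstrip(".").lower()
        rec["qtype"] = rec["qtype"].upper()
        records.append(rec)
    return records

def shannon_entropy(label):
    """Bits per character: hex-encoded payload tops out at 4.0, hostnames sit well below."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname):
    """Split into (subdomain part, base domain). Naive last-two-label rule;
    a real deployment should use the Public Suffix List instead."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_flows(records, entropy_min=3.5, sub_len_min=40, txt_share_min=0.5):
    """Aggregate per (client, base domain) and raise indicators; two or more
    indicators on the same flow mark it suspicious."""
    groups = defaultdict(list)
    for r in records:
        sub, base = split_qname(r["qname"])
        groups[(r["client"], base)].append((sub, r["qtype"]))
    findings = {}
    for key, items in groups.items():
        n = len(items)
        avg_entropy = sum(shannon_entropy(sub.split(".")[0]) for sub, _ in items) / n
        avg_sub_len = sum(len(sub) for sub, _ in items) / n
        txt_share = sum(1 for _, qt in items if qt in ("TXT", "NULL")) / n
        indicators = []
        if avg_entropy >= entropy_min:
            indicators.append("high-entropy leftmost label")
        if avg_sub_len >= sub_len_min:
            indicators.append("oversized subdomain")
        if txt_share >= txt_share_min:
            indicators.append("TXT/NULL-heavy")
        findings[key] = {
            "queries": n,
            "avg_entropy": round(avg_entropy, 2),
            "avg_sub_len": round(avg_sub_len, 1),
            "txt_share": round(txt_share, 2),
            "indicators": indicators,
            "suspicious": len(indicators) >= 2,
        }
    return findings

def resolver_violations(records, allowed_resolvers):
    """Queries that bypassed the approved resolvers (egress policy check)."""
    return [r for r in records if r["resolver"] not in allowed_resolvers]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (client, base), f in score_flows(recs).items():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{client:10} {base:15} {flag:10} {f['indicators']}")
    for r in resolver_violations(recs, {"10.0.0.53"}):
        print(f"resolver policy violation: {r['client']} -> {r['resolver']}")
```

Note that the benign client querying the same cdn-updates.example.net base domain is not flagged, because the heuristics score the query shape per client rather than the domain name itself.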
