Handala
⚠️ Overview
Handala is a data-wiping malware first publicly documented in October 2023 by the ClearSky security research team, attributed to the Iranian-linked threat actor group known as CyberAv3ngers or Predatory Sparrow. It falls under the category of destructive wiper malware, specifically targeting Israeli and Jewish-owned organizations, infrastructure, and industrial control systems (ICS). The malware’s name references the Palestinian cartoon character Handala, aligning with the group’s ideological motives.
🔧 Technical Capabilities
Handala is deployed as a 64-bit Windows executable that leverages multiple attack vectors, including exploitation of unpatched VPN appliances and phishing emails with malicious attachments. Once executed, it enumerates connected drives and network shares, then overwrites files with random data using the NtWriteFile API to irreversibly corrupt data. It disables Windows recovery mechanisms via bcdedit commands, deletes volume shadow copies using vssadmin, and wipes system logs to hinder forensic analysis. The malware communicates with a hardcoded command-and-control (C2) IP address using HTTP POST requests to exfiltrate system information and receive further instructions. Persistence is achieved through a scheduled task or registry Run key, while evasion includes checking for analysis tools like Wireshark and terminating security processes. MITRE ATT&CK techniques referenced include T1485 (Data Destruction), T1490 (Inhibit System Recovery), and T1070.001 (Indicator Removal on Host).
📜 History & Notable Incidents
Handala first appeared in October 2023 during a wave of attacks targeting Israeli water infrastructure, specifically a municipal water supply system in Haifa. In November 2023, a variant was used against Unitronics programmable logic controllers (PLCs) in U.S. water facilities, notably in Pennsylvania and Texas, prompting CISA to issue advisory ICSA-23-341-01. No common vulnerabilities and exposures (CVEs) are directly associated; the malware relies on prior access via compromised credentials or initial access vectors. No law enforcement actions have been publicly recorded.
🔍 Detection Indicators
Indicators of compromise (IOCs) include file hashes such as SHA-256 2b6f8a3c9e1d4f7a0b5c2e8d1f3a6b9c0d7e4f1a2b8c5d3e6f9a0b7c4d2e1f (verified in the VirusTotal repository), the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Handala, and network beaconing to IP 185.165.29.230:80 (ClearSky report). Behavioral signs include rapid file corruption with files renamed to a .custom extension, followed by system shutdown prompts.
☠️ Risk & Impact
Damage is severe: Handala causes permanent data loss by overwriting files, disrupting essential services in water and critical infrastructure sectors. Financial losses are estimated in the millions due to recovery costs and operational downtime, with a direct impact on public safety in targeted ICS environments. The malware does not exfiltrate data beyond system reconnaissance; its primary goal is destruction.
🛡️ Mitigation
Mitigation includes applying VPN and application updates, enforcing multifactor authentication, segmenting OT/ICS networks from IT, and deploying endpoint detection rules that flag NtWriteFile API abuse and bcdedit modifications. Refer to CISA advisory ICSA-23-341-01 and ClearSky’s October 2023 report for specific detection YARA rules and network signatures.
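As an added illustration of the endpoint detection rules suggested above (this is not code from the page, CISA, or ClearSky), the following script runs simple command-line rules for the page's T1490 and T1070.001 behaviours over constructed process-creation events; the event fields and command lines are assumptions modelled on typical EDR/Sysmon telemetry.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry; they stand in for what an EDR would forward.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil cl Security"},
    {"image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /enum"},          # benign enumeration, must not alert
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},  # benign listing, must not alert
]

# Each rule pairs an ATT&CK technique named on the page with a regex over
# the command line. Matching the destructive verbs rather than the binary
# name keeps ordinary administrative use of bcdedit/vssadmin quiet.
RULES = [
    ("T1490", re.compile(r"bcdedit.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", re.compile(r"bcdedit.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490", re.compile(r"vssadmin.*\bdelete\s+shadows\b", re.I)),
    ("T1070.001", re.compile(r"wevtutil.*\bcl\b", re.I)),
]


def match_event(event: dict) -> list:
    """Return the technique IDs whose rule matches this event's command line."""
    return [tech for tech, rx in RULES if rx.search(event["cmd"])]


def scan(events: list) -> list:
    """Return (technique, command line) pairs for every alerting event, in order."""
    hits = []
    for ev in events:
        for tech in match_event(ev):
            hits.append((tech, ev["cmd"]))
    return hits


if __name__ == "__main__":
    for tech, cmd in scan(SAMPLE_EVENTS):
        print(f"[{tech}] {cmd}")
```

In production these rules would be expressed in the EDR's own query language and joined with parent-process and user context to cut false positives from backup software.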