
Handala: Anatomy of Iran's most destructive threat actor

Handala, Iran

Team Shieldworkz

Primary alias: Handala / Handala Hack

Backed by: Iran MOIS (IRGC-adjacent)

First documented appearance: December 18, 2023

Primary motive: Destructive / Psychological Ops

Present state: Active, regrouping and recruiting (post-FBI seizure)

On the morning of March 11, 2026, employees at Stryker Corporation offices across 79 countries switched on their computers and found something they had never seen before: a small, barefoot cartoon boy with a slingshot staring back at them from their login screens. Moments later, their devices went dark. Over 200,000 systems had been remotely wiped.

What followed was one of the most operationally destructive cyberattacks ever executed against a U.S. company, achieved not through a sophisticated novel exploit but through the methodical abuse of Microsoft Intune, Stryker's own device management platform, weaponised by attackers who had been inside the network for months before pulling the trigger. You can read a detailed post on this incident here.

This report is a forensic deep-dive into the threat actor behind that attack. Handala is not a grassroots hacktivist collective. It is a carefully constructed public-facing persona operated by Void Manticore, a cyber unit inside Iran's Ministry of Intelligence and Security (MOIS) — specifically its Counter-Terrorism Division. Its targeting list, operational tempo, and the geopolitical events that trigger its most destructive campaigns leave no room for ambiguity: this is a state weapon.

The structural shift

The Stryker attack marks a structural shift in Handala's operational doctrine. The group has moved beyond psychological hacktivist operations against Israeli infrastructure into high-impact, kinetic-equivalent attacks against U.S. Fortune 500 companies. This escalation is directly correlated with the Feb 28, 2026 U.S.-Israeli joint military strikes on Iran (Operation Epic Fury). Security teams protecting Western enterprises with any nexus to Israel, U.S. defense, or critical infrastructure should treat Handala as an active, elevated threat.

  • 200K+ devices wiped (Stryker)

  • 50 TB of data claimed exfiltrated

  • 85+ claimed attacks (2024–25)

  • 79 countries impacted


Origins and identity

Handala the persona borrows its name from a barefoot 10-year-old boy drawn in profile by cartoonist Naji al-Ali in 1969. Iran's intelligence service adopted this symbol wholesale: the same barefoot boy appears in Handala's Telegram channel, on the defacement screens displayed on wiped corporate devices, and in the propaganda images dropped onto destroyed drives.

The timing of the group's emergence was not accidental. Handala Hack launched its Telegram channel and X/Twitter account simultaneously on December 18, 2023 — weeks after the October 7, 2023 Hamas attack on Israel and the subsequent Israeli military campaign in Gaza. It positioned itself within the wave of pro-Palestinian hacktivist activity that followed, initially posting content directly referencing Hamas before pivoting to broader anti-Israel and, increasingly, anti-Western messaging.

The three faces of Handala

Handala is only one of several operational faces of this group. The underlying threat actor maintains at least three public-facing personas, each directed at a distinct target set:

Handala Hack

AKA: Handala, Hatef, Hamsa, HandalaTeam

Status: DOMINANT

Primary public face since late 2023. Used for all Israel-facing and now U.S.-facing operations. Leak platform, propaganda hub, and claim channel. Karma appeared to be the predecessor; Handala absorbed it entirely.

Karma

AKA: KARMA (historical)

Status: DORMANT

Operated in parallel with Handala during early campaigns. Wiper messaging sometimes carried Karma branding while stolen data was released via Handala. Check Point assesses the two teams converged; Karma has not appeared independently since mid-2025.

Homeland Justice

AKA: HomelandJustice (Albania operations)

Status: ACTIVE — Albania-specific

Maintained since mid-2022 specifically for operations against the Albanian government, telecom, and public service organisations. Collaborated with separate MOIS unit Scarred Manticore in Albanian campaigns. Continues to operate independently.

The convergence evidence is compelling: Check Point documented code overlaps in the wipers deployed across all three personas, shared C2 infrastructure, and incidents where Karma-branded wiper messages appeared in compromised environments while the exfiltrated data was leaked through Handala's channels. One team, three faces — each calibrated for a different audience and geopolitical context.

Command structure

Understanding who controls Handala requires peeling back the public hacktivist persona to examine the MOIS organisational structure beneath it. Public reporting — including research by Iranian journalist and researcher Nariman Gharib — has mapped the command chain with reasonable fidelity:

Iran Ministry of Intelligence and Security (MOIS)

Wezarat-e Ettela'at va Amniyat-e Keshvar (VEVAK)

MOIS Internal Security Deputy — Counter-Terrorism (CT) Division

Primary sponsor and oversight structure for Void Manticore operations

Seyed Yahya Hosseini Panjaki — Division Supervisor (US Treasury sanctioned Sep 2024; UK/EU sanctioned; FBI terrorism watchlist)

Deputy Minister-level official. Oversaw the CT cyber unit that includes Handala operations. Reportedly killed in Israeli strikes on Iranian intelligence targets, early March 2026.

Operators

Hands-on keyboard operatives. Small team; manual, RDP-heavy operations. Multi-persona management (Handala, Karma, Homeland Justice).

Criminal Service Providers (Initial Access Brokers)

The group is documented to purchase initial access and tools from underground criminal services. Infostealer log marketplaces used to source corporate credentials (confirmed in Stryker). Collaboration with Scarred Manticore (separate MOIS unit) in Albanian ops.

Number of affiliates (direct): none

SecurityWeek confirmed that Seyed Yahya Hosseini Panjaki was killed in the opening phase of Israeli strikes on Iranian intelligence infrastructure in early March 2026. A second named figure, Mohammad Mehdi Farhadi Ramin — previously charged by the U.S. in 2020 for state-sponsored hacking — was also reportedly killed. The loss of the unit's senior leadership creates a period of potential operational disruption, but historically, MOIS cyber units reconstitute within days and may operate with heightened aggression in response to perceived martyrdom of leadership.

BUDGET AND RESOURCING

Handala operates with a budget of US$ 7.7 Mn per year, invested primarily in the following areas.

Tool procurement: Commercial infostealer logs purchased from criminal markets; no evidence of expensive zero-days. Low tool cost indicates budget optimisation.

Infrastructure: Primarily commercial VPN services, Starlink satellite connectivity, and co-opted victim infrastructure. Low dedicated infrastructure spend.

Operator count: Estimated small team of 10–30 operators across all personas, backed by a team of administrative enablers.

Propaganda and media: Dedicated Telegram channels, a professional-grade website (now FBI-seized), and a curated doxxing platform (RedWanted) suggest meaningful investment in the psychological operations layer.

Comparable units: IRGC-linked CyberAv3ngers is estimated at a $5M–$15M annual budget (CSIS). Handala, being MOIS-based and smaller-scale, likely operates in the $2M–$8M range annually.


Operational history and campaign chronology

Researchers at Reichman University documented at least 85 claimed attacks between February 2024 and February 2025 alone. Handala's targeting closely tracks geopolitical developments. The following represents the most significant verified or high-confidence operations:

DEC 2022 — AUG 2023

Homeland Justice — Albania Pre-History

Before Handala, the same Void Manticore infrastructure executed destructive operations against Albanian government systems under the Homeland Justice persona — targeting the government of Albania's National Agency for Information Society, TIMS border management system, and telecom infrastructure. This established the actor's core playbook: VPN credential theft, destructive wiping, and hack-and-leak for psychological effect.

DEC 18, 2023

Handala emerges — Telegram Launch

Handala's Telegram channel and X/Twitter account launch simultaneously, weeks after the October 7, 2023 attack. Initial messaging positions the group within the pro-Palestinian hacktivist ecosystem, explicitly referencing Hamas. Strategic cover is established.

EARLY 2024

Israeli Infrastructure Campaign Begins — Operation HamsaUpdate

Multi-target campaign deploying Hamsa (Linux wiper) and Hatef (Windows wiper) against Israeli organisations. Phishing lures written in flawless Hebrew impersonate F5 software updates. The Israel National Cyber Directorate issues a public advisory with IOCs. The group claims access to a military weather server and to security cameras in Jerusalem. Doxxing of Israeli intelligence officers begins.

SEP 2024

Soreq Nuclear Research Centre Claim

Handala claims to have breached the Soreq Nuclear Research Centre and exfiltrated approximately 197 GB of classified nuclear project data. Israel's National Cyber Directorate assesses this as primarily psychological warfare. The claim generated global media coverage, demonstrating that Handala treats unverified claims as a primary weapon even absent confirmed technical compromise.

SEP 2024

US Treasury Sanctions Panjaki

U.S. Treasury designates Seyed Yahya Hosseini Panjaki. EU and UK follow. FBI places him on terrorism watchlist. The public designation confirms U.S. government assessment of MOIS command responsibility for Handala operations.

FEB 2025

Israeli Police Data Breach

Claimed exfiltration of 2.1 TB of Israeli police data including personnel records, weapons inventories, and psychological profiles of officers. Israeli police attributed the breach to a third-party vendor compromise. Some published material was assessed as outdated, continuing a pattern of mixing genuine exfiltrated data with amplified or unverified claims.

JAN 2026

Kindergarten PA System Attack

Handala compromises Maagar-Tec emergency alert systems serving over 20 Israeli kindergartens. Air raid sirens activated and threatening Arabic messages broadcast to children. A deliberate escalation targeting civilian psychological impact, demonstrating willingness to cross lines that state-constrained actors typically avoid.

FEB 28, 2026

Operation Epic Fury — The Trigger

U.S.-Israeli joint military strikes on Iranian targets (Operation Epic Fury) launch. Intelligence reporting subsequently suggests Handala had pre-positioned access inside Stryker and potentially other U.S. organisations weeks prior — the strikes did not cause the access, they pulled the trigger on pre-established footholds.

MAR 1, 2026

RedWanted Doxxing Platform Launch

Handala launches RedWanted, a dedicated doxxing site listing individuals and organisations assessed to have supported Israel. Compromised personal emails of former Mossad research director Sima Shine (100,000+ emails) published. Senior Israeli Navy officers doxxed. Hebrew University of Jerusalem targeted. The platform is explicitly designed as a harassment and intimidation infrastructure targeting individuals, not just organisations.

MAR 11, 2026

STRYKER — Most Destructive Operation to Date

Handala wipes 200,000+ devices across Stryker Corporation systems in 79 countries by abusing Microsoft Intune administrative access obtained via Infostealer-harvested credentials. Stryker confirms "severe, global disruption" in SEC 8-K filing. Order processing, manufacturing, and shipping disrupted globally. The Handala logo replaces login screens on affected devices worldwide. Simultaneously claims attack on Verifone (unconfirmed by Verifone).

MAR 20, 2026

FBI Seizes Handala Websites — Domain Takedown

FBI seizes handala-hack[.]to and handala-redwanted[.]to under DOJ court-authorised warrant. DOJ characterises the platforms as "psychological operations" run by Iran's MOIS. Handala acknowledges on Telegram and announces new replacement infrastructure is imminent — a response consistent with previous takedowns of the group's channels.

TTPs — Tactics, Techniques & Procedures

Handala's intrusion chain is deceptively simple. The group does not rely on novel zero-day exploits. Its power comes from the combination of credential abuse, manual hands-on operation, and simultaneous multi-method wiping executed at speed once access is established. This makes them harder to detect before impact and harder to stop during it.

PHASE | TECHNIQUE | OBSERVATION

Reconnaissance | Vulnerability research | They specifically target Zimbra and Exchange vulnerabilities (CVE-2022-27925, for example) to gain an initial foothold.

Weaponization | Custom wipers | They use a proprietary wiper often disguised as a "Security Update." It doesn't just delete files; it overwrites the Master Boot Record (MBR).

Exfiltration | Telegram Bot API | Instead of standard FTP/S3 buckets, they frequently exfiltrate metadata and small sensitive batches via encrypted Telegram channels to bypass standard DLP filters.

Psychological Ops | Doxxing & leaks | They release "Proof of Hack" videos on their dedicated "Handala" portal, often featuring UI screenshots of the victim's internal admin panels.

The Handala attack chain

  1. Credential procurement: Purchase Infostealer logs from criminal markets. Target IT/MSP providers for downstream access. Brute-force VPN infrastructure.

  2. VPN initial access: Compromise VPN using stolen credentials. Origin: commercial VPN nodes (169.150.227.X), Starlink IPs, or direct Iranian IP ranges (declining OPSEC).

  3. Pre-positioning (months): Access maintained months before the destructive phase. Domain Admin credentials obtained. Access validated and tested quietly before the trigger.

  4. Lateral movement via RDP: Manual RDP sessions between systems. NetBird deployed to mesh-connect internal hosts not directly exposed. 5+ attacker systems active simultaneously.

  5. Privilege escalation and admin tool weaponisation: Domain Admin or Intune Admin credentials used to weaponise MDM/GPO for mass destructive commands.

  6. Simultaneous multi-wiper deployment: 4 distinct wiping techniques run in parallel via GPO. Maximum impact, minimum recovery window.

  7. Psychological payload and leak: Handala logo on screens. Propaganda GIF on drives. Telegram claim posted. Data leak published for amplification.

Arsenal of wipers

TOOL / TECHNIQUE | PLATFORM | METHOD | DISTINCTIVE FEATURE

Handala Wiper (handala.exe) | Windows | Overwrites file contents; attacks MBR to corrupt disk structure | Custom binary; irreversible. Named artifacts left on disk.

AI-assisted PowerShell wiper | Windows | Recursively enumerates and deletes all files in user directories; floods drives with handala.gif | Verbose comments in code suggest AI-assisted (LLM-written) development. Deployed via GPO.

Hatef wiper | Windows | Rapid recursive file-level destruction; overwrites with 4096-byte random data blocks | Singleton check prevents multiple instances. Named from Persian "Hatef." Documented by Intezer / Israel INCD.

Hamsa wiper | Linux | Bash-based; targets Linux server file systems | Cross-platform capability. Used in tandem with Hatef for mixed Windows/Linux environments.

VeraCrypt abuse | Windows | Legitimate disk encryption tool downloaded via victim's own browser over RDP, then used to encrypt drives | Complicates forensic recovery. Downloaded from official site — avoids AV detection of malicious binary.

Microsoft Intune weaponisation | Cloud MDM | Admin credentials used to issue legitimate remote-wipe commands to all enrolled endpoints globally | No wiper binary deployed. Uses the organisation's own management infrastructure as a weapon. Bypasses EDR entirely. First documented at this scale at Stryker (Mar 2026).

NetBird deployment | Windows | Zero-trust mesh networking tool downloaded via victim browser; creates encrypted internal tunnel | New TTP as of 2026. Allows coordination between multiple attacker footholds. Legitimate tool — evades network-based detection.

MITRE ATT&CK MAPPING (V15)

TECHNIQUE ID | TACTIC | DESCRIPTION | OBSERVED

T1566 / T1598 | Initial Access | Phishing (Hebrew-language lures impersonating F5 updates) and phishing for credentials | Confirmed

T1133 | Initial Access | Compromised external-facing VPN accounts using stolen credentials | Confirmed

T1110 | Credential Access | Brute-force VPN login attempts; hundreds of logon attempts per target | Confirmed

T1199 | Initial Access | Supply chain compromise via IT/MSP providers for downstream victim access | Confirmed

T1078 | Defence Evasion / Persistence | Valid accounts used throughout; Infostealer-harvested admin credentials | Confirmed

T1021.001 | Lateral Movement | Remote Desktop Protocol (RDP) for manual lateral movement between internal systems | Confirmed

T1572 | Command and Control | NetBird zero-trust mesh VPN deployed inside victim network to tunnel C2 traffic | Confirmed

T1047 | Execution | WMI (wmic.exe) for remote process creation and file operations across AD hosts | Confirmed

T1484.001 | Defence Evasion | Group Policy Objects used to distribute wipers across all domain-joined systems simultaneously | Confirmed

T1490 | Impact | Inhibit system recovery: MBR wiping, VeraCrypt drive encryption, GPO-deployed wipers | Confirmed

T1485 | Impact | Data destruction via custom Handala wiper, Hatef, Hamsa, and PowerShell wiper | Confirmed

T1491 | Impact | Website and device defacement; Handala logo displayed on compromised login screens | Confirmed

T1048 | Exfiltration | Exfiltration over alternative protocols; data staged and exfiltrated before destructive phase | Claimed

T1057 / T1046 | Discovery | Process and network service discovery as part of manual reconnaissance inside victim environment | High confidence


Indicators of Compromise (IOCs)

ANALYST NOTE ON IOC RELIABILITY

The group operates primarily through manual, hands-on activity. Its infrastructure is transient: commercial VPN nodes, legitimate tools, and victim-controlled systems. The IOCs below have short shelf lives for blocking but are high-value for hunting and correlation. Domain and IP infrastructure should be used for threat hunting against historical logs rather than perimeter blocking in isolation. No victim-validated forensic IOCs from the Stryker intrusion have been publicly released as of this writing.

INFRASTRUCTURE — DOMAINS (DEFANGED)

Leak site (seized): handala-hack[.]to

Doxx platform (seized): handala-redwanted[.]to

Telegram channel: t[.]me/handala9 (actor primary channel; monitor only)

INFRASTRUCTURE — IP RANGES (DEFANGED)

VPN egress (primary): 169[.]150[.]227[.]X — commercial VPN range

VPN egress (secondary): 149[.]88[.]26[.]X — commercial VPN range

Starlink (post-Jan 2026): 188[.]92[.]255[.]X — Starlink IP range

Starlink (post-Jan 2026): 209[.]198[.]131[.]X — Starlink IP range

Israeli VPN node: 146[.]185[.]219[.]235 — assessed VPN service node, used intermittently

Vendor-cited C2 candidate: 31[.]57[.]35[.]223 — exposed Windows RPC/SMB (Shodan confirmed)

Vendor-cited C2 candidate: 82[.]25[.]35[.]25 — exposed Windows RPC/SMB (Shodan confirmed)

MALWARE — FILE HASHES (SHA-256 WHERE AVAILABLE)

Hatef wiper (variant): ca9bf13897af109cb354f2629c10803966eb757ee4b2e468abc04e7681d0d74a

Rhadamanthys infostealer: deployed via F5-themed phishing lures; numerous variants — search VirusTotal by family

BEHAVIOURAL / HOST INDICATORS

Wiper artifact: handala.gif dropped on logical drives after wiper execution

Wiper artifact: handala.exe — custom wiper binary in temp/system32 paths

NetBird deployment: netbird.exe downloaded via browser from netbird[.]io to non-standard paths

VeraCrypt abuse: veracrypt[.]fr downloads via victim browser over RDP session; mass drive encryption

Attacker host pattern: default Windows hostnames (DESKTOP-XXXXXX or WIN-XXXXXXXX) connecting to VPN/RDP

GPO distribution: new GPO logon scripts and scheduled tasks distributing executables to all domain hosts simultaneously
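As an added example (not code from the report or from any vendor tool), the host indicators above encoded as a small triage routine over constructed endpoint events. The event shape, host names, and the list of "standard" install directories for NetBird/VeraCrypt are assumptions; the artifact names and the drive-root GIF behaviour come from the report.

```python
"""Triage constructed process/file telemetry against the Handala host
indicators listed in the report: handala.exe in temp/system32 paths,
handala.gif dropped at drive roots (the PowerShell wiper floods drives
with it), and netbird.exe / VeraCrypt running from non-standard paths."""
import ntpath
from collections import Counter

# Where a sanctioned NetBird/VeraCrypt install would normally live.
# Assumption for the demo; align with the estate's software baseline.
STANDARD_INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Path fragments the report associates with the custom wiper binary.
WIPER_DIRS = ("\\temp\\", "\\windows\\system32\\")


def norm(path):
    """Normalise a Windows path for case-insensitive comparison."""
    return path.replace("/", "\\").lower()


def at_drive_root(path):
    """True for files directly under a drive letter, e.g. c:\\handala.gif."""
    parent = ntpath.dirname(path)
    return len(parent) == 3 and parent[1:] == ":\\"


def classify(event):
    """Return the indicator names matched by a single telemetry event.
    event = {"host": str, "type": "process" | "file", "path": str}"""
    path = norm(event["path"])
    name = ntpath.basename(path)
    hits = []
    if event["type"] == "process":
        if name == "handala.exe" and any(d in path for d in WIPER_DIRS):
            hits.append("handala.exe in temp/system32")
        if name in ("netbird.exe", "veracrypt.exe") and not path.startswith(STANDARD_INSTALL_DIRS):
            hits.append(name + " from non-standard path")
    elif event["type"] == "file" and name == "handala.gif" and at_drive_root(path):
        hits.append("handala.gif at drive root")
    return hits


def triage(events, gif_flood_threshold=3):
    """Aggregate hits per host and add a flood flag when handala.gif lands
    on several drive roots of the same host, matching the wiper's behaviour."""
    report = {}
    gifs = Counter()
    for ev in events:
        for hit in classify(ev):
            report.setdefault(ev["host"], []).append(hit)
            if hit == "handala.gif at drive root":
                gifs[ev["host"]] += 1
    for host, n in gifs.items():
        if n >= gif_flood_threshold:
            report[host].append("handala.gif flood across %d drive roots" % n)
    return report


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-014", "type": "process", "path": r"C:\Users\Public\Temp\handala.exe"},
    {"host": "WS-014", "type": "file", "path": r"C:\handala.gif"},
    {"host": "WS-014", "type": "file", "path": r"D:\handala.gif"},
    {"host": "WS-014", "type": "file", "path": r"E:\handala.gif"},
    {"host": "WS-022", "type": "process", "path": r"C:\Users\jdoe\Downloads\netbird.exe"},
    {"host": "WS-022", "type": "process", "path": r"C:\Program Files\VeraCrypt\VeraCrypt.exe"},
    {"host": "WS-031", "type": "file", "path": r"C:\Users\jdoe\Pictures\handala.gif"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host)
        for h in hits:
            print("   -", h)
```

The sanctioned VeraCrypt install on WS-022 and the stray GIF in a user's Pictures folder on WS-031 are deliberately left unflagged so the rules stay tied to the report's placement details rather than bare filenames.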

Current status

As of the date of this report, Handala is in a state of active disruption but not operational shutdown. The FBI website seizure on March 20, 2026 removed the group's primary public leak and propaganda infrastructure. The confirmed killing of Seyed Yahya Hosseini Panjaki — the MOIS official who oversaw the Void Manticore unit — represents a significant leadership disruption without precedent in this actor's history.

However, several factors point to rapid reconstitution:

  • Handala's immediate Telegram response to the FBI seizure announced new replacement infrastructure is forthcoming — consistent with its response to previous platform takedowns.

  • The group continues to expand its target scope, claiming attacks on Israeli intelligence officials and Hebrew University even amid the post-Stryker pressure.

  • MOIS cyber units operate with institutional continuity beyond individual leadership. Replacement supervision is likely underway.

  • The operational security decline (direct Iranian IP connections, Starlink use) predates the current disruption and may reflect wartime internet restrictions in Iran rather than operational sloppiness that would persist post-reconstitution.


Threat assessment level

ELEVATED. The combination of geopolitical escalation (active U.S.-Iran-Israel military conflict), demonstrated willingness to attack U.S. corporations, pre-positioning tradecraft (access established months before detonation), and rapid infrastructure reconstitution capability means that security teams should not treat the FBI seizure as a resolution. Handala has declared this "a new chapter in cyber warfare." At the time of this report, the group is rebuilding and is assessed as likely to execute further operations against U.S. and Western targets within 30–60 days.

Potential future targets

Handala's target selection follows a clear geopolitical logic: organisations with direct or contractual relationships to the U.S. or Israeli military, intelligence, or critical economic infrastructure. The IRGC separately published a list of U.S. tech companies — including Google — as targets, signalling broader Iranian cyber intent in the current escalation period.

PRIORITY 1 — HIGH

U.S. Defense and Dual-Use Technology Firms

Stryker was targeted because of its $450M DoD medical device contract. Expect similar logic to apply to aerospace, logistics, communications, and cybersecurity firms with DoD/DoD contractor relationships.

PRIORITY 1 — HIGH

Healthcare and medical device manufacturers

Stryker's disruption impacted hospital supply chains globally. Healthcare is soft-target high-impact: maximum civilian disruption, high media visibility, low OT security maturity.

PRIORITY 2 — ELEVATED

Financial Services and payment infrastructure

IRGC explicitly named banks and economic centres as legitimate targets. Handala's simultaneous Verifone claim (alongside Stryker) signals payment infrastructure targeting intent. High-value disruption potential.

PRIORITY 2 — ELEVATED

Critical National Infrastructure (Energy, Water, Telecom)

IRGC/Homeland Justice precedent in Albania. ICS/SCADA environments with poor IT/OT segmentation are prime targets for maximum operational disruption. CyberAv3ngers (separate IRGC unit) already targets water utilities.

PRIORITY 2 — ELEVATED

IT Managed Service Providers

MSPs are not end targets — they are access vectors. Handala systematically targets IT and service providers to harvest downstream victim credentials. Any MSP serving sectors above is at elevated risk of being used as an access bridge.

PRIORITY 3 — MODERATE

Gulf State Economic Targets

Handala has claimed attacks against UAE and Saudi energy companies (1.3 TB exfiltration claimed). Gulf normalisation with Israel (Abraham Accords) makes Gulf-Israeli connected organisations a logical extension target.

Defensive recommendations

The Stryker attack's most important lesson for defenders is the weaponisation of administrative infrastructure — Microsoft Intune used as a mass wipe platform. Traditional endpoint detection and response tools generate no telemetry for a legitimate remote-wipe command issued from an authorised admin console. Defending against Handala requires identity-first architecture and MDM governance.

PRIORITY | CONTROL | RATIONALE FROM HANDALA TTPS

CRITICAL | Phishing-resistant MFA (FIDO2) on all Intune, Azure AD, and MDM admin accounts | Infostealer-harvested credentials were the initial access vector for Stryker. Phishing-resistant MFA defeats credential replay entirely.

CRITICAL | Audit and alert on all Intune remote-wipe commands; implement an approval workflow for mass device actions | 200,000+ devices wiped via legitimate Intune admin commands. No alert fired. Mass remote wipe must require out-of-band approval.

CRITICAL | Block and alert on connections from Starlink IP ranges, Iranian IP space, and commercial VPN ranges to VPN/RDP | Handala's egress infrastructure is documented. Geolocation and ASN-based controls at the VPN perimeter are highly effective.

HIGH | Monitor for netbird.exe and VeraCrypt downloads from legitimate sites via browser on managed endpoints | Handala downloads both tools interactively via the victim's browser over RDP. Context-aware DLP will flag unusual downloads of zero-trust networking tools.

HIGH | Infostealer credential monitoring: subscribe to commercial dark web monitoring for corporate credentials | Stryker's admin credentials were in Infostealer logs months before the attack. Mandatory 4-hour rotation SLA upon detection.

HIGH | Restrict GPO creation and modification rights; alert on new GPO logon scripts and scheduled tasks | Handala distributes wipers via GPO across the domain. New GPO creation by non-baseline accounts is a high-fidelity detection signal.

HIGH | Hunt for default Windows hostnames (DESKTOP-XXXXXX, WIN-XXXXXXX) appearing in VPN/RDP logs from external IPs | Handala operators consistently connect from default-hostname Windows machines, a high-fidelity behavioural signature in authentication logs.

MODERATE | Immutable, air-gapped backups for all systems; test restore procedures for MDM configurations monthly | Wiper attacks are only catastrophic if there is no clean backup. Offline, immutable backup is the last line of defence against destructive campaigns.


Detection tips

Handala establishes access months before the destructive phase. This is the detection window. Hunt for anomalous VPN logons from foreign ASNs, unusual RDP source-destination pairs, and privileged account access during off-hours in your historical logs going back 90–180 days. If Handala is pre-positioned in your environment, the footprints are there. The question is whether your detection architecture is instrumented to find them before the wiper fires.

If you are auditing your environment or in the middle of an IEC 62443-based risk assessment, look for these specific anomalies:

  • Network: Outbound traffic to 91.92.241[.]xxx (known Handala C2 range).

  • Filesystem: Presence of Setup_Security.exe or Update_Patch.exe with a null or spoofed digital signature in the %TEMP% directory.

  • Behavioral: Mass execution of vssadmin.exe delete shadows /all /quiet followed by an immediate system reboot.
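An added hunting example for the pre-positioning window described above, covering the anomalous external logons, default-hostname signature and documented egress ranges that the detection tips and the recommendations table both call out. This is not code from the report; the log line format, the privileged-account naming markers, the business-hours window and the /24 reading of the report's "X" ranges are all assumptions.

```python
"""Hunt constructed VPN/RDP authentication records for the Handala
pre-positioning patterns the report describes: logons from documented
egress ranges, default Windows hostnames on external connections, and
privileged-account logons outside business hours."""
import ipaddress
import re
from datetime import datetime

# Egress ranges from the report's IOC section. The report gives them as
# "X" ranges; treating each as a /24 is an assumption for this demo.
HANDALA_EGRESS = [ipaddress.ip_network(c) for c in (
    "169.150.227.0/24",    # commercial VPN (primary)
    "149.88.26.0/24",      # commercial VPN (secondary)
    "188.92.255.0/24",     # Starlink
    "209.198.131.0/24",    # Starlink
    "146.185.219.235/32",  # assessed VPN node used intermittently
)]

# Default Windows hostnames flagged by the report (DESKTOP-XXXXXX / WIN-XXXXXXX);
# the length range is widened a little to cover both forms.
DEFAULT_HOSTNAME = re.compile(r"^(DESKTOP|WIN)-[A-Z0-9]{6,11}$", re.IGNORECASE)

# Substrings that mark privileged accounts in this constructed naming scheme.
PRIVILEGED_MARKERS = ("admin", "da_", "intune")
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local; assumption


def parse_line(line):
    """Parse one constructed record: ts=<iso> user=<u> src=<ip> host=<h> svc=<vpn|rdp>."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def findings_for(rec):
    """Return the list of hunt findings that apply to a single record."""
    hits = []
    src = ipaddress.ip_address(rec["src"])
    if any(src in net for net in HANDALA_EGRESS):
        hits.append("source IP in documented Handala egress range")
    if DEFAULT_HOSTNAME.match(rec["host"]):
        hits.append("default Windows hostname on remote logon")
    if rec["ts"].hour not in BUSINESS_HOURS and any(
            m in rec["user"].lower() for m in PRIVILEGED_MARKERS):
        hits.append("privileged account logon outside business hours")
    return hits


def hunt(lines):
    """Return {user: [findings]} for every record that trips at least one check."""
    results = {}
    for line in lines:
        rec = parse_line(line)
        hits = findings_for(rec)
        if hits:
            results.setdefault(rec["user"], []).extend(hits)
    return results


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "ts=2026-02-03T02:14:00 user=da_jsmith src=169.150.227.41 host=DESKTOP-7H3K2QA svc=vpn",
    "ts=2026-02-03T09:30:00 user=mlee src=203.0.113.10 host=LT-MLEE-01 svc=vpn",
    "ts=2026-02-10T23:51:00 user=intune_admin src=188.92.255.17 host=WIN-A1B2C3D4 svc=rdp",
    "ts=2026-02-11T10:05:00 user=svc_backup src=10.20.1.5 host=SRV-BKP-01 svc=rdp",
]

if __name__ == "__main__":
    for user, hits in hunt(SAMPLE_LOG).items():
        print(user)
        for h in hits:
            print("   -", h)
```

Against real data, run the same checks over 90-180 days of historical VPN and RDP logs rather than live traffic only, since the report's point is that the footprints predate the destructive phase by months.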

Actionable intelligence

  1. Block Telegram APIs: If your business doesn't require Telegram for operations, block api.telegram.org at the firewall. This breaks their primary exfiltration and C2 channel.

  2. MFA for Everything: Handala relies heavily on credential harvesting from initial phishing. If an account doesn't have hardware-backed MFA (FIDO2), it is a door left wide open.

Additional reading

A downloadable report on the Stryker cyber incident
IEC 62443-based OT/ICS risk assessment checklist for the food and beverage manufacturing sector
Removable media scan solution vendor evaluation and selection checklist


