Prayukth K V
In the world of Cyber Threat Intelligence (CTI), we usually talk about "persistence" as a technical state. This could mean a registry key here, a scheduled task there, or even a payload lurking in the dark depths of a long-forgotten yet still-connected device or network. But what we are witnessing with the Iranian-linked actor Handala (tracked as Void Manticore or Storm-0842) is something a bit more primal: operational resilience.
Despite the massive kinetic strikes of early March 2026 (Operation Epic Fury) that leveled IRGC cyber headquarters and took out key leadership figures, including deputy minister Seyed Yahya Hosseini Panjaki, Handala didn't just make its presence felt. They escalated. The recent wiping of over 200,000 devices at Stryker Corporation across 79 countries is essentially a masterclass in how a "suppressed" actor strikes at will when no one expects them to.
So, how does a group "bounce back" when their physical world is literally on fire? Here is a breakdown of the Handala resilience playbook that offers some answers. The analysis is essentially a data- and evidence-based sketch of what we have seen in the last few weeks.
Before we move forward, don’t forget to check out our previous blogpost on the topic: Mapping NIST CSF 2.0 to IEC 62443: A Practical Framework for Industrial OT Security.
The "pre-positioned" trigger strategy
One of the most sobering realizations from the Stryker incident is that the strikes on Iran didn't actually cause the cyberattack; they simply pulled the trigger.
Handala’s resilience relies on what can be called a "long-fuse" strategy defined by:
Dormant footholds: Intelligence suggests they had established administrative access weeks, if not months, prior. They knew they would have to show proof of access and disruption during a war.
Identity weaponization: Instead of relying solely on vulnerable local infrastructure, they move into the victim's cloud. By abusing Microsoft Intune and Entra ID, they turned the victim's own management tools into a massive, distributed wiper. The impact was catastrophic, and Handala didn’t stick around to ask for a ransom or negotiate. They moved on to collaborate with Russian APT groups to attack a nuclear facility in Poland.
The lesson: You can bomb a server room in Tehran, but you can’t "bomb" a compromised global admin credential sitting in the Azure cloud.
As per Shieldworkz research, Handala is working with APT35, another Iranian threat actor that specializes in pre-positioning. So the collaboration spans partners inside Iran as well as outside its borders.
Infrastructure agnosticism (The Starlink Pivot)
When the Iranian regime throttled internet connectivity to 1–4% to prevent inbound tracking during the conflict, Handala simply changed the "pipe."
Shieldworkz research indicates a swift migration to Starlink satellite connectivity and commercial VPN nodes (many Starlink IPs have shown up on the list of addresses linked to Handala). By decoupling their operations from the national ISP infrastructure, they created a "borderless" operating environment that removed their dependency on domestic connectivity. They aren't just "Iranian hackers"; they are a distributed, cell-based operation that happens to be aligned with Iranian interests.
This mirrors the actions of the Iranian armed forces, who are said to operate on a decentralized mosaic model. These mosaics, each led by a zonal leader, have orders to strike at will if central leadership is disrupted.
The "disrupt + leak and then amplify" doctrine
Handala has mastered the art of Information Shock. Their playbook follows a rigid, high-tempo cycle:
Technical strike: Deploy wipers (like the Hatef or Hamsa variants).
Narrative hijack: Within hours, screenshots and exaggerated claims (e.g., "50TB stolen") are blasted across Telegram and X.
Psychological toll: By targeting sensitive sectors like medical devices or kindergarten alert systems, they ensure the "fear" outlasts the technical recovery.
The potential playbook: A blueprint for the "Modern APT"
If we were to draft the "Handala Playbook" that other APTs (Advanced Persistent Threats) may be studying right now, it would look like this:
Phase I: The "Handoff" model
Intelligence from Shieldworkz shows a two-tier system. A "quiet" actor (like APT 35) establishes the deep, multi-year access. When geopolitical tensions boil over (like the Feb 28 school strike in Minab), they "hand off" the credentials to the "loud" actor (Handala) to pull the trigger and announce the strike.
CTI Insight: The access is decoupled from the actor. Even if the Handala "operators" are neutralized, the access remains in the hands of the quiet collectors.
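The identity-weaponization point above (a management tool such as Intune turned into a distributed wiper) and the Phase I handoff (a quietly held credential suddenly used at scale) together suggest two signals a defender can look for in management-plane audit logs: a burst of destructive device actions from a single account, and a long-dormant account that reactivates to issue them. The script below is an added example written for this post, not code from Shieldworkz or from the original article. The record shape (time, actor, action, target) and the action names are assumptions loosely modelled on Intune audit records rather than a documented schema, and the log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Action names treated as destructive. These are assumed labels for this
# example, loosely modelled on Intune device actions, not a documented schema.
DESTRUCTIVE = {"wipe ManagedDevice", "retire ManagedDevice", "delete ManagedDevice"}

# Constructed sample audit events (not real logs). svc-mdm-admin is silent for
# weeks, then issues six wipes in twelve seconds; helpdesk.amy does routine work.
SAMPLE_EVENTS = [
    {"time": "2026-01-20T09:15:00Z", "actor": "svc-mdm-admin", "action": "signIn", "target": "-"},
    {"time": "2026-03-04T10:00:00Z", "actor": "helpdesk.amy", "action": "wipe ManagedDevice", "target": "PHONE-0042"},
    {"time": "2026-03-04T14:30:00Z", "actor": "helpdesk.amy", "action": "retire ManagedDevice", "target": "PHONE-0043"},
    {"time": "2026-03-04T23:00:10Z", "actor": "svc-mdm-admin", "action": "wipe ManagedDevice", "target": "LAPTOP-0001"},
    {"time": "2026-03-04T23:00:12Z", "actor": "svc-mdm-admin", "action": "wipe ManagedDevice", "target": "LAPTOP-0002"},
    {"time": "2026-03-04T23:00:15Z", "actor": "svc-mdm-admin", "action": "wipe ManagedDevice", "target": "LAPTOP-0003"},
    {"time": "2026-03-04T23:00:17Z", "actor": "svc-mdm-admin", "action": "wipe ManagedDevice", "target": "LAPTOP-0004"},
    {"time": "2026-03-04T23:00:20Z", "actor": "svc-mdm-admin", "action": "wipe ManagedDevice", "target": "LAPTOP-0005"},
    {"time": "2026-03-04T23:00:22Z", "actor": "svc-mdm-admin", "action": "wipe ManagedDevice", "target": "LAPTOP-0006"},
]


def parse_ts(value):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def bulk_destructive_bursts(events, window_minutes=10, threshold=5):
    """Sliding-window count of destructive actions per actor.

    Returns {actor: (window_start, count)} for each actor whose busiest
    window_minutes span holds at least `threshold` destructive actions.
    """
    window = timedelta(minutes=window_minutes)
    per_actor = defaultdict(list)
    for event in events:
        if event["action"] in DESTRUCTIVE:
            per_actor[event["actor"]].append(parse_ts(event["time"]))
    alerts = {}
    for actor, times in per_actor.items():
        times.sort()
        best_start, best_count, lo = None, 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the left edge forward
                lo += 1
            if hi - lo + 1 > best_count:
                best_start, best_count = times[lo], hi - lo + 1
        if best_count >= threshold:
            alerts[actor] = (best_start, best_count)
    return alerts


def days_dormant_before(events, actor, moment):
    """Days between the actor's last recorded event strictly before `moment`
    and `moment` itself; None when the actor has no earlier history."""
    earlier = [parse_ts(e["time"]) for e in events
               if e["actor"] == actor and parse_ts(e["time"]) < moment]
    if not earlier:
        return None
    return (moment - max(earlier)).total_seconds() / 86400


def triage(events, dormant_days=30):
    """Combine both signals: a destructive burst, and whether the account
    that issued it had been idle for at least `dormant_days` beforehand."""
    findings = []
    for actor, (start, count) in bulk_destructive_bursts(events).items():
        idle = days_dormant_before(events, actor, start)
        findings.append({
            "actor": actor,
            "burst_start": start.isoformat(),
            "destructive_count": count,
            "days_dormant": None if idle is None else round(idle, 1),
            "dormant_reactivation": idle is not None and idle >= dormant_days,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the script flags only `svc-mdm-admin`: six wipes inside a ten-minute window from an account with no activity for roughly 43 days, while the help-desk account's two spaced-out actions stay below the threshold. The window, threshold and dormancy period are deliberately parameters; tune them against your own tenant's normal volume of device retirements before alerting on them.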
Phase II: Infrastructure hardening (the Starlink pivot)
Since mid-January 2026, Handala has been documented using black-market Starlink terminals seized from Iranian activists.
Impact: This bypasses the Iranian government's "Filternet" and internet shutdowns.
Strategic Value: It allows them to maintain a 24/7 "Command and Control" (C2) presence that is completely independent of the national grid.
Lends obscurity: They can hide behind various IP ranges to mask the origin of the malicious traffic.
Phase III: The narrative "force multiplier"
Handala understands that psychological impact > technical impact.
They defaced Stryker’s Entra login pages with the Handala logo before the wipe.
They claimed 50TB of exfiltrated data (likely an exaggeration) to create a "panic loop" for the board of directors.
The Playbook: Strike the backup systems first, then wipe the endpoints, then leak the data.
Social media accounts linked to the group went ballistic within an hour of the announcement of the breach, making wild claims about the whole incident.
What this means for the Global APT Landscape
Handala is the blueprint for Asymmetric Cyber Warfare 2.0. They have proven that:
Cyber is "Bomb-Proof": Unlike ballistic missiles, cyber capacity doesn't require a factory. It requires a laptop and a satellite link. This makes it the ultimate tool for a cash-strapped or war-torn state.
Identity is the New Perimeter: The shift from "malware" to "identity abuse" (Intune/Azure) means traditional firewalls are increasingly irrelevant.
The "Cockroach" Effect: Other actors (like North Korea’s Lazarus or Russia’s Sandworm) are watching. They see that even under total military siege, a small team of 10–30 operators can cause global chaos if they own the right identities.
The "Handala Model" represents a worrying evolution for global security:
· From "Malware-first" to "Identity-first": Expect Russian (Sandworm) and North Korean (Lazarus) actors to move away from expensive zero-day exploits and toward mass-scale Identity Hijacking.
· SaaS blast radius: As companies move more to the cloud (Intune, Azure, Salesforce), the "blast radius" of a single compromised admin account grows exponentially.
· Kinetic-cyber decoupling: We can no longer assume that hitting a nation's infrastructure will stop their cyber operations. The "digital soldier" of 2026 is mobile, satellite-connected, and cloud-native.
Handala isn't just a threat actor; they are a symptom of the new threat landscape reality. They strike "at will" because they have already spent the time doing the boring work: harvesting credentials and sitting quietly in the corners of our networks.