


Prayukth K V
Earlier today, Iran International published an exclusive news item claiming the Islamic Revolutionary Guard Corps (IRGC) has effectively staged a soft coup within Tehran. They have started blocking presidential appointments, erecting a security cordon around Supreme Leader Mojtaba Khamenei, and installing a military council of IRGC officers as the de facto executive authority of the Iranian state.
For political analysts, this is a story about the militarization of a theocracy under the umbrella of an ongoing war. But for cyber threat intelligence practitioners, this event could mark the beginning of a whole new series of threats and risks in cyberspace. The events on the ground are already casting a shadow, and with this alleged takeover one of the IRGC's most well-known arms will now get more freedom and resources to carry out its agenda.
The entity that concerns us here is Handala. Followers of our threat intelligence advisories will know this threat actor very well. The IRGC's consolidation of power removes one of the last remaining friction points that even loosely constrained Handala's operational tempo. The group is definitely not going quiet.
Before we move forward, don't forget to check out our previous blog, A CTI leader's guide to building an APT sandbox.
Who is Handala?
Before we can go into why the IRGC's power seizure matters, we need to be precise about what Handala actually is. The descriptor "hacktivist" often associated with the group flatters it and misleads defenders.
Handala is not a grassroots collective. It is a carefully constructed public-facing persona operated by "Void Manticore", also tracked as Banished Kitten, Storm-0842 and Red Sandstorm. It is a cyber unit embedded within Iran's Ministry of Intelligence and Security (MOIS), specifically its Counter-Terrorism (CT) Division. The command chain, documented through open-source reporting, Shieldworkz research and U.S. Treasury designations, runs to a named individual, "Seyed Yahya Hosseini Panjaki", a deputy minister-level official who was U.S. Treasury-sanctioned in September 2024 for overseeing Iranian dissident assassination operations — and who was subsequently reported killed in Israeli strikes on MOIS headquarters in early March 2026.
Handala maintains at least three public-facing operational personas: "Handala Hack" (the primary, dominant persona since late 2023, focused on Israel and now the United States), "Karma" (a predecessor identity that has gone dormant), and "Homeland Justice" (the persona used in the 2022 destructive attacks on Albanian government infrastructure, including the TIMS border management system and national telecom networks). These are not three separate groups; they are three masks on the same operational team.
The group has historically purchased initial access from underground criminal services — a deliberate choice that preserves operational separation and allows plausible deniability. It is a state cyber unit that shops from the darknet. That tells you everything about the register it operates in. Handala's playbooks are changing: the group now participates in direct attacks and false-flag operations alongside Russian threat actors. It has been through multiple evolutionary cycles, is past its reputation-building phase, and is entering a more destructive cycle.
Old Handala vs new Handala
| Feature | Old Handala (MOIS Front) | New Handala (IRGC Orchestrated) |
| --- | --- | --- |
| Primary Goal | Psychological impact / Doxxing | Industrial sabotage / Economic damage |
| Methods | Wipers, Phishing, Ransomware | Cloud Admin abuse (Intune), Auth Hijacking |
| Coordination | Semi-independent "faketivist" | "Electronic Operations Room" (IRGC Command) |
| Target Scope | Primarily Israel | Global (US, EU, Gulf States, Tech Giants) |
For the operational record: This is not a peripheral actor
Handala's documented attack record is not the kind you associate with a bumbling, unsophisticated hacktivist group. Shieldworkz's threat researchers documented IOCs related to this group in 35 different honeypot environments around the world between January and February 2026, when the group was actively pre-positioning its payloads across environments linked to key targets in 14 countries.
In addition, the following represent high-confidence, verified operations:
Wiper attacks against Israeli civilian and government infrastructure. Handala has used multiple simultaneous wiping methods — custom-built and publicly available — against Israeli targets, often in tandem with hack-and-leak operations designed to maximise psychological pressure. Check Point Research documented newly observed TTPs in 2026, including the deployment of NetBird to tunnel traffic into victim networks and the use of an AI-assisted PowerShell script to automate wiping activity. This is not an unsophisticated actor.
The Stryker attack, March 2026.
Handala claimed responsibility for a destructive malware attack against Stryker, a Michigan-based U.S. Fortune 500 medical technology company. The attackers appear to have gained access to Stryker's Active Directory infrastructure — when exactly is unclear, indicating pre-positioning — and used Microsoft Intune's endpoint management capability to remotely wipe devices and servers across the company's global footprint. The company was still working to restore full manufacturing capacity weeks later. This was a structural escalation: Handala moved from Israeli infrastructure targets to a U.S. Fortune 500 company with direct destructive impact.
Breach of FBI Director Kash Patel's personal email.
Handala claimed to have compromised Patel's personal email account. The FBI confirmed the targeting. The accessed data was described as "historical in nature" — but the targeting of the sitting FBI Director's personal communications is a deliberate provocation, calculated to demonstrate reach and inflict reputational damage.
Doxxing of Lockheed Martin engineers.
The group sent unsolicited SMS messages containing personally identifiable information to Lockheed Martin engineers based in Israel, demanding that they leave the country within 48 hours — a physical intimidation operation enabled by a cyber intrusion. The boundary between cyber operations and threats of physical violence is one Handala deliberately blurs.
Jordan's fuel systems and an Israeli energy exploration company.
Handala claimed compromise of Jordan's fuel infrastructure and an Israeli energy exploration firm — both claimed in the context of the broader Electronic Operations Room established February 28, 2026, immediately after Operation Epic Fury, the U.S.-Israeli joint military strikes on Iran.
The U.S. Department of Justice seized four Handala-linked domains on March 19, 2026 — handala-hack[.]to, handala-redwanted[.]to, justicehomeland[.]org, and karmabelow80[.]org. The group's response was to continue operating. The group also changes its Telegram channels frequently.
The pivot point: IRGC consolidation and what it destroys
Handala is a MOIS asset and MOIS is Iran's civilian intelligence ministry — the domestic and foreign intelligence apparatus that operates under notionally civilian government oversight, distinct from the IRGC's military intelligence structures. The IranIntl exclusive of April 1, 2026 documents that the IRGC has now done the following:
- Blocked MOIS leadership appointments.
President Pezeshkian's effort to appoint a new intelligence minister was personally vetoed by IRGC chief-commander Ahmad Vahidi, who declared that "all critical and sensitive leadership positions must be selected and managed directly by the IRGC until further notice."
- Imposed a military council over state decision-making.
A council of senior IRGC officers now exercises executive authority, with a security cordon preventing government reports from reaching the Supreme Leader's inner circle.
- Effectively absorbed MOIS command authority.
With the MOIS deputy minister assessed to have led Handala (Panjaki) killed, and now MOIS leadership appointments blocked by the IRGC, the organisational line of civilian accountability that ran from Handala's operators upward through the MOIS has been severed or subordinated.
This matters for five specific, discrete reasons:
1. The death of Panjaki was not the end of Handala — and the IRGC takeover makes a reconstitution far more dangerous.
When Panjaki was killed in early March 2026, initial analysis across the security community assessed that this could disrupt Handala's operational continuity. The evidence says otherwise. The group continued to operate — the Stryker attack, the Patel breach, the Lockheed Martin doxxing all occurred after Panjaki's reported death. This demonstrated that Handala had achieved a degree of operational decentralisation that made it resilient to leadership decapitation.
Now consider what happens when the IRGC, which has its own cyber arm (the IRGC Cyber-Electronic Command, IRGC-CEC), takes control of the state security apparatus. The IRGC-CEC has historically conducted state-directed ICS/OT targeting operations — a different and in many respects more technically sophisticated attack profile than the psychological and destructive operations that characterise MOIS/Handala. The convergence of these two traditions under a unified IRGC command structure creates the conditions for cross-pollination of capabilities: IRGC targeting intelligence and OT expertise flowing into Handala-style destructive and hack-and-leak operations.
2. Civilian oversight — however minimal — has been removed.
To describe MOIS oversight of Handala as robust would be generous. But civilian bureaucracies, even authoritarian ones, impose some constraints: risk calculations, concern about attribution, diplomatic exposure. The IRGC is a military organisation in a shooting war. It does not operate on the same calculus. When IRGC officers replace civilian intelligence ministers in the approval chain for offensive cyber operations, the threshold for authorising a destructive attack against a U.S. company, a European critical infrastructure operator, or a Gulf state energy system drops. The bureaucratic friction that even marginally constrained operational scope is gone.
3. Wartime operational mandate expands the permissible target set.
The IRGC has declared itself in a wartime posture. In that framing, cyber attacks on adversary infrastructure are not provocations — they are force-multiplying instruments of war. The group's own Electronic Operations Room, established February 28, 2026, specifically framed cyber operations as a theatre of the kinetic conflict. Under IRGC command authority, this framing becomes doctrine. Entities that would previously have been considered diplomatically sensitive targets — Gulf state financial infrastructure, European energy companies, U.S. telecommunications firms — become legitimate in IRGC's wartime logic.
4. Handala has already demonstrated the ability to operate under degraded connectivity and command disruption.
Shieldworkz Research documented a critical and underappreciated finding. After Iran's nationwide internet shutdown in January 2026, Handala continued conducting brute-force and logon attempts against organisational VPN infrastructure, pivoting to Starlink IP ranges to maintain operational continuity and to leverage pre-positioned access. The group can operate when Iran's internet is down, using stolen Starlink transceivers. It can operate when its domestic leadership is killed. It can operate when its primary domain infrastructure is seized by the DOJ. The resilience profile of this actor is a significant force multiplier and is the main reason why Handala is on the IRGC radar.
The IRGC's consolidation of power does not require Handala to rebuild or reconstitute. It operates as a going concern. What the IRGC power seizure does is remove the structural constraints that shaped Handala's targeting aperture and operational risk tolerance.
What’s next?
Handala’s mandate will change. It will be given a more autonomous role.
Handala's historical targeting follows a discernible progression: Israeli government and defense → Israeli civilian infrastructure (healthcare, energy) → Gulf state adjacent targets → U.S. defence-adjacent companies → U.S. Fortune 500 enterprises → symbolic U.S. government individuals. Each escalation step was correlated with a specific geopolitical trigger event.
The IRGC's consolidation of power, occurring in the context of an active shooting war, represents the most significant geopolitical escalation trigger Handala has ever operated under. The following target categories face materially elevated risk:
U.S. critical infrastructure and Fortune 500 companies with Israeli technology partnerships or supply chain relationships. Handala has already demonstrated the template with Stryker: pre-position inside the target, wait for a geopolitical moment, execute a destructive wipe. Arctic Wolf's Ismael Valenzuela explicitly assessed that further targeting of U.S. firms with Israeli supply chain ties is a near-certainty.
GCC financial and energy infrastructure. Handala already claimed the compromise of Jordan's fuel systems. The DieNet group — a separate pro-Iran hacktivist entity — claimed attacks on airports in Bahrain, Sharjah, and targeted Riyadh Bank. Under IRGC wartime authority, Gulf states that host U.S. military assets or have normalised relations with Israel face explicit targeting rationale. Energy infrastructure at Bahrain and UAE represents both symbolic and operational value.
European entities with Iran sanctions exposure. The IRGC has a documented history of using cyber operations against European governments as pressure instruments in diplomatic disputes. With civilian government sidelined, the restraint that even Iran's civilian negotiators applied to European targeting evaporates.
Iranian diaspora, journalists, and dissidents. This is a non-negotiable mission for the IRGC regardless of conflict tempo. The Handala-redwanted platform's function as a tool for identifying and locating regime critics for potential physical harm does not pause during a power transition. It intensifies.
Healthcare and civilian-critical services. The Stryker attack, combined with Handala's historical targeting of Israeli healthcare, establishes a clear doctrinal preference: attacking systems that sustain life maximizes psychological impact. Under IRGC authority, the calculation about acceptable collateral harm to civilian populations in adversary countries shifts further toward permissiveness.
The "Void Manticore Absorbs IRGC-CEC" scenario: A forward assessment
The most consequential forward scenario — not yet evidenced but analytically well-founded — is the functional merger of MOIS cyber operations (Void Manticore/Handala) with IRGC-CEC capabilities under unified IRGC command authority.
IRGC-CEC has demonstrated capability against industrial control systems and operational technology. The IRGC-affiliated threat actor APT 35 is consistently popping up in our honeypots in countries such as India, the UAE, Ukraine, South Korea, the USA and Brazil. Handala may increase its cooperation with this group to reach the networks that APT 35 already has access to.
Handala's strength lies in its human-facing capabilities: social engineering for initial access, psychological operations, hack-and-leak cadence, and the media and Telegram amplification infrastructure for maximum impact.
If IRGC command authority causes even informal integration of these two capability sets — IRGC-CEC's OT targeting capability channelled through Handala's proven access and operational infrastructure — the resulting threat profile approaches something qualitatively different from what defenders have previously faced from Iran-aligned actors.
What defenders should do now
1. Threat hunt for Handala TTPs immediately. The group's indicators are documented and shared by Shieldworkz. Hunt for these now, not after a claim appears on Telegram.
2. Treat Intune as a lateral movement and destructive vector. The Stryker attack used Microsoft Intune's legitimate endpoint management capability to execute remote device wipes at scale. Audit all Intune job creations. Restrict access to Intune's remote wipe and deployment capabilities to the minimum necessary set of identities, enforce MFA on all admin accounts, and review service account permissions in your endpoint management infrastructure.
3. Protect your Active Directory before Handala does. The group's documented playbook includes pre-positioning inside Active Directory before executing destructive operations. If Handala is inside your AD, by the time you see the wiper, the clock has already run out. Implement tiered AD administration, enforce privileged access workstations, and monitor for anomalous group policy changes and service account creation.
4. Do not wait for the claim post. Handala's most destructive operations begin weeks or months before the public announcement. The group exfiltrates, pre-positions, and then publishes only when ready to execute. By the time you read a claim on handala-hack[.]to, you may already be a victim. Reduce your attack surface now, based on the targeting logic above, not based on retrospective claim attribution.
5. Monitor Telegram for the Electronic Operations Room cadence. Handala amplifies through Telegram. The Electronic Operations Room, established February 28, 2026, has become the coordination mechanism for Iran-aligned cyber activity during this conflict. Monitoring these channels — through licensed threat intelligence platforms — gives defenders early warning of targeting shifts and claim patterns before they translate into live attacks.
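Recommendation 2 above asks you to audit Intune wipe activity and limit who may issue it. The following is an added example (not Shieldworkz or Microsoft code) of the triage logic: it reads Intune audit events in the field layout of the Microsoft Graph deviceManagement/auditEvents resource, flags wipe/retire actions by identities outside an assumed allowlist, and flags bursts of wipes by one actor. The sample events and the exact activityType strings are constructed.

```python
"""Triage Microsoft Intune audit events for remote-wipe abuse (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

AUTHORISED_WIPERS = {"intune-break-glass@example.com"}  # assumed allowlist
DESTRUCTIVE_KEYWORDS = ("wipe", "retire", "delete")     # looked for in activityType
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3                                     # wipes per window by one actor

def _ev(ts, activity, op, upn, *devices):
    """Build a constructed event in the shape Graph returns."""
    return {"activityDateTime": ts, "activityType": activity,
            "activityOperationType": op,
            "actor": {"userPrincipalName": upn, "ipAddress": "203.0.113.7"},
            "resources": [{"displayName": d, "type": "ManagedDevice"} for d in devices]}

# Constructed sample: three wipes in four minutes by a helpdesk service identity,
# one benign configuration change, one wipe by the authorised break-glass account.
SAMPLE_EVENTS = [
    _ev("2026-03-10T02:00:00Z", "wipeManagedDevice ManagedDevice", "Action",
        "svc-helpdesk@example.com", "PLANT-HMI-01"),
    _ev("2026-03-10T02:01:30Z", "wipeManagedDevice ManagedDevice", "Action",
        "svc-helpdesk@example.com", "PLANT-HMI-02"),
    _ev("2026-03-10T02:03:05Z", "wipeManagedDevice ManagedDevice", "Action",
        "svc-helpdesk@example.com", "FILE-SRV-03"),
    _ev("2026-03-10T09:15:00Z", "createDeviceConfiguration DeviceConfiguration",
        "Create", "admin@example.com", "Baseline-Policy"),
    _ev("2026-03-10T10:30:00Z", "wipeManagedDevice ManagedDevice", "Action",
        "intune-break-glass@example.com", "LAPTOP-0042"),
]

def is_destructive(event):
    """True when the activityType names a wipe/retire/delete action."""
    name = event.get("activityType", "").lower()
    return any(k in name for k in DESTRUCTIVE_KEYWORDS)

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def triage(events, authorised=AUTHORISED_WIPERS):
    """Return (kind, actor, detail) findings for unauthorised wipes and wipe bursts."""
    findings, recent = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        if not is_destructive(ev):
            continue
        actor = ev["actor"].get("userPrincipalName") or "<unknown>"
        devices = [r["displayName"] for r in ev.get("resources", [])]
        if actor not in authorised:
            findings.append(("UNAUTHORISED_WIPE", actor, devices))
        now = parse_time(ev["activityDateTime"])
        # Sliding window of this actor's destructive actions; fires once per burst.
        recent[actor] = [t for t in recent[actor] if now - t <= BURST_WINDOW] + [now]
        if len(recent[actor]) == BURST_THRESHOLD:
            findings.append(("WIPE_BURST", actor, len(recent[actor])))
    return findings

if __name__ == "__main__":
    for kind, actor, detail in triage(SAMPLE_EVENTS):
        print(f"{kind:18} {actor:35} {detail}")
```

In production the events come from a scheduled pull of the audit events endpoint, and the allowlist should be the same small set of identities you restrict wipe permissions to.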
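Recommendation 3 above asks you to monitor for anomalous group policy changes and service account creation. This added example (not Shieldworkz code) shows one way to do that over Windows Security events 4720 (user account created) and 5136 (directory service object modified), already parsed into dicts by a SIEM or EVTX export using those events' EventData field names. The Tier-0 allowlist, the change window, the naming convention and the sample events are constructed; it also correlates the two event types so that one non-Tier-0 identity creating an account and then touching a GPO is surfaced as a single pre-positioning pattern.

```python
"""Flag AD changes consistent with pre-positioning before a wipe (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

TIER0_ADMINS = {"t0-gpoadmin"}            # assumed Tier-0 identities
CHANGE_HOURS = range(9, 18)               # assumed approved change window (UTC)
SVC_PREFIXES = ("svc-", "svc_", "sa-")    # assumed service-account naming convention
CORRELATION_WINDOW = timedelta(hours=2)

# Constructed sample: a helpdesk identity creates a service-style account late at
# night and edits a GPO minutes later; a Tier-0 admin makes routine changes by day.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2026-03-09T23:41:12Z",
     "SubjectUserName": "helpdesk3", "TargetUserName": "svc-backup2"},
    {"EventID": 5136, "TimeCreated": "2026-03-09T23:52:40Z",
     "SubjectUserName": "helpdesk3", "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 5136, "TimeCreated": "2026-03-10T10:05:00Z",
     "SubjectUserName": "t0-gpoadmin", "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 4720, "TimeCreated": "2026-03-10T11:00:00Z",
     "SubjectUserName": "t0-gpoadmin", "TargetUserName": "jsmith"},
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def is_gpo_change(ev):
    return ev["EventID"] == 5136 and ev.get("ObjectClass") == "groupPolicyContainer"

def check_event(ev):
    """Return the reasons a single event is suspicious (empty list if benign)."""
    subj, hour = ev["SubjectUserName"], parse_time(ev["TimeCreated"]).hour
    reasons = []
    if ev["EventID"] == 4720:
        if ev["TargetUserName"].lower().startswith(SVC_PREFIXES) and subj not in TIER0_ADMINS:
            reasons.append("service-style account created by non-Tier-0 identity")
        if hour not in CHANGE_HOURS:
            reasons.append("account created outside approved change window")
    elif is_gpo_change(ev) and subj not in TIER0_ADMINS:
        reasons.append("GPO attribute %s modified by non-Tier-0 identity"
                       % ev.get("AttributeLDAPDisplayName"))
    return reasons

def analyse(events):
    """Per-event findings plus one correlated finding per identity that both
    created an account and changed a GPO inside CORRELATION_WINDOW."""
    findings, seen, correlated = [], defaultdict(dict), set()
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        subj, when = ev["SubjectUserName"], parse_time(ev["TimeCreated"])
        for reason in check_event(ev):
            findings.append({"kind": "SUSPICIOUS_CHANGE", "subject": subj, "detail": reason})
        if subj in TIER0_ADMINS or not (ev["EventID"] == 4720 or is_gpo_change(ev)):
            continue
        seen[subj][ev["EventID"]] = when   # latest time per event type
        times = seen[subj]
        if (len(times) == 2 and abs(times[4720] - times[5136]) <= CORRELATION_WINDOW
                and subj not in correlated):
            correlated.add(subj)
            findings.append({"kind": "PREPOSITIONING_PATTERN", "subject": subj,
                             "detail": "account creation and GPO change by same non-Tier-0 identity"})
    return findings
```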
The friction is no longer there
The IranIntl reporting on the IRGC's seizure of the Iranian state is, on its surface, a story about internal Iranian politics. But political power determines who authorizes what in offensive cyber operations. When civilian intelligence ministers who weighed diplomatic risk and maintained even nominal accountability structures are replaced by a military council of IRGC officers in a shooting war, the calculus for offensive cyber changes.
Handala has already proven it can survive the death of its supervisor. It has proven it can operate through domestic internet shutdowns. It has proven it can continue after domain seizures. It has proven it can execute destructive attacks against U.S. Fortune 500 companies and breach the personal communications of the FBI Director.
Now it operates in an environment where the institutional friction that even loosely shaped its operational boundaries has been removed, and where the geopolitical trigger — an active kinetic war — is at maximum intensity.
This is not speculation. The group's technical capabilities are documented. Its target selection logic is consistent. Its resilience profile is established. The IRGC's consolidation of power is confirmed by Iran International's sources.
The question is not whether Handala will escalate. The evidence already answers that. The question is whether your organization’s security posture reflects the reality of what this threat actor is now operating under — and how fast you can close that gap before the next claim appears on Telegram.
Head over to our Remediation Guides section to access free playbooks on deploying remediations for your OT infrastructure.