FBI Links Handala Group to Iranian MOIS in Ongoing Hack-and-Leak Campaign
The FBI has officially tied the Handala hacking collective to Iran's Ministry of Intelligence and Security, revealing a multi-stage malware campaign targeting dissidents since autumn 2023.

The FBI has formally attributed the Handala hacking collective to Iran's Ministry of Intelligence and Security (MOIS), exposing a sustained cyber espionage campaign that has targeted dissidents, journalists, and opposition groups since autumn 2023. The group, which also claimed responsibility for a destructive wiper attack on US medical technology firm Stryker, has been conducting intelligence collection and hack-and-leak operations against multiple opposition organizations.
The malware employed by Handala uses a sophisticated multi-stage payload architecture designed to evade detection while maintaining persistent access. The first stage is delivered through social engineering, with the malware masquerading as legitimate software such as Pictory, KeePass, WhatsApp, or Telegram. The FBI noted that the initial payload appears to be tailored to each victim's digital habits, indicating the actors conduct reconnaissance before engagement.
Once the first stage executes, it connects the infected machine to Telegram-based command-and-control (C2) bots. This second stage enables remote user access, allowing the attackers to capture screenshots, record audio, compress files, and exfiltrate data. The malware also achieves defense evasion by excluding certain directories from antivirus scanning and by using PowerShell for execution.
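As an added detection example (not code from the FBI advisory or this article), the Python below scans constructed PowerShell script-block and web-proxy log lines for the two behaviours just described, an antivirus exclusion being added through PowerShell and traffic to the Telegram Bot API, and raises the severity when both occur on the same host. The Defender cmdlet names, the log line format, and every host name and bot token are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the FBI advisory): PowerShell script-block
# events and web-proxy records from hypothetical workstations, one record per line.
SAMPLE_LOGS = [
    "PS host=ws-17 ScriptBlockText=Add-MpPreference -ExclusionPath 'C:\\Users\\j.doe\\AppData\\Roaming\\Pictory'",
    "PS host=ws-17 ScriptBlockText=Get-ChildItem C:\\Users\\j.doe\\Documents",
    "PROXY host=ws-17 url=https://api.telegram.org/bot7777777777:EXAMPLE-TOKEN-NOT-REAL/sendDocument",
    "PROXY host=ws-22 url=https://api.telegram.org/bot8888888888:EXAMPLE-TOKEN-NOT-REAL/getUpdates",
    "PROXY host=ws-23 url=https://downloads.example.test/keepass-setup.msi",
]

# Rule 1: a script block that adds or changes an antivirus exclusion
# (assumes Microsoft Defender's Add-MpPreference / Set-MpPreference cmdlets).
EXCLUSION_RE = re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
# Rule 2: any request to the Telegram Bot API; the bot token sits in the URL path,
# so it can be extracted as an indicator for blocking and for hunting across hosts.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+:[\w-]+)/(\w+)")
HOST_RE = re.compile(r"\bhost=(\S+)")

def scan(lines):
    """Return {host: {"exclusion": [lines], "telegram": [(token, method)]}} for hosts with a hit."""
    hits = defaultdict(lambda: {"exclusion": [], "telegram": []})
    for line in lines:
        m_host = HOST_RE.search(line)
        if not m_host:
            continue
        host = m_host.group(1)
        if EXCLUSION_RE.search(line):
            hits[host]["exclusion"].append(line)
        m_tg = TELEGRAM_BOT_RE.search(line)
        if m_tg:
            hits[host]["telegram"].append((m_tg.group(1), m_tg.group(2)))
    return dict(hits)

def triage(lines):
    """Map each flagged host to a severity: 'high' when both behaviours co-occur on it."""
    result = {}
    for host, h in scan(lines).items():
        # Bot API traffic alone can be legitimate automation; an exclusion alone can be
        # an admin action. The combination on one host is the pattern worth escalating.
        result[host] = "high" if h["exclusion"] and h["telegram"] else "medium"
    return result

if __name__ == "__main__":
    for host, severity in sorted(triage(SAMPLE_LOGS).items()):
        print(host, severity, scan(SAMPLE_LOGS)[host]["telegram"])
```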
In at least one documented case, the threat actors impersonated tech support from a social messaging platform and convinced the victim to accept a malicious file transfer. The FBI report emphasizes that the multi-stage approach allows the attackers to maintain flexibility and adapt their tactics based on the target environment.
The Handala group's activities are part of a broader pattern of Iranian state-sponsored cyber operations aimed at suppressing dissent and gathering intelligence on opposition figures. The FBI's attribution provides official confirmation of the group's ties to MOIS, which has been implicated in numerous cyber campaigns targeting human rights activists, journalists, and diaspora communities.
The FBI has urged individuals and organizations to defend against these attacks by keeping systems updated, downloading software only from trusted sources, installing anti-malware tools, using strong passwords with multi-factor authentication, and reporting suspicious communications to authorities. The advisory underscores the persistent threat posed by state-aligned hacking groups that combine technical sophistication with targeted social engineering.