APT / THREAT GROUP HACKTIVISM

Handala

🇵🇸 PS-attributed
194 victims
1 campaign
2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

Handala is a pro-Palestinian hacktivist group that targets Israeli organizations, employing tactics such as phishing, data theft, extortion, and destructive attacks using custom wiper malware. The group utilizes a multi-stage loading process, including a Delphi-coded second-stage loader and an AutoIT injector, to deliver wiper malware that specifically targets Windows and Linux environments. Their phishing campaigns often exploit major events and critical vulnerabilities, masquerading as legitimate organizations to gain initial access. Handala operates a data leak site to publicize stolen data, although claims of successful attacks are sometimes disputed by targeted organizations.

Threat Analysis

Handala is a known-sophistication threat actor attributed to PS, engaged in cyber operations with a primary motivation of hacktivism.

As a hacktivist-aligned entity, Handala conducts operations driven by ideological, political, or social grievances, typically through website defacements, DDoS attacks, and the leaking of sensitive data to advance a public narrative.

Ransomware Victims (194)

CTIWATCH tracks 194 organizations claimed as victims by Handala on its data leak site, with attack dates, sectors and countries.

Known Campaigns

Handala — Active Campaign April 2026

Handala is conducting an active ransomware campaign targeting organizations across 2 countries. Primary targets: Energy, Public Sector, Technology. 13 confirmed victims recorded in the last 45 days. Campaign status: ACTIVE (last activity 7 Apr 2026).

🎯 Energy | 🎯 Public Sector | 🎯 Technology
ACTIVE | HIGH | 2026

Quick Facts

Type: APT / Threat Group
Motivation: hacktivism
Origin: 🇵🇸 PS
Aliases: 2
Source: Malpedia

Also Known As

win.handala
Handala

External Intelligence

Malpedia: win.handala

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.