The name has a very unsettling quality. Handala, a spiky-haired, barefoot refugee boy created in 1969 by Palestinian cartoonist Naji al-Ali, was always intended to symbolize defiance. With his back to the observer and his arms crossed behind him, the boy observes a world that does not recognize him. It’s a potent picture. And now, over fifty years after al-Ali’s first words were written, that same figure has been appropriated by a group of hackers who have transformed digital warfare into something intimate, accurate, and truly terrifying.

Only a few weeks after the October 7 attacks rekindled one of the most watched conflicts in the world, the Handala Hack Team made its debut in December 2023. They initially appeared to be a grassroots group of politically engaged hackers united around a Palestinian emblem. They referred to themselves as “small fighters” of Hamas.

| Field | Details |
| --- | --- |
| Full Name | Handala Hack Team (also: Hanzalah Hacking Group) |
| Type | Hacktivist group / suspected state-backed cyber unit |
| Founded | December 2023 |
| Origin | Iran (suspected) |
| Alleged Sponsor | Iranian Ministry of Intelligence and Security (MOIS) |
| Also Known As | Void Manticore, Storm-0842, Banished Kitten, Red Sandstorm |
| Primary Targets | U.S. and Israeli government, military, and civilian infrastructure |
| Named After | Handala — cartoon character by Palestinian artist Naji al-Ali (1969) |
| Key Leader (sanctioned) | Yahya Hosseini Panjaki (killed during 2026 Iran war) |
| Most Significant Attack | Stryker Corporation wipe via Microsoft Intune (March 2026) |
| Reference | Wired — Iranian Cyber Operations |

They vandalized Israeli websites. They distributed malware under the guise of beneficial software. However, cybersecurity researchers began to notice patterns that didn’t quite fit the description of a garage operation running solely on ideology.

Since then, Western analysts, including investigators at the U.S. Department of Justice and Wired, have characterized Handala as something much more calculated—a possible front for Iran’s Ministry of Intelligence and Security, or MOIS. Without holding back, the DOJ described the group as a “fictitious identity” intended to conceal the ministry’s participation in psychological campaigns and influence operations.

Adding further context, the FBI connected Handala to a MOIS unit that was also in charge of Justice Homeland and Karma Below, two other Iranian cyber personas. Most readers of the group’s Telegram posts might not have realized they were witnessing the implementation of state policy.

Up until 2024, the group’s attacks resembled a list of increasingly bold actions. They asserted that they had compromised Iron Dome radar systems. 22 gigabytes of data were taken from a kibbutz. Tens of thousands of emails from military leaders like Gadi Eisenkot and Benny Gantz, over 110,000 emails from former Israeli Prime Minister Ehud Barak, and private photos that swiftly went viral on social media were all compromised. One picture, purportedly of Gantz, was the kind of intimate detail intended to humiliate as well as embarrass. Handala seems to have grasped a crucial point: shame spreads more quickly than a missile in contemporary conflict.

The operations had become more bizarre and dramatic by 2025. At least 20 Israeli kindergartens’ public address systems were taken over by the group in January, and rocket sirens and Arabic songs were played in the classrooms. Kids heard fake air raid alerts.

It was a psychological operation directed at regular families beginning their Tuesday mornings rather than soldiers or politicians. Observing that from the outside, it’s difficult to avoid feeling that this group’s definition of its targets has changed. Handala asserted in November that it had placed a bouquet of flowers inside the vehicle of a senior Israeli nuclear scientist, a claim that required no justification.

Then came the attack in March 2026 that actually altered the way analysts discussed Handala. On March 11, the group carried out what is reportedly the most destructive Iranian cyberattack against the United States during the war. Handala completely avoided traditional malware, using Microsoft’s own legitimate tools and compromised Global Administrator credentials inside Microsoft Intune to erase over 200,000 systems belonging to the medical device giant Stryker Corporation in 79 countries.

No malicious files were dropped. No suspicious executables were identified. The attack turned the infrastructure itself into a weapon. It was, in the worst sense of the word, elegant.
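Because the wipe described above ran through legitimate management tooling, file-based detection had nothing to flag; what stays visible is the administrative action itself. The following is an added example, not from the original article or from Microsoft, that flags an account issuing an unusual burst of device wipes. The record layout, field names, account names and thresholds are constructed assumptions, not the real Intune audit-log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified audit records (hypothetical field names, not the
# real Intune audit-log schema): (timestamp, actor, action, device).
SAMPLE_EVENTS = [
    ("2026-01-05T09:00:00", "helpdesk@example.test", "wipe", "LAPTOP-0001"),
    ("2026-01-05T13:30:00", "helpdesk@example.test", "wipe", "LAPTOP-0002"),
    ("2026-01-06T02:14:00", "admin@example.test", "sync", "LAPTOP-0100"),
] + [
    # Burst: one admin account issues 40 wipes, three seconds apart.
    ((datetime(2026, 1, 6, 2, 15) + timedelta(seconds=3 * i)).isoformat(),
     "admin@example.test", "wipe", f"LAPTOP-{1000 + i:04d}")
    for i in range(40)
]


def find_wipe_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Return {actor: time the threshold was first crossed} for every actor
    that wiped `threshold` or more distinct devices within a sliding window."""
    recent = defaultdict(deque)  # actor -> deque of (time, device)
    alerts = {}
    for ts, actor, action, device in sorted(events):
        if action != "wipe":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[actor]
        q.append((now, device))
        # Drop wipes that have aged out of the window.
        while q and now - q[0][0] > window:
            q.popleft()
        if actor not in alerts and len({d for _, d in q}) >= threshold:
            alerts[actor] = now
    return alerts


if __name__ == "__main__":
    for actor, when in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {when.isoformat()} mass wipe by {actor}")
```

Routine help-desk wipes spread over hours stay below the threshold, while the burst from a single privileged account trips the alert on its tenth wipe.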

On March 27, two weeks later, the group gained access to FBI Director Kash Patel’s personal Gmail account. A resume, personal photos, and more than 300 emails were made public. The pictures depicted Patel in informal, private moments, such as holding a cigar and standing next to a sports car. These kinds of pictures can be found on anyone’s phone.

Although the FBI acknowledged the breach, they quickly pointed out that the data was “historical in nature” and did not include any official government information.

The majority of the emails were sent between 2010 and 2019, which may indicate a link to an earlier hack by Iranian actors in 2024. However, the content wasn’t really the point. The statement was the point. Following the FBI’s seizure of four of Handala’s operational domains and its $10 million bounty for member information, Handala declared the hack to be direct retaliation. The message was direct: “We know who you are, too.”

Beyond the Stryker attack and the data leaks, it’s still unclear how much operational harm Handala has actually caused. Certain allegations, such as the purported takeover of Iron Dome systems, have never been independently confirmed. Not every announcement can be taken at face value because the group has a tendency to exaggerate its own mythology.

However, experts in cybersecurity are cautious not to discount them either. The Patel breach revealed something the industry has known for years but seldom discusses in public: enterprise-grade security is meaningless when threat actors just switch to the unprotected personal devices of those connected to those networks, according to James Turgal of Optiv. Prominent people are easy pickings. They always have been.

Recently, the group itself has suffered some structural setbacks. Yahya Hosseini Panjaki, its leader, was assassinated in the 2026 Iran War after being sanctioned by the US in 2024. According to reports, two other notable individuals met a similar demise, necessitating what the Irish Examiner called a major reorganization. It’s genuinely unclear if that slows them down. These kinds of groups often absorb losses and adjust. After all, the man who drew the Handala symbol was assassinated in 1987. With his back to us, the boy has endured worse.