Handala's Kill List: Tracking the Victims of Iran's Most Destructive Cyber Unit
Lee Sult
Wed, May 20, '26
A follow-up to: "Handala and the New Face of Iranian Cyber Warfare"
If you read the last post, you already know where I land on Handala. I don't buy the idea that this is just a loose hacktivist crew freelancing online. It looks a lot more like a state-backed Iranian operation wearing a hacktivist mask.
And since the war with Iran escalated in early 2026, the victim list has gotten a lot harder to shrug off.
Here's the part that matters: who they've gone after, what they appear to have used, and why Western security teams should stop treating this as someone else's problem.
The victim list
Once you lay the timeline out, the pattern is hard to miss.
Early activity: late 2023 through 2024
Handala started with a tight Israeli target set.
In June 2024, the group hit Kibbutz Ma'agan Michael in a ransomware operation. They claimed to have taken 22GB of data and sent more than 5,000 threatening SMS messages to residents. That wasn't just intrusion for access or money. It looked like intimidation baked into the operation.
They also went after Sheba Medical Center, an associated biotech company, and Vidisco, a security scanner manufacturer. In September 2024, they claimed a breach of the Soreq Nuclear Research Center, saying they stole 197GB of data that included infrastructure maps, personnel records, and administrative files. The group framed that operation as retaliation for the killing of Hezbollah leader Hassan Nasrallah.
Handala also claimed activity against Israeli defense contractors Rafael Advanced Defense Systems and Elbit Systems, along with access to 70 SCADA systems tied to Israeli water and energy infrastructure.
Then in November 2024, they hit Elad Municipality. According to the claim, they breached air-gapped network segments, leaked more than 3TB of resident data, and forced the municipal office to shut down.
Some of the details in this early timeline still rest heavily on the group's own claims and secondary reporting. Even so, the direction of travel was clear. The target set was broadening, and the operations were getting uglier.
The shift in February and March 2026
After the U.S. and Israel launched Operation Epic Fury on February 28, 2026, Handala's pace picked up fast.
The biggest incident tied to the group so far came on March 11, 2026: the destructive attack on Stryker Corporation, the medical device giant based in Michigan.
This is the part that security teams should really sit with. The attack did not rely on some glamorous zero-day. Public reporting indicates the attackers abused Microsoft Intune, Stryker's own device management platform, after gaining privileged access. Instead of dropping traditional malware, they used a trusted admin tool to push mass wipe actions across a huge device fleet.
Handala claimed that more than 200,000 devices were wiped, 50TB of data was stolen, and operations were disrupted across 79 countries. The basic facts are much firmer than the headline numbers, but even the confirmed version is serious enough. A destructive enterprise attack carried out through identity and management tooling is a different kind of problem.
Within the same window, Handala also claimed a breach of Verifone, the payment technology company whose systems touch merchants all over the world. The group said it disrupted payment systems and took transaction and financial data. Verifone denied that. So the impact claim remains unsettled, but the targeting intent is hard to ignore.
Then on March 27, 2026, Handala breached the personal email account of FBI Director Kash Patel and published more than 300 emails, personal photos, and an alleged resume. The FBI confirmed the compromise and said the material was historical in nature. U.S. authorities later offered a $10 million reward for information that could identify Handala members.
April 2026: still moving
The pace did not ease up in April.
Handala claimed a Passover-timed operation that wiped 22TB of data across 14 companies at once. The group also claimed a breach of PSK Wind Technologies, which it described as a key designer of Israeli command-and-control infrastructure. Most recently, it said it had doxed 100 elite Maglan Unit 212 officers, including personal details, movements, and operational information.
Those April claims need to be read carefully. Some are still better understood as actor claims than fully established fact. But even with that caveat, the broader picture is not subtle.
Why Western infrastructure should pay attention
The victim list tells a pretty direct story.
Handala has moved well past a narrow Israel-only target set. The group now appears willing to go after organizations tied to Israel, U.S. interests, defense, healthcare, and critical infrastructure. That is a much wider attack surface, and it includes companies that may not think of themselves as sitting anywhere near the front line.
Healthcare is not an accident
The Stryker attack matters because healthcare supply chains do not have much slack in them. When a company that large gets hit, the disruption spreads. Hospitals feel it. Procurement teams feel it. Patients eventually feel it too.
That is why I don't read healthcare targeting here as incidental. It looks like pressure applied where the downstream effects are hard to contain.
Financial infrastructure is clearly in scope
I would be careful about overstating the Verifone incident, because the public record is still messy. But the claim itself still matters. If a group like Handala is probing payment infrastructure, that should get attention even when the target disputes the breach.
A successful destructive or disruptive operation against a company at that layer would not stay neatly inside a SOC dashboard. It would show up at checkout counters.
This is an identity problem as much as a malware problem
The Stryker case is the cleanest example of the shift.
If an attacker can phish or otherwise compromise privileged access, then abuse a trusted management platform to issue destructive actions, a lot of traditional detection logic becomes less useful. There may be no obvious malware. No flashy exploit chain. Just legitimate tools used with malicious intent.
That is uncomfortable, because most enterprises trust those systems by design.
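To make the defensive side of that point concrete, here is an added example; it is not code from the original post, from Stryker, or from Microsoft. It reads a device-management audit trail and flags two signals that survive when no malware is present: a burst of destructive actions (wipe, retire, factory reset) from one actor inside a short window, and destructive actions issued by a principal that was only recently granted an admin role. The record schema (fields ts, actor, action, target) and the sample records are constructed for this example and do not reproduce Intune's real audit export format; map the fields to whatever your own MDM or identity provider emits.

```python
"""Burst and fresh-privilege detection over constructed MDM audit records.

The schema and sample data below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that destroy or remove a managed device. Names are assumed, not a
# vendor's canonical list; extend to match your platform's audit vocabulary.
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire", "FactoryReset"}

# Constructed sample audit records (hypothetical schema).
SAMPLE_LOG = [
    {"ts": "2026-03-11T01:15:00Z", "actor": "admin-a@corp.example", "action": "RoleAssigned", "target": "svc-mdm@corp.example"},
    {"ts": "2026-03-11T01:40:10Z", "actor": "it-helpdesk@corp.example", "action": "Wipe", "target": "LAP-0417"},  # single lost laptop: normal
    {"ts": "2026-03-11T02:00:05Z", "actor": "it-helpdesk@corp.example", "action": "Sync", "target": "LAP-0001"},
    {"ts": "2026-03-11T02:00:30Z", "actor": "svc-mdm@corp.example", "action": "Wipe", "target": "LAP-0002"},
    {"ts": "2026-03-11T02:00:31Z", "actor": "svc-mdm@corp.example", "action": "Wipe", "target": "LAP-0003"},
    {"ts": "2026-03-11T02:00:33Z", "actor": "svc-mdm@corp.example", "action": "Retire", "target": "LAP-0004"},
    {"ts": "2026-03-11T02:00:35Z", "actor": "svc-mdm@corp.example", "action": "Wipe", "target": "LAP-0005"},
    {"ts": "2026-03-11T02:00:40Z", "actor": "svc-mdm@corp.example", "action": "Wipe", "target": "LAP-0006"},
    {"ts": "2026-03-11T02:00:44Z", "actor": "svc-mdm@corp.example", "action": "Wipe", "target": "LAP-0007"},
    {"ts": "2026-03-11T03:30:00Z", "actor": "it-helpdesk@corp.example", "action": "Wipe", "target": "PHN-0091"},
]


def parse_ts(s):
    """Parse the constructed ISO-8601 UTC timestamp format."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def destructive_burst_counts(records, window=timedelta(minutes=10)):
    """For each actor, return the largest number of destructive actions it
    issued within any sliding window of the given length."""
    per_actor = defaultdict(list)
    for r in records:
        if r["action"] in DESTRUCTIVE_ACTIONS:
            per_actor[r["actor"]].append(parse_ts(r["ts"]))
    result = {}
    for actor, times in per_actor.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until all events fit inside `window`.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[actor] = best
    return result


def recently_privileged_destroyers(records, lookback=timedelta(hours=24)):
    """Return actors that issued a destructive action within `lookback` of
    receiving a role assignment. A freshly granted admin that immediately
    starts wiping devices is the identity-abuse pattern to look for."""
    grants = defaultdict(list)  # principal -> times a role was granted to it
    for r in records:
        if r["action"] == "RoleAssigned":
            grants[r["target"]].append(parse_ts(r["ts"]))
    flagged = set()
    for r in records:
        if r["action"] in DESTRUCTIVE_ACTIONS:
            t = parse_ts(r["ts"])
            if any(timedelta(0) <= t - g <= lookback for g in grants.get(r["actor"], [])):
                flagged.add(r["actor"])
    return flagged


def triage(records, threshold=5):
    """Combine both signals into human-readable alerts."""
    alerts = []
    bursts = destructive_burst_counts(records)
    fresh = recently_privileged_destroyers(records)
    for actor, n in bursts.items():
        if n >= threshold:
            alerts.append(f"BURST: {actor} issued {n} destructive actions within 10 min")
        if actor in fresh:
            alerts.append(f"NEW-PRIV: {actor} issued destructive actions within 24h of a role grant")
    return alerts


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

The burst threshold is the knob that separates a help desk wiping one lost laptop from an operator pushing wipes fleet-wide; tune it to your own baseline of legitimate retire and wipe volume, and treat the two signals together (new privilege plus a burst) as higher confidence than either alone.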
The tempo still matters
The individual claims vary in confidence, but the overall pace is the part I keep coming back to. The group is active, opportunistic, and increasingly comfortable mixing destruction, leaks, intimidation, and psychological pressure.
That's not background noise. That's a campaign.
Bottom line
Handala is no longer something Western SOC teams can treat as a regional sideshow.
The Stryker incident showed that the group, or the operators behind it, can carry out a destructive attack against a major U.S. company using ordinary enterprise tooling in a very abnormal way. The Patel breach showed a willingness to target senior U.S. officials for exposure and embarrassment. The Verifone claim, even if disputed, suggests payment infrastructure is firmly on the radar.
If your company has ties to Israeli suppliers, defense work, healthcare logistics, industrial systems, or critical infrastructure, this belongs in your threat model now.
The wiper is part of the story. The disruption is the product.
Lee Sult is Chief Investigator at Binalyze, specializing in digital forensics, incident response, and threat intelligence. Follow for continued analysis on Handala and Iranian nation-state cyber operations.