Disrupting Handala: Did OP Innovate Help Silence a Major Cyber Threat?

Filip Dimitrov

May 13, 2025

The Handala group has been one of the most active threat actor groups targeting Israeli organizations and digital infrastructure since late 2023.

On February 9th, 2025, Handala publicized its last major cyberattack, an announcement that it had breached Israel’s national police network and exfiltrated 2.1 terabytes of sensitive data.

A little over a week later, on February 18th, OP Innovate published “Unpacking Handala“, a deep technical analysis providing unparalleled insight into the group’s infrastructure, attack methods, and operational behaviors, unveiling their playbook to the global cybersecurity community.

Since the release of the report, there have been no further public claims, attack announcements, or activity from Handala, with the group disappearing from its primary communication channels, including Telegram.

Is Handala Gone for Good?

The reasons behind this disappearance remain unclear. It is possible that a combination of factors contributed to Handala’s reduced public presence. The group’s Telegram channels were reportedly suspended around this time, and it is reasonable to consider that the publication of OP Innovate’s research, which unravelled key elements of their operations, may have increased the pressure and risks associated with continuing their activities in the same way.

OP Innovate first started covering Handala in November 2024, culminating with the release of our detailed report a few months later.

This period, from late 2024 to early 2025 was when the group was at its most active and visible. Since their emergence in late 2023, it has been highly uncharacteristic for them to go several months without publicly claiming activity.

The latest known communication from Handala came on February 9, 2025 (the same date as the attack on Israel’s national police), when the group shared a link to their new Telegram channel after their previous one had been suspended.

Excerpt from Handala’s last public statement

This statement marked the last verified public activity from the group before their sudden disappearance. Whether that continues remains to be seen.

The Rise of Handala

Handala emerged as a prominent cyber threat group in late 2023. Claiming pro-Palestinian motives, the group targeted Israeli government, infrastructure, and private organizations, combining hacktivism with highly sophisticated attacks. Handala gained attention for using Telegram and social media to publicize its operations and taunt victims.

Throughout 2024 and up to early 2025, the group launched several high-profile campaigns. Some of the most notable ones included:

The Silicom breach (November 2024): Handala claimed to exfiltrate and wipe 40TB of sensitive data from the Israeli tech firm.

The kindergarten alert hijack (January 2025): The group triggered emergency sirens and sent mass SMS alerts, causing panic across Israeli schools.

The Israeli police data heist (February 2025): Handala claimed to have stolen 2.1TB of police files, including personal and case data.

The wiper malware phishing attack (mid-2024): They impersonated a global cybersecurity firm to deliver destructive malware to Israeli networks.

Handala’s strategy blended technical skill with psychological warfare, leveraging mass communications to amplify fear and confusion.

Though the group claims independent activism, many experts believe Iranian state interests may have played a supporting role.

OP Innovate’s Research Into Handala

OP Innovate’s Unpacking Handala report provided the first detailed technical analysis of the group’s transformation from a disruptive hacktivist collective to a structured cyber threat actor with nation-state-level capabilities. Our research, powered by proprietary AI-driven analysis tools and hands-on incident response experience, traced Handala’s evolving tactics across multiple confirmed breaches.

The investigation revealed how Handala shifted from basic phishing and DDoS attacks to credential-based infiltrations, privilege escalation, and long-term persistence within victim environments. We uncovered their use of cloud storage for data exfiltration, multi-channel command and control techniques, and malware that blends into normal network traffic to evade detection.

Through extensive real-world investigations, OP Innovate identified and shared a wealth of threat intelligence and Indicators of Compromise (IOCs) that were not available anywhere else, providing organizations with early-warning capabilities to detect and mitigate Handala’s campaigns.

Our team reverse-engineered malware samples, including the discovery of senvarservice-DC.exe, which revealed hidden components for data exfiltration via Telegram and storage platforms like AWS S3 and Storj.

Excerpt from our research into Handala-deployed malware

By mapping their infrastructure and attack patterns, we helped organizations worldwide understand Handala’s operations and better defend against their tactics.

While many factors likely contributed to Handala’s subsequent drop in public activity, OP Innovate’s research increased global awareness and scrutiny, showcasing the power of proactive threat intelligence to empower defenders, disrupt threat actor momentum, and enhance overall cyber resilience.

Stay Ahead of Threats with OP Innovate

As threats continue to evolve, the need for actionable intelligence and expert intervention has never been greater. OP Innovate is at the forefront of the fight against sophisticated threat actors like Handala by actively supporting organizations with rapid incident response (IR) and cutting-edge threat intelligence.

With our WASP platform, organizations can proactively identify and remediate vulnerabilities that groups like Handala actively seek to exploit. WASP combines continuous manual and automated penetration testing with real-time reporting to help organizations detect weaknesses before attackers do.