Open Nav
Sign Up

Disrupting Handala: Did OP Innovate Help Silence a Major Cyber Threat?

handala

Filip Dimitrov

May 13, 2025

The Handala group has been one of the most active threat actor groups targeting Israeli organizations and digital infrastructure since late 2023. 

On February 9th, 2025, Handala publicized its last major cyberattack, an announcement that it had breached Israel’s national police network and exfiltrated 2.1 terabytes of sensitive data.

A little over a week later, on February 18th, OP Innovate published  “Unpacking Handala“, a deep technical analysis providing unparalleled insight into the group’s infrastructure, attack methods, and operational behaviors,  unveiling their playbook to the global cybersecurity community.

Since the release of the report, there have been no further public claims, attack announcements, or activity from Handala, with the group disappearing from its primary communication channels, including Telegram.

Is Handala Gone for Good?

The reasons behind this disappearance remain unclear. It is possible that a combination of factors contributed to Handala’s reduced public presence. The group’s Telegram channels were reportedly suspended around this time, and it is reasonable to consider that the publication of OP Innovate’s research, which unravelled key elements of their operations, may have increased the pressure and risks associated with continuing their activities in the same way.

OP Innovate first started covering Handala in November 2024, culminating with the release of our detailed report a few months later. 

This period, from late 2024 to early 2025 was when the group was at its most active and visible. Since their emergence in late 2023, it has been highly uncharacteristic for them to go several months without publicly claiming activity.

The latest known communication from Handala came on February 9, 2025 (the same date as the attack on Israel’s national police), when the group shared a link to their new Telegram channel after their previous one had been suspended. 

Excerpt from Handala’s last public statement

This statement marked the last verified public activity from the group before their sudden disappearance. Whether that continues remains to be seen.

The Rise of Handala

Handala emerged as a prominent cyber threat group in late 2023. Claiming pro-Palestinian motives, the group targeted Israeli government, infrastructure, and private organizations, combining hacktivism with highly sophisticated attacks. Handala gained attention for using Telegram and social media to publicize its operations and taunt victims.

Throughout 2024 and up to early 2025, the group launched several high-profile campaigns. Some of the most notable ones included:

  • The Silicom breach (November 2024): Handala claimed to exfiltrate and wipe 40TB of sensitive data from the Israeli tech firm.
  • The kindergarten alert hijack (January 2025): The group triggered emergency sirens and sent mass SMS alerts, causing panic across Israeli schools.
  • The Israeli police data heist (February 2025): Handala claimed to have stolen 2.1TB of police files, including personal and case data.
  • The wiper malware phishing attack (mid-2024): They impersonated a global cybersecurity firm to deliver destructive malware to Israeli networks.

Handala’s strategy blended technical skill with psychological warfare, leveraging mass communications to amplify fear and confusion.

Though the group claims independent activism, many experts believe Iranian state interests may have played a supporting role.

OP Innovate’s Research Into Handala

OP Innovate’s Unpacking Handala report provided the first detailed technical analysis of the group’s transformation from a disruptive hacktivist collective to a structured cyber threat actor with nation-state-level capabilities. Our research, powered by proprietary AI-driven analysis tools and hands-on incident response experience, traced Handala’s evolving tactics across multiple confirmed breaches.

The investigation revealed how Handala shifted from basic phishing and DDoS attacks to credential-based infiltrations, privilege escalation, and long-term persistence within victim environments. We uncovered their use of cloud storage for data exfiltration, multi-channel command and control techniques, and malware that blends into normal network traffic to evade detection.

Through extensive real-world investigations, OP Innovate identified and shared a wealth of threat intelligence and Indicators of Compromise (IOCs) that were not available anywhere else, providing organizations with early-warning capabilities to detect and mitigate Handala’s campaigns.

Our team reverse-engineered malware samples, including the discovery of senvarservice-DC.exe, which revealed hidden components for data exfiltration via Telegram and storage platforms like AWS S3 and Storj. 

Excerpt from our research into Handala-deployed malware

By mapping their infrastructure and attack patterns, we helped organizations worldwide understand Handala’s operations and better defend against their tactics.

While many factors likely contributed to Handala’s subsequent drop in public activity, OP Innovate’s research increased global awareness and scrutiny, showcasing the power of proactive threat intelligence to empower defenders, disrupt threat actor momentum, and enhance overall cyber resilience.

Stay Ahead of Threats with OP Innovate

As threats continue to evolve, the need for actionable intelligence and expert intervention has never been greater. OP Innovate is at the forefront of the fight against sophisticated threat actors like Handala by actively supporting organizations with rapid incident response (IR) and cutting-edge threat intelligence.

With our WASP platform, organizations can proactively identify and remediate vulnerabilities that groups like Handala actively seek to exploit. WASP combines continuous manual and automated penetration testing with real-time reporting to help organizations detect weaknesses before attackers do.

Contact us today to learn how OP Innovate can help safeguard your business from emerging cyber threats.

We regularly publish blog and Cyber Threat Intelligence (CTI) updates on our website. Sign up to receive our latest updates straight to your inbox.

Resources highlights

Over 600 Laravel Applications Vulnerable to Remote Code Execution via Leaked APP_KEYs (CVE-2018-15133, CVE-2024-55556)

Security researchers have uncovered a major RCE threat affecting over 600 Laravel applications, triggered by leaked APP_KEYs found on public GitHub repositories. Laravel's APP_KEY, typically…

Read more >

CVE-2018-15133, CVE-2024-55556

CVE-2025-3648: “Count(er) Strike” Vulnerability in ServiceNow

CVE-2025-3648, dubbed “Count(er) Strike”, is a high-severity vulnerability (CVSS 8.2) in ServiceNow's Now Platform, discovered by Varonis Threat Labs. The flaw allows both authenticated and…

Read more >

CVE-2025-3648

What to Look for in a Pentesting Platform (Beyond Just Scans)

Penetration testing platforms are a great way to centralize vulnerability discovery and triage. However, when evaluating penetration testing platforms, many organizations make the mistake of…

Read more >

pentesting platform

CVE-2016-10033: Actively Exploited Remote Code Execution (RCE) Vulnerability in PHPMailer

CVE-2016-10033 is a critical remote code execution vulnerability in PHPMailer, a widely used PHP library for sending emails. The flaw lies in the mailSend function…

Read more >

CVE-2016-10033

High-Severity WordPress Vulnerability in Forminator Plugin (CVE-2025-6463)

A critical vulnerability in the Forminator plugin, one of the most popular form-building plugins in Wordpress, allows unauthenticated attackers to delete arbitrary files on the…

Read more >

CVE-2025-6463

CVE-2025-6554: Chrome V8 Zero-Day Exploited in the Wild

On June 30, 2025, Google issued an emergency patch for a critical zero-day vulnerability in its Chrome browser, tracked as CVE-2025-6554. The flaw resides in…

Read more >

CVE-2025-6554
Under Cyber Attack?

Fill out the form and we will contact you immediately.