Intelligence Insights: March 2026

This month, Bridewell CTI has been conducting focused research into the detection of, and defensive measures against, activity associated with the Handala group. Handala is a high‑profile pro‑Palestinian hacktivist persona that emerged in late 2023, branded around the symbolic figure of “Handala”. While the group publicly presents itself as a decentralised, ideologically driven collective, multiple security assessments link Handala to Iran’s Ministry of Intelligence and Security (MOIS), commonly aligning it with the state‑affiliated threat actor Void Manticore.

Handala’s operations are best understood as state‑backed psychological warfare, designed to disguise strategic Iranian cyber operations as a grassroots digital uprising. The group prioritises high‑impact disruption and reputational damage over financial gain, with campaigns dominated by destructive activity such as wiper operations, combined with public hack‑and‑leak activity and doxing via platforms including its RedWanted site.

Activity observed in March 2026 highlights a clear expansion towards Western commercial organisations, particularly US‑based firms perceived to have links to Israel. This shift was illustrated by the March 2026 cyber incident affecting global medical technology firm Stryker, which caused widespread disruption to its Microsoft environment through the abuse of legitimate cloud management tooling.

The Stryker incident demonstrates Handala’s strategic preference for weaponising native administrative tooling rather than deploying bespoke malware at scale. By abusing privileged credentials and cloud management platforms such as Microsoft Intune, Handala can achieve rapid, global impact while significantly constraining traditional detection and response timelines.

Community Detection Opportunities

// Detects remote WMI-based activity associated with credential theft or destructive operations
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "VolumeShadowCopy",
    "GLOBALROOT",
    "config\\system",
    "config\\sam",
    "handala.bat"
)
| extend ActionType = case(
    ProcessCommandLine has_any ("copy", "reg save", "reg export"), "Credential/Data Theft",
    ProcessCommandLine has_any ("del", "rmdir", "erase", "vssadmin delete"), "Data Destruction",
    "Generic Unauthorized WMI Execution"
)
| project Timestamp, DeviceName, AccountName, ActionType, FileName, ProcessCommandLine, InitiatingProcessFileName
            

// Detects destructive PowerShell-based wiper activity
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
    or ProcessCommandLine has_any ("powershell", "pwsh"))
| where ProcessCommandLine has_all ("Remove-Item", "-Recurse", "-Force")
    or ProcessCommandLine has_any ("Format-Volume", "Clear-Disk", "cipher /w", "ZeroShred", "BiBiWiper")
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), CommandCount=count()
    by DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
            

March 2026 also saw a notable software supply chain compromise involving the widely used npm package Axios. Threat actors compromised a maintainer account and published malicious versions directly to the npm registry, introducing a rogue dependency executed at install time via npm lifecycle scripts.

The payload provided cross‑platform remote access across Windows, macOS, and Linux environments. While the malicious versions were available only briefly, the scale at which Axios is consumed significantly amplifies downstream risk. Attribution analysis increasingly links this activity to a North Korea‑aligned threat cluster.

Community Detection Opportunities

DeviceFileEvents
| where ActionType in~ ("FileCreated", "FileDeleted", "FileRenamed")
| where FileName endswith ".bat"
| where FolderPath matches regex @'(?i)^[a-z]:\\ProgramData\\$'
| where InitiatingProcessFileName in~ (
    "powershell.exe","cmd.exe","node.exe","npm.exe","python.exe","mshta.exe"
)
| project Timestamp, ActionType, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine
            

DeviceProcessEvents
| where
    (ProcessCommandLine has_any ("copy","move")
        and ProcessCommandLine has_all ("powershell","wt.exe","ProgramData"))
    or FolderPath =~ @"c:\programdata\wt.exe"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine
            

Bridewell CSIRT Detection Rules & Analytics

The following detection content was generated through our managed threat intelligence, threat hunting, and detection and response (MDR) services. The content automatically protects our customers from known and emerging threats.