
Handala Hit Medical Devices, Then Government, Then Defense. Here Are the Three Sectors Iran's MOIS Hits Next.

  • Writer: Patrick Duggan
  • 6 min read

We have 48 published posts on Handala Hack Team. We have 145 indicators of compromise on their infrastructure indexed and live in our STIX feed. We have tracked their March escalation campaign in real time across "We Started With 85 Handala IOCs. We Ended With 145. Here's How.", the Stryker breach, the Lockheed Martin claim, and the April 12 Dubai government wiper that destroyed six petabytes. We are publishing this forecast because we have earned the right to make it. Here is what Iran's Ministry of Intelligence and Security hits next.


The pattern across the campaign is unambiguous. Handala is operated by MOIS — the FBI and DOJ assess this with high confidence and the attribution has held up across every disclosure. They are not a market actor. They do not follow the dark-market lifecycle we wrote about today because they are not selling reputation to paying customers. They are executing a state-directed targeting plan that prioritizes destruction plus exfiltration on assets where the symbolic and operational damage compounds. Their target progression in 2026 reads as a deliberate campaign, not a series of opportunistic strikes.


March 11 — Stryker. Michigan-based medical device manufacturer. Fifty gigabytes exfiltrated. Roughly 80,000 medical devices wiped via what we attributed to a customized variant of Microsoft Intune deployment tooling. Operations disrupted in 79 countries. The reason this matters: medical devices are the consumer-facing edge of American medical sovereignty. When a hospital in Frankfurt cannot use a Stryker bed, that is a story about American capability failing in someone else's hospital. The narrative damage exceeded the operational damage by an order of magnitude.


March 25 — Lockheed Martin. The claim came from Handala-team.to. We documented the infrastructure pivot in our Handala IOC expansion post — they registered seven new domains in the same week, all with the same operator fingerprint. Lockheed disputed the breach scope publicly. The point of the claim was not the data itself; it was the headline that Iran's MOIS could plausibly claim having compromised the company that builds the F-35 program. Symbolic targeting at scale.


April 12 — Dubai Courts, Dubai Land Department, Dubai Roads & Transport Authority. Six petabytes of government data wiped. 149 terabytes exfiltrated. Three separate Emirati ministries hit simultaneously in coordinated wiper operations. We covered this in "Lynx Was in Our Feed 43 Days Before ACN Healthcare Got Hit. Handala Was 28 Days Before Dubai Lost 6 Petabytes." The strategic message: Iran can demonstrate attack-at-scale capability against a Gulf Cooperation Council government in a window where GCC normalization talks with Israel were active. Geopolitical signaling executed as cyber operation.


The pattern that matters. Medical devices were the sympathy-extraction target — civilian impact, hospitals globally affected. Lockheed was the symbolic defense target — F-35 industrial base. Dubai was the GCC-pressure target — diplomatic signaling at petabyte scale. Each operation was selected for narrative leverage as much as operational effect. That is how MOIS scopes targets, and that is the lens to apply when forecasting what comes next.


Three sectors are positioned for the next strike. We rank them in order of probability based on the pattern, the geopolitical context, and the public infrastructure we have visibility into.


One. GCC aviation. Probability: 60% YES by July 31, 2026.


The Dubai April 12 operation established that MOIS will execute against GCC government infrastructure during diplomatic pressure windows. Aviation is the next escalation rung — civil aviation infrastructure is critical infrastructure in the legal sense (subject to ICAO classification), but the operational disruption is consumer-facing in a way that ministry-of-land-records is not. Airports closing in Dubai, Doha, or Riyadh trigger international news cycles. The targets that fit: Emirates Airlines IT infrastructure, Etihad, Qatar Airways, any of the major GCC airport operating authorities (Dubai Airports Co., Hamad International Airport, King Khalid International). We assess Etihad and the Riyadh airport authority as the highest-probability targets specifically because both have had IT modernization initiatives that introduced the kind of management-plane surface MOIS exploited at Stryker. Flips us to NO if GCC normalization talks visibly resume in May.


Two. US power utility infrastructure. Probability: 35% YES by July 31, 2026.


This is the strategically logical target with operationally significant resistance. MOIS has demonstrated wiper capability against medical devices (Stryker) and government data centers (Dubai). The next escalation in the symbolic-leverage hierarchy is American consumer-facing critical infrastructure, of which the power grid is the obvious top tier. The targets that fit: regional transmission organizations, large investor-owned utilities (Duke Energy, Southern Company, Exelon, Pacific Gas & Electric), or the cyber-stack vendors that supply industrial control systems to those utilities (the GE Digital, Schneider, Siemens layer). We rate this as 35% specifically because the US response calculus is different from the GCC response calculus — a confirmed Iranian attack on US grid infrastructure would trigger sanctions or kinetic response options that MOIS may not be authorized to provoke without escalated Iranian leadership sign-off. The probability is conditional on US-Iran tension trajectory, which is not currently in MOIS's escalation window per our reading. If the US-Iran trajectory deteriorates in May or June, this probability climbs to 55%.


Three. Another GCC government, specifically Saudi Arabia or Kuwait. Probability: 45% YES by July 31, 2026.


If MOIS is going to repeat the Dubai operation pattern (multi-ministry coordinated wiper) elsewhere in the GCC, Saudi Arabia and Kuwait are the highest-probability second strikes. Saudi because the strategic prize is largest — Aramco IT, Saudi government cloud, the ministry-level data centers in Riyadh. Kuwait because the operational difficulty is lowest — smaller defense budget, less mature government cyber posture, but symbolic value remains high. We have not yet seen MOIS infrastructure preparation that points specifically at either, but the post-Dubai operational tempo suggests the campaign is not finished. Flips us to higher probability if Handala-team.to or its rebrands register new infrastructure with Saudi-themed or Kuwait-themed naming patterns in the next two weeks.


What every CISO at a target-class organization should do this week.


If you operate critical infrastructure or government IT in any of the three sectors above, pull our Handala IOC list and add it to your SIEM as a high-priority watch. The list is at analytics.dugganusa.com/api/v1/stix-feed filtered for malware_family=Handala or source-tagged dugganusa-iran-stryker. The 145 indicators include the Handala wiper, the Intune-deployment-tool variant, all the *.handala-team.to subdomains, the FBI-flash address [email protected], and the GitHub repo hosting their wiper-emulation code. None of those should ever resolve internally. If they do, you are ten to thirty days into an active operation depending on which indicator type fired.
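One way to act on that watch, as an added example that is not part of the original post or of the feed's own tooling: parse a STIX 2.1 bundle, keep only the indicators tagged for the family you care about, and run the resulting domain and IP watchlist over DNS resolver logs, catching subdomains (so a wildcard entry like *.handala-team.to is covered) and reverse (PTR) lookups of a watched IP. The bundle, its x_malware_family property, the domains and IP, and the BIND-style log lines are all constructed for this example; the real feed's field names may differ.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for a filtered feed pull. The domains, the IP and the
# x_malware_family property are assumptions for this example, not the feed's real data or schema.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--constructed", "objects": [
    {"type": "indicator", "x_malware_family": "Handala",
     "pattern": "[domain-name:value = 'stage.handala-example.invalid']"},
    {"type": "indicator", "x_malware_family": "Handala",
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"type": "indicator", "x_malware_family": "Lynx",
     "pattern": "[domain-name:value = 'unrelated.example.invalid']"},
]})

# Constructed BIND-style query log; 10.0.0.0/8 clients are internal hosts.
SAMPLE_DNS_LOG = """\
12-Apr-2026 03:14:07.001 client 10.0.5.21#51324: query: update.STAGE.handala-example.invalid IN A +
12-Apr-2026 03:14:09.220 client 10.0.5.22#51330: query: www.example.com IN A +
12-Apr-2026 03:15:41.908 client 10.0.7.3#40011: query: 7.113.0.203.in-addr.arpa IN PTR +
12-Apr-2026 03:16:02.117 client 10.0.5.21#51339: query: unrelated.example.invalid IN A +"""

PATTERN_RE = re.compile(r"\[(domain-name|ipv4-addr):value\s*=\s*'([^']+)'\]")
QUERY_RE = re.compile(r"^(\S+ \S+) client (\S+)#\d+: query: (\S+) IN (\S+)")

def load_watchlist(bundle_json, family):
    """Collect domain and IPv4 values from indicators tagged with the requested family."""
    domains, ips = set(), set()
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") == "indicator" and obj.get("x_malware_family") == family:
            for kind, value in PATTERN_RE.findall(obj.get("pattern", "")):
                (domains if kind == "domain-name" else ips).add(value.lower())
    return domains, ips

def scan_dns_log(log_text, domains, ips):
    """Flag queries for a watched domain or any subdomain of it, and PTR lookups of a watched IP."""
    ptr_names = {".".join(reversed(ip.split("."))) + ".in-addr.arpa": ip for ip in ips}
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        ts, client, qname, _qtype = m.groups()
        qname = qname.lower().rstrip(".")  # normalise case and trailing dot before matching
        matched = next((d for d in domains if qname == d or qname.endswith("." + d)), None)
        if matched is None:
            matched = ptr_names.get(qname)
        if matched:
            hits.append({"time": ts, "client": client, "query": qname, "indicator": matched})
    return hits
```

Any hit from an internal client is the "should never resolve internally" condition described above, so route it to a high-priority alert rather than leaving it as a log line.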


If you operate the IT for any of the named airline or airport authorities, run the tabletop now. Handala's M.O. is identity-plane compromise via management-tool exploitation, then lateral wiper deployment, then exfiltration on the way out. The defenses are: phishing-resistant MFA on identity-management consoles, network segmentation between management plane and operational plane, immutable backups for both data and configuration, and pre-established incident response with a vendor that has nation-state experience.


If you operate a US utility or supply industrial control to one, the conversation is different. CISA has Iran-specific guidance current as of April 2026. Read it. Tabletop with your TSA / FERC / DOE liaison if you have one. Assume MOIS infrastructure preparation could surface on a 30-60 day window before any operation, and that we will see and publish that infrastructure when it appears in our index.


Forecast resolution discipline. Each of the three predictions above has a July 31 deadline. We will publish a resolution post within 48 hours of any of them resolving. We will publish a final scorecard on August 1 showing which sectors were hit, which were not, and how our probabilities held up. This is the same discipline we committed to in our Kalshi predictions piece and we hold to it.


Why we publish this kind of forecast publicly when most vendors will not. The 95% epistemic cap is real — Murphy was an optimist. We will be wrong on some of these calls. But unpublished forecasts are unfalsifiable, and unfalsifiable forecasts are how the threat intelligence industry has trained itself to never be accountable. We publish because being wrong publicly is more valuable than being correct privately. And right now the trajectory of MOIS targeting against named sectors is one of the higher-confidence calls our archive supports.


Sources: Hive Pro Handala GCC critical infrastructure advisory, Check Point Research Handala modus operandi, Push Security analysis on Stryker-Handala TTP evolution, Unit 42 Iranian cyber threat brief April 17, FBI flash on [email protected], our adversaries index entry for Handala Hack Team (operator: Iran MOIS, aliases: Void Manticore / HomeLand Justice / Karma / Storm-0842 / Banished Kitten), our 48 prior posts on the actor.





