  • Writer: Patrick Duggan
  • Mar 26

Updated: Apr 25

# Lockheed Martin Rejected My Application. Iran Accepted Theirs.


*March 26, 2026 — DugganUSA*


This morning I received an email from Lockheed Martin Talent Acquisition:


> *"Thank you for giving us the opportunity to review your skills and experience for the AI Platform Engineer Staff position. At this time we are considering other candidates for this opening."*


This afternoon, Handala — Iran's Ministry of Intelligence and Security cyber unit — claimed they exfiltrated 375 terabytes from Lockheed Martin. F-35 Block 4 technical documentation. Next-generation interceptor missile systems. Internal contracts. The personal data of 28 senior American engineers stationed in Israel — names, passport numbers, residences, base assignments. Ransom demand: $400-600 million.


I applied to build their AI platform. They're considering other candidates.


Iran applied to their network. They got in.


## What We Know



Handala posted a 48-hour ultimatum on their Telegram channel demanding Lockheed Martin employees cease cooperation with Israel. They claim full access to sensitive defense data including F-35 and F-22 maintenance programs and the THAAD missile defense system.


Lockheed Martin's response: *"There is no evidence indicating these reports are accurate. We remain confident in the integrity of our robust, multi-layered information systems and data security."*


Important caveat: Handala has been flagged for unverified and potentially fabricated claims. RedPacket Security's listing includes a verification alert. No proof of the breach has been published as of this writing. The 375TB number may be propaganda.


But Handala's track record includes Stryker — 200,000 devices wiped across 79 countries. That one was real. The FBI confirmed it. The DOJ attributed it to MOIS. So when Handala makes a claim, the responsible thing is to take it seriously until evidence says otherwise.


## The Escalation Pattern



We've been tracking Handala's infrastructure since their domains were seized. Here's the pattern:


| Date | Target | Scale | Verified |
|------|--------|-------|:---:|
| Mar 11 | **Stryker** (medical devices) | 200,000 devices wiped | Yes — FBI/DOJ confirmed |
| Mar 20 | FBI seizes 4 Handala domains | — | Yes |
| Mar 20 | Handala stands up new domains within hours | 3 new domains, 3 hosting providers | Yes — we mapped them |
| Mar 25 | **Tamir Pardo** (former Mossad chief) | 14GB claimed | Unverified |
| Mar 25 | **Lockheed Martin** (defense industrial base) | 375TB claimed | **Unverified** |


Medical devices → intelligence chief → defense contractor. Each target larger than the last. Each claim made after the FBI tried to shut them down. They're not retreating from the domain seizure — they're escalating through it.


## What We Found This Morning



Before the Lockheed news broke, we published our Handala infrastructure hunt. Starting from 85 IOCs and ending at 148 through DNS pivoting, GitHub code search, and live infrastructure mapping. The findings:


- **handala-alert.to** is live on `82.38.63.237` — Ultahost (AS214036), a hosting provider that runs 6 Tor middle relays. Bulletproof hosting. Nobody else had this IP.

- **handala-team.to** is behind DDOS-Guard LTD in Russia. Their WordPress site is serving content right now.

- **handala-hack.ps** has SPF records configured for email — operational infrastructure, not just propaganda.

- The **Telegram C2 bot token** (`6428401585`) and full URL are documented. The token has been revoked but the pattern is recorded.

- Three original C2 IPs from vendor reports are **dark** (ports closed). Four new infrastructure IPs are **live**.


They burned the old, lit up the new, and kept operating. The FBI seizure was a press release. The infrastructure rotation was a Tuesday.


## The Rejection Letter



I spent 8 years in enterprise infrastructure. Dell EMC. Palo Alto Networks. Embedded at Microsoft for JEDI and Azure Stack. I build AI platforms that process a million IOCs, run autonomous threat detection, and feed STIX intelligence to 275 organizations in 46 countries.


I applied to Lockheed Martin to build AI platforms. Position 707829BR. They're considering other candidates.




Meanwhile, our two-person operation:

- Mapped Handala's post-seizure infrastructure before any vendor published it

- Found novel IOCs through DNS pivoting that zero GitHub repos contain

- Indexed 148 Handala indicators in a STIX feed consumed by more organizations than most threat intel companies have customers

- Published the Telegram C2 bot token, the DDOS-Guard connection, and the Ultahost Tor-relay-hosting relationship

- Built an automated gap miner that turns customer search queries into intelligence requirements


Lockheed Martin doesn't need another AI Platform Engineer. They need someone who checks whether Iranian state hackers are claiming to sell their F-35 blueprints.


## What Defenders Should Do



Regardless of whether the 375TB claim is real:


1. **If you're in the defense industrial base** — check your Intune/MDM admin access. That's how Stryker got wiped. MFA on every admin account. Alert on mass device actions.


2. **Monitor the infrastructure we published** — `82.38.63.237` (Ultahost), `185.178.208.137` (DDOS-Guard), AS214036. These are Handala's current operational nodes.


3. **The STIX feed has 148 Handala IOCs** — free at analytics.dugganusa.com/stix. Deploy them. The FBI's domain seizure lasted one day. The IOCs in your SIEM last until you remove them.


4. **Watch for the proof** — If Handala publishes even a fraction of what they claim, the defense industrial base has a supply chain problem that makes SolarWinds look like a typo.
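
For item 1's advice to alert on mass device actions, here is an added example (not from the original post or any vendor's tooling) of a sliding-window check over MDM audit events. The event tuple layout, action names, account names and thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical action names; map them to whatever your MDM audit log emits.
DESTRUCTIVE = {"wipe", "retire", "delete"}

def sample_events():
    """Constructed audit events: (time, actor, action, device)."""
    t0 = datetime(2026, 1, 1, 2, 0, 0)
    events = [(t0, "helpdesk@example.test", "wipe", "LT-0001"),
              (t0 + timedelta(minutes=1), "helpdesk@example.test", "sync", "LT-0002")]
    # One account wipes 12 different devices, five seconds apart.
    events += [(t0 + timedelta(hours=1, seconds=5 * i), "admin2@example.test",
                "wipe", f"LT-1{i:03d}") for i in range(12)]
    return events

def mass_action_alerts(events, threshold=10, window=timedelta(minutes=5)):
    """One alert per actor, fired when distinct devices hit by destructive
    actions inside the sliding window first reach the threshold."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs still in window
    alerts = {}
    for when, actor, action, device in sorted(events):
        if action not in DESTRUCTIVE or actor in alerts:
            continue
        q = recent[actor]
        q.append((when, device))
        while when - q[0][0] > window:
            q.popleft()  # drop actions that fell out of the window
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            alerts[actor] = {"actor": actor, "devices": len(distinct),
                             "window_start": q[0][0], "fired_at": when}
    return list(alerts.values())
```

Counting distinct devices rather than raw events keeps a retried wipe of one laptop from inflating the score, and a single routine wipe by the help desk stays below the threshold.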
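
For items 2 and 3, an added example (not DugganUSA's code) that pulls simple indicators out of a STIX bundle and matches them against proxy logs without substring false positives. The bundle is constructed from the indicators named in this post and trimmed to the fields used; the real feed's layout, the log format and the two near-miss log lines are assumptions.

```python
import json
import re

# Constructed bundle, trimmed to the fields used; values are indicators from this post.
BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern_type": "stix", "pattern": p} for p in (
        "[ipv4-addr:value = '82.38.63.237']", "[ipv4-addr:value = '185.178.208.137']",
        "[domain-name:value = 'handala-alert.to']",
        "[domain-name:value = 'handala-team.to']",
        "[domain-name:value = 'handala-hack.ps']")]})

# Constructed proxy log (assumed format): timestamp, client, destination IP, host.
LOG = """\
2026-01-01T10:00:01Z 10.0.0.5 82.38.63.237 handala-alert.to
2026-01-01T10:00:02Z 10.0.0.6 182.38.63.237 example.test
2026-01-01T10:00:03Z 10.0.0.7 203.0.113.9 www.handala-team.to
2026-01-01T10:00:04Z 10.0.0.8 203.0.113.10 nothandala-team.to
2026-01-01T10:00:05Z 10.0.0.9 185.178.208.137 -
"""

SIMPLE = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")

def load_iocs(bundle_json):
    """Collect IPs and domains from simple equality patterns; skip the rest."""
    ips, domains = set(), set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for kind, value in SIMPLE.findall(obj.get("pattern", "")):
            target = ips if kind == "ipv4-addr" else domains
            target.add(value.lower().rstrip("."))
    return ips, domains

def domain_hit(host, domains):
    """True if host is a listed domain or a subdomain of one, compared by label."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def scan(log_text, ips, domains):
    """Return (client, ip_hit, domain_hit) for lines touching a listed indicator."""
    hits = []
    for parts in map(str.split, log_text.splitlines()):
        if len(parts) != 4:
            continue  # malformed line
        _, client, dst, host = parts
        ip_hit, dom_hit = dst in ips, domain_hit(host, domains)
        if ip_hit or dom_hit:
            hits.append((client, ip_hit, dom_hit))
    return hits
```

The second and fourth log lines are the cases a naive substring search would flag; exact token comparison for IPs and label-aligned suffix comparison for hostnames leave them out.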


## The Point



I don't hold grudges against Lockheed Martin's recruiting team. They have a process. They followed it. I don't fit whatever box position 707829BR required.


But the irony of receiving a rejection letter on the same day Iran claims to have breached the company — that writes itself.


The gap between "we're considering other candidates" and "375 terabytes of F-35 data" is the same gap that exists everywhere in this industry: between what organizations think they need and what the threat environment actually demands.


I'll be here. Mapping infrastructure. Filling gaps. Feeding the STIX feed. The rejection letter goes in the folder with the rest of them. The IOCs go in the database where they help people.




*Patrick Duggan is the founder of DugganUSA LLC. He was not considered for Lockheed Martin position 707829BR. He was, however, the first person to publish Handala's post-seizure infrastructure, DNS-derived mail server IPs, and the Telegram C2 bot token used by Iran's Ministry of Intelligence and Security. The STIX feed is free. The rejection letter was also free.*





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*

