
Lynx Was in Our Feed 43 Days Before ACN Healthcare Got Hit. Handala Was 28 Days Before Dubai Lost 6 Petabytes. The Math.

  • Writer: Patrick Duggan
  • 26 minutes ago
  • 4 min read

Four organizations we want to talk about were compromised last week. Two of them were in our feed before the breach happened. One of them was a same-day publication on the same attacker methodology we wrote about a day earlier. The fourth tracks the same pattern as the third. None of them subscribed to our STIX feed. All of them paid for someone else's threat intel that did not have these indicators in time. Here is the math.


ACN Healthcare. Hit by Lynx ransomware. April 10, 2026.


We had the Lynx infrastructure indicator lynx-new.mightrecoverymarketing.com indexed in our IOC database on February 26, 2026. That is 43 days before ACN Healthcare appeared on the Lynx leak site. Lynx is a rebrand of INC ransomware, tracked by Unit 42 since their July 2024 emergence and documented as a ransomware-as-a-service operation that has now hit 397 victims as of late March 2026. They claim to exclude hospitals and non-profits as a policy and then list healthcare orgs anyway. ACN was the latest example.


If a SOC at ACN had been pulling our STIX feed at any point in the 43 days between February 26 and April 10, the Lynx infrastructure indicator would have flagged in their SIEM the moment any internal traffic touched that domain or any related Lynx C2 we have indexed downstream. They would have had six weeks to harden, segment, hunt, and block before the encryption fired.


Dubai Courts Department, Dubai Land Department, and Dubai Roads & Transport Authority. Hit by Handala Hack Team wiper. April 12, 2026.


Approximately 6 petabytes of data destroyed. 149 terabytes exfiltrated. Handala is the same Iran-affiliated group the FBI and DOJ assess with high confidence to be a state-directed persona operated by Iran's Ministry of Intelligence and Security, also tracked as Void Manticore, HomeLand Justice, Karma, Storm-0842, and Banished Kitten.


We had the first Handala IOC indexed on March 15, 2026, after the Stryker breach four days earlier showed us we were behind. By March 26 we had a full collection: handala.to, handala-team.to, handala.cx, handala-redwanted.to, handala-alert.to, handala-hack.to, the github.com/MrDomainAdmin/handalas-wiper-emulation repo, and the [email protected] address from the FBI flash. That gives the Dubai government 17 days of warning from when our collection was complete on March 26, and 28 days from the first indicator on March 15, before their data center got wiped on April 12. Three different agencies, six petabytes, all of it preventable with a SIEM rule that fired the moment any of those domains resolved internally.


ADT. Hit by ShinyHunters via voice phishing into Okta SSO into Salesforce. April 20, 2026. 10 million records claimed.


We published the methodology in our April 19 post titled "ShinyHunters Claims Vercel. The Real ShinyHunters Says It Wasn't Them. We Checked." That post called out the vishing-to-Okta-to-Salesforce attack chain and noted the broader pattern Mandiant tracks under UNC6040. The next day, ADT got hit using exactly that chain. One day of lead, but the lead was the playbook itself.


Inditex. Kemper Corporation. Amtrek. Hit by ShinyHunters across the same week.


9 million records at Inditex. 13 million records and 29 GB at Kemper. 2.1 million records at Amtrek. All three claimed by the same ShinyHunters operation, all three using the same Salesforce-via-Okta SSO pattern, all three within seven days of our writeup. We did not have specific IOCs for these three, but we had the playbook documented and shipped to subscribers. A help desk training memo and an Okta vishing tabletop based on our published M.O. would have caught any of them.


Here is what to do about this.


If you operate a SIEM, the Lynx and Handala domains we listed above are in our STIX feed at analytics.dugganusa.com/api/v1/stix-feed/domains.csv right now. Pull the file. Add it to your DNS sinkhole. The price for the entire feed is $9 per month. The price for being a Handala wiper victim is six petabytes of data plus the political fallout of explaining to your government how an Iranian intelligence operation walked into your court system unimpeded.
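The SIEM rule described for Lynx and Handala above, and the "pull the CSV, add it to your DNS sinkhole" step here, can be reduced to a small script. What follows is an added example written for this post; it is not code from the feed or from its operator. It assumes the domains CSV has a `domain` column (the real header may differ), assumes BIND-style resolver query logs, and embeds a constructed stand-in for both the feed file and the log lines, using only indicator domains already named in this post. It goes a little beyond the text: matches are done on domain suffix (so a query for a host under a listed domain still fires, while a lookalike such as nothandala.to does not), and the same list is rendered as an RPZ zone so a resolver can sinkhole the domains directly.

```python
"""Match resolver query logs against the STIX domains CSV and emit an RPZ sinkhole zone."""
import csv
import io
import re

# Constructed stand-in for analytics.dugganusa.com/api/v1/stix-feed/domains.csv.
# The column names are an assumption; only the indicator values come from the post.
SAMPLE_FEED_CSV = """domain,actor,first_seen
lynx-new.mightrecoverymarketing.com,Lynx,2026-02-26
handala.to,Handala Hack Team,2026-03-15
handala-team.to,Handala Hack Team,2026-03-26
handala.cx,Handala Hack Team,2026-03-26
"""

# Constructed BIND-style query log lines (client addresses and times are made up).
SAMPLE_DNS_LOG = """\
12-Apr-2026 03:14:07.001 queries: info: client 10.20.4.17#51234: query: www.example.org IN A +
12-Apr-2026 03:14:09.118 queries: info: client 10.20.4.17#51235: query: handala.to IN A +
12-Apr-2026 03:14:12.552 queries: info: client 10.20.7.3#40011: query: mail.handala-team.to IN MX +
12-Apr-2026 03:15:01.009 queries: info: client 10.20.9.9#3301: query: nothandala.to IN A +
12-Apr-2026 03:15:40.777 queries: info: client 10.31.2.2#7788: query: lynx-new.mightrecoverymarketing.com IN A +
"""

# Pulls the querying client, the name asked for, and the record type out of a BIND query log line.
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def load_feed(csv_text):
    """Parse the domains CSV into {normalized_domain: actor}."""
    feed = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        domain = row["domain"].strip().lower().rstrip(".")
        if domain:
            feed[domain] = row.get("actor", "")
    return feed


def match_domain(qname, feed):
    """Return the feed domain that qname equals or sits under, else None.

    Walking the label suffixes (a.b.c -> a.b.c, b.c, c) catches hosts under a
    listed domain without the substring false positives of a naive 'in' check.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def scan_log(log_text, feed):
    """Return one hit per query log line whose name resolves to a feed indicator."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        indicator = match_domain(m["qname"], feed)
        if indicator:
            hits.append({
                "client": m["client"],
                "qname": m["qname"],
                "qtype": m["qtype"],
                "indicator": indicator,
                "actor": feed[indicator],
            })
    return hits


def rpz_zone(feed):
    """Render the feed as a response policy zone that returns NXDOMAIN.

    In RPZ, 'CNAME .' is the NXDOMAIN action; the wildcard entry covers subdomains.
    """
    lines = [
        "$TTL 60",
        "@ IN SOA localhost. hostmaster.localhost. 1 3600 600 86400 60",
        "@ IN NS localhost.",
    ]
    for domain in sorted(feed):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    indicators = load_feed(SAMPLE_FEED_CSV)
    for hit in scan_log(SAMPLE_DNS_LOG, indicators):
        print(f"ALERT {hit['client']} -> {hit['qname']} ({hit['qtype']}) matches {hit['indicator']} [{hit['actor']}]")
    print(rpz_zone(indicators))
```

Against the constructed log the script alerts on three of the five queries: the bare handala.to lookup, the MX lookup for a host under handala-team.to, and the Lynx domain; the lookalike nothandala.to is left alone. The RPZ output can be loaded on a BIND or Unbound resolver as the sinkhole the post recommends, and the same `match_domain` suffix walk is what the equivalent SIEM rule should do rather than a plain substring match.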


If you operate a help desk that has Okta SSO into a Salesforce CRM with customer records, the ShinyHunters M.O. is now public, repeated, and provably effective against billion-dollar companies. The fix is a single help desk policy: nobody resets MFA over a phone call without out-of-band verification. The cost of the policy is a half-hour staff meeting. The cost of skipping it is what ADT, Inditex, Kemper, and Amtrek will spend on incident response, regulatory fines, and customer notification mail in the next six months.


A note on the ones we will not claim. Stryker got hit on March 11 and our Handala collection started on March 15, so we were four days late. ChipSoft got hit on April 7 and our advisory entry is dated April 12, so we were five days late. Vercel got hit on April 19 and we covered it the same day, not before. We do not get to claim those as protections. We claim the ones the receipts support.


The receipts here are dated, sourced, and indexed. The lead times are mathematical, not narrative. The four organizations named at the top are real. So is the feed. So is the price.


STIX feed: analytics.dugganusa.com/api/v1/stix-feed
Domains CSV: analytics.dugganusa.com/api/v1/stix-feed/domains.csv
Adversary profiles: Lynx (G-pending), Handala Hack Team (Void Manticore / Storm-0842), ShinyHunters (UNC6040 cluster).


Sources: Ransomware.live Lynx group page, Unit 42 Lynx-as-INC-rebrand analysis, Hive Pro Handala GCC critical infrastructure advisory, Check Point Research Handala modus operandi, FBI flash on [email protected], BleepingComputer ADT confirmation, BreachSense breach tracking April 24-26 entries.

