# The Handala Wiper Masquerades as CrowdStrike. We Found It on GitHub.
**Author:** Patrick Duggan (with Claude Code)
**Date:** Mar 16
**Series:** DugganUSA Field Reports
*CrowdStrike.bin*
The malware that wiped 200,000 Stryker devices has a filename: `CrowdStrike.bin`.
Iran's Handala wiper — the tool that destroyed a medical device company's entire fleet via Microsoft Intune — masquerades as a CrowdStrike update. 46 out of 76 VirusTotal engines detect it as malicious. Its C2 runs through Telegram's bot API. And the original, non-defanged payload is sitting on GitHub right now.
## What VirusTotal Shows
Hash: `96dec6e07229201a02f538310815c695cf6147c548ff1c6a0def2fe38f3dcbc8`
| Finding | Detail |
|---------|--------|
| Detection | 46/76 engines |
| Type | NSIS installer (ZIP) |
| Size | 1.2MB |
| Filenames | `update.zip`, `CrowdStrike.bin`, `914319423.exe` |
| C2 | `api.telegram.org` (149.154.167.220) |
| Recon | `icanhazip.com` (IP discovery) |
| Behaviors | WMI calls, debug detection, CPU checks, anti-sandbox, long sleeps |
The CrowdStrike masquerade is deliberate. After the July 2024 CrowdStrike outage — when a faulty update crashed 8.5 million Windows machines — naming a wiper `CrowdStrike.bin` exploits the muscle memory of IT teams trained to trust CrowdStrike updates.
## The GitHub Network
We found a deobfuscated version of the wiper at `MrDomainAdmin/handalas-wiper-emulation`, published March 13, 2026, two days after the Stryker attack. The repository contains the full kill chain plus the original live payload in `infected.zip`.
Then we followed the followers.
MrDomainAdmin has 7 followers. Three of them form a cross-linked network:
**killvxk** — 14,211 repositories. Location: "USSR." Bio in Chinese (gaming references). This isn't a researcher. This is a malware collection and aggregation node with 1,579 followers. Mutual follow with TechForBad.
**TechForBad** — "Interest-driven Hero." 80 followers, 144 following. Active networker. Mutual follow with killvxk. Follows MrDomainAdmin.
**tthking** — 268 repositories. Follows 6,902 accounts. Another collection machine. Follows both killvxk and MrDomainAdmin.
All three follow MrDomainAdmin. killvxk and TechForBad mutually follow each other. The network pre-existed the wiper publication.
## The Kill Chain
From the deobfuscated analysis and Splunk Threat Research:
1. **Delivery:** NSIS installer disguised as `update.zip` or `CrowdStrike.bin`
2. **Launcher:** `carroll.cmd` — batch script that checks for AV processes via `tasklist`, sleeps via `ping -n`
3. **Payload assembly:** Binary fragments with innocuous names (Acrobat, Democracy, Honda, Viagra) reassemble into AutoIt3 executable
4. **Execution:** AutoIt script `L.a3x` loads shellcode, hollows `RegAsm.exe` (T1218.009 — Signed Binary Proxy Execution)
5. **C2:** Telegram bot API for command and control
6. **Wipe:** Via compromised Active Directory → Microsoft Intune remote wipe
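The launcher and execution stages above leave process-creation telemetry that a SOC can alert on before the Intune wipe stage is reached. The following is an added example, not code from the Handala repository or from Splunk Threat Research: three behavioural rules run over constructed Sysmon-style events. The event schema, the `USER_WRITABLE` path list, the `ping -n` threshold, and the assumed name and path of the reassembled AutoIt3 host (`AutoIt3.exe` in `%TEMP%` running `L.a3x`) are all assumptions; the benign `MSBuild.exe` event is there to show the RegAsm rule does not fire on a normal build.

```python
"""Behavioural detections for the kill chain above, run over constructed
Sysmon-style process-creation events.

Added example, not the Handala repository's or Splunk's code.  The event
schema, the rule thresholds and the sample paths are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed schema)."""
    pid: int
    image: str            # full path of the new process
    cmdline: str          # its command line
    parent_image: str     # full path of the parent process
    parent_cmdline: str   # parent's command line


# Paths an installer-dropped launcher is likely to live in (assumption).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)

# Constructed telemetry: a benign baseline, the carroll.cmd launcher stage,
# the RegAsm.exe hollowing stage, and a benign RegAsm use from a build.
LAUNCHER = r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\carroll.cmd"'
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Windows\System32\userinit.exe", "userinit.exe"),
    ProcEvent(201, r"C:\Windows\System32\tasklist.exe",
              'tasklist /FI "IMAGENAME eq MsMpEng.exe"',
              r"C:\Windows\System32\cmd.exe", LAUNCHER),
    ProcEvent(202, r"C:\Windows\System32\PING.EXE", "ping -n 60 127.0.0.1",
              r"C:\Windows\System32\cmd.exe", LAUNCHER),
    # assumed name/path for the reassembled AutoIt3 host running L.a3x
    ProcEvent(300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              "RegAsm.exe",
              r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe", "AutoIt3.exe L.a3x"),
    ProcEvent(400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              "RegAsm.exe /codebase MyLib.dll",
              r"C:\Program Files\dotnet\MSBuild.exe", "MSBuild.exe proj.csproj"),
]


def is_temp_script_launcher(ev: ProcEvent) -> bool:
    """Parent is cmd.exe running a .cmd/.bat file from a user-writable path."""
    return (ev.parent_image.lower().endswith("\\cmd.exe")
            and re.search(r"\.(cmd|bat)\b", ev.parent_cmdline, re.I) is not None
            and USER_WRITABLE.search(ev.parent_cmdline) is not None)


def rule_tasklist_from_script(ev: ProcEvent) -> bool:
    """Stage 2: a dropped batch script enumerating processes (the AV check)."""
    return ev.image.lower().endswith("\\tasklist.exe") and is_temp_script_launcher(ev)


def rule_ping_sleep(ev: ProcEvent, min_count: int = 10) -> bool:
    """Stage 2: ping -n <N> against loopback used as a sleep by a dropped script."""
    if not ev.image.lower().endswith("\\ping.exe") or not is_temp_script_launcher(ev):
        return False
    count = re.search(r"-n\s+(\d+)", ev.cmdline, re.I)
    loopback = re.search(r"\b(127\.0\.0\.1|localhost)\b", ev.cmdline, re.I)
    return count is not None and loopback is not None and int(count.group(1)) >= min_count


def rule_regasm_hollow(ev: ProcEvent) -> bool:
    """Stage 4 (T1218.009): RegAsm.exe started with no arguments by a parent in a
    user-writable path or one whose command line names an AutoIt .a3x script."""
    if not ev.image.lower().endswith("\\regasm.exe"):
        return False
    no_args = len(ev.cmdline.strip().split(None, 1)) < 2
    suspicious_parent = (USER_WRITABLE.search(ev.parent_image) is not None
                         or re.search(r"\.a3x\b", ev.parent_cmdline, re.I) is not None)
    return no_args and suspicious_parent


# rule name -> (predicate, kill-chain stage it evidences)
RULES = {
    "tasklist_from_temp_script": (rule_tasklist_from_script, "launcher"),
    "ping_sleep": (rule_ping_sleep, "launcher"),
    "regasm_hollow": (rule_regasm_hollow, "execution"),
}


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule_name) for every event that trips a rule."""
    return [(ev.pid, name) for ev in events for name, (rule, _) in RULES.items() if rule(ev)]


def stages_seen(alerts: list[tuple[int, str]]) -> set[str]:
    """Map alerts back to kill-chain stages: two or more stages on one host is
    an escalation trigger, a single stage is a triage item."""
    return {RULES[name][1] for _, name in alerts}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for pid, rule in hits:
        print(f"pid {pid}: {rule}")
    print("stages:", sorted(stages_seen(hits)))
```

The RegAsm rule keys on the combination that hollowing produces (a signed .NET utility started with an empty command line by a parent that has no business launching it) rather than on the RegAsm name alone, which is why the build-server event does not fire. The two launcher rules are individually noisy in some environments; `stages_seen` is the point where they become useful, because a host showing both the launcher and the execution stage within a short window is the Intune-wipe precursor this report describes.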
## IOCs
All indexed in our STIX feed as of today:
| Type | Value | Context |
|------|-------|---------|
| SHA-256 | `96dec6e07229201a02f538310815c695cf6147c548ff1c6a0def2fe38f3dcbc8` | Original wiper payload |
| IP | `149.154.167.220` | Telegram C2 |
| Domain | `api.telegram.org` | C2 channel |
| IP | `82.25.35.25` | Handala/Void Manticore VPS |
| IP | `31.57.35.223` | Handala/Void Manticore VPS |
| Filename | `carroll.cmd` | Batch launcher |
| Filename | `L.a3x` | AutoIt payload |
| Filename | `CrowdStrike.bin` | Masquerade name |
Pull our STIX feed for the full indicator set: `analytics.dugganusa.com/stix/pricing`
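One caveat a consumer of this table needs before loading it into a blocklist: `api.telegram.org` and `149.154.167.220` are Telegram's own infrastructure, so a hit on them is investigation context for the host that produced it, not grounds for an automatic block that would also break legitimate Telegram clients. The block below is an added example, not the DugganUSA feed format or its matching code: it wraps the table above in STIX 2.1 indicator objects, tags the shared Telegram infrastructure, and evaluates the resulting patterns against constructed observables from two hypothetical hosts (`WS-042`, `WS-043`). The UUID namespace, the `x_host` custom property, and the `created` timestamp are assumptions, and `parse_pattern` handles only the single-comparison patterns this block emits, not the full STIX pattern grammar.

```python
"""Turn the IOC table above into STIX 2.1 indicators and evaluate them against
constructed observables.  Added example: not the DugganUSA feed format or its
matching code.  Object ids, observable schema and host names are assumptions."""
import json
import re
import uuid

# The IOC table from the report as (kind, value, context).
IOCS = [
    ("sha256", "96dec6e07229201a02f538310815c695cf6147c548ff1c6a0def2fe38f3dcbc8", "Original wiper payload"),
    ("ipv4", "149.154.167.220", "Telegram C2"),
    ("domain", "api.telegram.org", "C2 channel"),
    ("ipv4", "82.25.35.25", "Handala/Void Manticore VPS"),
    ("ipv4", "31.57.35.223", "Handala/Void Manticore VPS"),
    ("filename", "carroll.cmd", "Batch launcher"),
    ("filename", "L.a3x", "AutoIt payload"),
    ("filename", "CrowdStrike.bin", "Masquerade name"),
]
# Telegram's API endpoint and address are shared third-party infrastructure:
# a hit is context for an investigation, not grounds for an automatic block.
SHARED_INFRA = {"api.telegram.org", "149.154.167.220"}
NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "example-handala-iocs")  # assumed namespace


def stix_pattern(kind: str, value: str) -> str:
    """STIX 2.1 comparison expression for one atomic indicator."""
    templates = {
        "sha256": "[file:hashes.'SHA-256' = '{v}']",
        "ipv4": "[ipv4-addr:value = '{v}']",
        "domain": "[domain-name:value = '{v}']",
        "filename": "[file:name = '{v}']",
    }
    return templates[kind].format(v=value)


def make_bundle(iocs, created: str = "2026-03-16T00:00:00.000Z") -> dict:
    """Wrap each IOC in a STIX 2.1 indicator object inside a bundle (ids are
    deterministic uuid5 values so repeated exports do not duplicate objects)."""
    objects = []
    for kind, value, context in iocs:
        labels = ["handala-wiper"]
        if value in SHARED_INFRA:
            labels.append("shared-infrastructure")
        objects.append({
            "type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid5(NAMESPACE, value)}",
            "created": created, "modified": created, "valid_from": created,
            "name": context, "indicator_types": ["malicious-activity"],
            "pattern": stix_pattern(kind, value), "pattern_type": "stix",
            "labels": labels,
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid5(NAMESPACE, 'bundle')}", "objects": objects}


PATTERN_RE = re.compile(r"^\[(?P<obj>[\w-]+):(?P<path>[\w.'\-]+) = '(?P<val>[^']*)'\]$")


def parse_pattern(pattern: str):
    """Parse the single-comparison patterns this block emits (not a full STIX
    pattern parser): returns (object type, property path, literal value)."""
    m = PATTERN_RE.match(pattern)
    if m is None:
        raise ValueError(f"unsupported pattern: {pattern}")
    path = [p.strip("'") for p in re.findall(r"'[^']*'|[^.]+", m.group("path"))]
    return m.group("obj"), path, m.group("val")


def get_path(obj: dict, path: list):
    """Walk a property path such as ['hashes', 'SHA-256'] into an observable."""
    cur = obj
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def match_observables(bundle: dict, observables: list) -> list:
    """Evaluate every indicator against every observable; the action field
    separates attacker-owned infrastructure from shared services."""
    hits = []
    for ind in bundle["objects"]:
        if ind["type"] != "indicator":
            continue
        obj_type, path, val = parse_pattern(ind["pattern"])
        for obs in observables:
            got = get_path(obs, path)
            if obs.get("type") == obj_type and got is not None and str(got).lower() == val.lower():
                hits.append({"host": obs.get("x_host"), "indicator": ind["name"], "value": val,
                             "action": "context" if "shared-infrastructure" in ind["labels"] else "block"})
    return hits


# Constructed observables from two hosts; only WS-042 touches the IOCs.
OBSERVED = [
    {"type": "domain-name", "value": "api.telegram.org", "x_host": "WS-042"},
    {"type": "ipv4-addr", "value": "82.25.35.25", "x_host": "WS-042"},
    {"type": "file", "name": "CrowdStrike.bin", "hashes": {"SHA-256": IOCS[0][1]}, "x_host": "WS-042"},
    {"type": "domain-name", "value": "updates.example.com", "x_host": "WS-043"},
    {"type": "file", "name": "report.pdf", "hashes": {"SHA-256": "0" * 64}, "x_host": "WS-043"},
]

if __name__ == "__main__":
    bundle = make_bundle(IOCS)
    print(json.dumps(bundle["objects"][0], indent=2))
    for hit in match_observables(bundle, OBSERVED):
        print(f"{hit['host']}: {hit['indicator']} ({hit['value']}) -> {hit['action']}")
```

Run stand-alone it prints the first indicator object and four hits, all on `WS-042`: the hash and the `CrowdStrike.bin` filename on the same file, the Void Manticore VPS address, and the Telegram domain tagged `context` rather than `block`. The filename indicator is the weakest of the set (any file can be named `CrowdStrike.bin`), so in practice the hash and the VPS addresses carry the block decision and the filename and Telegram hits are the pivot into the process telemetry.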
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*