# We Started With 85 Handala IOCs. We Ended With 145. Here's How.
*Patrick Duggan, DugganUSA. March 26, 2026. Updated April 25.*
Yesterday, Iran's Handala hack group dumped 14 gigabytes of data it claims belongs to the head of Mossad. That was five days after the FBI seized the group's domains, and the dump came from a new .ps domain they stood up within hours of the seizure.
We decided to hunt.
## What We Started With
85 Handala IOCs were already in our STIX feed: wiper hashes, C2 infrastructure, and indicators from the Stryker attack that wiped 200,000 devices across 79 countries on March 11. Solid coverage, but static, the kind of IOCs every threat feed has because every vendor blogged about Stryker.
Static IOCs are yesterday's ammunition. The infrastructure underneath them is today's.
## Phase 1: The FBI FLASH (12 Hashes)
FBI FLASH-20260320-001 dropped March 20, the same day the FBI seized Handala's domains. It lists twelve MD5 hashes from FBI investigations of MOIS malware that uses Telegram as C2:
| Filename | What It Does |
|----------|---|
| KeePass.exe | Stage 1 masquerading — pretends to be password manager |
| Pictory_premium_ver9.0.4.exe | Stage 1 masquerading — pretends to be video editor |
| Telegram_Authenticator.exe | Stage 1 masquerading — pretends to be Telegram auth |
| WhatssApp.exe | Stage 1 masquerading — note the typo |
| MicDriver.exe/dll | Records screen and audio during Zoom sessions |
| RuntimeSSH.exe (2 variants) | Persistent implant |
| MsCache.exe | Persistent implant |
| smqdservice.exe | Exfiltration via Telegram API |
| winappx.exe | Exfiltration via Telegram API |
| rantom.txt (2 variants) | Staging/config |
The kill chain: social engineering delivers stage 1 → the masquerading app installs stage 2 → the persistent implant phones home to api.telegram.org through a bot account → screen captures and files are exfiltrated through that same bot.
Every hash is in our STIX feed now. Three GitHub repos had them before us: SlimKQL's MOIS IOC list, pisut-muangsamai's blocklist, and globus-intr's hash list. We were fourth. That's fine. Hashes are table stakes.
## Phase 2: The GitHub Hunt
We searched GitHub for every Handala indicator — code, repos, detection rules. Found the ecosystem:
**stamparm/maltrail** — Handala trail file with C2 IP `93.127.195.88` (Hostinger, AS47583) and the Tor hidden service: `vmjfieomxhnfjba57sd6jjws2ogvowjgxhhfglsikqvvrnrajbmpxqqd.onion`
**fastfire/IsraelIranConflict** — Tracks 60+ pro-Iran groups. Three Telegram channels for Handala: `t.me/handala_hack26`, `t.me/handala_channel`, and a private invite link. Status on the clearweb domains: OFFLINE. Status on one Telegram channel: VALID.
**barkandbite/iranian-apt-detection** — The real find. Suricata rules written March 24-25, 2026 with:
- Detection for Handala's Microsoft Intune mass wipe API call (the exact technique used on Stryker)
- Detection for the masquerading filenames from the FBI FLASH
- Six FBI-seized domains including three we hadn't seen: `handala-alert.to`, `handala-redwanted.to`, `karmabelow80.org`
- The numeric bot ID `6428401585`, the part of a Telegram bot token before the colon (the secret after the colon is what actually authenticates to the Bot API)
**llagos0630/EDL** — An endpoint detection list containing the full Telegram C2 URL: bot token + chat ID. One repo on all of GitHub had this.
**splunk/security_content** — Handala wiper detection story. Mainstream vendor coverage.
**Checkpoint research** (via aNaoy) — Handala modus operandi write-up posted March 12, the day after Stryker.
## Phase 3: The DNS Pivot
This is where it gets interesting. Nobody on GitHub had done this.
We ran DNS lookups (A, TXT, MX, NS) on every known Handala domain. The current infrastructure map:
| Domain | IP | Hosting | NS | Status |
|--------|---|---|---|---|
| handala-hack.to | 104.21.3.183 | Cloudflare | **ns1.fbi.seized.gov** | Seized Mar 20 |
| handala-hack.ps | 66.29.132.176 | Namecheap | dns1.namecheaphosting.com | **LIVE** — stood up within hours of seizure |
| handala-team.to | 185.178.208.137 | **DDOS-Guard LTD (Russia)** | ns1.ddos-guard.net | LIVE |
| handala.to | 103.224.212.206 | Trellian (AU) / Above.com | ns1.abovedomains.com | Parked |
The `.ps` domain's SPF record lists two mail server IPs that appear in no public IOC list:
- `66.29.132.86`, Namecheap mail infrastructure
- `66.29.132.160`, Namecheap mail infrastructure
Zero results on GitHub for either IP. These are operational: MOIS set up email on the post-seizure domain. You don't configure SPF records for a propaganda site. You configure them so your outbound mail doesn't get flagged as spam, which means mail is meant to leave this domain, for phishing or for communications. One caveat before these go into a blocklist: both addresses sit in Namecheap's mail infrastructure, which relays for many unrelated customers, so treat them as context rather than as a block-on-sight indicator. The high-fidelity check is mail from either IP whose envelope sender or From header is `@handala-hack.ps`.
The MX records point to `jellyfish.systems` — Namecheap's private email hosting. The TXT record on `handala.to` contains a verification hash: `0ad094978b47130a6a809a0396525cae21191ed6`. No matches anywhere.
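The SPF pivot above, as an added example that is not DugganUSA tooling: it walks an SPF record the way the article describes, but also follows `include:` and `redirect=` (where most mail providers actually hide their sending ranges), resolves `a` and `mx` terms, and honours the RFC 7208 ten-lookup limit. It takes an injectable resolver so it runs offline here; the answers in `FAKE_DNS` are constructed (the two `ip4:` values mirror the article's find, while `spf.mailer.example`, `loop.example` and the 198.51.100.x addresses are invented documentation-range data). Swap `fake_resolve` for a real resolver to run it against live DNS.

```python
"""Flatten an SPF record into the addresses it authorizes to send mail.

Added example for this article, not DugganUSA code. The DNS answers in FAKE_DNS are
CONSTRUCTED: they copy the shape of what the article reports for handala-hack.ps (two
Namecheap ip4 mechanisms) and add an include: chain plus an include loop to exercise the
edge cases. Replace fake_resolve with a real resolver to run it against live DNS.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

Resolver = Callable[[str, str], List[str]]  # (name, rrtype) -> answer strings

FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    # The two ip4: mechanisms mirror the article's find; the include: target is invented.
    ("handala-hack.ps", "TXT"): [
        "v=spf1 ip4:66.29.132.86 ip4:66.29.132.160 include:spf.mailer.example ~all",
    ],
    ("spf.mailer.example", "TXT"): ["v=spf1 mx a:relay.mailer.example -all"],
    ("spf.mailer.example", "MX"): ["10 mx1.mailer.example."],
    ("mx1.mailer.example", "A"): ["198.51.100.10"],
    ("relay.mailer.example", "A"): ["198.51.100.20"],
    # A self-referencing include: a broken record you will meet in the wild.
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}


def fake_resolve(name: str, rrtype: str) -> List[str]:
    """Stand-in for a DNS resolver; returns the constructed answers above."""
    return FAKE_DNS.get((name.lower().rstrip("."), rrtype), [])


SPF_LOOKUP_LIMIT = 10  # RFC 7208 4.6.4: more than 10 DNS-querying terms is a permerror


def get_spf(name: str, resolve: Resolver) -> Optional[str]:
    """Return the single v=spf1 TXT record for name, or None (zero or several is invalid)."""
    spf = [t for t in resolve(name, "TXT") if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return spf[0] if len(spf) == 1 else None


def flatten_spf(domain: str, resolve: Resolver) -> Dict[str, object]:
    """Walk ip4/ip6/a/mx/include/redirect terms; return authorized IPs, lookup count, errors."""
    ips: Set[str] = set()
    errors: List[str] = []
    seen: Set[str] = set()
    lookups = 0

    def charge() -> bool:
        nonlocal lookups
        lookups += 1
        if lookups > SPF_LOOKUP_LIMIT:
            errors.append("permerror: more than 10 DNS lookups")
            return False
        return True

    def walk(name: str) -> None:
        name = name.lower().rstrip(".")
        if name in seen:
            errors.append(f"include loop at {name}")
            return
        seen.add(name)
        spf = get_spf(name, resolve)
        if spf is None:
            errors.append(f"no single SPF record for {name}")
            return
        for term in spf.split()[1:]:
            term = term.lstrip("+-~?")  # drop the qualifier; we want what the term names
            kind, _, arg = term.partition(":")
            if kind in ("ip4", "ip6"):
                ips.add(arg)
            elif kind == "include":
                if charge():
                    walk(arg)
            elif term.startswith("redirect="):
                if charge():
                    walk(term.split("=", 1)[1])
            elif kind == "a":
                if charge():
                    ips.update(resolve(arg or name, "A"))
            elif kind == "mx":
                if charge():  # the MX query counts; the A query per exchange does not (RFC 7208)
                    for mx in resolve(arg or name, "MX"):
                        ips.update(resolve(mx.split()[-1], "A"))
            # all, exists:, ptr: nothing to pivot on here

    walk(domain)
    return {"ips": ips, "lookups": lookups, "errors": errors}


if __name__ == "__main__":
    result = flatten_spf("handala-hack.ps", fake_resolve)
    for ip in sorted(result["ips"]):
        print(ip)
    print("lookups:", result["lookups"], "errors:", result["errors"])
```

Two things to notice when you run this for real: the IPs that come back from `include:` chains belong to the mail provider, not the registrant, so they are enrichment rather than attribution; and a domain whose SPF errors out (no record, two records, a loop, more than ten lookups) is still a finding, because it tells you the operator set up mail in a hurry.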
## Phase 4: The ASN Map
The infrastructure tells a story about who protects Handala's operations:
| IP | ASN | Provider | Country | Role |
|---|---|---|---|---|
| 107.189.19.52 | PONYNET | Cloudzy (bulletproof) | US | Known C2 |
| 93.127.195.88 | AS47583 | Hostinger | US | C2 (maltrail) |
| 146.185.219.235 | — | Zeropointer | NL | VPN exit node |
| 185.178.208.137 | AS57724 | DDOS-Guard LTD | **Russia** | DDoS protection |
| 66.29.132.176 | NAMEC | Namecheap | US | Post-seizure hosting |
DDOS-Guard (AS57724) is the thread worth pulling. It is a Russian DDoS protection provider, and the same service has fronted numerous APT-linked operations. When a state-backed Iranian threat actor puts post-seizure infrastructure behind a Russian provider, that is more than a hosting decision: it is a choice of jurisdiction where US takedown requests go nowhere, and we read it as an alliance signal. Keep in mind that DDOS-Guard also fronts plenty of ordinary commercial sites, so the ASN is context for an investigation, not an indicator on its own.
Cloudzy (PONYNET) has been flagged by Halcyon as a bulletproof hosting provider used by multiple Iranian operations. The PTR record for `107.189.19.52` is `52.19.189.107.static.cloudzy.com`.
## Phase 5: The Telegram C2 Bot
The components of the C2 URL recovered in the GitHub hunt: bot ID `6428401585` and chat ID `6932028002`. This is the endpoint MOIS malware phones home to. The FBI FLASH confirmed Telegram as the C2 channel, the barkandbite Suricata rules match on the bot ID prefix of the token, and the EDL repo has the complete URL.
This is not a hash that changes with every compile. It is C2 infrastructure that works until Telegram revokes the bot token, and Telegram only does that once someone reports it. Monitor it. One practical note: the Bot API is served over HTTPS, so the token in the URL path is visible at a TLS-terminating proxy or in endpoint telemetry, not on a passive network tap.
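The detection side of the Phase 1 kill chain and the Phase 5 bot, as an added example that is not DugganUSA, FBI or barkandbite code: it parses URL logs from a TLS-inspecting proxy or EDR, pulls the bot ID out of any `api.telegram.org/bot<id>:<secret>/<method>` call, grades the hit (known-bad bot ID, unknown bot pushing content out, unknown bot polling for commands, anything else), and emits a Suricata rule of the kind the article says barkandbite published. `SAMPLE_LOG` is constructed in a simple `timestamp src_ip method url "user-agent"` shape; the token secrets and the other bot IDs in it are made up, and only `6428401585` comes from the article.

```python
"""Spot Telegram Bot API C2 in URL logs and emit a Suricata rule for a known bot ID.

Added example for this article, not DugganUSA, FBI or barkandbite code. SAMPLE_LOG is
CONSTRUCTED; the token secrets and the bot IDs other than 6428401585 are invented.
api.telegram.org is HTTPS, so a URL path like this is only visible at a TLS-terminating
proxy or from endpoint telemetry, never on a passive tap.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

KNOWN_BAD_BOT_IDS = {"6428401585"}  # from the article (barkandbite / llagos0630 repos)

# Bot API calls carry the whole token in the path: https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<verb>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMessage"}
POLL_METHODS = {"getUpdates", "getMe"}


@dataclass
class Hit:
    ts: str
    src: str
    bot_id: str
    api_method: str
    severity: str
    reason: str


def classify(line: str) -> Optional[Hit]:
    """Return a Hit for any Bot API call in the line, graded by what we know about it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    api = BOT_API_RE.match(m["url"])
    if not api:
        return None  # web.telegram.org, t.me and friends are not the Bot API
    bot_id, method = api["bot_id"], api["method"]
    if bot_id in KNOWN_BAD_BOT_IDS:
        sev, why = "critical", "known MOIS bot id"
    elif method in EXFIL_METHODS:
        sev, why = "high", "unknown bot pushing content out (possible exfil)"
    elif method in POLL_METHODS:
        sev, why = "medium", "unknown bot polling for updates (possible beacon)"
    else:
        sev, why = "low", "Telegram Bot API use"
    return Hit(m["ts"], m["src"], bot_id, method, sev, why)


def scan(lines: List[str]) -> List[Hit]:
    """Run classify over a log and keep the hits, in log order."""
    return [h for h in map(classify, lines) if h is not None]


def suricata_rule(bot_id: str, sid: int) -> str:
    """Suricata 5+ rule matching the token prefix in the URI of decrypted HTTP to api.telegram.org."""
    return (
        f'alert http any any -> any any (msg:"Telegram Bot API call with bot id {bot_id}"; '
        'http.host; content:"api.telegram.org"; '
        f'http.uri; content:"/bot{bot_id}:"; startswith; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


# Constructed sample: the known-bad bot, an unknown poller, a browser hit on web.telegram.org
# (not the Bot API), an unknown uploader, and an unknown call to a method we do not grade.
SAMPLE_LOG = [
    '2026-03-25T10:01:02Z 10.0.4.21 POST https://api.telegram.org/bot6428401585:AAEconstructedSecret_00000000000000/sendDocument "Mozilla/5.0"',
    '2026-03-25T10:01:09Z 10.0.4.21 GET https://api.telegram.org/bot6428401585:AAEconstructedSecret_00000000000000/getUpdates "Mozilla/5.0"',
    '2026-03-25T10:02:00Z 10.0.7.3 GET https://api.telegram.org/bot1122334455:AAFotherConstructedSecret_000000000/getUpdates "python-requests/2.31"',
    '2026-03-25T10:03:00Z 10.0.7.9 GET https://web.telegram.org/a/ "Mozilla/5.0"',
    '2026-03-25T10:04:00Z 10.0.9.1 POST https://api.telegram.org/bot9988776655:AAGyetAnotherConstructed_0000000000/sendPhoto "curl/8.0"',
    '2026-03-25T10:05:00Z 10.0.9.4 GET https://api.telegram.org/bot5550001111:AAHlastConstructedSecret_00000000000/getChat "curl/8.0"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.severity:8} {h.src:10} bot{h.bot_id} {h.api_method:13} {h.reason}")
    print(suricata_rule("6428401585", 9000001))
```

The severity tiers matter because legitimate automation (alerting bots, chat-ops) also talks to the Bot API; a blanket alert on `api.telegram.org` gets tuned out in a week, while a critical on the known bot ID and a high on an unknown bot uploading documents from a workstation both survive triage.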
## The Final Count
| Source | IOCs Added | Type |
|--------|:---:|---|
| Starting baseline | 85 | Mixed (wiper hashes, C2 IPs) |
| FBI FLASH-20260320-001 | 12 | MD5 hashes (masquerading malware + implants) |
| Vendor reports (Rewterz) | 2 | SHA256 wiper + SHA1 |
| GitHub code search | 4 | Domains, Tor onion, ransomware hash |
| DNS pivot (novel) | 6 | SPF mail IPs, post-seizure domains |
| Telegram C2 (novel) | 1 | Full bot URL with token + chat ID |
| Infrastructure mapping | 5 | Hosting IPs, seized domains |
| **Total** | **145** | **28 new from this hunt** |
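Turning the hunt's infrastructure finds into feed entries, as an added example that is not the DugganUSA feed's own generator: it builds STIX 2.1 Indicator objects with the standard library only, validates each value before it becomes a pattern, escapes string literals the way the STIX pattern grammar requires, and wraps them in a bundle. The IOC values are the ones quoted in this article; the Telegram entry matches only the bot ID prefix with a `MATCHES` pattern because the token secret is not reproduced here. Deriving indicator IDs with uuid5 from the pattern is a design choice of this example (STIX 2.1 recommends uuid4 for SDOs but allows others) so that rebuilding the feed does not emit duplicate objects.

```python
"""Build STIX 2.1 Indicator objects for the infrastructure IOCs found by the hunt.

Added example, not the DugganUSA feed's generator; stdlib only, no stix2 library.
The IOC values are the ones quoted in this article; the Telegram pattern uses only the
bot ID prefix because the token secret is not reproduced here. ID derivation via uuid5
is a design choice of this example (STIX 2.1 recommends uuid4 for SDOs but allows others).
"""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Dict, List, Sequence

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HASH_PROP = {"md5": "MD5", "sha1": "'SHA-1'", "sha256": "'SHA-256'"}  # STIX 2.1 hash key names


def _lit(s: str) -> str:
    """Quote a STIX pattern string literal: backslash and single quote are the only escapes."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def stix_pattern(kind: str, value: str) -> str:
    """Validate an IOC value and render it as a STIX comparison expression."""
    if kind == "domain":
        if not DOMAIN_RE.match(value):
            raise ValueError(f"bad domain: {value}")
        return f"[domain-name:value = {_lit(value.lower())}]"
    if kind == "ipv4":
        ipaddress.IPv4Address(value)  # raises ValueError on junk like 66.29.132
        return f"[ipv4-addr:value = {_lit(value)}]"
    if kind in HEX_LEN:
        if not re.fullmatch(rf"[0-9a-fA-F]{{{HEX_LEN[kind]}}}", value):
            raise ValueError(f"bad {kind}: {value}")
        return f"[file:hashes.{HASH_PROP[kind]} = {_lit(value.lower())}]"
    if kind == "url_regex":
        return f"[url:value MATCHES {_lit(value)}]"
    raise ValueError(f"unknown kind: {kind}")


def _now() -> str:
    """STIX timestamp: RFC 3339 in UTC with millisecond precision and a Z suffix."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(kind: str, value: str, name: str, valid_from: str,
                   types: Sequence[str] = ("malicious-activity",)) -> Dict:
    pattern = stix_pattern(kind, value)
    ts = _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, pattern)),  # stable per pattern
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": list(types),
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": valid_from,
    }


def make_bundle(objects: List[Dict]) -> Dict:
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


# Infrastructure IOCs as quoted in the article (the Telegram entry is a prefix match only).
HUNT_IOCS = [
    ("domain", "handala-hack.ps", "Handala post-seizure domain"),
    ("domain", "handala-team.to", "Handala domain behind DDOS-Guard"),
    ("domain", "vmjfieomxhnfjba57sd6jjws2ogvowjgxhhfglsikqvvrnrajbmpxqqd.onion", "Handala Tor hidden service"),
    ("ipv4", "66.29.132.86", "SPF-authorized mail IP for handala-hack.ps (Namecheap shared)"),
    ("ipv4", "66.29.132.160", "SPF-authorized mail IP for handala-hack.ps (Namecheap shared)"),
    ("ipv4", "185.178.208.137", "handala-team.to A record (DDOS-Guard)"),
    ("ipv4", "93.127.195.88", "Handala C2 (maltrail)"),
    ("url_regex", r"^https://api\.telegram\.org/bot6428401585:", "MOIS Telegram bot C2 (token prefix)"),
]


def build_hunt_bundle(valid_from: str = "2026-03-25T00:00:00Z") -> Dict:
    return make_bundle([make_indicator(k, v, n, valid_from) for k, v, n in HUNT_IOCS])


if __name__ == "__main__":
    print(json.dumps(build_hunt_bundle(), indent=2))
```

The validation step is the part worth copying: a feed that accepts `66.29.132` or a 31-character "MD5" silently produces patterns no consumer will ever match, and nobody notices until an incident.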
## What This Means for Defenders
1. **Monitor AS57724 (DDOS-Guard)** — Handala chose Russian DDoS protection for post-seizure infrastructure. Don't block the whole ASN; DDOS-Guard fronts plenty of legitimate sites. Tag traffic to its address space as context, alert on `185.178.208.137` specifically, and investigate hosts that have no reason to talk to it.
2. **Alert on the Telegram bot ID** — `6428401585` in the path of any outbound request to api.telegram.org. The Suricata rule from barkandbite does this, but only on decrypted HTTP, so put it behind a TLS-inspecting proxy or feed it endpoint URL telemetry. On a passive tap you only see TLS to api.telegram.org, which is still worth an alert when it comes from servers or from hosts that don't run Telegram. Deploy it.
3. **SPF records are intelligence** — The `.ps` domain's TXT record reveals mail infrastructure nobody else has published. DNS pivoting after domain seizure/reboot catches operational infrastructure that hash-based detection misses.
4. **Domain seizures alone don't stop this actor** — Handala stood up `.ps` in hours, configured email, set SPF records, and resumed publishing. The FBI took four domains. Handala has at least seven more we can see, plus Telegram channels and a Tor hidden service. A seizure buys hours, so the hunt for the replacement infrastructure has to start the same day.
5. **The STIX feed has all 145** — Free at analytics.dugganusa.com/stix. Consumed by 275+ organizations in 46 countries. If you're defending healthcare infrastructure, these indicators should be in your SIEM today.
## The Method
We started where everyone starts: vendor blogs and FBI releases. Then we did what most people don't:
1. **GitHub code search** for every hash and filename — find who else is tracking, what detection rules exist, what infrastructure details leaked into public repos
2. **DNS pivot** on every domain — A, TXT, MX, NS records reveal infrastructure the domain registrant configured but didn't intend to advertise
3. **ASN mapping** — who provides hosting, DDoS protection, and bulletproof services tells you about the threat actor's operational relationships
4. **Reverse lookup** on every IP — PTR records, neighboring infrastructure, shared hosting
5. **Certificate transparency** — check crt.sh for TLS certs. Every publicly trusted CA logs its certificates to CT, so a domain with no entries has never had a publicly trusted certificate. Handala's post-seizure domains have none, which means plain HTTP or a self-signed certificate, and when one of them does get a certificate, crt.sh is where it shows up first.
Anyone can do this. The tools are free. The data is public. The gap is the same gap it always is: between having the data and asking the right questions.
*Patrick Duggan is the founder of DugganUSA LLC. The Handala MOIS STIX feed, PreCog precursor detection system, and full IOC database are available at analytics.dugganusa.com. The hunt that produced this article took one afternoon and a DNS client. The FBI seizure that prompted it cost significantly more and lasted approximately one day.*
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*