Iranian Cyber Group Handala Targets US Troops in Bahrain

The Iran-linked threat actor Handala this week targeted US troops in Bahrain in an influence campaign carried out on WhatsApp. The messages, signed Handala and containing a link to the group’s website, claimed the service members were under surveillance and soon to be targeted with drones and missiles. “Your identities are fully known to our missile units, and every move you make is under our surveillance. Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles,” the messages reportedly read. On Tuesday, the group boasted on its Telegram channel about publishing the personal information of 2,379 US Marine Corps members stationed in the Persian Gulf. The Navy warned service members earlier this month about Iran’s influence campaigns, Stars and Stripes reports. Also tracked as Handala Hack, Banished Kitten, Dune, Hanzalah Hacking Group, Homeland Justice, Red Sandstorm, Storm-0842, and Void Manticore, Handala has been active since at least 2008, engaging in a broad range of activities, from hacktivism to destructive attacks. In March, the US officially linked Handala to Iran’s Ministry of Intelligence and Security (MOIS), following the disruptive attack on the US-based medical technology giant Stryker. According to SOCRadar, Handala’s association with MOIS and not Iran’s Islamic Revolutionary Guard Corps (IRGC) suggests that the group is “more of an intelligence and influence operation than a purely military one. The goal is psychological damage and data collection, not just technical disruption.” The targeting of US troops in Bahrain is the latest step in a campaign that started earlier this year with attacks against Israeli infrastructure and ramped up into direct clashes with US institutions and military personnel. Boasting about the Stryker attack, Handala claimed wiping out over 200,000 systems using compromised administrator credentials in Microsoft Intune. The group also claimed to have hacked FBI Director Kash Patel’s personal Gmail account. The US confirmed the incident and posted a $10 million reward for information leading to the identification and arrest of Handala members. Using custom malware, commercial tools, and social engineering tactics, the group previously targeted numerous Israeli organizations, ranging from kindergartens to nuclear research centers. Handala also relies on wipers (BiBi Wiper, CoolWipe, ChillWipe, Hamsa, and Hatef) and leverages the Telegram Bot API for command-and-control (C&C) communication. “The group operates inside a larger Iranian intelligence structure, gets initial network access handed to it by more sophisticated actors, and has shown it can cause significant operational damage when it reaches its target. The shift toward directly threatening military personnel through personal communications channels shows it is willing to move beyond corporate or infrastructure targets,” SOCRadar notes. Related: Pre-Stuxnet Sabotage Malware ‘Fast16’ Linked to US-Iran Cyber Tensions Related: Most Serious Cyberattacks Against the UK Now From Russia, Iran and China, Cyber Chief Says Related: Industry Reactions to Iran Hacking ICS in Critical Infrastructure: Feedback Friday Related: Hacked Hospitals, Hidden Spyware: Iran Conflict Shows How Digital Fight Is Ingrained in Warfare WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Alleged Chinese State Hacker Extradited to US Dozens of Open VSX Extension Clones Linked to GlassWorm Malware No Patch for New PhantomRPC Privilege Escalation Technique in Windows Spectrum Security Emerges From Stealth Mode With $19 Million Incomplete Windows Patch Opens Door to Zero-Click Attacks OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years UNC6692 Uses Email Bombing, Social Engineering to Deploy ‘Snow’ Malware Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access Latest News Hundreds of Internet-Facing VNC Servers Expose ICS/OT Checkmarx Confirms Data Stolen in Supply Chain Attack 38 Vulnerabilities Found in OpenEMR Medical Software Chrome 147, Firefox 150 Security Updates Rolling Out Critical GitHub Vulnerability Exposed Millions of Repositories Cyber Insurance Data Gives CISOs New Ammo for Budget Talks Vimeo Confirms User and Customer Data Breach The Mythos Moment: Enterprises Must Fight Agents with Agents Trending Webinar: A Step-By-Step Approach To AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move MongoDB has appointed Doug Bowers as Chief Information Security Officer. Ben Wilkens has been promoted to Director of Cybersecurity at NMFTA. Cato Networks has appointed Meital Koren as Chief Legal Officer. More People On The Move Expert Insights The Mythos Moment: Enterprises Must Fight Agents With Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense In The Age Of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Email