What happened
Researchers reported that the Iran-linked threat group Handala, also tracked as Void Manticore, is using Remote Desktop Protocol (RDP) and the NetBird networking tool to gain access and operate inside victim networks during destructive cyber campaigns. The group relies on compromised credentials, particularly from VPN services, to establish initial access, then uses RDP for hands-on keyboard activity and lateral movement across systems. Once inside, attackers deploy multiple wiping techniques simultaneously to maximize disruption, including custom wipers and AI-assisted PowerShell scripts designed to delete files and damage systems. The group has been linked to attacks targeting government, telecom, and enterprise organizations, including recent incidents affecting U.S.-based companies.
Who is affected
Organizations with exposed remote access services or compromised credentials are affected, particularly those in government, telecom, and enterprise sectors targeted by Handala operations.
Why CISOs should care
The campaign shows how attackers can use legitimate remote access tools like RDP combined with credential theft to gain control of networks and execute destructive operations without relying on complex exploits.
3 practical actions
- Secure remote access services. Restrict RDP exposure and enforce strong authentication controls to prevent unauthorized access.
- Monitor for credential abuse. Detect suspicious VPN logins and lateral movement across systems.
- Identify destructive activity early. Watch for signs of mass file deletion or simultaneous wiping behavior across endpoints.
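One way to act on the second item, as an added example that is not part of the original report: a small detection that runs over constructed, normalised Windows logon records and flags a user who opens RDP sessions (logon type 10) to several distinct hosts within a short window, which is the hands-on-keyboard lateral movement the campaign relies on. The VPN address pool prefix and the record shape are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of a normalised Windows logon event:
# (timestamp, user, source_ip, target_host, logon_type). Logon type 10 is
# RemoteInteractive, i.e. an RDP session; type 3 is a plain network logon.
SAMPLE_LOGONS = [
    ("2024-01-10T02:01:00", "svc-backup", "10.8.0.5",   "FILESRV01", 10),
    ("2024-01-10T02:04:00", "svc-backup", "10.8.0.5",   "DC01",      10),
    ("2024-01-10T02:09:00", "svc-backup", "10.8.0.5",   "APP02",     10),
    ("2024-01-10T02:12:00", "svc-backup", "10.8.0.5",   "HR-WS17",   10),
    ("2024-01-10T09:15:00", "j.doe",      "10.20.1.40", "HR-WS17",   10),
    ("2024-01-10T09:40:00", "j.doe",      "10.20.1.40", "FILESRV01",  3),
]

# Assumption: the VPN concentrator hands out addresses from this pool, so an
# RDP session whose source is in the pool began with a VPN login and the
# account's VPN credentials are the ones to treat as compromised.
VPN_POOL_PREFIX = "10.8.0."


def rdp_fanout(logons, window=timedelta(minutes=30), threshold=3):
    """Return one alert per user who opened RDP sessions (type 10) to at
    least `threshold` distinct hosts within `window`."""
    per_user = defaultdict(list)
    for ts, user, src, host, ltype in logons:
        if ltype == 10:
            per_user[user].append((datetime.fromisoformat(ts), src, host))
    alerts = []
    for user, sessions in per_user.items():
        sessions.sort()
        for i, (t0, src, _) in enumerate(sessions):
            # Distinct targets reached within `window` of this session start.
            hosts = {h for t, _, h in sessions[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts.append({
                    "user": user, "source": src, "hosts": sorted(hosts),
                    "via_vpn": src.startswith(VPN_POOL_PREFIX),
                })
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in rdp_fanout(SAMPLE_LOGONS):
        print(alert)
```

On the sample data only `svc-backup` trips the rule: four hosts in eleven minutes from a VPN pool address, while `j.doe`'s single interactive session stays quiet.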
