While the US DOJ continues its enforcement action against the pro-Iranian Handala threat actor group, new websites (or previously dormant ones) activate within less than 48h.
This illustrates how difficult it is to counter online psy-op websites content – especially when their infrastructure uses “bulletproof hosting” in non-compliant or overtly hostile jurisdictions. Or simply anonymous – or by proxy -registration on European servers, which still might take several days before they get detected, reported and taken down.
These sites are being used not only for propaganda purposes, but also to leak various types of data or to dox individuals. Despite takedowns as a result of abuse reporting or law enforcement action, Handala wesbites quickly reappear under new top level domains (.to being the current favourite – .to is the country code top-level domain for the Kingdom of Tonga).
ACTIVE HANDALA WEBSITES - March 2026
- handala-alert[.]to
- Overview: Created on 02-01-2026; hosted on IP address 82.38.63.237, hosting provider: Ultahost, Inc. (Sweden)
- Wayback Machine: https://web.archive.org/web/20260000000000*/handala-alert.to
- VirusTotal score: https://www.virustotal.com/gui/domain/handala-alert.to
- https://handala-team[.]to
- Overview: Created on 19-03-2026; hosted on IP address 185.178.208.137, hosting provider: DDoS-Guard (russia)
- Wayback Machine: https://web.archive.org/web/20260000000000*/https://handala-team.to/
- VirusTotal score: https://www.virustotal.com/gui/domain/handala-team.to
- http://handala-redwant[.]to
- Overview: Created on 20-03-2026; hosted on IP address 192.142.53.75, hosting provider: Ultahost, Inc. (Netherlands)
- Wayback Machine: https://web.archive.org/web/20260322142106/http://handala-redwant.to/
- VirusTotal score: https://www.virustotal.com/gui/domain/handala-redwant.to
BACKUP DOMAINS / REDIRECTS:
- https://handala-hack[.]ps
- https://handala[.]to
- http://handala-hack[.]to (now seized by the FBI)
- https://handala-redwanted[.]to (now seized by the FBI)
- Tor website: http://vmjfieomxhnfjba57sd6jjws2ogvowjgxhhfglsikqvvrnrajbmpxqqd.onion
ASSOCIATED ACCOUNTS:
- https://t.me/HANDALA_HPR
- https://t.me/s/HANDALA_HPR2
- https://x.com/HPRNEW (now suspended)
- https://x.com/Handala_Red (now suspended)
- https://x.com/Handala_news (now suspended)
Handala operates and behaves more like a hacktivist collective rather than an APT actor, so it is likely than the next wave of attacks will be directed against entities listed on the so called “Tasnim News list”.
Basically, this was a list of “enemy technology infrastructure” targets, identified in a tweet by Tasnim News, an IRGC affiliated propaganda outlet. The list contains 7 names and 30 locations of facilities located in the region, in relatively close proximity to Iran. The companies are Microsoft, Nvidia, Amazon, Google, Oracle, IBM, and Palantir.
NOTE: More Handala websites might be added to the above dataset in the near future, should they emerge.