{"id":5628,"date":"2026-03-22T22:34:52","date_gmt":"2026-03-22T22:34:52","guid":{"rendered":"https:\/\/osintme.com\/?p=5628"},"modified":"2026-03-22T22:36:41","modified_gmt":"2026-03-22T22:36:41","slug":"pro-iranian-threat-actor-handala-new-websites","status":"publish","type":"post","link":"https:\/\/osintme.com\/index.php\/2026\/03\/22\/pro-iranian-threat-actor-handala-new-websites\/","title":{"rendered":"Pro-Iranian threat actor Handala &#8211; new websites"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"5628\" class=\"elementor elementor-5628\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-a86c773 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"a86c773\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-619ddda\" data-id=\"619ddda\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ea78edc elementor-widget elementor-widget-text-editor\" data-id=\"ea78edc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>While the US DOJ continues <a href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-disrupts-iranian-cyber-enabled-psychological-operations\">its enforcement action<\/a> against the pro-Iranian Handala threat actor group, new websites (or previously dormant ones) activate within less than 48h.<\/p><p>This illustrates how difficult it is to counter online psy-op websites content &#8211; especially when their infrastructure uses &#8220;bulletproof hosting&#8221; in non-compliant or overtly hostile jurisdictions. Or simply anonymous &#8211; or by proxy -registration on European servers, which still might take several days before they get detected, reported and taken down.<\/p><p>These sites are being used not only for propaganda purposes, but also to leak various types of data or to dox individuals. Despite takedowns as a result of abuse reporting or law enforcement action, Handala wesbites quickly reappear under new top level domains (.to being the current favourite &#8211; .to is the country code top-level domain for the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Tonga\">Kingdom of Tonga<\/a>).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-02fb229 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"02fb229\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-8cd04b0\" data-id=\"8cd04b0\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-01313e7 elementor-widget elementor-widget-image\" data-id=\"01313e7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"768\" height=\"331\" src=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-22-150507.png?fit=768%2C331&amp;ssl=1\" class=\"attachment-medium_large size-medium_large wp-image-5645\" alt=\"handala hack defacement osint\" srcset=\"https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-22-150507.png?w=956&amp;ssl=1 956w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-22-150507.png?resize=300%2C129&amp;ssl=1 300w, https:\/\/i0.wp.com\/osintme.com\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-22-150507.png?resize=768%2C331&amp;ssl=1 768w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Example Handala defacement graphics found on a victim website<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-30d6a6b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"30d6a6b\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-90d0c7c\" data-id=\"90d0c7c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b9b5796 elementor-widget elementor-widget-heading\" data-id=\"b9b5796\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">ACTIVE HANDALA WEBSITES - March 2026<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-201e14e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"201e14e\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-fe2f53b\" data-id=\"fe2f53b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6bfc5bf elementor-widget elementor-widget-text-editor\" data-id=\"6bfc5bf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>handala-alert[.]to<\/strong><\/li><li>Overview: Created on 02-01-2026; hosted on IP address 82.38.63.237, hosting provider: Ultahost, Inc. (Sweden)<\/li><li>Wayback Machine: <a href=\"https:\/\/web.archive.org\/web\/20260000000000*\/handala-alert.to\">https:\/\/web.archive.org\/web\/20260000000000*\/handala-alert.to<\/a><\/li><li>VirusTotal score: <a href=\"https:\/\/www.virustotal.com\/gui\/domain\/handala-alert.to\">https:\/\/www.virustotal.com\/gui\/domain\/handala-alert.to<\/a><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f5fc51c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f5fc51c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-44afd06\" data-id=\"44afd06\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b491501 elementor-widget elementor-widget-text-editor\" data-id=\"b491501\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>https:\/\/handala-team[.]to<\/strong><\/li><li>Overview: Created on 19-03-2026; hosted on IP address 185.178.208.137, hosting provider: DDoS-Guard (russia)<\/li><li>Wayback Machine: <a href=\"https:\/\/web.archive.org\/web\/20260000000000*\/https:\/\/handala-team.to\/\">https:\/\/web.archive.org\/web\/20260000000000*\/https:\/\/handala-team.to\/<\/a>\u00a0<\/li><li>VirusTotal score: <a href=\"https:\/\/www.virustotal.com\/gui\/domain\/handala-team.to\">https:\/\/www.virustotal.com\/gui\/domain\/handala-team.to<\/a><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c55a50c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"c55a50c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2ef7fb4\" data-id=\"2ef7fb4\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c9a2c10 elementor-widget elementor-widget-text-editor\" data-id=\"c9a2c10\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>http:\/\/handala-redwant[.]to<\/strong><\/li><li>Overview: Created on 20-03-2026; hosted on IP address 192.142.53.75, hosting provider: Ultahost, Inc. (Netherlands)<\/li><li>Wayback Machine: <a href=\"https:\/\/web.archive.org\/web\/20260322142106\/http:\/\/handala-redwant.to\/\">https:\/\/web.archive.org\/web\/20260322142106\/http:\/\/handala-redwant.to\/<\/a><\/li><li>VirusTotal score: <a href=\"https:\/\/www.virustotal.com\/gui\/domain\/handala-redwant.to\">https:\/\/www.virustotal.com\/gui\/domain\/handala-redwant.to<\/a><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-dbb5672 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"dbb5672\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1148030\" data-id=\"1148030\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-cfe7e6d elementor-widget elementor-widget-text-editor\" data-id=\"cfe7e6d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>BACKUP DOMAINS \/ REDIRECTS:<\/strong><\/p><ul><li>https:\/\/handala-hack[.]ps<\/li><li>https:\/\/handala[.]to<\/li><li>http:\/\/handala-hack[.]to (now seized by the FBI)<\/li><li>https:\/\/handala-redwanted[.]to (now seized by the FBI)<\/li><li>Tor website: http:\/\/vmjfieomxhnfjba57sd6jjws2ogvowjgxhhfglsikqvvrnrajbmpxqqd.onion<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8cca474 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8cca474\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5479a90\" data-id=\"5479a90\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9efcab1 elementor-widget elementor-widget-text-editor\" data-id=\"9efcab1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>ASSOCIATED ACCOUNTS:<\/strong><\/p><ul><li><a href=\"https:\/\/t.me\/HANDALA_HPR\">https:\/\/t.me\/HANDALA_HPR<\/a><\/li><li><a href=\"https:\/\/t.me\/s\/HANDALA_HPR2\">https:\/\/t.me\/s\/HANDALA_HPR2<\/a><\/li><li><a href=\"https:\/\/x.com\/HPRNEW\">https:\/\/x.com\/HPRNEW<\/a> (now suspended)<\/li><li><a href=\"https:\/\/x.com\/Handala_Red\">https:\/\/x.com\/Handala_Red<\/a> (now suspended)<\/li><li><a href=\"https:\/\/x.com\/Handala_news\">https:\/\/x.com\/Handala_news<\/a> (now suspended)<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-901d93c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"901d93c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-9ca8bc0\" data-id=\"9ca8bc0\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b2d0cdc elementor-widget elementor-widget-text-editor\" data-id=\"b2d0cdc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>SHODAN SEARCH RESULTS:<\/strong><\/p><ul><li><a href=\"https:\/\/www.shodan.io\/search?query=title%3Ahandala\">title:handala<\/a><\/li><li><a href=\"https:\/\/www.shodan.io\/search?query=http.title%3A%22hacked+by+handala%22\">http.title:&#8221;hacked by handala&#8221;<\/a><\/li><li><a href=\"https:\/\/www.shodan.io\/search?query=http.html%3A%22handala%22\">http.html:&#8221;handala&#8221;<\/a><\/li><li><a href=\"https:\/\/www.shodan.io\/search?query=ip%3A185.178.208.137\">ip:185.178.208.137<\/a><\/li><li><a href=\"https:\/\/www.shodan.io\/search?query=ip%3A192.142.53.75\">ip:192.142.53.75<\/a><\/li><li><a href=\"https:\/\/www.shodan.io\/search?query=ip%3A82.38.63.237\">ip:82.38.63.237<\/a><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1e0b4ec elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"1e0b4ec\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-342da0b\" data-id=\"342da0b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-14db5e9 elementor-widget elementor-widget-text-editor\" data-id=\"14db5e9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Handala operates and behaves more like a hacktivist collective rather than an APT actor, so it is likely than the next wave of attacks will be directed against entities listed on the so called &#8220;Tasnim News list&#8221;.<\/p><p>Basically, this was a list of &#8220;enemy technology infrastructure&#8221; targets, identified in a <a href=\"https:\/\/x.com\/Tasnimnews%5FFa\/status\/2031541620080775181\">tweet by Tasnim News<\/a>, an IRGC affiliated propaganda outlet. The list contains 7 names and 30 locations of facilities located in the region, in relatively close proximity to Iran. The companies are Microsoft, Nvidia, Amazon, Google, Oracle, IBM, and Palantir.<\/p><p><span style=\"text-decoration: underline;\"><strong>NOTE:<\/strong><\/span> More Handala websites might be added to the above dataset in the near future, should they emerge.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Overview of psy-op domains associated with Handala, a pro-Iranian threat actor group.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[93],"tags":[76,60,120,132,79],"class_list":["post-5628","post","type-post","status-publish","format-standard","hentry","category-my-investigations","tag-cybercrime","tag-hacking","tag-iran","tag-leak","tag-website"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/5628","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/comments?post=5628"}],"version-history":[{"count":70,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/5628\/revisions"}],"predecessor-version":[{"id":5703,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/5628\/revisions\/5703"}],"wp:attachment":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/media?parent=5628"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/categories?post=5628"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/tags?post=5628"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}