It is hard to find an Israeli who has not received a suspicious SMS message or seen a frightening headline about a massive breach of a sensitive database. Behind many of those headlines stands one group that chose the name Handala, after the famous refugee child character created by Palestinian cartoonist Naji al-Ali.
Do not be misled by the romantic name. This is not a group of children with laptops, but one of the most aggressive arms of Iran’s digital and psychological warfare apparatus.
Not all Iranian hackers are the same
To understand Handala, it must be viewed alongside other groups operating in the arena. While the Black Shadow group, remembered for the hack of the Shirbit insurance company, focused on extortion mixed with humiliation, Handala abandoned the money trail altogether.
Its activity resembles that of the Moses Staff group, but with a stronger emphasis on direct civilian terror and cooperation with groups such as Anonymous Sudan to carry out denial-of-service attacks on infrastructure. It is also important to note that these groups operate on behalf of different Iranian bodies, such as the Revolutionary Guards or Iranian intelligence. That means differing objectives and possibly internal power struggles over budgets and prestige.
As of late 2025, despite periods of relative quiet and the temporary loss of its Telegram channels, Handala remains a significant threat. Its activity in the summer of 2025 against the Iranian opposition channel Iran International in London demonstrated that the group’s reach extends beyond Israel and targets anyone perceived by the Iranian regime as an external threat.
Targeting Israel’s senior decision-makers
The most troubling development in Handala’s activity in recent months does not involve taking down websites or mass text messages, but rather a surgical attempt to strike at Israel’s decision-making echelon.
Analysis of the group’s recent operations, including the alleged breach of former prime minister Naftali Bennett’s computer, devices linked to associates of Tzachi Braverman and threats against other senior figures, reveals an Iranian strategy that experts refer to as a “second-circle attack.”
Contrary to the cinematic image of hackers breaking in real time into encrypted phones of heads of state, Handala’s method is simpler and therefore more dangerous. Senior cyber experts, including former members of Israel’s security establishment, explain that the group realized there is little value in attacking “red” devices that are secure and classified, belonging to the military or Mossad.
Instead, the focus is on the personal devices of assistants, advisers and family members. The attacks do not necessarily target the physical device itself, but rather its backup environment, such as cloud services or private computers. Hackers gain access to cloud accounts, personal computers and neglected old backups, allowing them to extract WhatsApp messages, photos and calendars accumulated over years.
The assumption is straightforward. Even if a senior official’s device is well protected, the device of the aide managing the schedule often is not.
Alongside genuine breaches, Handala also specializes in disinformation campaigns. A prominent example was the publication of dramatic texts describing alleged internal disputes within the Shin Bet, presented as intelligence material. Investigations showed the content was fabricated and designed to exploit public tensions in Israel.
The method is clear. A kernel of truth, such as a real breach of a junior-level target or outdated information, is wrapped in layers of dramatic falsehoods to generate headlines.
From hacktivism to state-sponsored activity
Handala began its significant activity in late 2023, alongside the outbreak of the “Iron Swords” war. Initially, the group was perceived as another hacktivist outfit, ideological hackers carrying out basic denial-of-service attacks to bring down websites. Over the course of 2024 and 2025, however, the group transformed.
Information security experts in Israel and abroad, including firms such as Cyberint and Check Point, have pointed to its evolution. Unlike criminal groups seeking ransom payments, Handala’s objective is reputational and psychological damage. Its approach combines medium to high technical capabilities with a deep understanding of Israeli psychology.
Hod Ben Nun, co-founder of the cyber firm MIND, which specializes in data leaks, told Ynet: “Handala is a pro-Iranian hacking group operating under the auspices of the Revolutionary Guards. Its activity is part of a planned influence campaign, not an isolated event.
“This is a group that operates according to a clear method, with consistent patterns and a strong connection to the Iranian arena. That is evident in the writing style, the timing and the direct linkage to current events. The technological capabilities of groups like Handala are not necessarily exceptional, but their ability to access large pools of civilian and non-civilian data and present that access as an achievement serves a clear goal. In influence operations of this kind, the value lies not in the information itself, but in the fact that it was reached.”
Ben Nun added that Israel is currently in an election year, and in such a reality cyber groups deliberately place political and governmental figures at the center of their targeting because the public impact outweighs the intrinsic value of the content.
“The breach of Bennett was just the opening shot, and it is likely this trend will accompany us in the coming months. A recurring pattern is already visible. Denials fuel the discourse with the Iranians and encourage further leaks and access to personal information, even if its actual value is low. For Iran, cyber operations are now perceived as another battlefield, a convenient and effective tool for influencing Israeli public consciousness.”
Undermining the sense of security
One of the most searing incidents in Israeli public memory occurred in January 2025, when the group managed to penetrate the systems of Maagar-Tec, an electronics supplier, and took control of public address systems in public institutions.
The result was chilling. Air raid sirens were activated and threatening messages in Arabic were broadcast inside kindergartens across Israel. The incident marked Handala not as a group seeking credit card numbers, but as one aiming to undermine the public’s sense of personal security on the home front.
By December 2025, the group had accumulated a series of psychological “achievements” alongside technical failures:
A breach of Israel Police systems in February 2025. The group claimed it had stolen 2.1 terabytes of sensitive data. In practice, as in many other cases, the material published was partial, outdated or recycled, but the reputational damage was done.
A nuclear threat in September 2024. The group claimed to have penetrated servers linked to the Soreq Nuclear Research Center. Reviews by the National Cyber Directorate and independent experts found this to be psychological warfare, with no real operational data stolen, yet the global headlines achieved their effect.
Wiper malware attacks. Throughout 2024, the group distributed destructive malware disguised as security updates from legitimate companies such as F5 or CrowdStrike. The aim was to completely wipe servers, a tactic reminiscent of the devastating attacks on the Saudi oil industry in the previous decade.
The child at the front line of cyberwar
In Handala’s case, the use of the child figure itself is a message. The hacking group’s logo is instantly recognizable to anyone familiar with Middle Eastern politics. It depicts a small, angry child, hands clasped behind his back, face hidden.
This is Handala, a cultural icon born in the Kuwaiti press of the late 1960s, now finding itself at the front line of the cyberwar of 2025. The use of the image is deliberate, part of a calculated tactic of identity laundering designed to serve the ayatollahs’ regime.
The character was created by Palestinian cartoonist Naji al-Ali in 1969. His name derives from the word handal, a bitter desert plant symbolizing resilience in harsh conditions. According to al-Ali, who was assassinated in London in 1987 under circumstances that remain unclear, Handala is a 10-year-old refugee child, the age at which al-Ali left Palestine in 1948.
“He will not grow up until he returns to his homeland,” al-Ali once explained. The fact that Handala is almost always drawn with his back to the viewer symbolizes his silent protest against the world and his refusal to face it until the Palestinian issue is resolved. Over time, the character moved from newspaper pages to graffiti on West Bank walls, pendants worn by activists and a universal symbol of steadfastness and resistance.
So how did a drawn child from refugee camps in Lebanon end up on Iranian intelligence servers? The answer lies in the professional concept of false flag operations. In the cyber world, attribution is everything. Iran, a state with advanced cyber capabilities, seeks to strike Israeli infrastructure from hospitals to warning systems, while avoiding direct fingerprints that could trigger military retaliation or harsher international sanctions.
By adopting the name and logo of a distinctly Palestinian symbol, the Iranian hacking group constructs a narrative of hacktivism. It frames itself not as a sovereign state attacking another state, but as angry citizens fighting for their freedom.
This is the perfect disguise. It grants moral legitimacy to the group and its actions in the eyes of supporters worldwide, complicates justification for a conventional military response by Israel and creates immediate emotional identification and support across the Arab world.
There is bitter irony in Tehran’s use of al-Ali’s character. The late cartoonist was known for his fierce criticism not only of Israel and the West, but also of Arab regimes and dictatorships that exploited the Palestinian cause for their own political ends.
Technologically and psychologically, the branding works. In discourse on social media platforms such as Telegram and X, many consumers of the content are convinced this is a local organization from Gaza or the West Bank, not intelligence officers sitting in air-conditioned offices in Tehran.
The Handala of 2025 may wear the same tattered clothes, but in his hidden hands today is a keyboard, directly connected to the servers of the Revolutionary Guards.