Handala Wiper Attack


What is the Attack?

A large-scale cyberattack against medical technology company Stryker resulted in widespread system outages. The attack was driven by a destructive wiper campaign attributed to Iran-linked threat actors, including the hacktivist group Handala.

Following the incident, CISA issued an alert highlighting the compromise of endpoint management infrastructure, specifically platforms such as Microsoft Intune, as a critical attack vector. Once an adversary holds administrative control of such a platform, the same remote actions that administrators use legitimately (remote wipe, retire, policy and script assignment) can be turned against every enrolled device at once.

The activity underscores a shift toward targeting centralized device management systems, enabling adversaries to execute large-scale, coordinated, and destructive actions across enterprise environments.

What is the recommended Mitigation?

• Harden endpoint management configurations (Intune and equivalents).
• Enforce MFA and strong identity controls for admin access.
• Restrict and monitor privileged device management actions.
• Apply Microsoft hardening guidance and security baselines.
• Audit device enrollment and policy deployment mechanisms.
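The monitoring and audit items above come down to watching the management plane's own audit trail for two patterns: one account issuing destructive device actions in bulk, and policy or script deployments coming from accounts that are not supposed to deploy anything. The following script is an added example written for this page, not FortiGuard or Microsoft code. It runs two such rules over audit records shaped like the objects returned by the Microsoft Graph endpoint GET /deviceManagement/auditEvents (fields activityType, activityOperationType, activityResult, actor.userPrincipalName, resources[].displayName). The sample events, account names, device names, the approved-admin set and the burst threshold are all constructed or assumed for the example; in production the events would be pulled from Graph or a SIEM export and the allowlist from the actual admin roster.

```python
"""Detection pass over Intune-style audit events for the two abuses called out
above: bursts of destructive device actions by one actor, and policy or script
deployments by accounts outside the approved admin set."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values for this example; adjust to the environment.
APPROVED_ADMINS = {"intune-admin@example.com"}          # assumption: who may deploy policy
BURST_THRESHOLD = 5                                     # distinct devices in one window
BURST_WINDOW = timedelta(minutes=10)
DESTRUCTIVE_VERBS = ("Wipe", "Retire", "Delete")        # activityType prefixes treated as destructive
DEPLOYMENT_VERBS = ("Create", "Assign", "Patch")
DEPLOYMENT_TYPES = {"DeviceConfiguration", "DeviceCompliancePolicy",
                    "DeviceManagementScript", "MobileApp"}


def _ev(ts, activity, op, upn, resource, rtype, result="Success"):
    """Build one constructed record shaped like a Graph auditEvent object."""
    return {"activityDateTime": ts, "activityType": activity,
            "activityOperationType": op, "activityResult": result,
            "actor": {"userPrincipalName": upn},
            "resources": [{"displayName": resource, "type": rtype}]}


# Constructed sample data: an automation account pushes a script, then wipes eight
# laptops in under two minutes; an approved admin does routine work the same day.
SAMPLE_EVENTS = (
    [_ev("2026-03-12T02:14:05Z", "Assign DeviceManagementScript", "Patch",
         "svc-helpdesk@example.com", "Cleanup script", "DeviceManagementScript")]
    + [_ev(f"2026-03-12T02:1{5 + i // 4}:{(i * 13) % 60:02d}Z", "Wipe ManagedDevice", "Action",
           "svc-helpdesk@example.com", f"LAPTOP-{100 + i}", "ManagedDevice") for i in range(8)]
    + [_ev("2026-03-12T02:16:40Z", "Wipe ManagedDevice", "Action",
           "svc-helpdesk@example.com", "LAPTOP-999", "ManagedDevice", result="Failure"),
       _ev("2026-03-12T09:30:00Z", "Wipe ManagedDevice", "Action",
           "intune-admin@example.com", "LAPTOP-042", "ManagedDevice"),
       _ev("2026-03-12T10:00:00Z", "Assign DeviceConfiguration", "Patch",
           "intune-admin@example.com", "BitLocker baseline", "DeviceConfiguration")]
)


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def actor_of(ev):
    """Prefer the signed-in UPN; fall back to the app name for pure service-principal actions."""
    actor = ev.get("actor", {})
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "<unknown>"


def is_destructive(ev):
    return ev["activityType"].startswith(DESTRUCTIVE_VERBS)


def is_deployment(ev):
    verb, _, target = ev["activityType"].partition(" ")
    return verb in DEPLOYMENT_VERBS and target in DEPLOYMENT_TYPES


def detect_destructive_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """One finding per actor whose successful destructive actions reach `threshold`
    distinct devices inside any interval of length `window`. Failed attempts are
    ignored here; a separate rule should count them as probing."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["activityResult"] == "Success" and is_destructive(ev):
            by_actor[actor_of(ev)].append(ev)
    findings = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: parse_time(e["activityDateTime"]))
        times = [parse_time(e["activityDateTime"]) for e in evs]
        for i in range(len(evs)):
            j = i
            while j < len(evs) and times[j] - times[i] <= window:
                j += 1
            devices = {r["displayName"] for e in evs[i:j] for r in e["resources"]}
            if len(devices) >= threshold:
                findings.append({"rule": "destructive-burst", "actor": actor,
                                 "devices": len(devices),
                                 "start": evs[i]["activityDateTime"],
                                 "end": evs[j - 1]["activityDateTime"]})
                break
    return findings


def detect_unapproved_deployments(events, approved=APPROVED_ADMINS):
    """Any configuration, compliance, script or app deployment by an actor outside
    the approved set is a finding, regardless of outcome or volume."""
    return [{"rule": "unapproved-deployment", "actor": actor_of(ev),
             "activity": ev["activityType"], "time": ev["activityDateTime"]}
            for ev in events if is_deployment(ev) and actor_of(ev) not in approved]


def analyse(events):
    return detect_destructive_bursts(events) + detect_unapproved_deployments(events)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

On the constructed data the script reports the eight-device wipe burst and the script assignment by svc-helpdesk, and stays silent on the approved admin's single wipe and baseline assignment. The burst rule counts distinct devices rather than raw events so that repeated attempts against one machine do not trip it, and the deployment rule is deliberately volume-independent, since a single malicious script assigned to an all-devices group is enough to reach every endpoint.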

What FortiGuard Coverage is available?

• FortiGuard Incident Response: Organizations that suspect compromise of endpoint management infrastructure (e.g., Microsoft Intune or equivalent platforms) should engage FortiGuard Incident Response for rapid investigation, containment, forensic analysis, and recovery support. Focus areas include privileged account abuse, unauthorized policy deployment, and potential destructive actions across managed endpoints.

• FortiGuard Labs Threat Intelligence: FortiGuard Labs is actively monitoring ongoing threat activity involving the targeting of endpoint management systems and associated destructive campaigns. This includes tracking Iran-linked actor activity (e.g., Handala), evolving wiper malware techniques, and abuse of centralized device management platforms. Continuous intelligence updates, indicators of compromise (IOCs), and mitigation guidance will be provided as new information emerges.

• FortiGuard Antivirus & Behavior Detection: Provides protection against known malware and destructive tooling, including wiper malware and post-compromise payloads. Advanced behavioral detection identifies abnormal endpoint management actions, privilege misuse, and mass-impact operations, enabling early detection and prevention of large-scale device disruption.
