The Boy With His Back Turned: Exposing Handala, Its MOIS Handlers, and the Bangkok Footage They Thought Was Tel Aviv | Intercept Cell
Handala is not a hacktivist group. It is a MOIS operational cluster — Void Manticore — running rotating personas under a refugee cartoon's name. Its parent in the Ministry of Intelligence's Domestic Security Directorate is FBI-wanted, EU-sanctioned, and personally directed an attack against Iranian journalists as revenge for his Treasury designation. The cell's channel admin is a 27-year-old from Tabriz who has used his own birthdate as a password across his accounts. Their flagship wiper will not execute on machines named "HANDALA" — operator safety infrastructure embedded in production malware. And when they tried to intimidate Israel with evidence of airport surveillance access, they accidentally published ceiling photographs from Suvarnabhumi Airport, Bangkok. Here is the full picture: operators, infrastructure, tooling, and every OPSEC failure the open record contains.
Handala is a cartoon: a 10-year-old Palestinian refugee drawn by Naji al-Ali, always seen from behind, arms clasped, never facing the viewer. Al-Ali said the boy would turn around when Palestinians returned home. He has been facing away since 1969.

The Iranian Ministry of Intelligence chose this symbol to brand a state wiper cell. The choice is deliberate — righteous grievance, perpetual resistance, anonymity as identity. The symbol is borrowed. The operations are MOIS.

The intelligence community designation is **Void Manticore**. Microsoft tracks the same cluster as Storm-0842. CrowdStrike calls it Banished Kitten. Sophos uses COBALT MYSTIQUE. Recorded Future has it as Dune. These names refer to the same entity: a destructive operations unit within Iran's Ministry of Intelligence and Security (MOIS), operating under the Domestic Security Directorate.

Void Manticore does not operate alone. It operates in sequence with **Scarred Manticore** — a separate MOIS intelligence collection unit that maintains long-term access to target networks, sometimes for 12 months or longer. When destruction is authorized, Scarred Manticore hands Domain Admin credentials to Void Manticore. Void Manticore deploys wipers. The model was documented by Check Point Research in both the 2022 Albania operations (Homeland Justice persona) and the 2023–2024 Israel operations (Karma/Handala personas). The Stryker operation on March 11, 2026 follows the same template.

Void Manticore runs three primary operational personas: