Cyberattack on the European Commission; Hackers publish data without ransom demands.
In an advanced cyberattack, the European Commission's cloud infrastructure was breached, and more than 350 gigabytes of data, including sensitive information and databases, were extracted.
Iran is reportedly leveraging AI-powered surveillance networks to monitor its airspace in real time—turning the sky into a tracked domain. The fusion of computer vision + distributed sensors is quietly reshaping air defense and raising new questions about asymmetric warfare.
Recent activity across multiple domains and messaging platforms indicates a growing pattern of entities presenting themselves as affiliated with the “Handala” hacking collective—complicating attribution and raising concerns among analysts tracking operations linked to the group.
Several domains, including Handala .ps and handala .tw, along with a Telegram channel operating under Handala intel/rss have emerged claiming association. These outlets, however, differ from the group’s previously and currently identified primary web presence at www.handala-team.to, which has been more consistently referenced in past operations and official communications.
This fragmentation reflects a broader challenge within the cyber threat landscape: identity replication and brand mimicry. By reusing established names, symbols, and even referencing known infrastructure, emerging actors can cultivate perceived legitimacy while simultaneously obscuring the operational footprint of the original entity.
From an intelligence standpoint, this dynamic introduces significant attribution challenges. Security agencies and independent researchers may struggle to distinguish between core operators, affiliated participants, and unrelated actors leveraging the same branding. In such conditions, the risk of misattribution increases—particularly when early assessments are influenced by geopolitical assumptions rather than technical evidence.
The situation is further complicated by the transnational character often associated with hacktivist ecosystems. Handala operating under a unified banner may draw participation from multiple regions—including Palestinian territories, Iran, Algeria, Lebanon, and Turkey—whether through loose coordination or shared ideological alignment. As a result, geographic indicators alone are insufficient for determining origin or command structure.
Historically, the Handala name has been associated with operations aligned with the Palestinian struggle, with indications of activity extending beyond the West Bank. Concurrently, open-source observations point to overlapping interests and potential cooperation across broader regional networks, although the group’s structure and hierarchy—if any—remain opaque.
The emergence of parallel domains and communication channels employing similar identifiers underscores a central reality of modern cyber conflict: identity is increasingly fluid, and influence can be constructed as readily as it is established.
For analysts and observers, the priority remains rigorous verification—focusing on infrastructure consistency, communication patterns, and technical signatures rather than relying solely on public-facing claims or branding.
At present, available evidence does not support the characterization of Handala as an exclusively Iranian hacktivist entity.
"Referencing the official website in your bio does not establish authenticity or affiliation. That said, the visibility and attention—whether intentional or not—are noted and, from a broader perspective, reflect a level of interest and support that is acknowledged."
Attackers are probing Citrix NetScaler for CVE-2026-3055 (CVSS 9.3).
Honeypots show requests to /cgi/GetAuthMethods to identify SAML IdP setups, which are required for exploitation.
CISA flagged active exploitation of an F5 BIG-IP APM flaw. CVE-2025-53521 (CVSS 9.3) enables RCE; it was reclassified from DoS after new findings.
Exploitation is confirmed in the wild, with a federal patch deadline set.
Russian-linked TA446 is using DarkSword iOS exploit kit in targeted phishing emails.
Spoofed “discussion invites” trigger exploits only on iPhones and deliver GHOSTBLADE malware, expanding from credential theft to device compromise across government, academia, and policy targets.
Apple is sending #iPhone Lock Screen alerts warning users about active web-based attacks targeting outdated iOS.
Coruna and DarkSword exploit kits target older iOS via compromised sites, expanding risk beyond targeted attacks.
A supply chain attack hit the telnyx Python package—versions 4.87.1 and 4.87.2 were backdoored to steal credentials.
Malware hidden in .WAV files runs on import, exfiltrates data, persists on Windows, and runs fileless on Linux/macOS before deleting traces.
A drone attack on strategic electronic warfare and radar centers in Haifa.
🔍 Domain intel: not all ccTLDs are created equal.
.to (Tonga) → attacker’s playground. Lax registration, no public WHOIS. Perfect for phishing infra, C2, and propaganda sites.
.tw (Taiwan) → attacker’s target. High user trust → prime impersonation bait for banking & gov phishing.
Know the risk.
#cybersecurity #threatintel #infosec #domains
The US Department of State just announced a $10,000,000 bounty on the hackers behind the Kash Patel Gmail breach.
Cyber Dispatch: Keep trying for at least 5 years to find those hackers.
Translation: We traced them… actually no. We found them… not really. They’re in Iran… or maybe just Iranian… or honestly, we have no idea who they are 😭
The “Handala” group claims responsibility for a cyberattack on the Good Food Store in Missoula, Montana, alleging the deletion of around 4TB of data and a full shutdown of operations. The store, which employs over 300 people, is reportedly facing significant disruption following the incident.
#TGITM @TheGhostITM
The Anonymous collective claims responsibility for data deletion incidents affecting multiple Israeli websites.
#TGITM @TheGhostITM
Cyber Dispatch™️
For those seeking the original Handala Hack logo, consider this a gift. #TGITM @TheGhostITM
Fan channels and profiles associated with Handala may use this original logo.
The sheriff's office in Jackson County, Indiana, had to shut down all computer systems following a ransomware attack.
The EU Commission, ENISA, and the DG for Digital Services have been compromised by ShinyHunters.
Leaked data includes:
Emails & attachments
Full SSO user directory
DKIM signing keys
AWS config snapshots
NextCloud/Athena data
Internal admin URLs
Security researchers used a low-cost consumer satellite dish to intercept satellite signals and found massive amounts of unencrypted traffic.
Revealing:
📡 Military and government comms including GPS data
📡 Credit card transactions
📡 Phone calls and texts from remote cell towers
📡 In-flight Wi-Fi activity