Inside RasCorp Group: Tracing a Ransomware Alliance within THE PERSEPHONE Network

Ransomware operations rarely function as isolated entities. In many cases, they emerge through loosely organized networks where individuals contribute different capabilities, ranging from malware development and infrastructure management to recruitment and operational coordination. Communication platforms such as Telegram have increasingly become central to these ecosystems, allowing actors to promote tools, recruit collaborators, and coordinate activities across dispersed communities.

During routine monitoring of Telegram discussions related to hacking and cybercrime, references to a group identifying itself as RasCorp Group, also described as the Ransomware Corporation Group, began to surface across several channels. Initial observations suggested that the group was actively promoting itself as a ransomware-focused operation while seeking individuals with expertise in malware development, networking, and infrastructure management.

At first glance, RasCorp appeared to operate primarily through Telegram-based communication channels where announcements, recruitment messages, and partnership statements were shared. However, further examination revealed that the group’s activities were not limited to a single channel or actor. Mentions of RasCorp appeared alongside references to other cyber groups and tooling developers, hinting at a broader network of collaborators operating within the same environment.

This raised important questions about the structure and capabilities of RasCorp: was the group simply promoting itself as a ransomware collective, or was it part of a larger ecosystem involving multiple actors and supporting tools? To answer this, the investigation focused on mapping the Telegram channels, identifying the key personas involved, and examining how RasCorp positioned itself within a wider network of cyber actors.

Incident Trigger and Initial Investigation

The investigation into RasCorp Group originated during the earlier analysis of THE PERSEPHONE platform, which revealed a collaborative environment involving multiple actors. While examining the structure of the Persephone website and the groups referenced within it, RasCorp Group appeared alongside VFVCT and ClayRat, suggesting that the platform was supported by more than one organization operating within the same ecosystem.

To better understand RasCorp’s role within this alliance, further analysis was conducted using StealthMole’s Telegram Tracker, which indexes conversations and activity across Telegram channels commonly used by cyber actors. Searching for references to “RasCorp” revealed several messages across different channels, including those already linked to VFVCT. These messages included recruitment announcements, partnership statements, and references to dedicated RasCorp communication channels.

One such announcement described a strategic alliance between three groups: CrackRat Zone Clay, RasCorp Group, and VFVCT (V For Vendetta Cyber Team). The message outlined the intended roles of each participant, presenting CrackRat Zone Clay as developers of multifunctional tools, RasCorp as responsible for business operations and coordination, and VFVCT as contributing operational and strategic capabilities.

The announcement also listed the Telegram channel associated with RasCorp:

• https://t.me/rascorp************n

Because this channel appeared to serve as a central communication hub for the group, it became the starting point for deeper investigation into RasCorp’s structure, the individuals involved in managing the channel, and the activities promoted within its ecosystem.

RasCorp Communication Channels and Recruitment Activity

Following the identification of the RasCorp Telegram channel, further examination focused on understanding how the group used the platform to promote its activities and interact with potential collaborators. The channel https://t.me/rascorp********n, titled RascorpBusinessGentlemen, appeared to function as the primary communication hub for the group.

The channel description referenced RasCorp Group and included a contact bot, @Rascor***t, indicating that the platform was intended to facilitate direct interaction with individuals interested in the group’s operations. Posts within the channel and related discussions revealed that RasCorp actively promoted recruitment efforts, inviting individuals with technical expertise to participate in ransomware-related activities.

One recruitment message circulated within associated Telegram discussions stated that the group was seeking members with skills in malware development, networking, infrastructure management, and scripting, particularly those experienced with ransomware operations. The message also directed interested individuals to contact specific Telegram accounts for further discussion. Among the listed contacts were @jd*****929, identified as a RasCorp administrator, and @clay*****es, described as a business lead associated with the group.

In addition to the RasCorp channel itself, the recruitment messages referenced other channels connected to the alliance, including CrackRat Zone Clay (https://t.me/cr********y) and the VFVCT backup channel. These references indicated that RasCorp operated within a network of interconnected Telegram channels rather than relying on a single communication point.

The recruitment messaging and channel structure suggested that RasCorp was attempting to position itself as an organized ransomware operation capable of attracting collaborators with specialized skills. By maintaining Telegram channels and automated contact mechanisms, the group appeared to be building a communication infrastructure designed to facilitate coordination and expansion of its activities within the broader cyber underground.

Identifying Key Personas within RasCorp

Further analysis of the RasCorp Telegram channel led to the identification of several accounts associated with the group’s operations. One of the most prominent personas was the Telegram user @jd********929, who appeared to play an administrative role within the RasCorp ecosystem.

Using StealthMole’s historical indexing capabilities, the account’s previous profile data was examined to understand its activity over time. Historical records showed that the account had changed its username and profile images multiple times, indicating periodic efforts to modify its online identity.

Earlier identifiers linked to the account included the username @so******01, observed in records from October 2025, where the profile image depicted a hooded figure commonly associated with hacker-themed imagery. In earlier records from January 2025, the account used the username @Va*****92, accompanied by a profile image showing a screenshot of a website defacement page.

The defacement image referenced a message attributed to Cyber Virus, displaying text indicating that a website had been encrypted by the attacker. While the context of the image could not be independently verified, its presence within the account’s historical profile suggested an association with hacking or defacement-related communities.

Additional examination of the account’s activity across Telegram revealed participation in several unrelated channels. In one community, the user discussed bringing experienced individuals into a ransomware team, further reinforcing the account’s apparent involvement in RasCorp’s recruitment efforts. In other channels, the account engaged in discussions about credential lists and online account combinations, including requests for Eneba account combos.

Overall, the account’s historical identity changes, hacking-themed imagery, and recruitment-related messaging suggested that @jd******929 was likely an active participant in RasCorp’s Telegram ecosystem, potentially contributing to the group’s efforts to recruit collaborators and promote ransomware-related activities.

Links to ClayRat Tooling

During the analysis of RasCorp’s Telegram ecosystem, additional connections emerged linking the group to an actor operating under the username @clay******s. This account had already been referenced in recruitment announcements associated with RasCorp and VFVCT, where it was described as a business lead involved in the alliance. To better understand this role, further investigation was conducted into the activity and historical identifiers associated with the account.

StealthMole’s historical indexing revealed that the account previously operated under the username @cr****t, recorded in January 2026, and displayed the name GhostDroid in earlier records. The earlier username appeared to reference RAT (Remote Access Trojan) tooling, which prompted further examination of the account’s activity across Telegram channels.

Monitoring the account’s activity showed that @clay**********s was particularly active in a community channel titled OFFICIAL YASHVIR GAMING CHAT. Within this channel, the user frequently shared images and discussions related to a tool referred to as G-700 RAT. Screenshots circulated by the user appeared to show an operator interface for the tool, including panels for managing clients and controlling various functions typically associated with remote access malware.

In addition to promoting the RAT tool, the user also posted messages announcing the launch of the G-700 RAT, indicating that the tool was being introduced or distributed within the community. Other messages attributed to the account referenced credential data, including offers to provide NowTV account logs, suggesting involvement in credential-sharing or data trading discussions commonly observed within underground communities.

The presence of the @clay**********s account within both RasCorp recruitment announcements and channels discussing RAT tooling highlighted the role of specialized tooling within the broader ecosystem. Rather than operating as an isolated developer, the account appeared to occupy a position where malware promotion, credential-related discussions, and collaboration with RasCorp and VFVCT intersected within the same Telegram environment.

Operational Structure and Alliance Dynamics

The artifacts identified during the investigation suggest that RasCorp Group does not operate in isolation but instead forms part of a broader collaborative structure involving multiple actors with complementary roles. Messages circulated across the Telegram channels referenced an operational alliance between RasCorp, VFVCT, and CrackRat Zone Clay, describing the partnership as a coordinated effort combining different capabilities within the cyber ecosystem.

According to the announcement observed during the investigation, each participant in the alliance appeared to contribute a distinct role. CrackRat Zone Clay was described as providing advanced multifunctional tools, while RasCorp Group was positioned as responsible for business operations and coordination. Meanwhile, VFVCT (V For Vendetta Cyber Team) was presented as contributing strategic and operational capabilities. This distribution of responsibilities suggested an attempt to structure the collaboration in a way that combined technical tooling, operational planning, and organizational coordination.

The presence of separate Telegram channels for each group, along with cross-references between them, reinforced the idea that these actors were operating within a shared ecosystem rather than as independent entities. Recruitment messages circulated within the network frequently directed interested individuals toward RasCorp contacts, while tooling-related announcements were associated with channels connected to CrackRat Zone Clay.

This structure indicates that the alliance was designed to integrate different functions of cyber operations, from tool development and recruitment to operational coordination. Within this arrangement, RasCorp appeared to position itself as a coordinating entity responsible for managing relationships and facilitating collaboration among participants within the broader network.

Conclusion

The activity surrounding RasCorp Group illustrates how ransomware-oriented operations can emerge within loosely structured online ecosystems rather than through a single centralized organization. The group’s presence across Telegram channels, recruitment announcements, and alliance messaging suggests an effort to position RasCorp as a coordinating entity capable of attracting collaborators with different technical capabilities. By presenting itself as responsible for the “business” and coordination aspects of operations, RasCorp appears to focus on building relationships and organizing participants rather than developing tools or conducting attacks independently.

At the same time, the connections identified with actors involved in malware tooling and credential trading highlight how such ecosystems often overlap with broader underground communities. Individuals active in hacking forums, gaming chats, and credential-sharing spaces can gradually transition into more organized cyber operations, bringing with them both tools and contacts from those environments. Within this context, RasCorp’s recruitment messaging and alliance formation may represent an attempt to formalize these relationships into a more structured ransomware-oriented collaboration.

Viewed in this light, RasCorp is less notable for a specific attack or dataset and more significant as an example of how cyber groups attempt to organize themselves in the early stages of operation. Monitoring these emerging networks, particularly those built around recruitment and partnerships, can provide valuable insight into how future ransomware or cybercrime campaigns may develop.

Editorial Note

Investigations into cyber actors operating across online communities rarely provide complete visibility into every aspect of their operations. Identities, infrastructure, and affiliations can change quickly, and participants may intentionally obscure their roles within collaborative networks. For this reason, attribution should be treated as an evolving assessment rather than a definitive conclusion. This case demonstrates how StealthMole’s monitoring capabilities can help trace connections between actors, communication channels, and tools across different layers of the cyber ecosystem, gradually revealing how such alliances take shape.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com

THE PERSEPHONE Ecosystem: Uncovering the Alliance Between VFVCT, RasCorp, and ClayRat

Collaboration between cyber threat actors is not uncommon. Groups with different capabilities often form temporary alliances, combining technical expertise, infrastructure, and operational reach to strengthen their campaigns. In many cases, these collaborations operate through shared platforms or coordinated communication channels, allowing participants to contribute specialized roles while presenting a unified presence to the outside world. Such arrangements can make attribution more complex, as multiple actors may be operating within the same ecosystem rather than as isolated groups.

In early 2026, traces of a platform called “THE PERSEPHONE” began appearing across online channels associated with hacking and data leak activities. At first glance, the platform appeared to function as a website hosting various datasets and announcements. However, the way the site presented itself suggested that it might represent more than a single actor’s operation. References within the platform pointed toward multiple groups and hinted at a broader collaborative structure behind the scenes.

This raised an important question: was THE PERSEPHONE simply another leak site, or was it part of a coordinated ecosystem involving several actors working together? To answer this, the investigation focused on mapping the infrastructure, communications, and identities connected to the platform. What initially appeared to be a straightforward leak portal gradually revealed signs of a more structured collaboration, where different groups appeared to contribute distinct roles within the same operational environment.

Incident Trigger and Initial Investigation

The investigation into THE PERSEPHONE began when StealthMole’s Leaked Monitoring tool indexed several newly posted datasets associated with the name on 5 March 2026. The indexed entries pointed to a publicly accessible website hosting multiple files and announcements under the same banner. The platform was located at:

• https://thepersephone.*****.org/?i=1

At first glance, the page appeared to function as a simple leak repository where datasets were organized and made available for download. Several entries were visible on the page, including files labeled “israel_citizen_database.csv”, “CANVA”, and “PORN WEBSITE LOGS.” The presence of multiple datasets suggested that the site was being used to publish and promote breach data in a structured manner.

A closer look at the website revealed that it introduced itself as a prototype platform named THE PERSEPHONE. In addition to listing leaked datasets, the site also contained introductory messages and operational guidelines, including statements outlining which types of organizations the operators claimed not to target. These elements resembled the structure commonly seen on leak portals used by cyber threat actors to showcase breaches and distribute stolen data.

Because the website appeared to be the central location where the datasets were being hosted, it became the starting point for further investigation. The domain https://thepersephone.******.org/ was subsequently analyzed using StealthMole’s tracking capabilities to determine whether the platform had been referenced elsewhere across underground forums or messaging channels.

This pivot quickly produced a relevant lead. A thread on BreachForums titled “1 million Netflix accounts have been leaked by the V for Vendetta cyber team” referenced the same domain and described it as “our website.” The thread was posted by the user VFVCT, who had joined the forum in March 2026. The mention of the Persephone domain within the forum post suggested that the leak platform might be connected to the group identifying itself as the V For Vendetta Cyber Team (VFVCT).

• https://breachforums.**/Thread-1-******V-for-Vendetta-cyber-team

The appearance of the same website in both the indexed leak listings and the BreachForums post raised the possibility that the platform was being actively promoted by the actors responsible for the leaks. This discovery prompted further investigation into the infrastructure and communication channels linked to the Persephone site in order to identify the groups operating behind it.

Tracing the Communication Infrastructure

Following the discovery of the Persephone website and its reference within the BreachForums thread, the investigation shifted toward identifying communication channels where the platform might be promoted or discussed by the actors themselves. The domain https://thepersephone.******.org/ was therefore queried through StealthMole’s Telegram Tracker, which indexes Telegram messages and channel content for investigative analysis.

This pivot revealed a private Telegram group titled Project_Vendetta, accessible through the invitation link:

• https://t.me/+fyA*********Bl

The group’s description referenced “V For Vendetta Cyber Team” and listed several contact points, including the Telegram bot @vfvct**** and the email addresses vfvct@****** and vfvct*****@*******.

The same description also pointed to another Telegram channel associated with the group:

• https://t.me/+tKk**********Y9

Monitoring activity within the Project_Vendetta group revealed messages where participants directly referenced the Persephone website. In one instance, the domain https://thepersephone.******.org/ was shared within the group chat, indicating that the platform was actively circulated among members of the channel. Additional messages contained discussions related to hacking activities, recruitment, and geopolitical commentary, suggesting that the group functioned as a coordination space for the actors involved.

The presence of the Persephone domain within this Telegram group strengthened the link between the leak platform and VFVCT, indicating that the website was not operating in isolation but was instead connected to a broader communication infrastructure maintained by the group. The discovery of these channels provided a new direction for the investigation, allowing further analysis of how the actors organized their activities and interacted with collaborators across the Telegram ecosystem.

Expanding the Telegram Network

Further examination of the Telegram infrastructure linked to VFVCT revealed another channel associated with the group. The channel presented itself as a backup channel for the V For Vendetta Cyber Team. The channel description reiterated the same contact information observed earlier, reinforcing its connection to the same operational ecosystem.

• https://t.me/+tKk***********Y9

Activity within the channel provided additional insight into how the group communicated announcements and coordinated activities. Several posts referenced ongoing operations, recruitment efforts, and upcoming data releases. In one message, the operators announced the existence of a dedicated database-sharing channel, stating that datasets would be distributed through:

• https://t.me/DbShare************a

The same message indicated that a VFVCT database release was planned for the end of Ramadan, suggesting that the group used Telegram not only for communication but also for scheduling and promoting future leak activities.

Other posts contained statements outlining the group’s adversarial stance toward several governments. One message described a campaign targeting South Korea, India, and Indonesia, claiming possession of large datasets associated with each country. While the claims themselves could not be independently verified at the time of investigation, the language and messaging style were consistent with the rhetoric often used by hacktivist-oriented groups attempting to frame their operations as politically motivated campaigns.

The presence of these announcements and operational messages demonstrated that the Telegram channels served as a primary communication layer for the actors behind the Persephone platform. Rather than being limited to leak announcements, the channels functioned as a space for recruitment, messaging, and coordination, providing further visibility into the ecosystem surrounding the platform.

Identifying Additional Infrastructure and Contact Channels

Continued monitoring of messages within the VFVCT Telegram channels revealed further references to infrastructure and contact methods used by the group. Several posts shared links and identifiers that appeared to support the group’s operations beyond Telegram itself.

One such reference pointed to a GitHub Pages site:

• https://******.github.**/******/

In a message shared within the channel, this site was described by the actors as part of their DLS (data leak site) or ransomware-related infrastructure. While the domain is hosted through GitHub’s static website service, the link was circulated by the actors themselves as an operational resource connected to their activities.

Additional references surfaced during the monitoring of the channel’s historical messages. Some posts promoted collaboration opportunities and invited individuals with technical expertise to participate in ransomware operations. In one instance, a message encouraged interested participants to contact the group through vfvct@******.** regarding potential ransomware partnerships. These posts suggested that the actors were actively seeking individuals with skills in malware development, networking, or infrastructure management.

The Telegram channels also contained branding elements used by the group. Among them was a logo associated with the V For Vendetta Cyber Team, featuring imagery consistent with hacktivist-style symbolism. Such visual elements are commonly used by cyber groups to establish recognizable identities across multiple platforms.

Understanding the Role of THE PERSEPHONE Platform

While the Telegram channels clearly demonstrated the involvement of VFVCT, an important question remained: what exactly was the role of THE PERSEPHONE itself? To better understand the platform, the investigation returned to the website:

• https://thepersephone.******.org/

A closer examination of the site revealed that it was not presented as the project of a single group. Instead, the landing page prominently displayed references to three separate actors: VFVCT, RasCorp Group, and ClayRat. The page introduced THE PERSEPHONE as a shared platform associated with these groups and described their cooperation under the banner of “United Cyber Operations.”

This presentation suggested that THE PERSEPHONE functioned as a collaborative leak platform rather than the independent operation of one threat actor. The site included several sections containing introductory messages, operational rules, and lists of datasets attributed to different actors participating in the ecosystem. In this structure, the platform appeared to act as a centralized location where breaches and announcements could be published collectively.

Among the entries visible on the site were datasets such as “israel_citizen_database.csv”, alongside other leak announcements attributed to actors connected with the ecosystem. Each entry included brief descriptions and timestamps indicating when the data had been published. The presence of multiple datasets under a single platform reinforced the idea that the site was intended to aggregate leaks from the participating groups.

Identifying the Administrator Behind the VFVCT Channels

As the investigation progressed through the Telegram infrastructure linked to VFVCT, attention turned toward identifying the individuals responsible for managing the channels and coordinating communication within the ecosystem. Monitoring activity within the Project_Vendetta group and related channels revealed repeated references to a Telegram account operating under the username @D*********a.

The account, displayed under the name “Diablo Gato,” appeared to play an administrative role within the VFVCT communication network. Messages circulated within the channels often directed potential collaborators or interested participants to contact this account, suggesting that it functioned as one of the primary points of contact for the group.

To better understand the history of this account, StealthMole’s historical indexing feature was used to review earlier records associated with the profile. The historical data showed that the account had undergone multiple changes in both username and profile images, indicating attempts to periodically modify its online identity. Among the earlier identifiers linked to the account was the username Elisha24, which appeared in archived records dating back to October 2024.

Further examination of the account’s activity across Telegram revealed that it was present in multiple channels related to hacking communities and cyber discussions. In at least one of these channels, RipperSec Chat, the account claimed to be located in Malaysia and communicated using the Malay language in certain exchanges. While such claims cannot be independently verified, they provide contextual clues regarding the persona behind the account.

The account’s presence across several Telegram communities, combined with its role as a contact point within VFVCT channels, suggested that @D********a was likely involved in coordinating aspects of the group’s activities or managing communications within the broader ecosystem surrounding THE PERSEPHONE platform.

Additional Communication Channels and Operational Artifacts

Further monitoring of the VFVCT Telegram channels uncovered additional artifacts that appeared to be associated with the group’s broader communication and operational infrastructure. Among the identifiers shared within the channels was a TOX ID, a decentralized messaging protocol often used by threat actors seeking anonymous peer-to-peer communication. The identifier observed during the investigation was:

• 3574*****************************************************48

The presence of this identifier indicated that the actors maintained communication options beyond Telegram, potentially enabling direct contact with collaborators through encrypted channels that do not require centralized services.

Another artifact identified during the investigation was a Session messenger ID:

• 0558************************************************57e

Session is an encrypted messaging platform that routes communication through decentralized networks, providing an additional layer of anonymity. Its use is frequently observed among cyber actors who seek to avoid reliance on mainstream communication platforms.

In addition to these messaging identifiers, references were also found to a separate website:

• https://d********s.w******.net

The domain appeared to be hosted through a free web hosting provider, suggesting that it may have been used as a temporary or experimental resource by the actors. Such disposable infrastructure is commonly employed by cyber groups to host content, test tools, or distribute materials without maintaining long-term infrastructure.

Taken together, these artifacts indicated that the ecosystem surrounding THE PERSEPHONE extended beyond the visible leak platform and Telegram channels. Instead, the actors appeared to maintain a layered communication environment, incorporating multiple messaging protocols and externally hosted resources to support coordination and outreach within their network.

Conclusion

The investigation into THE PERSEPHONE began with the discovery of a leak website hosting multiple datasets under a single platform. What initially appeared to be a standalone leak portal gradually revealed a more complex structure as additional artifacts were identified across Telegram channels, underground discussions, and supporting infrastructure. Rather than representing the operation of a single group, the evidence indicated that THE PERSEPHONE functioned as a shared platform within a broader collaborative ecosystem.

Analysis of the website content and associated communications showed that VFVCT, RasCorp, and ClayRat were all referenced within the same operational environment. The platform appeared to serve as a central location where datasets and announcements could be published collectively, while Telegram channels, particularly the ones belonging to VFVCT, provided the communication layer used for recruitment, coordination, and promotion of activities.

Further investigation into the communication infrastructure revealed multiple identifiers connected to the ecosystem, including Telegram channels, bot accounts, messaging identifiers, and externally hosted resources. These artifacts illustrated how the actors maintained a distributed communication environment, relying on several platforms to coordinate activities and engage with potential collaborators.

Overall, the findings suggest that THE PERSEPHONE operates less as an independent threat actor and more as a collaborative hub, bringing together multiple groups that contribute different capabilities to the broader operation. By examining the infrastructure, communication channels, and identities surrounding the platform, the investigation provides insight into how such alliances can function within the cyber threat landscape and how shared platforms can enable coordinated activity among otherwise separate actors.

Editorial Note

Investigations involving cyber actors operating across multiple platforms rarely provide complete visibility into every aspect of an operation. Online identities, infrastructure, and affiliations can change quickly, and actors often obscure their roles within collaborative environments. As a result, attribution should be approached cautiously and treated as an evolving assessment rather than a final conclusion.

This case highlights how StealthMole’s monitoring capabilities can connect seemingly separate indicators, allowing analysts to trace relationships across different layers of an ecosystem and better understand how coordinated cyber operations take shape.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com

Handala’s Digital Battlefield: Uncovering the Infrastructure of an Anti-Israel Hacktivist Campaign

In recent years, geopolitical tensions have increasingly spilled into cyberspace, giving rise to a wave of hacktivist groups that frame cyberattacks as acts of political resistance. Among these actors, Handala has emerged as a particularly visible presence within the pro-Palestinian cyber ecosystem. Named after the iconic Palestinian cartoon character created by Naji al-Ali, the group draws heavily on the symbolism associated with the figure: a barefoot child who stands with his back turned, representing resistance, displacement, and a refusal to accept injustice. By adopting this name and imagery, the group positions its cyber activities as part of a broader ideological struggle rather than purely criminal operations.

Handala began appearing in online spaces around late 2023, as the Israel–Hamas conflict intensified and hacktivist activity surged across multiple regions. Like many politically motivated cyber groups, its messaging blends propaganda, political statements, and claims of cyber intrusions. Over time, the group has targeted a range of Israeli institutions and organizations, frequently publishing announcements or alleged data leaks across forums, messaging platforms, and dedicated leak sites. These activities have gradually drawn attention within both cybersecurity circles and online hacktivist communities.

Despite its growing visibility, much about Handala remains unclear. The group operates under shifting online identities, frequently moving between platforms and channels while maintaining a steady stream of announcements and leak claims. This fluid online presence makes it difficult to understand how the group organizes itself, where it communicates, and how its operations are distributed across the internet.

This investigation began with a simple question: how does Handala sustain its cyber campaign online? By tracing the group’s digital footprint across forums, messaging platforms, and dark web infrastructure, the analysis gradually reveals a broader network of channels, domains, and communication pathways that support its activities. What initially appeared to be isolated leak posts ultimately points to a far more interconnected ecosystem operating behind the scenes.

Incident Trigger and Initial Investigation

The investigation began with a keyword search for “Handala” within StealthMole’s Government Monitoring tool. This initial query surfaced several posts linked to the group that referenced alleged cyberattacks targeting Israeli government entities. Among the indexed results were three incidents published on BreachForums between 2024 and 2026, indicating that the group had previously used underground forums to publicize its activities.

One of these threads, titled “Israel Police Hacked,” was particularly notable. Although it appeared in StealthMole monitoring results during 2026, the original forum post dated back to 9 February 2025, suggesting that the content had resurfaced through reposting or renewed attention within underground communities.

To determine whether these forum posts represented isolated claims or part of a broader pattern of activity, the investigation expanded to StealthMole’s Leaked Monitoring tool. This search revealed a much larger dataset associated with the group, identifying 176 potential victims linked to Handala-related leak announcements.

The results also showed a clear shift in how the group published its disclosures. Earlier posts were distributed primarily through underground forums and Telegram channels, but more recent entries pointed to a dedicated leak platform operated by the group itself.

Two key communication channels repeatedly appeared in connection with these announcements:

• https://t.me/s/Handala_hack
• https://t.me/Handala_Backup

Among the leaked monitoring results, the most recent entry stood out as a significant development. Unlike earlier disclosures that relied on forums or messaging platforms, this post was hosted directly on the group’s own website.

• https://handala******.**/un********/

The page carried the title “Unprecedented Disclosure of 50 Senior Israeli Air Force Officers’ Information” and presented the announcement as a major data exposure linked to Israeli military personnel. Because this disclosure represented the latest activity attributed to the group and was hosted on infrastructure directly controlled by the actors, it became the primary focal point for further analysis.

With the source of the announcement identified, the investigation pivoted to the domain hosting the leak. By running the domain through additional StealthMole tools, including Dark Web Tracker and Telegram Tracker, the analysis began mapping the broader ecosystem connected to the group. What initially appeared to be a single leak announcement soon expanded into a much larger network of domains, messaging channels, and communication platforms supporting Handala’s online operations.

Expanding the Investigation: Mapping Handala’s Online Infrastructure

With the leak page identified, the investigation shifted toward understanding the infrastructure supporting Handala’s operations. The domain hosting the disclosure was used as the first pivot point, allowing StealthMole tools to identify additional communication channels and online platforms connected to the group.

The domain handala*******.**, which hosted the March 2026 disclosure, appeared to function as a central hub for the group’s announcements and leak posts.

• https://handala**********.**

Running this domain through StealthMole’s Dark Web Tracker revealed multiple associated communication channels and identifiers linked to the group’s online presence.

One of the most significant findings was a network of Telegram channels connected to the Handala ecosystem. These channels appear to serve different roles, including announcements, backup communication channels, and distribution of leak-related content.

Telegram Channels Identified

• https://t.me/Handala_Leak
• https://t.me/handala_hack3
• https://t.me/handala_hack6
• https://t.me/Handala_backup
• https://t.me/handala_hack20
• https://t.me/handala_channel
• https://t.me/Handala_hack
• https://t.me/handala_rss
• https://t.me/HANDALA*****

The presence of numerous channels suggests that the group relies heavily on Telegram as its primary communication platform. Hacktivist groups frequently maintain multiple channels to ensure continuity of operations, especially when primary accounts are suspended or removed by platform moderators.

In addition to Telegram channels, StealthMole also identified a Session messenger ID, indicating that the group provides alternative encrypted communication methods.

Session ID

• 05402*************************************************c929

The discovery of this identifier suggests that the operators offer additional channels for private communication beyond public messaging platforms. Privacy-focused messaging services such as Session are often used by online communities seeking to maintain anonymity while coordinating activities or communicating with external contacts.

Together, these findings indicate that the leak website is only one component of a larger communication ecosystem. The group appears to rely on a distributed network of platforms, ranging from public messaging channels to encrypted communication identifiers, to promote its announcements and maintain contact with followers.

Telegram Activity and Platform Migration

Further analysis of the identified Telegram channels provided additional insight into how Handala manages its online presence and adapts to platform restrictions. Several messages within the channels referenced the suspension of social media accounts associated with the group, indicating repeated moderation actions against its online profiles.

For example, activity observed within the channel HANDALA_HPR2 referenced a Twitter account linked to the group:

• https://x.com/HPRSEC

At the time of investigation, this account had been suspended on 9 March 2026, illustrating the ongoing disruption faced by the group on mainstream social media platforms.

Additional evidence of these disruptions appeared within another Telegram channel:

Telegram Channel

• https://t.me/handala_rss

Messages in this channel reported that another account associated with the group had also been suspended earlier that week.

Suspended Account

• https://x.com/HANDALA_FRONT

The suspension was reported on 6 March 2026, suggesting that multiple Handala-affiliated social media profiles had been removed in a short period of time. Earlier investigations had also identified the following account linked to the group’s activities:

Previously Identified Account

• https://twitter.com/handala_hack

The repeated suspension of these accounts appears to have contributed to the group’s increasing reliance on Telegram as its primary platform for announcements and communication.

Further examination of the group’s backup Telegram channel also revealed a series of invite links pointing to additional private or temporary groups that had been used at various points over the past year.

Telegram Invite Links Identified

• https://t.me/+gy8TRxf4pVljMzI0 (February 2025)
• https://t.me/+cFjcge2T7Y85NTg0 (February 2025)
• https://t.me/+drbzBna3Bis1ZTM0 (January 2025)
• https://t.me/+qhaXhUkMG1NiNjZl (December 2024)

These invite links suggest that the group periodically creates new channels or private groups, possibly in response to account suspensions or to maintain restricted communication spaces for specific audiences.

Overall, the findings highlight a pattern of platform migration, where Handala shifts its communication channels whenever accounts are suspended or restricted. Telegram appears to function as the central hub of this ecosystem, while other platforms are used intermittently for broader outreach before eventually being abandoned or removed.

Dark Web and Supporting Infrastructure

As the investigation continued, further analysis of the Telegram channels uncovered additional infrastructure associated with Handala’s operations. One of the most notable discoveries emerged from the Telegram channel:

Telegram Channel

• https://t.me/handala_channel

Messages within this channel referenced an onion service associated with the group, indicating the presence of infrastructure hosted within the Tor network.

Onion Website

• http://vmjfieomxhnfjba57sd6jjws2ogvowjgxhhfglsikqvvrnrajbmpxqqd.onion/

Running this address through StealthMole’s Dark Web Tracker revealed that the site appeared to function as another platform for publishing breach claims and distributing supporting materials. The page identified during the investigation included a post titled “Amos Spacecom Hacked,” which referenced an alleged compromise related to satellite communications infrastructure.

The page also contained links to files labeled as proof-of-concept (PoC) materials, suggesting that the group uses the onion site to distribute sample data or supporting evidence intended to validate its claims.

Further analysis of the onion infrastructure revealed additional resources connected to the group’s activity.

Additional Telegram Channel

• https://t.me/handala_poc

This channel appears to be associated with the distribution of proof-of-concept material or leaked data samples related to the group’s announcements.

In addition to messaging channels, the investigation also identified the use of external file-hosting platforms for distributing files linked to the group’s disclosures.

File Hosting Link

• https://mega.nz/file/25wmUD****************************fM

The presence of a Mega file link suggests that the group may use cloud-based storage services to distribute data samples or archive materials related to its leak announcements.

Another domain connected to the group’s ecosystem was also identified during the investigation.

Additional Surface Domain

• http://handala*******.***/

Although the exact function of this website could not be fully verified during the investigation, its appearance alongside other Handala-linked infrastructure suggests that it may serve as an additional platform for hosting announcements, propaganda, or related content.

These findings indicate that Handala’s online presence extends beyond messaging platforms and forums. Instead, the group appears to operate a layered infrastructure that includes surface web domains, Tor-hosted services, and external file-hosting platforms. This distributed approach allows the group to maintain the availability of its content even when individual platforms or accounts are suspended.

Conclusion

The investigation reveals that Handala’s activities are supported by a layered online ecosystem rather than a single platform or communication channel. Instead of relying on one outlet to publicize its operations, the group distributes its presence across multiple services, combining messaging platforms, dedicated leak websites, dark web infrastructure, and external file hosting services.

Among these platforms, Telegram appears to function as the central hub of the group’s communication network. The numerous channels identified during the investigation serve different roles, including public announcements, backup communication spaces, and distribution points for leak-related content. The existence of several backup channels and invite-only groups also indicates that the group anticipates disruptions and maintains alternative channels to ensure continuity of communication.

At the same time, Handala appears to rely on its own websites and Tor-hosted infrastructure to publish leak announcements. Hosting disclosures on actor-controlled platforms allows the group to retain control over its messaging while reducing dependence on third-party forums or social media services that may remove or restrict its content.

External file hosting platforms, such as Mega, appear to complement this infrastructure by enabling the distribution of sample datasets or supporting materials linked to leak claims. Separating file hosting from the main disclosure pages allows the group to share larger files while maintaining a lightweight publication platform for announcements.

Another notable pattern is the group’s repeated movement between platforms. Several social media accounts associated with Handala were found to have been suspended, indicating ongoing moderation actions on mainstream platforms. In response, the group’s communication appears to have shifted increasingly toward Telegram channels and dedicated websites, where the operators have greater control over their presence.

These findings suggest that Handala operates through a distributed digital ecosystem designed to maintain visibility and resilience. By spreading its activities across multiple platforms and infrastructure layers, the group is able to continue publishing announcements and promoting its campaigns even when individual accounts or channels are disrupted or removed.

Editorial Note

Investigations into cyber and dark web activities rarely produce absolute certainty. Hacktivist groups frequently operate under pseudonyms, rotate communication channels, and shift infrastructure over time, making definitive attribution and operational assessment inherently challenging. This case illustrates how StealthMole’s monitoring capabilities can help analysts navigate that uncertainty by tracing connections across forums, messaging platforms, and hidden services, gradually revealing the broader ecosystem that supports such operations.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com