Epic Fury Update: Stryker Attack Highlights Handala's Shift from Espionage to Disruption
On March 11, 2026, the medical technology vendor Stryker disclosed a global cyberattack affecting its Microsoft environment. The company said there was no indication of ransomware or malware, but the full scope and restoration timeline were unknown.
The Iran-linked group Handala Hack Team claimed responsibility, and employee accounts described major operational disruption, including reports of wiped or disabled devices. For a company operating in more than 60 countries, the incident represents a significant business continuity and enterprise operations risk, even as Stryker said its core products remained safe to use.
As a trusted security partner, LevelBlue is actively monitoring threat intelligence and client environments for indicators of emerging risk. We remain on heightened alert and are prepared to support clients and partners with real-time intelligence updates and incident response assistance as needed. We will continue to provide timely updates and actionable guidance as developments unfold.
Key Findings
- One of the clearest, and possibly the first, publicly reported Handala-claimed, Iranian-aligned retaliatory cyber incidents affecting a major U.S. company since the February 28 escalation. The impact is high because Stryker operates at significant global scale, with more than 50,000 employees in over 60 countries, so even a contained Microsoft-environment disruption is a material business continuity event.
- The attack is the first confirmed destructive wiper operation against a US Fortune 500 company.
- Public reporting indicates destructive effects, including wiped or disabled employee devices, but the available evidence does not yet confirm the full technical kill chain.
Current Threat Landscape
As of March 12, 2026, the Israel-Iran cyber conflict is no longer a side theater to the kinetic war. Since the February 28 U.S.-Israeli strikes on Iran, the cyber picture has shifted toward persistent retaliatory activity, with U.S. officials warning that Iran-aligned actors and proxies are likely to favor targeted but lower-threshold operations such as defacements, DDoS, and other disruptive attacks in the near term. At the same time, threat intelligence reporting suggests the quieter period seen immediately after the strikes may reflect timing and operational constraints, not restraint, especially given Iran’s blackout conditions and the expectation that more activity could follow once networks and command structures normalize.
The latest shift is not simply “more attacks,” but a change in style. The cyber front is moving away from purely long-horizon espionage and toward faster, deniable, psychologically charged disruption carried out through proxy personas, hacktivist fronts, and hack-and-leak operations. Reuters documented cyber activity against Iranian apps and websites on March 1, while on March 11, an Iran-linked persona, Handala, claimed responsibility for the destructive attack on Stryker, a U.S. medical technology company, in what many analysts view as a sign that retaliation is expanding beyond Israel itself toward commercially significant Western targets tied to the broader conflict environment.
Handala Group Activities
Handala emerged in late 2023 as a pro-Palestinian hacktivist brand, but several researchers and official assessments link it to Iran-aligned threat infrastructure rather than a purely independent activist group. Its operations focus on pressure over stealth, using phishing, social engineering, destructive attacks, and hack-and-leak tactics to create a reputational and psychological impact.
Handala Hack Team is assessed with high confidence as an online persona of Void Manticore (Storm-0842 / Banished Kitten), affiliated with Iran's Ministry of Intelligence and Security (MOIS). Handala Hack Team has conducted at least 131 documented attacks since December 2023, with an accelerating pace in 2026.
The group operates using a documented two-actor handoff: Scarred Manticore (Storm-0861) provides initial access via long-dwell operations, then hands off to Void Manticore (Storm-0842 / Handala) for destructive wiper deployment. This pattern was observed in both the 2022 Albania attacks and the 2023-2024 Israel campaigns.

Figure 1: Handala’s latest claim.
While some of its public claims appear exaggerated or disputed, others were backed by apparently authentic sensitive data, making Handala best understood as a hybrid actor that combines real intrusions with propaganda and information warfare.

Figure 2: Handala’s claims on hacking Stryker Corporation.
Public reporting confirms that Stryker experienced a global cyberattack affecting its internal Microsoft environment on March 11, 2026, and that the company stated it had no indication of ransomware or malware at the time of its public updates. Stryker’s own statements say the disruption was contained to its internal Microsoft environment and that business continuity measures were activated while restoration efforts continued.

Figure 3: Stryker Corporation Statement.
Multiple media reports also cite employee accounts describing wiped or disabled devices, loss of access to Microsoft services, and Handala branding appearing on some login screens. Handala publicly claimed responsibility the same day and framed the operation as retaliation linked to recent U.S.-Iran tensions, but its broader claims, including very large-scale data theft and wiping numbers, remain unverified publicly.
Stryker is a major U.S. medical-technology company. It makes and sells products used by hospitals and surgeons, including orthopedic implants, surgical equipment, neurotechnology, medical instruments, emergency care products, and digital/robotic surgery systems. Stryker says it had $22.6 billion in global sales in 2024, about 53,000 employees worldwide, and impacts more than 150 million patients annually.
The Attack
The attack began overnight on March 11. Employees in the United States, Ireland, Costa Rica, and Australia reported that their managed Windows devices and mobile phones were remotely wiped in the early hours of the morning. The execution was devastating in its effect.
Public evidence suggests that the attackers gained access to Stryker's Microsoft Intune account, the company's mobile device management platform. From there, Handala appears to have issued remote wipe commands across enrolled corporate devices, resetting them to factory settings.
Because Handala gained access to the Intune administrative layer that manages all endpoints, Handala did not need to deploy malware to any individual endpoint. By weaponizing the management layer itself, the attacker effectively turned Stryker's device management infrastructure into a mass remote destruction tool.
Using that access, they issued a Remote Wipe command to the entire global fleet simultaneously. Because this is a legitimate native system command meant for lost or stolen devices, it bypasses most traditional Antivirus/EDR solutions that look for malicious code signatures.
In addition to the Intune wipe, Handala has also used FuxSocy Wiper, a custom wiper the group has deployed previously that targets both Windows and Linux. The group has also made extensive use of PowerShell and Windows Management Instrumentation (WMI) to disable recovery options (for example, deleting Volume Shadow Copies) before a system shuts down.
Initial Access & Lateral Movement
While the exact entry point is still being verified, Handala’s historical playbook and recent activity suggest:
- Phishing & Credential Theft: Using event-themed lures (related to recent US-Iran kinetic escalations) to harvest admin credentials.
- Session Hijacking: Bypassing MFA by stealing session tokens, which allows attackers to log into cloud management consoles (Azure/Entra) as a verified admin.
- Valid Account Abuse (T1078): Using legitimate accounts to move laterally until they reach the "keys to the kingdom"—the Intune/MDM admin roles.
Remediations
LevelBlue is urging organizations to adopt a strong defensive posture similar to the guidance launched by CISA at the outset of the Ukraine-Russia conflict.
LevelBlue has elevated monitoring across all known clients with regional exposure and has implemented the following measures:
- High-Vigilance Monitoring Activated: Enhanced monitoring for clients operating in or connected to the Middle East, with focused attention on Iranian IP space and TTPs associated with known Iranian threat actors.
- Increased Escalation Priority: Accelerated review and response protocols for alerts potentially linked to Iranian infrastructure or threat actor behaviors.
The key lesson from this incident is that modern destructive attacks do not always require ransomware or custom malware to create major business disruption. If an attacker can gain access to a cloud identity layer, an endpoint-management platform, or privileged administrative account, they may be able to trigger large-scale operational damage using legitimate enterprise tools.
That makes remediation less about one specific threat actor and more about reducing the risk of identity compromise, token theft, privilege abuse, and misuse of remote device actions. Microsoft’s own guidance shows that Intune can perform immediate and bulk device actions, including wipe, while Entra Conditional Access and token-protection controls are designed to reduce session replay and abuse of stolen tokens. CISA’s IAM guidance similarly emphasizes phishing-resistant authentication, least privilege, and stronger administrator protections as core defensive measures.
Some measures you can take to avoid similar incidents:
- Follow best practices and security hardening guides for all cloud resources.
- Privileged access to Entra, Intune, and other administration portals should be tightly limited, continuously reviewed, and separated from ordinary user activity.
- Restrict admin access to managed and compliant devices. Enforce phishing-resistant MFA where possible.
- Use dedicated privileged accounts and workstations for administrators, and review built-in roles to ensure no user has broader privileges than necessary.
- Device management groups containing privileged users, executives, or high-impact operational staff should receive added safeguards.
- Device recovery procedures should be tested in advance so that organizations can quickly re-enroll, rebuild, or replace devices.
- Microsoft’s guidance on protecting credential tokens in Entra recommends a layered approach: harden endpoints, apply device- and risk-based Conditional Access, and use device-bound tokens where supported.
- This class of threat should be categorized as a business continuity and resilience problem, not only a security-stack problem.
- Organizations should maintain audit visibility across identity and device-management platforms.
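The attack described above weaponized a legitimate management action, so the audit trail of the device-management platform is the place to look for it. The following added example (not from the original post or from Stryker or Microsoft) shows one way to put the last recommendation into practice: it runs over a constructed batch of MDM audit events, whose simplified field names are an assumption rather than Intune's real schema, and flags both a burst of wipe actions from a single identity and any wipe issued by an identity outside an approved operator list.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit events for this example. Field names are a
# simplified stand-in for an MDM audit feed, not Intune's real schema.
SAMPLE_EVENTS = [
    {"time": "2026-03-11T01:58:00Z", "actor": "helpdesk@corp.example", "action": "Wipe ManagedDevice", "device": "LT-0419"},
    {"time": "2026-03-11T02:00:05Z", "actor": "admin-a@corp.example", "action": "Wipe ManagedDevice", "device": "LT-0001"},
    {"time": "2026-03-11T02:00:09Z", "actor": "admin-a@corp.example", "action": "Wipe ManagedDevice", "device": "LT-0002"},
    {"time": "2026-03-11T02:00:14Z", "actor": "admin-a@corp.example", "action": "Wipe ManagedDevice", "device": "PH-0103"},
    {"time": "2026-03-11T02:00:20Z", "actor": "admin-a@corp.example", "action": "Wipe ManagedDevice", "device": "LT-0004"},
    {"time": "2026-03-11T02:00:31Z", "actor": "admin-a@corp.example", "action": "Sync ManagedDevice", "device": "LT-0005"},
    {"time": "2026-03-11T02:01:02Z", "actor": "admin-a@corp.example", "action": "Wipe ManagedDevice", "device": "LT-0006"},
    {"time": "2026-03-11T03:30:00Z", "actor": "svc-unknown@corp.example", "action": "Wipe ManagedDevice", "device": "LT-0220"},
]

# Device actions that destroy data on, or remove, a managed device.
DESTRUCTIVE_ACTIONS = {"Wipe ManagedDevice", "Retire ManagedDevice"}

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window."""
    times = sorted(times)
    start, peak = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def detect_mass_wipe(events, approved_actors, window=timedelta(minutes=10), threshold=5):
    """Return {actor: {"peak": n, "reasons": [...]}} for identities issuing a burst of
    destructive device actions, or any such action from a non-approved operator."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[e["actor"]].append(parse_time(e["time"]))
    alerts = {}
    for actor, times in by_actor.items():
        reasons = []
        peak = peak_in_window(times, window)
        if peak >= threshold:
            reasons.append(f"{peak} destructive actions within {int(window.total_seconds() // 60)} min")
        if actor not in approved_actors:
            reasons.append("actor not an approved wipe operator")
        if reasons:
            alerts[actor] = {"peak": peak, "reasons": reasons}
    return alerts
```

A single wipe by an approved help-desk account (a lost device) produces no alert, while five wipes in two minutes from one admin, or one wipe from an unknown identity, both do; the threshold and window should be tuned to the organization's normal device-action volume.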
The cyberattack against Stryker could have consequences well beyond temporary IT disruption because the company is a large global medical-technology manufacturer whose operations support hospitals, clinicians, field teams, and healthcare customers in dozens of countries. Publicly, Stryker confirmed a global network disruption affecting its Microsoft environment and said it had no indication of ransomware or malware at the time of disclosure.
Even without malware, it’s easy to see that this kind of disruption can still create serious operational consequences: loss of employee access to email, identity services, collaboration platforms, internal business applications, and device-management functions; delays in sales, support, and service workflows; and interruption of coordination across manufacturing, logistics, customer support, and regional business units. Because Stryker operates on a global scale, even a short-lived outage can have a material business impact.
The most serious consequence is the reported wiping or disabling of employee devices. Multiple reports cite employees describing laptops and phones being wiped or rendered unusable, and public reporting has stated some login screens showed Handala branding.
The impact could extend from ordinary downtime to destructive operational impairment requiring endpoint rebuilds, credential resets, re-enrollment into enterprise management, loss of unsynced local data, interruption of mobile communications, and reduced ability for employees to support customers or perform regulated business processes.
In a company serving the healthcare sector, such disruption can also create downstream risk for customers if internal support, distribution, device servicing, or operational response functions are delayed.
ABOUT LEVELBLUE
LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.