Iran-Linked Handala Hackers Wipe 200,000 Devices at Stryker in Destructive Cyberattack
On March 11, employees at Stryker Corporation, a prominent medical technology firm, encountered a shocking sight when they powered on their computers: blank screens displaying an unfamiliar logo. This logo, depicting a small barefoot boy with a slingshot, is the emblem of the hacktivist group Handala.
The cyberattack on Stryker, which provides surgical equipment and orthopedic implants globally, is considered one of the most devastating cyber incidents affecting a U.S. healthcare company. With reported revenues of $25 billion in 2025 and a workforce of approximately 56,000, Stryker’s products are integral to hospital supply chains worldwide. Unlike typical ransomware attacks, this incident was characterized by destruction rather than extortion.
Stryker confirmed the breach in a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC), describing a “global disruption to the Company’s Microsoft environment.” The filing stated there was no indication of ransomware or malware, asserting that the incident was contained. However, reports from employees contradicted this, indicating widespread issues.
Employee Reports of Device Wiping
Employees across the United States, Ireland, Costa Rica, and Australia reported that their managed Windows laptops and mobile devices had been remotely wiped. One Reddit user noted that three Stryker-managed devices were wiped around 3:30 AM EDT, with the Entra login page defaced by the Handala logo. Another employee described the situation as dire, mentioning that many colleagues’ phones had been wiped, and they were instructed to remove company applications from personal devices. This disruption resulted in loss of access to essential data and services, including email and two-factor authentication systems.
Handala claimed responsibility for wiping over 200,000 systems, servers, and mobile devices, extracting 50 terabytes of data in the process. This forced Stryker to halt operations across 79 countries. In a midnight update, Stryker stated it was actively working on restoring operations following the cyberattack.
Nature of the Attack
The attack exploited Microsoft Intune, a cloud-based platform used by enterprises to manage device policies. A wiper, which is a type of malware designed to permanently erase data, was deployed instead of traditional ransomware. An attacker with administrative access to Intune effectively holds a “kill switch” for all enrolled devices, allowing for a coordinated and destructive operation.
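As an added example (not from the original report, Stryker, or Microsoft): one defensive check that follows from the "kill switch" point is to alert when a single admin account issues wipe actions against many distinct devices within a short window. The record fields (`time`, `actor`, `action`, `device`), the sample events and the thresholds are constructed for illustration and are not Intune's own audit-log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
BASE = datetime(2024, 1, 1, 3, 30)

# Constructed sample audit records (simplified, hypothetical schema).
SAMPLE_EVENTS = [
    # Routine helpdesk activity: two wipes, hours apart.
    {"time": "2024-01-01T09:00:00Z", "actor": "helpdesk@example.com", "action": "wipe", "device": "LT-100"},
    {"time": "2024-01-01T14:20:00Z", "actor": "helpdesk@example.com", "action": "wipe", "device": "LT-101"},
    # A non-destructive action that must not count toward the burst.
    {"time": "2024-01-01T03:29:00Z", "actor": "gadmin@example.com", "action": "sync", "device": "LT-000"},
] + [
    # Burst: one admin account wipes 8 devices, 30 seconds apart.
    {"time": (BASE + timedelta(seconds=30 * i)).strftime(FMT),
     "actor": "gadmin@example.com", "action": "wipe", "device": f"LT-{i:03d}"}
    for i in range(8)
]


def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: {"devices", "start", "end"}} for every actor that wiped
    at least `threshold` distinct devices inside one sliding `window`."""
    recent = defaultdict(deque)  # actor -> deque of (timestamp, device)
    alerts = {}
    parsed = [(datetime.strptime(e["time"], FMT), e) for e in events]
    for ts, ev in sorted(parsed, key=lambda p: p[0]):
        if ev["action"] != "wipe":
            continue
        q = recent[ev["actor"]]
        q.append((ts, ev["device"]))
        # Drop wipes that have aged out of the window.
        while ts - q[0][0] > window:
            q.popleft()
        # Count distinct devices so a retried wipe is not double-counted.
        count = len({dev for _, dev in q})
        best = alerts.get(ev["actor"])
        if count >= threshold and (best is None or count > best["devices"]):
            alerts[ev["actor"]] = {"devices": count, "start": q[0][0], "end": ts}
    return alerts


if __name__ == "__main__":
    for actor, hit in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {hit['devices']} devices wiped "
              f"between {hit['start']} and {hit['end']}")
```

In practice the threshold and window would be tuned against the tenant's normal wipe volume, and the alert paired with a control that requires a second approver for bulk destructive actions.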
Who is Handala?
Handala, also known as the Handala Hack Team, Hatef, and Hamsa, emerged in December 2023 as a hacktivist group linked to Iran’s Ministry of Intelligence and Security (MOIS). Initially targeting Israeli organizations, Handala has utilized destructive malware to wipe both Windows and Linux devices. The group derives its name from a Palestinian cartoon character created by Naji al-Ali, symbolizing a child refugee.
While Handala presents itself as a hacktivist organization, multiple threat intelligence firms suggest it is part of a broader strategy employed by Void Manticore, a MOIS-affiliated actor focused on psychological and reputational disruption. This includes breaching systems, conducting hack-and-leak operations, and strategically timing the release of stolen information.
Research from Check Point has identified overlaps between Handala and other MOIS-affiliated groups, including shared criminal tools. Handala has previously used Rhadamanthys, a commercial infostealer, in conjunction with custom data wipers in phishing campaigns.
Attack Patterns and Previous Targets
The operational strategy of Handala follows a consistent pattern, beginning with initial access through unpatched web servers and VPN gateways. This is followed by lateral movement using tools like PowerShell, culminating in the deployment of destructive wipers designed to erase file systems.
Handala’s previous targets have included sensitive sectors, with claims of wiping Israeli military weather servers and intercepting security feeds in Jerusalem. Recently, the group published identifying details for 50 senior Israeli Air Force officers, including names, IDs, and addresses.
The attack on Stryker was reportedly a retaliation for a U.S. military strike on a school in Minab, Iran, which resulted in the deaths of over 175 individuals, many of whom were children.
Implications for Stryker
Although Stryker has no direct military connections, it secured a $450 million Department of Defense contract in 2025 to supply medical devices to the U.S. military, which may have made it a target for Handala. Reports indicate that MOIS-affiliated groups had infiltrated U.S. and Israeli infrastructure weeks prior to military operations, suggesting that Handala may have had access to Stryker’s environment long before the attack.
Researchers have also noted that Handala utilized Starlink IP ranges to probe external applications for vulnerabilities, blending reconnaissance traffic with legitimate satellite internet usage to evade detection.
The hacker collective has also claimed responsibility for hacking Verifone, a leading provider of payment solutions, although the company has not confirmed or denied these reports.
As reported by thecyberexpress.com, the ramifications of this attack are still unfolding, with Stryker working diligently to restore its operations and secure its systems against future threats.


