On the morning of March 11, employees at Stryker offices worldwide switched on their computers and found them blank — login screens replaced by a logo most had never seen. A small, barefoot boy with a slingshot, the symbol of Handala.
The attack on Stryker Corporation — a Fortune 500 medical technology giant that supplies surgical equipment, orthopedic implants, and neurotechnology to hospitals globally — ranks as one of the most operationally destructive cyberattacks ever executed against a U.S. healthcare company.
Stryker reported $25 billion in revenue in 2025 and employs approximately 56,000 people, with its products embedded in hospital supply chains worldwide. What hit it was not ransomware. The attackers came to destroy, not extort.
Stryker confirmed the incident in a Form 8-K filing with the U.S. SEC, describing “a global disruption to the Company’s Microsoft environment” and stating it had no indication of ransomware or malware and believed the incident was contained. The company’s own filing, however, understated what employees were already reporting on the ground.
Employees in the United States, Ireland, Costa Rica, and Australia reported that managed Windows laptops and mobile devices had been remotely wiped.
“My wife had 3 Stryker managed devices wiped around 3:30 AM EDT. Their Entra login page was defaced with the Handala logo,” a Reddit user said.
Another claimed the situation as “bad” and said: “Many colleagues phones have been wiped. Instructed to remove intune, company portal, teams, VPN from personal devices. Personal phone so have lost access to my eSim. Unable to log in to many things due to 2-factor authentication. Have lost all personal data from personal devices that were enrolled and now unable to access emails and teams.
Handala claimed to have wiped more than 200,000 systems, servers, and mobile devices and extracted 50 terabytes of data, forcing Stryker to shut down operations across 79 countries. Stryker in a midnight update said it was still working on complete restoration post the cyberattack.
“We are continuing to resolve the disruption impacting our global network, resulting from the cyber attack.
At this time, there is no indication of malware or ransomware and we believe the situation is contained to our internal Microsoft environment only.
Our products like Mako, Vocera and LIFEPAK35 are fully safe to use.
We have visibility to the orders entered before the event, and they will be shipped as soon as our system communications are restored. Any orders that have come in after the event are being examined.
We are working to ensure our electronic ordering system is back up and running as quickly as possible.
It is safe to communicate with Stryker employees and sales representatives by email and phone, and within your facility.” – Stryker’s update on the cyberattack
The mechanism behind the attack points to a calculated abuse of Microsoft Intune — a cloud-based platform enterprises use to manage and push policy updates to all enrolled devices from a single console. A wiper is malware that permanently erases data rather than encrypting it for ransom.
In short, an attacker with admin-level access to Intune effectively is holding a kill switch for every enrolled endpoint in the organization. The Handala branding that appeared on screens before the wipe confirmed that access had been established and held well before the destructive phase began — this was a deliberate, staged operation.
So Who Exactly is Handala?
Handala — also known as Handala Hack Team, Hatef, and Hamsa — first surfaced in December 2023 as a hacktivist operation linked to Iran’s Ministry of Intelligence and Security (MOIS), initially targeting Israeli organizations with destructive malware designed to wipe both Windows and Linux devices, explained researchers at AI-powered threat intelligence firm, Cyble.
The group takes its name and visual branding from the iconic Palestinian cartoon character created by Naji al-Ali — a child refugee who never grows up and always turns his back to the viewer.
The hacktivist branding, however, obscures a more serious intelligence attribution. Multiple threat intelligence firms assess Handala as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor optimized for psychological and reputational disruption — breaking into systems, conducting hack-and-leak activity, and timing the publication of stolen material to maximize pressure.
Check Point Research found repeated overlaps between MuddyWater — another MOIS-affiliated group — and Void Manticore, including shared criminal tooling. Handala has used Rhadamanthys, a commercial infostealer sold on dark web forums, pairing it with custom data wipers in phishing lures that impersonated F5 software updates and even Israel’s own National Cyber Directorate.
Cyble has observed Handala hackers using Hamsa and Hatef data wipers in its previous campaigns targeted mainly at Israeli entities.
Also read: Iran-linked Threat Group Handala Actively Targets Israel
Void Manticore’s attack playbook follows a consistent pattern of Handala too. Initial access through unpatched web servers, VPN gateways, and remote access solutions; lateral movement using living-off-the-land tools like PowerShell and scheduled tasks; and final-stage deployment of destructive wiper families designed to erase file systems and corrupt boot records.
The group’s prior targets read like a map of sensitive sectors. Since the start of the Iran-Israel war, Handala has claimed to have wiped Israeli military weather servers, intercepted security feeds in Jerusalem, stolen and wiped data from various companies, doxxed Israeli intelligence officers, and breached an Israeli oil and gas exploration company.
Most recently, threat intelligence reporting documented the group publishing identifying details for 50 senior Israeli Air Force officers — names, IDs, addresses, and phone numbers.
Handala stated the Stryker attack was carried out in retaliation for a U.S. military strike on a school in Minab, Iran, that reportedly killed more than 175 people, most of them children.
Stryker has no direct connection to military operations, though it did secure a $450 million Department of Defense contract in 2025 to supply medical devices to the U.S. military.
That contract likely put a target on Stryker’s back.
Recent reporting indicates that MOIS-affiliated groups, including Handala, infiltrated U.S. and Israeli infrastructure weeks before the military operations conducted as part of Operation Epic Fury, suggesting pre-positioned access rather than reactive intrusion. In other words, Handala may have been inside Stryker’s environment long before anyone noticed.
Check Point researchers also observed Handala routing operations through Starlink IP ranges to probe externally facing applications for misconfigurations and weak credentials — a deliberate technique to blend reconnaissance traffic into legitimate satellite internet usage and frustrate IP-based blocking.
The hacker collective on Wednesday also claimed hacking another Israeli company Verifone, a leading provider of payment solutions and point-of-sale terminals to countries across the globe, but the company did not immediately respond to The Cyber Express to confirm or deny these reports until the time of publishing this article.
