Stryker Wiper Attack: What Security Teams Need to Know Now

7AI THREAT RESEARCH TEAM

March 11, 2026 (4 min read)
Threat Level: High — Active, Geopolitically Motivated Attack
Threat Actor: Handala (assessed Iranian MOIS / Void Manticore)
Target Sectors: Healthcare, Medical Technology, Global Supply Chain
Attack Type: Destructive Wiper (via Microsoft Intune / MDM Abuse)


TL;DR

On March 11, 2026, the Iran-linked hacktivist group Handala claimed a devastating wiper attack against Stryker Corporation, one of the world's largest medical device manufacturers. This is not an isolated incident — it is a deliberate geopolitical escalation targeting US companies with perceived ties to Israel. Read the full Stryker Security Advisory Here.

WHAT HAPPENED: THE STRYKER ATTACK

Stryker Corporation — Fortune 500, $25 billion in annual revenue, 56,000 employees, operating in over 60 countries — woke up on March 11, 2026, to find their global IT infrastructure wiped.


The attack began early Wednesday morning. Employees across the United States, Europe, Asia, and other regions suddenly found themselves locked out of laptops, phones, internal systems, and corporate communications. On every affected device running Windows, one thing appeared in place of the Stryker login screen: the logo of Handala, an Iran-linked hacktivist group.

Who Is Handala / Void Manticore?

Handala presents itself as a pro-Palestinian hacktivist group that emerged in late 2023, but the Handala persona is the public face of a much older and more sophisticated actor.


Behind the Handala brand, several security vendors, including Check Point Research (which coined the name Void Manticore) and Microsoft, assess with high confidence that Handala is one of several online personas maintained by Void Manticore, an Iranian state-linked threat actor that has been operating since at least 2022. Void Manticore is tracked across the industry under several names:

  • Void Manticore (Check Point Research)
  • Storm-0842 (Microsoft)
  • Homeland Justice (persona used in the 2022 attacks on Albanian government systems)
  • BANISHED KITTEN (CrowdStrike)
  • Karma (alternate persona)

The group is assessed to operate in alignment with Iran's Ministry of Intelligence and Security (MOIS), acting as a strategic extension of Iranian state interests while maintaining plausible deniability through its hacktivist framing. Their operations are explicitly political: public statements, leak packages, and social media narratives are all designed to align with and amplify Iranian state messaging.

Void Manticore's technical toolkit is layered and evolving:

  • Phishing and credential harvesting using highly convincing current-event lures, often spoofing legitimate security vendors or government agencies
  • Exploitation of unpatched internet-facing services: VPN gateways, web servers, and remote access solutions are common initial access vectors alongside phishing
  • Living-off-the-land lateral movement using PowerShell, scheduled tasks, and native OS tools, minimizing the malware footprint and evading detection
  • Custom multi-stage wiper malware targeting both Windows and Linux environments, including the BiBi wiper family; the 2022 Albania operation used a ZeroCleare-derived wiper
  • Wipers that masquerade as ransomware: they display ransom-style messages, but no decryption mechanism exists. The goal is destruction, not payment
  • Coordinated information operations: exfiltrated data is published to Telegram channels and social media as a deliberate post-compromise phase, designed to amplify political and reputational damage beyond the technical disruption
  • Website defacement for propaganda effect and psychological pressure

How the Attack Was Executed

This is where security teams need to pay close attention. Based on reporting from KrebsOnSecurity, investigators believe the attackers did not deploy traditional wiper malware in the initial phase. Instead, they abused a legitimate Microsoft enterprise tool:


Attack Vector: Microsoft Intune Remote Wipe

Attackers obtained administrative credentials for Microsoft Intune, Microsoft's cloud-based mobile device management (MDM) platform. Using Intune's legitimate remote wipe capability, they issued wipe commands against all managed devices in the Stryker tenant. An Intune wipe is a remote factory reset: the device returns to its out-of-box state and drops out of management, so the data on it is destroyed without any malware ever touching the disk.

Result: Every laptop, phone, and Windows device enrolled in the Stryker Intune tenant was factory reset at essentially the same time. No custom malware was required for the initial deployment.

Claimed scope (Handala's own figures, not independently confirmed): 200,000+ servers, mobile devices, and systems across 79 countries.
Data claimed exfiltrated before the wipe: 50 terabytes.


This attack vector matters because traditional endpoint detection tools are unlikely to flag the initial phase at all. The wipe command arrives on the device as a sanctioned management action from Microsoft's own MDM service, signed and delivered exactly like a routine policy push, so from the endpoint's point of view nothing malicious executed. The only places the attack is visible before devices go dark are the identity and management planes: the sign-in that obtained the admin session, the role that permitted wipes, and the Intune audit log recording each wipe action. That is why access control to MDM admin accounts (phishing-resistant MFA, time-bound privileged role activation, and alerting on bulk device actions) is now a critical priority.
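Because the wipe itself is invisible to endpoint tooling, the practical detection point is the Intune audit log. The script below is an added example written for this article, not code from 7AI or from the original reporting. It runs a simple detection over audit records: it flags any destructive device action (wipe, retire, delete) issued by an identity that is not on an approved list, and it raises a burst alert when one actor issues more than a threshold of such actions within a sliding time window. The record layout loosely follows the Microsoft Graph deviceManagement auditEvent resource (activityDateTime, activityType, actor.userPrincipalName, resources[].displayName), but the sample records are constructed, the activityType strings and the approved-actor list are assumptions, and both must be confirmed against your own tenant before this is turned into a production rule.

```python
"""Detect mass Intune remote-wipe activity from audit events.

Added example for this article; not code from 7AI or Microsoft. Field names
approximate the Microsoft Graph deviceManagement auditEvent resource, but
the events below are constructed and the activityType strings are assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Device actions that destroy data or remove a device from management (assumed strings).
DESTRUCTIVE_ACTIONS = {"wipe ManagedDevice", "retire ManagedDevice", "delete ManagedDevice"}

# Identities permitted to issue wipes, e.g. a helpdesk PIM role (assumed, example.com).
APPROVED_WIPE_ACTORS = {"helpdesk-pim@example.com"}


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_mass_wipe(events, window=timedelta(minutes=10), threshold=5):
    """Return a list of alerts.

    - "unapproved_actor": one per destructive action by an identity not in
      APPROVED_WIPE_ACTORS.
    - "wipe_burst": one per actor the first time the number of devices it
      acted on within `window` reaches `threshold`.
    """
    alerts = []
    recent = defaultdict(deque)   # actor -> deque of (timestamp, device_count)
    burst_alerted = set()

    for ev in sorted(events, key=lambda e: parse_time(e["activityDateTime"])):
        if ev.get("activityType") not in DESTRUCTIVE_ACTIONS:
            continue
        actor_info = ev.get("actor", {})
        actor = (actor_info.get("userPrincipalName")
                 or actor_info.get("applicationDisplayName")
                 or "unknown")
        ts = parse_time(ev["activityDateTime"])
        devices = [r.get("displayName", "?") for r in ev.get("resources", [])]

        if actor not in APPROVED_WIPE_ACTORS:
            alerts.append({"rule": "unapproved_actor", "actor": actor,
                           "time": ts.isoformat(), "devices": devices})

        q = recent[actor]
        q.append((ts, max(1, len(devices))))
        while q and ts - q[0][0] > window:        # drop entries outside the window
            q.popleft()
        affected = sum(n for _, n in q)
        if affected >= threshold and actor not in burst_alerted:
            burst_alerted.add(actor)
            alerts.append({"rule": "wipe_burst", "actor": actor, "count": affected,
                           "window_start": q[0][0].isoformat(), "window_end": ts.isoformat()})
    return alerts


# Constructed sample log: one legitimate helpdesk wipe, one benign config change,
# then eight wipes from a single admin account within 40 seconds.
SAMPLE_EVENTS = [
    {"activityDateTime": "2026-03-11T05:58:10Z", "activityType": "wipe ManagedDevice",
     "actor": {"userPrincipalName": "helpdesk-pim@example.com"},
     "resources": [{"displayName": "LAPTOP-0421"}]},
    {"activityDateTime": "2026-03-11T06:00:00Z", "activityType": "patch DeviceConfiguration",
     "actor": {"userPrincipalName": "intune-admin@example.com"},
     "resources": [{"displayName": "Baseline-Win11"}]},
] + [
    {"activityDateTime": f"2026-03-11T06:01:{5 * i:02d}Z", "activityType": "wipe ManagedDevice",
     "actor": {"userPrincipalName": "intune-admin@example.com"},
     "resources": [{"displayName": f"LAPTOP-{1000 + i}"}]}
    for i in range(8)
]


if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the events would come from the Graph endpoint GET /deviceManagement/auditEvents or from the Intune audit data connector in Microsoft Sentinel, and the burst threshold should be tuned to the largest legitimate bulk action your helpdesk performs. The detection is only useful if it pages someone fast enough to revoke the actor's sessions and role assignment before the command queue drains, which is why it pairs with preventive controls (PIM activation for the Intune Administrator role, phishing-resistant MFA enforced by Conditional Access) rather than replacing them.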
