Stryker says a malicious file used by attackers has been identified during its probe into the Iran-linked attack, a development disclosed in a SecurityWeek update on 24 March 2026. Handala, widely believed to be a hacktivist persona linked to Iran’s Ministry of Intelligence and Security, claimed to have wiped more than 200,000 devices and forced Stryker to shut down offices in dozens of countries.
Stryker added that there was no evidence of malware or ransomware being deployed on its systems. The most likely scenario is that the hackers wiped systems by abusing Stryker’s Microsoft Intune platform, and there is some indication that credentials obtained via infostealer malware were used to gain access.
Early in the investigation, Stryker believed there was no ransomware or malware, but later found that the threat actor used a malicious file to run commands and hide activity within its environment; the file was not capable of spreading inside or outside the organisation. The FBI has issued an alert related to the attacks, and the US government has officially linked Handala to Iran’s MOIS.