Stryker Hit by Wiper Malware Attack Claimed by Iranian-Linked Hacktivist Group Handala
Stryker Corporation, one of the world’s largest medical technology companies, is reportedly dealing with a major cyberattack involving destructive wiper malware that has disrupted operations across its global network. The attack has been claimed by Handala, a hacktivist group believed to have links to Iran and known for conducting politically motivated cyber operations against corporate and infrastructure targets.
The group claims it infiltrated Stryker’s internal network, exfiltrated approximately 50 terabytes of sensitive corporate data, and deployed malware designed to wipe tens of thousands of systems. According to statements released by the attackers, more than 200,000 endpoints, including servers, laptops, and mobile devices, were erased during the operation, triggering widespread outages across the company’s international infrastructure.
Stryker, a Fortune 500 company headquartered in the United States, manufactures surgical tools, orthopedic implants, neurotechnology systems, and hospital equipment used by healthcare providers worldwide. The company reported global revenue of $22.6 billion in 2024 and operates in dozens of countries, making the scale of the disruption particularly significant.
Attack reportedly wiped thousands of corporate devices
The attack appears to have involved large-scale remote wiping of corporate endpoints managed through enterprise device management systems. Employees across multiple regions reported that company-issued laptops and managed mobile devices were suddenly reset overnight, causing widespread data loss and forcing many staff members offline.
Some employees also reported that personal mobile devices enrolled in the company’s mobile device management environment were remotely wiped after the attack triggered mass device resets. These reports suggest the attackers may have gained administrative access to Stryker’s endpoint management infrastructure, allowing them to deploy destructive commands across thousands of devices simultaneously.
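A defender can watch for this pattern by alerting when a single administrative account issues wipe commands to many distinct devices in a short window. The sketch below is an added example, not taken from Stryker or any vendor; the log format, account names, device IDs, action names, and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data in a hypothetical export format:
# "<UTC timestamp> <admin account> <action> <device id>"
SAMPLE_LOG = """\
2025-01-10T09:14:02Z helpdesk1@example.test wipe LAPTOP-0007
2025-01-10T13:40:51Z helpdesk1@example.test wipe PHONE-0112
2025-01-11T02:03:10Z svc-admin@example.test sync LAPTOP-0001
2025-01-11T02:03:11Z svc-admin@example.test wipe LAPTOP-0001
2025-01-11T02:03:12Z svc-admin@example.test wipe LAPTOP-0002
2025-01-11T02:03:12Z svc-admin@example.test wipe PHONE-0003
2025-01-11T02:03:14Z svc-admin@example.test wipe LAPTOP-0004
2025-01-11T02:03:15Z svc-admin@example.test wipe PHONE-0005
this line is malformed and is skipped
"""

DESTRUCTIVE = {"wipe", "factory_reset"}  # assumed action names

def parse_line(line):
    """Return (timestamp, actor, action, device), or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]

def detect_wipe_bursts(log_text, window=timedelta(minutes=5), threshold=5):
    """Flag each actor the first time it wipes >= threshold distinct devices within window."""
    recent = defaultdict(deque)  # actor -> (timestamp, device) pairs inside the window
    alerts = {}                  # actor -> (alert time, sorted device list)
    events = sorted(filter(None, map(parse_line, log_text.splitlines())))
    for ts, actor, action, device in events:
        if action not in DESTRUCTIVE or actor in alerts:
            continue
        q = recent[actor]
        q.append((ts, device))
        while ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        devices = {d for _, d in q}
        if len(devices) >= threshold:
            alerts[actor] = (ts, sorted(devices))
    return alerts

if __name__ == "__main__":
    for actor, (ts, devices) in detect_wipe_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ts.isoformat()}Z {actor}: {len(devices)} devices wiped in burst")
```

In practice the threshold should sit well above normal helpdesk volume, and an alert like this is most useful when paired with an approval step or rate limit on bulk wipe actions.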
In addition to device wiping, the attackers allegedly defaced the company’s Microsoft Entra login portal by displaying the Handala logo. Identity systems such as Entra, which manage authentication and access across enterprise applications, are often prime targets in large-scale cyber intrusions because control of identity infrastructure can enable attackers to manipulate or disable large portions of a corporate network.
Operations disrupted across multiple countries
Employees from several regions, including the United States, Ireland, Costa Rica, and Australia, reported that internal systems became inaccessible following the attack. In some locations, staff were forced to revert to manual processes after business applications and internal services were rendered unavailable.
Reports from affected offices indicated that Stryker instructed employees to remove corporate applications and device management tools from personal devices, including collaboration platforms, VPN clients, and mobile management software. These measures are often taken during cyber incidents to prevent further propagation of malicious activity through corporate mobile infrastructure.
Internal communications circulated to employees described the event as a severe global disruption impacting corporate laptops and network-connected systems. According to reports, the company engaged Microsoft to assist with incident response and recovery efforts while attempting to restore affected infrastructure.
Large multinational organizations often rely on centralized identity and endpoint management systems to maintain security across global operations. While these platforms provide powerful control over distributed devices, they can also become high-impact attack vectors if compromised.
Hacktivist group Handala claims responsibility
The cyberattack has been claimed by Handala, a hacktivist group that emerged in late 2025 and is believed by researchers to be linked to Iran’s Ministry of Intelligence and Security. The group has previously conducted cyber operations targeting Israeli organizations, government entities, and companies connected to regional geopolitical conflicts.
Handala is known for deploying destructive malware designed to wipe both Windows and Linux systems while simultaneously stealing sensitive data from compromised networks. This combination of data theft and destructive activity reflects a strategy intended to maximize both operational disruption and reputational damage for targeted organizations.
In its public statement regarding the Stryker incident, the group claimed that the attack forced the shutdown of company offices across 79 countries. While these claims have not been independently verified in full, reports from employees and internal communications suggest the attack had a significant operational impact.
Wiper malware attacks are growing in frequency
Wiper malware differs from traditional ransomware because its primary goal is destruction rather than financial extortion. Instead of encrypting systems and demanding payment for recovery, wipers erase data and render devices unusable, often leaving organizations with limited recovery options.
Such attacks have historically been associated with state-sponsored cyber operations and geopolitical conflicts. Over the past decade, wiper campaigns have targeted critical infrastructure, financial institutions, government agencies, and technology companies across multiple regions.
The use of wiper malware against a global healthcare technology provider highlights how cyber operations can extend beyond government targets to include private sector organizations with significant international presence.
Security experts note that wiper attacks can be particularly damaging for organizations with complex operational environments, as recovery may require rebuilding large numbers of systems from scratch while simultaneously investigating how the attackers gained access.
Recovery efforts and ongoing investigation
Stryker has reportedly begun large-scale recovery operations to restore systems affected by the incident. Restoring enterprise infrastructure after a destructive cyberattack often involves rebuilding servers, re-enrolling devices into management platforms, and conducting extensive security audits to ensure attackers no longer have access.
Investigations into the attack are ongoing, with cybersecurity teams analyzing how the attackers initially gained access to the network and how they were able to deploy destructive commands across the organization’s infrastructure.
The incident underscores the growing risk posed by politically motivated cyber operations targeting large multinational corporations. As geopolitical tensions increasingly spill into cyberspace, companies operating global digital infrastructure face rising threats from sophisticated attackers capable of combining espionage, sabotage, and data theft within a single campaign.