They Used Your Own Tools Against You
An Iranian hacking group just wiped 200,000 devices at a $100 billion medical company. They didn’t use malware. They used Microsoft Intune.
On Tuesday morning, employees at Stryker Corporation’s headquarters in Cork, Ireland walked into work and found every screen displaying the same image: a cartoon of a barefoot boy staring defiantly over his shoulder.
Their laptops wouldn’t boot. Their phones had been factory reset. Manufacturing systems across 79 countries: offline. The cartoon was the logo of Handala Hack Team. And the tool they used to pull it off? The same one Stryker’s own IT department uses every day to manage its devices.
Microsoft Intune.
Handala didn’t deploy custom malware. They didn’t need a zero-day exploit. They compromised Stryker’s Intune administration and pushed legitimate remote wipe commands to every enrolled device: Windows, macOS, iOS, Android. Laptops, phones, tablets. 200,000 devices, according to Handala’s claim. Including employees’ personal devices.
Stryker (NYSE: SYK), a $100 billion medtech company with 56,000 employees, told workers to immediately uninstall Intune, Company Portal, Teams, and VPN apps from their personal phones. Employees resorted to WhatsApp to communicate. SYK shares dropped roughly 4.5%. Ireland’s National Cyber Security Centre was notified.
This is the first confirmed large-scale weaponization of enterprise device management in a cyber attack. And it should concern anyone running Intune, Jamf, SCCM, Google Workspace MDM, or any other platform that has remote wipe authority over your fleet.
Want to make sure that your company isn’t the next target? We built a complete intelligence package to help you respond to 4 of the top Iranian cyber threat groups: situation reports, threat actor profiles, and hunting queries you can run today (click on the image below):
(Alternative link: https://intruvent.com/iran-cyber-threat/)
This Isn’t a Hacktivist Group
This isn’t a ransomware operation. This is a skilled, determined nation-state actor, one of many professional threat actor groups that work for the Iranian government.
Handala is the latest persona for this adversary; the name comes from Naji al-Ali’s famous 1969 political cartoon character, a ten-year-old refugee.
Check Point Research connected Handala to Void Manticore in May 2024. Void Manticore, also tracked as Storm-0842 by Microsoft and BANISHED KITTEN by CrowdStrike, is a destructive operations unit inside Iran’s Ministry of Intelligence and Security (MOIS). They operate under the Counter-Terrorism Division, led by Seyed Yahya Hosseini Panjaki, a sanctioned intelligence official who also goes by “Seyed Yahya Hamidi.”
Here’s how the MOIS model works. One unit, Scarred Manticore (Storm-0861), handles the espionage phase: breaking in, establishing persistent access, collecting intelligence. When Tehran decides it’s time to break things, that access gets handed off to Void Manticore for the destructive phase. Check Point calls it the “one-two punch” model. It was used in the 2022 Albania campaign. It’s been used repeatedly against Israel. The gap between initial intrusion and destruction can exceed twelve months.
Before Handala, this same unit operated as “HomeLand Justice” (Albania), “Karma”, and “DarkBit”.
The Escalation Arc You Should Know
Void Manticore’s capabilities have gotten steadily more dangerous since 2022. Here’s the trajectory:
Albania, July 2022: CL Wiper and GoXML ransomware against government systems. Entry via a SharePoint vulnerability. CISA published a full advisory (AA22-264A) after the FBI confirmed Iranian state attribution.
Israel, October 2023: BiBi-Linux — their first custom wiper targeting Israel, named to mock PM Netanyahu. Corrupts files with random data and slaps on a “.BiBi” extension. A Windows variant followed within weeks.
Early 2024, Operation HamsaUpdate: Supply-chain-style delivery. Wipers disguised as security updates. Both Windows and Linux variants. Telegram bots for command and control.
July 2024, The CrowdStrike Lure: When CrowdStrike’s Falcon agent caused a global outage, Handala exploited the chaos within hours. Phishing emails from a spoofed domain delivered a wiper through a sophisticated chain that included Bring Your Own Vulnerable Driver (BYOVD) for privilege escalation and a technique that copies a clean .text section over the hooked version to neutralize endpoint detection.
Late 2024: Check Point observed Void Manticore pairing the commercial Rhadamanthys infostealer with custom wipers. Researchers described this as a shift from imitating cybercriminals to actively leveraging the cybercrime ecosystem.
January 2025, School Sirens: Handala hijacked emergency PA systems in 20 Israeli kindergartens, broadcasting rocket sirens and audio on a Sunday morning. A mass SMS campaign followed.
March 11, 2026, Stryker: MDM weaponization. No custom malware required.
Look at that arc. Web shells in 2022. Custom wipers in 2023. Supply-chain delivery in 2024. Psychological warfare in 2025. Legitimate enterprise tool weaponization in 2026. Each phase more operationally sophisticated than the last.
Why This Changes the Threat Model
The Stryker attack inverts a fundamental assumption in endpoint security: that your management tools are on your side.
Every organization running Intune has given it the ability to remotely wipe any enrolled device. That is one of the main functions of enterprise MDM. IT teams use it daily: offboarding employees, handling lost devices, enforcing compliance. The capability isn’t a vulnerability. It’s a feature.
But when an attacker gains Intune administrative access, every enrolled device becomes a target for destruction with a single API call. No malware to deploy. No EDR to evade. No YARA rules to match. The wipe command comes from a trusted source through a trusted channel, executed by a trusted agent already installed on every device.
The Microsoft Graph API exposes this programmatically. An attacker with a compromised admin token or service principal can script a POST request to /deviceManagement/managedDevices/{id}/wipe and hit every device in the tenant. The entire operation can be automated.
For the technically curious: passive analysis of public data on Stryker’s external footprint shows a cloud-first environment: Azure, M365, Entra ID. No internet-facing Pulse Secure, Fortinet, PAN-OS, or Citrix appliances visible in public scan data. That’s significant because Scarred Manticore’s standard playbook relies on exploiting perimeter VPN appliances. Those targets don’t appear to exist here.
The most probable initial access path? Cloud identity compromise: adversary-in-the-middle phishing to hijack Entra ID session tokens, credential stuffing, or OAuth consent phishing. All well-documented in the Iranian state playbook.
[Editor’s note: we wrote about the “red hot” AiTM technique family in Tuesday’s edition of Prevent This. If a small firm like Intruvent has multiple cases in our lab where AiTM was the vector, it shows that it is VERY widespread.]
One more data point. Stryker disclosed a data breach affecting the period May through June 2024. That timeline aligns uncomfortably well with Scarred Manticore’s documented persistence model: 12+ months of silent access before handoff to the destructive team. Whether that 2024 breach was the initial intrusion that enabled the March 2026 handoff remains unconfirmed. But that pattern fits, too.
The Bigger Picture: Operation Epic Fury
The Stryker attack didn’t happen in a vacuum.
On February 28, the US and Israel launched Operation Epic Fury: a coordinated military campaign against Iranian military infrastructure. US Cyber Command degraded Iran’s internet connectivity to 1-4%. Supreme Leader Khamenei was killed in a targeted strike.
Within hours, Iran activated the Electronic Operations Room on Telegram to coordinate retaliatory cyber operations. Palo Alto’s Unit 42 counted approximately 60 hacktivist groups mobilized under this umbrella, though CrowdStrike assessed that much of the activity was claim-driven rather than evidence-backed.
Handala’s claims were different. Handala backed them up with confirmed destruction.
Twelve days in, the military situation continues to escalate. CENTCOM reports 5,500+ targets struck. Iran’s True Promise IV missile campaign has reached 37 waves. Israeli forces have entered southern Lebanon. Oil prices spiked to $119/barrel before the IEA released 400 million barrels from strategic reserves. Iranian drones struck three AWS data centers in the UAE and Bahrain. The Strait of Hormuz remains effectively closed.
Mojtaba Khamenei, the killed Supreme Leader’s son, was named as Iran’s third Supreme Leader on March 8. The IRGC pledged full obedience. Iran’s Foreign Minister stated that Iran is not seeking a ceasefire.
In this environment, cyber operations aren’t a side note. They’re a primary instrument of Iranian asymmetric response.
We published a comprehensive situation report on the Iran conflict that covers all of this and more — including a full sector risk assessment and 19-action response framework. It’s available free and ungated on our new Iran Cyber Threat Intelligence Center.
What Should You Do Right Now
If you run Intune or any MDM platform:
Restrict remote wipe permissions to the absolute minimum number of accounts
Require approval workflows for bulk device actions
Enforce phishing-resistant MFA on all admin accounts: not SMS, not push notifications, but FIDO2 or Windows Hello for Business
Implement Conditional Access policies requiring compliant, managed devices for admin portal access
Enable Privileged Identity Management (PIM) with time-limited activations
Segment MDM administrative access from general IT accounts
Review your BYOD enrollment: ensure personal devices use MAM-only (App Protection Policies) rather than full MDM, so a compromised admin can’t wipe employees’ personal data
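The permission and approval controls above reduce who can issue a wipe; the other half is noticing when the same Graph wipe call described earlier starts arriving in bulk. The following is an added example, not code from this article, from Intruvent, or from Microsoft: it runs a bulk-wipe and unapproved-principal check over a handful of constructed audit records shaped like what Microsoft Graph returns from /deviceManagement/auditEvents. The exact activityType strings, the approved-admin list, the threshold and the window are assumptions chosen for illustration.

```python
"""Flag unapproved or bulk Intune remote-wipe activity from audit events.

Added example. The sample records are constructed and only resemble the
Microsoft Graph auditEvent resource; activityType strings are assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Device actions that destroy data on the endpoint (assumed strings).
DESTRUCTIVE_ACTIONS = {"wipeManagedDevice", "retireManagedDevice"}

# Principals approved to issue wipes (assumption: a small, named set).
APPROVED_WIPE_ADMINS = {"mdm-ops@contoso.example"}

# More than this many devices wiped by one principal inside WINDOW is "bulk".
BULK_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def make_event(when, principal, action, device_names):
    """Build one constructed audit record in a Graph-like shape."""
    return {
        "activityDateTime": when,
        "activityType": action,
        "actor": {"userPrincipalName": principal},
        "resources": [{"displayName": d} for d in device_names],
    }


def principal_of(event):
    actor = event.get("actor", {})
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "unknown"


def parse_time(stamp):
    # Graph emits ISO 8601 with a trailing Z; normalise for fromisoformat.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def analyze(events):
    """Return findings as (severity, principal, detail) tuples, in time order."""
    findings = []
    windows = defaultdict(deque)   # principal -> timestamps of recent wipes
    flagged_unapproved, flagged_bulk = set(), set()
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        if ev.get("activityType") not in DESTRUCTIVE_ACTIONS:
            continue   # sync, restart, etc. are not destructive
        who = principal_of(ev)
        ts = parse_time(ev["activityDateTime"])
        n_devices = max(len(ev.get("resources", [])), 1)
        # Check 1: a wipe from anyone outside the approved set is suspicious.
        if who not in APPROVED_WIPE_ADMINS and who not in flagged_unapproved:
            flagged_unapproved.add(who)
            findings.append(("high", who,
                             f"{ev['activityType']} issued by a principal not approved for wipes"))
        # Check 2: sliding window of devices wiped by this principal.
        win = windows[who]
        win.extend([ts] * n_devices)
        while ts - win[0] > WINDOW:
            win.popleft()
        if len(win) > BULK_THRESHOLD and who not in flagged_bulk:
            flagged_bulk.add(who)
            findings.append(("critical", who,
                             f"{len(win)} devices wiped within {WINDOW}"))
    return findings


# Constructed sample: one routine offboarding wipe, then a burst from an
# account that was never approved to wipe anything.
SAMPLE_EVENTS = [
    make_event("2026-03-10T09:02:11Z", "mdm-ops@contoso.example", "wipeManagedDevice", ["LAPTOP-0412"]),
    make_event("2026-03-11T06:41:03Z", "svc-intune-sync@contoso.example", "wipeManagedDevice", ["LAPTOP-1007"]),
    make_event("2026-03-11T06:41:05Z", "svc-intune-sync@contoso.example", "wipeManagedDevice", ["LAPTOP-1008", "LAPTOP-1009"]),
    make_event("2026-03-11T06:41:08Z", "svc-intune-sync@contoso.example", "wipeManagedDevice", ["IPHONE-2201"]),
    make_event("2026-03-11T06:41:09Z", "svc-intune-sync@contoso.example", "wipeManagedDevice", ["LAPTOP-1010", "MAC-0330"]),
    make_event("2026-03-11T06:41:30Z", "svc-intune-sync@contoso.example", "retireManagedDevice", ["ANDROID-0555"]),
    make_event("2026-03-11T07:15:00Z", "helpdesk@contoso.example", "syncManagedDevice", ["LAPTOP-0412"]),
]

if __name__ == "__main__":
    for severity, who, detail in analyze(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {who}: {detail}")
```

The threshold and window are tuning knobs: a real IT team does offboard people in batches, so set BULK_THRESHOLD from your own audit history rather than from this sample. The same two checks translate directly into a scheduled query against the audit log export your SIEM already ingests.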
If you have exposure to the conflict (reports state that ALL US AND ISRAELI BUSINESSES are targets):
If you can, elevate SOC to 24/7 staffing
Alert/Activate incident response retainers. At the very least, get your responders to a ready state. Better yet, see if they can do a Compromise Assessment for you.
Review cloud infrastructure for single-region Middle East dependencies
Assess supply chain exposure to Strait of Hormuz disruption
Brief executive leadership on the sustained nature of the threat — a diplomatic resolution is assessed as very unlikely within 30 days
Deploy the hunting queries on our Iran Cyber Threat Intelligence Center. We’ve published copy-paste-ready KQL and Sigma detection rules for Handala’s MDM weaponization, Lemon Sandstorm’s VPN exploitation, Agrius wiper families, and MuddyWater’s RMM tool abuse.
What Else Is Moving
Handala is the loudest actor in this conflict (to date), but not the only one. MuddyWater is deploying new Dindoor and FakeSet backdoors against US financial and aviation targets. Lemon Sandstorm has been pre-positioned inside Western critical national infrastructure for at least two years and may activate dormant access for disruptive ICS/SCADA operations. Agrius is assessed as likely to target energy and financial services within the next 30 days. CrowdStrike recently identified a new group, Hydro Kitten, targeting Western financial services.
We’ve published full threat actor profiles and hunting guides for each of these groups. All TLP:CLEAR. All free and ungated. Go get them:
intruvent.com/iran-cyber-threat
The Bottom Line
Handala spent two years conducting psychological warfare and operating under multiple personas. The Stryker attack shows they’ve crossed a capability threshold.
MDM weaponization requires no custom malware, no zero-day exploits, and no advanced tradecraft. It requires administrative access to a platform that already has permission to wipe every device in your organization.
The countermeasures aren’t exotic. They’re the same controls security teams have been advocating for years: least privilege, phishing-resistant MFA, just-in-time access, conditional access policies, and monitoring for anomalous admin actions. The difference is that, as of March 11, 2026, those controls are no longer theoretical best practices. They’re the difference between operations continuing and 200,000 devices going dark.
If your Intune admin accounts are protected by SMS-based MFA and permanently assigned Global Administrator roles, you already know what needs to change.
Stay vigilant. Stay prepared. And stay tuned.
Research Sources: CISA Advisory AA22-264A, Check Point Research, Palo Alto Unit 42, Splunk, Trellix, Intezer, SecurityJoes, BlackBerry Research, Krebs on Security, Zetter Zero Day
For the complete IOC list, detection queries, and hunt procedures, visit the Iran Cyber Threat Intelligence Center.