👤 AGONY
🗓️ 24 Mar 2026   🌍 Middle-East

Inside the Stryker Breach: How Iranian Hackers Used a Hidden File to Paralyze a Medical Tech Giant

Stryker’s investigation reveals the attackers’ stealthy tactics, sparking concerns over the evolving playbook of Iran-linked cyber threats.

It was a Monday morning when Stryker, a global leader in medical technology, woke up to a nightmare: offices shuttered across continents, order processing crippled, and a notorious Iranian-linked hacktivist group claiming to have wiped hundreds of thousands of devices. Yet, as the dust settles, the true story of what happened inside Stryker’s networks is more nuanced - and potentially more alarming - than early headlines suggested.

When the Handala group - believed to be an Iran-backed persona - announced it had devastated Stryker’s IT infrastructure, the cybersecurity world braced for a classic wiper malware scenario. Handala’s history of using destructive code to erase data from victim networks made this assumption logical. Yet Stryker’s forensic teams, joined by experts from Palo Alto Networks Unit 42, found no evidence of traditional malware or ransomware.

Instead, the attackers’ weapon of choice was more subtle: a custom malicious file, likely a lightweight binary or script, designed not to spread but to execute commands and erase traces of the hackers’ presence. This file allowed the threat actors to operate under the radar, leveraging Stryker’s own Microsoft Intune - a legitimate tool for managing company devices - to wipe systems remotely. The hackers are suspected to have obtained access through credentials stolen by infostealer malware, not by directly infecting Stryker’s environment with new malware strains.

While the technical sophistication of the attack is notable, what sets it apart is the blurring line between traditional malware attacks and “living off the land” tactics. By using Stryker’s own infrastructure against itself and minimizing the use of detectable malicious code, the attackers complicated both detection and response.
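As an added example (not code from the article, Stryker, Unit 42 or Microsoft), the following Python triage script looks for the pattern described above in Intune audit records: one account issuing many remote wipes within a short window. The record fields are an assumption loosely modelled on the Microsoft Graph deviceManagement auditEvent shape, and the sample events are constructed.

```python
# Added, constructed example (not Stryker's, Unit 42's or Microsoft's code).
# Record shape is an assumption loosely following Graph auditEvent fields
# (activityType, activityDateTime, actor.userPrincipalName, actor.ipAddress).
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_ACTIONS = ("wipe", "retire")  # substrings matched in activityType
# Constructed audit records: one admin doing routine single wipes, and one
# account issuing many wipes within minutes (the mass-wipe pattern).
SAMPLE_EVENTS = [
    {"activityType": "wipe", "activityDateTime": "2026-03-20T09:00:00Z",
     "actor": {"userPrincipalName": "helpdesk@example.test", "ipAddress": "10.1.1.5"}},
    {"activityType": "wipe", "activityDateTime": "2026-03-21T14:30:00Z",
     "actor": {"userPrincipalName": "helpdesk@example.test", "ipAddress": "10.1.1.5"}},
] + [
    {"activityType": "wipe",
     "activityDateTime": f"2026-03-23T02:{m:02d}:00Z",
     "actor": {"userPrincipalName": "it-admin@example.test", "ipAddress": "203.0.113.9"}}
    for m in (10, 11, 11, 12, 13, 14)
]

def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamp used in the audit records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return (upn, ip, count, window_start) for each actor whose wipe/retire
    actions reach `threshold` inside any sliding window of length `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        activity = ev.get("activityType", "").lower()
        if not any(k in activity for k in WIPE_ACTIONS):
            continue
        key = (ev["actor"]["userPrincipalName"], ev["actor"].get("ipAddress", ""))
        by_actor[key].append(parse_ts(ev["activityDateTime"]))
    alerts = []
    for (upn, ip), times in by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((upn, ip, end - start + 1, times[start].isoformat()))
                break  # one alert per actor is enough for triage
    return alerts

if __name__ == "__main__":
    for upn, ip, n, since in find_wipe_bursts(SAMPLE_EVENTS):
        print(f"ALERT {upn} from {ip}: {n} wipe actions since {since}")
```

Routine one-off wipes by the helpdesk account stay silent; the burst from the second account trips the threshold and surfaces the source IP for the responder to compare against known admin locations.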

Despite early chaos, Stryker reports “meaningful progress” in restoring systems. Importantly, the company asserts that there is no evidence the attack targeted or compromised data belonging to customers, suppliers, or partners. Nevertheless, the incident has triggered a broader conversation about the evolving nature of state-linked cyber threats and the risks posed to critical health infrastructure.

The US government has linked Handala to Iran’s intelligence apparatus and taken down several of its online assets. Meanwhile, the FBI continues to warn organizations about the group’s evolving tactics, which often involve malware disguised as legitimate applications and persistent implants capable of bidirectional communication with command servers.

As the dust settles, Stryker’s ordeal stands as a warning: in the shadowy world of cyber conflict, sometimes the most dangerous threats are the ones that don’t look like malware at all. The playbook is changing - and defenders must adapt just as quickly as the attackers.

WIKICROOK

  • Wiper Malware: Wiper malware is malicious software that permanently deletes or corrupts files, making recovery impossible and causing severe data loss or system disruption.
  • Infostealer Malware: Infostealer malware is malicious software that covertly gathers sensitive information, like passwords and financial data, from infected computers.
  • Microsoft Intune: Microsoft Intune is a cloud-based tool for managing and securing devices, apps, and users, helping organizations protect data and ensure compliance.
  • Living off the Land: Living Off the Land means attackers use trusted, built-in system tools for malicious purposes, making their activities harder to detect.
  • Command and Control (C2): Command and Control (C2) is the system hackers use to remotely control infected devices and coordinate malicious cyberattacks.

AGONY
Elite Offensive Security Commander