Stryker Says Malicious File Found During Probe Into Iran-Linked Attack

Summary

Medical technology company Stryker has disclosed technical details of the Iran-linked Handala cyberattack that disrupted operations globally in March. The investigation, conducted with Palo Alto Networks Unit 42 and US government agencies, revealed a custom malicious file used to hide attacker activity; however, no wiper malware or ransomware was deployed. The attackers likely abused Stryker's Microsoft Intune instance after obtaining credentials through infostealer malware, and the FBI has separately published alerts on MOIS-linked malware campaigns using masquerading and persistent implant payloads.

Full text

Medical technology giant Stryker has shared an update regarding its investigation into the recent Iran-linked cyberattack, revealing that a malicious file used by the attackers has been identified. The Stryker incident came to light on March 11, with the hacker group Handala taking credit for the attack. Handala, widely believed to be a hacktivist persona controlled by Iran’s Ministry of Intelligence and Security (MOIS), claimed to have wiped more than 200,000 devices, forcing Stryker to shut down offices in dozens of countries. Some early reports indicated that Handala used wiper malware in the attack — the group has been known to use such malware — but Stryker said it found no evidence of malware or ransomware being deployed on its systems. The most likely scenario based on the evidence available to date is that the hackers wiped systems by abusing Stryker’s Microsoft Intune instance, which is used to remotely manage desktop and mobile endpoints and applications within the organization. There is some indication that Handala leveraged credentials obtained via infostealer malware to gain access. Stryker said the incident disrupted order processing, manufacturing, and shipping. In a statement issued on Monday, the company said it has made “meaningful progress” in restoring impacted systems.Advertisement. Scroll to continue reading. For the first time, the company has also shared some technical information from the investigation into the incident. “Early in our investigation, we believed there was no indication of ransomware or malware,” Stryker said. “Further into the course of our investigation, alongside Palo Alto Networks Unit 42 and other experts, we identified that the threat actor used a malicious file to run commands which allowed them to hide their activity while in our systems.” It added, “To be clear, this file was not capable of spreading — either inside or outside of our environment. Most importantly, at no point has our investigation identified malicious activity directed towards our customers, suppliers, vendors or partners.” Based on this brief description, the malicious file mentioned by Stryker may have been a small custom binary or script rather than actual malware. However, this shows that the hackers deployed their own tools on the compromised systems and did not rely solely on existing software to carry out their activities. In addition to sharing updates on its investigation and restoration efforts, Stryker has made public an assessment from Palo Alto Networks to show that the incident has been contained. The US government has officially linked Handala to Iran’s MOIS and has taken down several websites used by the threat actor. In addition, the FBI has issued an alert sharing information about attacks allegedly carried out by MOIS threat actors such as Handala, including the malware they use. “FBI obtained malware samples through investigations. The samples were categorized as masquerading malware (stage 1), persistent implant (stage 2), and related stage 2 malware that contained additional or unique functions. Stage 1 usually masqueraded as commonly used applications like Pictory, KeePass, and Telegram and contained the binaries for the next stage of malware.The persistent implant malware spawned following the masquerading malware’s execution and possible user interaction with the malicious application. At this stage, the Iran MOIS cyber actors configured a command and control (C2) using a Telegram bot, allowing bidirectional communication between the compromised device and api.telegram[.]org. FBI considered the masquerading malware and persistent implant to be core functionality for the malware campaign.” Stryker has confirmed that it is working with US government agencies in its investigation of the incident, but the malware described in the FBI alert is unlikely to be related to the attack on the medtech company if indeed no malware was involved. Related: Oracle Releases Emergency Patch for Critical Identity Manager Vulnerability Related: Tycoon 2FA Fully Operational Despite Law Enforcement Takedown Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Critical Quest KACE Vulnerability Potentially Exploited in AttacksUS Confirms Handala Link to Iran Government Amid Takedown of Hackers’ SitesAisuru and Kimwolf DDoS Botnets Disrupted in International OperationMarquis Data Breach Affects 672,000 IndividualsCISA Warns of Attacks Exploiting Recent SharePoint VulnerabilityCisco Firewall Vulnerability Exploited as Zero-Day in Interlock Ransomware AttacksIranian Hackers Likely Used Malware-Stolen Credentials in Stryker BreachResearcher Discovers 4th WhatsApp View Once Bypass; Meta Won’t Patch Latest News Mazda Says Employee, Partner Information Stolen in CyberattackRSAC 2026 Conference Announcements Summary (Pre-Event)M-Trends 2026: Initial Access Handoff Shrinks From Hours to 22 SecondsChip Services Firm Trio-Tech Says Subsidiary Hit by Ransomware Aqua’s Trivy Vulnerability Scanner Hit by Supply Chain AttackQNAP Patches Four Vulnerabilities Exploited at Pwn2Own Tycoon 2FA Fully Operational Despite Law Enforcement TakedownOracle Releases Emergency Patch for Critical Identity Manager Vulnerability Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move7AI has appointed Israel Barak as its first Chief Information Security Officer.Brian Harrell has been appointed Chief Security Officer at FirstEnergy.eSentire has named James C. Foster as Chief Executive Officer.More People On The MoveExpert Insights The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• domain — api.telegram[.]org
• malware — Masquerading malware (stage 1)
• malware — Persistent implant (stage 2)