Stryker has suffered a major cyberattack involving wiper malware claimed by Handala, a pro-Palestinian hacktivist group linked to Iran.
Handala
Handala is described in the provided content both as an Iran-aligned cyber group/pro-Palestinian hacktivist persona linked to Iran and as a destructive malware/wiper family used in disruptive operations.
Profile source: Mallory opens in a new tabHandala
Family profile
Handala is described in the provided content both as an Iran-aligned cyber group/pro-Palestinian hacktivist persona linked to Iran and as a destructive malware/wiper family used in disruptive operations. The malware is characterized as a destructive wiper capable of irreversibly wiping data from infected systems, rendering systems inoperable, spreading rapidly across networks, and using evasion techniques. Splunk’s 2024 analytics story on the Handala wiper states defenders should monitor for unexpected regasm processes, unauthorized AutoIt script execution, malicious driver drops, abrupt system slowdowns, and creation of unknown files or processes. The content says Handala has been used against critical infrastructure and organizations and can cause major disruption, downtime, financial loss, data loss, and compromise of sensitive information.
The content also links Handala to healthcare-sector targeting. It states that Handala, described there as an Iran-aligned cyber group, targeted a medical technology organization in 2026 with data exfiltration and destructive actions. A separate report says Stryker suffered a major cyberattack involving wiper malware claimed by Handala; Handala allegedly claimed theft of 50 TB of data and wiping of more than 200,000 systems, servers, and mobile devices, while Stryker confirmed a global disruption affecting its Microsoft environment.
A more detailed intrusion chain in the content associates the name Handala with a Delphi-coded second-stage loader observed in Operation HamsaUpdate, a phishing campaign targeting Israeli customers using F5-themed lures. In that campaign, Windows victims were instructed to execute a ZIP-delivered .NET loader masquerading as an F5 update tool. One variant extracted Handala.exe, a Delphi second-stage loader, which launched an AutoIt-based injector chain. The chain used a renamed AutoIt interpreter (Naples.pif) and an obfuscated script to inject RC4-decrypting shellcode, decompress payloads with LZNT1, and communicate over HTTPS with 31.192.237[.]207:2515. In the same campaign, the Windows wiper payload Hatef overwrote files with random data and deleted them across key directories and drives, while the Linux payload Hamsa used a heavily obfuscated bash script to delete user accounts, wipe home directories, destroy partitions, delete system binaries, and reboot the host. Both variants reported execution details to a Telegram bot/channel identified in the content. The report notes that a group calling itself "Handala Hack Team" claimed responsibility, but also states there was insufficient basis for attribution and that a false hacktivist persona was possible.
PolySwarm telemetry cited in the content observed continued circulation of HANDALA alongside other destructive and criminal malware families during the period leading up to and coinciding with the 2026 FIFA World Cup.
Ransomware.live
Operational record
Reported operators
Threat actors
1 named in public reportingMITRE ATT&CK
Handala in ATT&CK
9 distinct techniquesReporting
Research mentioning Handala
Beyond the Pitch: Assessing Cyber Risks to the 2026 FIFA World Cup
PolySwarm telemetry observed continued circulation of malware families associated with prior destructive attacks, credential theft, and extortion operations during the period leading up to and coinciding with the tournament, including HANDALA, OlympicDestroyer, NKWIPER, HermeticWiper, RedLine, and BlackCat.
Critical Condition: The 2026 Healthcare Cyber Threat Landscape
Handala is an Iran-aligned cyber group conducting disruptive operations with political messaging.
The Good, the Bad and the Ugly in Cybersecurity - Week 11
Stryker has suffered a major cyberattack involving wiper malware claimed by Handala, a pro-Palestinian hacktivist group linked to Iran.
Analytics Story: Handala Wiper | Splunk Security Content
Handala Destructive Wiper is a potent malware strain known for its destructive capabilities. It targets and irreversibly wipes data from infected systems, rendering them inoperable.
Operation HamsaUpdate: A Sophisticated Campaign Delivering Wipers Puts Israeli Infrastructure at Risk - Intezer
“During our analysis, we unearthed a second-stage loader coded in Delphi—which spearheads the execution of an AutoIt injector. This injector has been given the name ‘Handala’.”