
Iranian Hackers Just Wiped 200,000 Phones Overnight. Here's Exactly How They Did It.


The attack on Stryker wasn't science fiction. It was a single command. And your phone is just as vulnerable.

Handala Manifesto — Posted to Defaced Login Screens Worldwide

2026-03-11

"We announce to the world that, in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success."

"In this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted. Stryker's offices in 79 countries have been forced to shut down."

"All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption."

"The era of the 'Epstein' rings and the demons of our time is over. Even if you close your windows, we will build our nests everywhere. Get ready for the mosquito..."

That message appeared on login screens at offices in 79 countries on Wednesday morning, March 11, 2026. It was signed by Handala, a pro-Iranian hacker group with documented ties to Iran's Ministry of Intelligence and Security.

The company on the receiving end was Stryker Corporation, one of the largest medical device manufacturers on earth. By the time most Americans sat down for breakfast, Stryker's entire global Windows environment was gone. Computers wiped. Servers dark. Phones reset to factory settings. Employees in the US, Ireland, Australia, and India locked out of everything simultaneously.

The era of cyberattacks that just steal your data is over. These attackers didn't want a ransom. They didn't ask for anything. They just turned the lights off.

  • 200K+ devices wiped
  • 50TB of data stolen
  • 79 countries affected

Stryker: A Company Built Into Every Hospital on Earth

Stryker is not a fringe target. With over $25 billion in annual revenue and 56,000 employees spanning 61 countries, it is one of the most deeply embedded companies in global healthcare. It makes the defibrillators in your local ER, the surgical robots in operating rooms, the ambulance stretchers that carry accident victims to the hospital. Its products touch more than 150 million patients every year.

At approximately 3:30 a.m. Eastern time on Wednesday, employees began receiving frantic messages from colleagues around the world. Computers were locking up. Servers were going offline. Mobile phones were flashing unfamiliar logos and wiping themselves clean. A voicemail message at Stryker's main US headquarters told callers the company was experiencing a "building emergency." Staff in Ireland, Stryker's largest hub outside the US, were sent home. More than 5,000 workers in Cork alone were told to communicate via WhatsApp while the company assessed the damage.

In Maryland, the consequences reached past the corporate campus into actual patient care. The state's Institute for Emergency Medical Services sent an urgent alert to hospitals that Stryker's Lifenet electrocardiogram transmission system was "non-functional in most parts of the state." Paramedics were instructed to relay EKG readings verbally over radio until the system was restored.

Stryker confirmed the attack in a LinkedIn statement, describing it as a "global network disruption to our Microsoft environment." The company added it found no evidence of ransomware or traditional malware. As of Thursday morning, the timeline for full restoration is unknown.

"The entire company is at a complete stop. The servers at the DataCenter are inaccessible."

How They Got In: The Microsoft Tool That Became a Weapon

Most cyberattack coverage focuses on viruses, ransomware, and phishing schemes. The Stryker attack was different, and the difference matters enormously.

According to reporting from KrebsOnSecurity, Handala did not deploy malware. They did not need to. Instead, the group gained access to administrator credentials inside Stryker's Microsoft Intune environment, a cloud-based mobile device management platform used by tens of thousands of corporations worldwide.

Intune is designed for exactly this kind of remote control. IT departments use it to push software updates, enforce security policies, lock lost devices, and wipe them remotely. It is a feature, not a vulnerability. An administrator anywhere in the world can log in and issue a single command that every enrolled device obeys immediately, without question, and without notifying the person holding it.

Handala logged in. They issued the command. Two hundred thousand devices obeyed.

Laptops went dark. Phones reset to factory settings. Servers became inaccessible. Reddit threads filled up with Stryker workers describing what they were seeing in real time. Employees who had Microsoft Outlook installed on their personal phones — not even company-issued devices — watched their personal phones get wiped too. Because those phones had Intune installed. And Intune didn't distinguish between corporate property and someone's personal device. It just executed the command.

Your Phone Is Enrolled Too. You Just Don't Know It.

Every standard smartphone sold today is designed, from the factory, to accept remote commands from a server its owner will never see. In a corporate setting, that server belongs to the employer. On a consumer iPhone, it belongs to Apple. On an Android, it belongs to Google.

If you use a company-issued phone, or have ever installed employer apps on your personal device, there is a meaningful chance it is enrolled in an MDM platform. That enrollment means an administrator can locate your device, push software to it, lock it, or wipe it without any action on your part. The command bypasses you entirely. It goes straight to the operating system.

When an administrator account gets compromised — as it did at Stryker — the attacker inherits every permission that IT department ever had. They do not need to hack 200,000 devices individually. They hack the server that controls all of them, and the devices do the rest themselves.

As a security analysis published Wednesday by WION News noted: when an iPhone or Android receives a legitimate wipe command from its trusted MDM server, the operating system obeys immediately and without question. The phone does not warn you. There is no confirmation dialog. The data is just gone.

"Too much of cybersecurity is focused on lower consequence breaches from financially motivated enemies, while we're increasing our exposures to nation states who seek to disrupt and destroy."

— Joshua Corman, cybersecurity expert, via CNN

Handala, the Iran War, and a Growing Target List

Handala is not a new actor. The group surfaced in late 2023 and has been assessed by Palo Alto Networks as an online persona maintained by Void Manticore, a threat group sponsored directly by Iran's Ministry of Intelligence and Security. Their operations historically focused on Israeli targets, including military weather servers, security camera networks in Jerusalem, and an Israeli oil and gas exploration company.

Wednesday's attack marks a significant escalation. It is among the first major pro-Iranian cyberattacks against US corporate infrastructure since the US and Israel began military operations against Iran last month. The group cited the American bombing of a girls' school in Minab, Iran on March 3, which killed more than 170 people, most of them children. The New York Times reported Wednesday that a US military investigation has concluded the United States was responsible for the Tomahawk missile strike.

The connection to Stryker appears partly opportunistic and partly deliberate. The company acquired Israeli medical tech firm OrthoSpace in 2019, a detail the Handala manifesto referenced directly.

[Image caption: IRGC Published Target List, US Tech Infrastructure]

The broader threat picture has darkened considerably. Iran's Islamic Revolutionary Guard Corps issued a formal warning this week that US and Israeli-linked "economic centers and banks" across the region are now legitimate targets. State-affiliated Iranian media published the target list above, describing these companies' regional infrastructure as "Iran's new targets." An Iranian security source told Al Jazeera the conflict was entering "a new phase."

What This Means for the Phone in Your Pocket

The Stryker attack is a clean illustration of a threat that has existed for years but rarely gets discussed plainly.

Every standard smartphone sold today is designed to accept remote commands from a server its owner will never control. In a corporate setting, that server belongs to the employer. On a consumer phone, it belongs to Apple or Google. When nation-state actors start targeting that infrastructure, the architecture stops being invisible and starts being a liability. Not a theoretical liability. A documented, verified, Wednesday-morning liability that knocked out a $25 billion company before most of America had poured its first cup of coffee.

The question worth asking is a simple one: when the next attack happens, whose side is your phone on?

If you've been thinking about that question lately, the Ghost Phone was built for exactly this moment. No MDM. No remote wipe command. No server that someone else controls.


Sources: KrebsOnSecurity, TechCrunch, CNN, Bloomberg, Al Jazeera, SecurityWeek, Zetter Zero Day, WION News, The New York Times
