Handala Wiped 200,000 Stryker Devices Using Microsoft Intune — No Malware Needed

Abhishek Gautam, 8 min read

Quick summary

Iran-linked Void Manticore wiped 200,000 Stryker systems using Microsoft Intune MDM admin access. No wiper malware — just abused cloud tooling. Here is the full attack breakdown for developers.

Iran-linked threat actor Handala — the public persona of Void Manticore, a unit within Iran's Ministry of Intelligence and Security — wiped 200,000 systems, servers, and mobile devices at Stryker Corporation in March 2026. The attack did not use custom wiper malware. It used Microsoft Intune, Stryker's own mobile device management platform, with admin-level credentials. The result was identical to a wiper attack but left almost no malware artifacts to analyze.

What Stryker Is and Why Iran Targeted It

Stryker Corporation is a Fortune 500 medical technology company headquartered in Kalamazoo, Michigan. Revenue: $25 billion annually. Employees: 56,000 across 79 countries. Products include surgical robots, hip and knee implants, hospital beds, and emergency medical equipment used in both civilian hospitals and military medical supply chains.

The targeting rationale is documented in Handala's own communications. Stryker holds a $450 million U.S. military medical supply contract — making it part of the military-industrial infrastructure that Iran designates as legitimate retaliation targets. Stryker also acquired Israeli orthopedic firm Orthospace in 2019, which Handala explicitly cited as a second justification.

The timing connects to a February 28 missile strike on a school in Iran that killed 175 people. Handala announced the Stryker operation as direct retaliation within two weeks. Palo Alto Networks Unit 42 published a threat brief on March 26 titled "March 2026 Escalation of Cyber Risk Related to Iran" covering this campaign.

The Intune MDM Attack Vector — No Malware Required

This is the technically significant part. Traditional wiper malware — the kind deployed in the 2022 Ukraine attacks (HermeticWiper, CaddyWiper) or the 2012 Saudi Aramco Shamoon attack — requires delivery, execution, and evasion of endpoint protection. It generates detection telemetry. It can be analyzed and attributed.

The Handala Stryker attack used none of that. Instead, Void Manticore operators obtained admin-level credentials for Stryker's Microsoft Intune deployment. Intune is the MDM platform that most large enterprises use to manage Windows, iOS, and Android devices at scale. An admin with sufficient privileges can push OS reset commands to enrolled devices — remotely wiping them to factory state. This is a feature, not a vulnerability.

The attack flow:

  1. Credential access — likely through phishing, credential stuffing, or purchasing from an initial access broker
  2. Privilege escalation within the Intune tenant to a role with device wipe permissions
  3. Bulk OS reset commands pushed to all enrolled endpoints
  4. 200,000 devices wiped simultaneously

The Michigan headquarters was physically closed during remediation. Hospitals that used Stryker equipment for vital-sign data transmission temporarily lost that connectivity.

The Lockheed Martin Escalation on March 26

Two weeks after the Stryker wipe, Handala issued a new threat. The group claimed to have obtained personal data of 28 U.S. engineers at Lockheed Martin working on the F-35, F-22, and THAAD missile defense systems. A 48-hour ultimatum was issued — the specific demand and outcome are not publicly confirmed as of March 30.

Lockheed Martin has not confirmed a breach. Unit 42's March 26 update specifically called out this escalation and raised the assessed threat level for U.S. defense industrial base targets. Whether the Lockheed claim is genuine access or a disinformation operation designed to cause reputational damage is not yet confirmed.

What Void Manticore Is

Void Manticore is the threat intelligence designation (used by Palo Alto Networks Unit 42) for the same group that Microsoft tracks as Storm-0842 and CrowdStrike tracks as Scarred Manticore. The group operates under Iran's Ministry of Intelligence and Security (MOIS), distinct from the IRGC-linked groups (APT33, APT34) that typically conduct espionage operations.

Void Manticore's playbook prioritizes destruction over espionage. Previous documented victims include Israeli organizations during the 2023-2024 conflict and Albanian government infrastructure in 2022. The group partners with another Iran-linked actor, Scarred Manticore (MOIS), which handles initial access while Void Manticore focuses on impact.

The public-facing Handala persona posts to Telegram, announces victims, and publishes exfiltrated data — functioning as both the operational arm and the psychological operations arm of the campaign.

Developer and Infrastructure Security Implications

Every organization using cloud MDM is affected by this attack vector in theory. The Intune wipe capability exists by design — it is how enterprise IT teams handle lost devices, terminated employee equipment, and compromised endpoints. Removing it is not a viable option. The attack surface is the credential and access control layer, not the tool itself.

Specific actions developers and infrastructure teams should take:

Audit Intune admin roles now. The principle of least privilege applies directly. Who has "Wipe" permission in your Intune deployment? How many accounts? Are they all human accounts or do any service principals have wipe capability? Most organizations that have not explicitly audited this have more accounts with wipe access than necessary.

Enforce phishing-resistant MFA on all MDM admin accounts. Hardware security keys (FIDO2) or certificate-based authentication make credential phishing ineffective. SMS-based MFA does not. If your Intune Global Admins and Intune Service Admins authenticate with SMS or authenticator app push notifications, they are vulnerable to real-time phishing and MFA fatigue attacks.

Enable Privileged Identity Management for high-risk Intune roles. Microsoft Entra PIM requires just-in-time activation for privileged roles — admin access is not persistent but must be explicitly activated for a time-limited window with approval workflows. A stolen credential for a PIM-protected account cannot immediately execute bulk wipes.

Monitor for unusual bulk MDM commands. Wiping 200,000 devices is not a normal operational action. Security information and event management (SIEM) rules that alert on MDM wipe commands above a threshold — say, more than 5 devices in 10 minutes outside a change management window — would have caught this attack in progress.
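The threshold rule described above, implemented as an added example (this is not code from the article, from Microsoft, or from any SIEM vendor). It reads constructed JSON audit records, keeps a per-actor sliding window of destructive commands, and raises one alert per actor when that actor touches more than five distinct devices inside ten minutes, unless the triggering command falls inside an approved change-management window. The record field names (`activityDateTime`, `actor`, `activityType`, `deviceId`), the action names, the actor UPNs and the change window are all assumptions made for the example; map your own Intune audit export onto the `WipeEvent` shape before using it.

```python
"""Bulk MDM wipe detector (added example; record schema is assumed, not Intune's)."""
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Command types treated as destructive. These names are constructed for the
# example; normalise whatever your MDM audit export uses onto them.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "factoryReset"}


@dataclass(frozen=True)
class WipeEvent:
    ts: datetime
    actor: str
    action: str
    device_id: str


@dataclass(frozen=True)
class ChangeWindow:
    start: datetime
    end: datetime
    ticket: str


def parse_audit_line(line: str) -> WipeEvent:
    """Parse one JSON audit record. The field names are an assumption made for
    this example; replace them with the names in your own export."""
    rec = json.loads(line)
    return WipeEvent(
        ts=datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00")),
        actor=rec["actor"],
        action=rec["activityType"],
        device_id=rec["deviceId"],
    )


def in_change_window(ts: datetime, windows) -> bool:
    return any(w.start <= ts <= w.end for w in windows)


def detect_bulk_wipes(events, change_windows, threshold=5, window=timedelta(minutes=10)):
    """Alert when one actor issues destructive commands against more than
    `threshold` distinct devices within `window`. Commands inside an approved
    change window never trigger. One alert per actor per burst: the actor
    re-arms only after their window drains back to the threshold or below."""
    recent = defaultdict(deque)            # actor -> deque of (ts, device_id)
    armed = defaultdict(lambda: True)      # actor -> may alert again
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in DESTRUCTIVE_ACTIONS:
            continue                        # locks, syncs etc. are not counted
        q = recent[ev.actor]
        q.append((ev.ts, ev.device_id))
        while q and ev.ts - q[0][0] > window:
            q.popleft()                     # drop commands older than the window
        distinct = {dev for _, dev in q}
        if len(distinct) <= threshold:
            armed[ev.actor] = True
            continue
        if not armed[ev.actor] or in_change_window(ev.ts, change_windows):
            continue
        armed[ev.actor] = False
        alerts.append({
            "actor": ev.actor,
            "first_seen": q[0][0],
            "triggered_at": ev.ts,
            "devices": len(distinct),
        })
    return alerts


# ---- constructed sample data (not real Stryker or Intune records) ----
def _t(hh, mm):
    return datetime(2026, 3, 14, hh, mm, tzinfo=timezone.utc)


def _line(ts, actor, action, dev):
    return json.dumps({"activityDateTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                       "actor": actor, "activityType": action, "deviceId": dev})


CHANGE_WINDOWS = [ChangeWindow(_t(13, 0), _t(16, 0), "CHG-0001")]  # approved refresh

SAMPLE_LOG = (
    # helpdesk: three isolated wipes, never more than one per window -> no alert
    [_line(_t(9, 0), "helpdesk@corp.example", "wipe", "DEV-H1"),
     _line(_t(9, 12), "helpdesk@corp.example", "wipe", "DEV-H2"),
     _line(_t(9, 25), "helpdesk@corp.example", "retire", "DEV-H3")]
    # refresh account: eight wipes inside the approved change window -> suppressed
    + [_line(_t(14, 0) + timedelta(minutes=i), "refresh@corp.example", "wipe", f"DEV-R{i}")
       for i in range(8)]
    # ops-admin: twelve wipes in three minutes at 02:00 UTC -> alert on the sixth
    + [_line(_t(2, 0) + timedelta(seconds=15 * i), "ops-admin@corp.example", "wipe", f"DEV-O{i}")
       for i in range(12)]
    + [_line(_t(2, 1), "ops-admin@corp.example", "remoteLock", "DEV-O99")]  # not counted
)


def run_sample(change_windows=CHANGE_WINDOWS):
    events = [parse_audit_line(line) for line in SAMPLE_LOG]
    return detect_bulk_wipes(events, change_windows)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['actor']}: {alert['devices']} devices between "
              f"{alert['first_seen'].isoformat()} and {alert['triggered_at'].isoformat()}")
```

Two design points carry over to a real SIEM rule. Counting distinct devices per actor (rather than raw command count) stops retries against one device from tripping the rule, and re-arming only after the window drains keeps a 200,000-device burst from producing 200,000 alerts. The change window suppresses rather than exempts: the commands are still logged, so an attacker who happens to act during a maintenance window still leaves the audit trail the page says is the only place this technique shows up.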

Key Takeaways

  • Handala (Void Manticore/MOIS) wiped 200,000 Stryker devices using Microsoft Intune MDM admin access — no wiper malware deployed
  • Stryker targeted for its $450M U.S. military medical supply contract and 2019 Israeli firm acquisition
  • Attack timeline: Feb 28 Iranian school strike → Stryker wipe within 2 weeks → Lockheed Martin escalation March 26
  • No malware means minimal EDR telemetry — the attack is detectable only through MDM audit logs and anomaly detection
  • The technique works against any organization using cloud MDM (Intune, Jamf, Workspace ONE) with weak admin credential controls
  • Mitigations: Audit wipe-capable roles, enforce FIDO2 MFA on MDM admins, enable PIM for just-in-time access, SIEM rules for bulk wipe commands

Frequently Asked Questions

Who is Handala and what is Void Manticore?

Handala is the public-facing hacktivist persona used by Void Manticore, a cyber unit within Iran's Ministry of Intelligence and Security (MOIS). Void Manticore is the Palo Alto Networks Unit 42 designation; Microsoft tracks the same group as Storm-0842 and CrowdStrike as Scarred Manticore. Unlike IRGC-linked groups that focus on espionage, Void Manticore prioritizes destruction — wiping systems and publishing data for psychological effect. Previous targets include Israeli organizations and Albanian government infrastructure.

How did Handala wipe 200,000 Stryker devices without malware?

Void Manticore operators obtained admin-level credentials for Stryker's Microsoft Intune MDM deployment. Intune is a legitimate enterprise tool that allows admins to remotely push OS reset commands to enrolled devices. By abusing this built-in capability rather than deploying wiper malware, the attackers wiped 200,000 systems with minimal EDR telemetry. The attack exploited weak credential controls and over-provisioned admin access, not a software vulnerability.

Why did Iran target Stryker Corporation?

Handala cited two reasons: Stryker holds a $450 million U.S. military medical supply contract, making it part of the military-industrial infrastructure Iran designates as a retaliation target, and Stryker acquired Israeli orthopedic firm Orthospace in 2019. The attack was announced as retaliation for a February 28 missile strike on an Iranian school that killed 175 people.

How can organizations protect against MDM wiper attacks?

Four key controls: First, audit who has Wipe permission in your MDM platform (Intune, Jamf, Workspace ONE) and remove unnecessary access. Second, enforce phishing-resistant FIDO2 MFA on all MDM admin accounts — SMS and authenticator app push are not sufficient. Third, enable Privileged Identity Management (PIM) for high-risk MDM roles so access requires just-in-time activation rather than being persistent. Fourth, add SIEM rules that alert on bulk MDM wipe commands above a threshold outside change management windows.

Did Handala actually breach Lockheed Martin?

Handala claimed on March 26, 2026, to have obtained personal data of 28 Lockheed Martin engineers working on F-35, F-22, and THAAD programs, with a 48-hour ultimatum. Lockheed Martin had not confirmed a breach as of March 30. Palo Alto Networks Unit 42 raised the assessed threat level for U.S. defense industrial base targets following the claim. Whether this represents genuine access or a disinformation operation has not been independently verified.

Written by

Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 795+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 164 countries.