The Exploit: Penetration Testing Insights From The Frontlines
Posted on May 1, 2026
No Malware Required

Written by Brian Tant

On the morning of March 11, 2026, Stryker Corporation employees across 79 countries turned on their devices and found them wiped to factory settings: no ransomware note, no encrypted files. Just blank screens where work used to be.

The attackers, a hacktivist group called Handala, never deployed a single piece of malware. They logged into Microsoft Intune, Stryker’s mobile device management console, and issued remote wipe commands using the platform’s own legitimate features. Between 80,000 and 200,000 endpoints went dark, and manufacturing and order processing went offline for several days.

What makes this worth studying is the access chain that got them there.

How They Got In

Researchers identified 278 sets of compromised Stryker credentials circulating between October 2025 and March 2026, concentrated in the weeks immediately before the attack. The leading hypothesis is infostealer malware: software that silently harvests admin credentials and SSO session tokens from an infected endpoint, then passes them to brokers or directly to the threat actor. The infected machine doesn’t need to be inside Stryker’s network. It just needs to belong to someone with the right access.

With those credentials, the attack chain is short. Handala authenticated to Microsoft Entra ID using the compromised account and claimed Global Administrator rights. From there, they navigated to the Intune console and pushed an OS reset policy to all enrolled devices across 79 countries. No privilege escalation exploit and no lateral movement through internal systems. The administrative plane handed them everything.

Check Point Research found that Handala had established network access months before March 11. The destructive wipe was the last step, not the first.

What Your Detection Tools Won’t Catch

Your detection and response tools are built to catch malware. They watch for suspicious executables and lateral movement, the signals that show up when something malicious is running. A valid admin credential authenticating to Entra ID and issuing a wipe policy looks like IT operations. Nothing anomalous gets flagged until 200,000 devices are already gone.

Handala also adapted their operational infrastructure to avoid detection. They shifted from commercial VPN nodes to Starlink IP ranges, blending into satellite broadband traffic and stripping any geographic signature from their connections.

Stryker’s environment hadn’t failed. Everything in it worked exactly as designed.

Why You’re in the Target Set

Handala has documented ties to foreign state interests and a track record of targeting organizations tied to the US and its allies. State-adjacent actors increasingly treat large commercial enterprises as proxies in geopolitical conflicts, whether or not those enterprises have any direct involvement. Stryker’s business had no connection to the triggering event. The company was visible, and that was enough.

Most security teams are still running threat models built around financially motivated criminal actors. Those actors want payment. Handala sent no ransom demand. The disruption was the point, and there was nothing to pay to avoid it. It marked a major shift in the threat landscape.

Any large enterprise with identifiable US ties now sits inside a threat envelope that most IT risk models weren’t designed for.

The Questions to Bring to Your Next Security Review

The attack surface here was a privileged credential with access to a powerful automated action, circulating outside the organization for months before anyone acted on it.

  • Ask whether your organization would detect 278 employee credentials on infostealer markets over a five-month period. 
  • Ask whether an Intune Administrator authentication from an unfamiliar IP range at 2 a.m. would generate an alert. 
  • Ask whether your team has ever run a tabletop exercise in which the attacker’s only tool is your MDM console.
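The second question above, and the earlier point that a valid admin credential issuing a wipe looks like ordinary IT operations, both reduce to detection rules that do not depend on malware signals at all. The following is an added example, not code from the original post or from Raxis: two such rules in Python, run over constructed sample records. The field names, the known egress ranges, the role names, the business hours and the wipe threshold are all assumptions standing in for your tenant's real Entra ID sign-in and Intune audit logs.

```python
"""Two identity-plane detection rules, run over constructed sample events.

Rule 1: a privileged-role sign-in from an IP outside the organization's known
        egress ranges, outside business hours (the 2 a.m. question).
Rule 2: a burst of device wipe actions from one actor in a short window
        (a single wipe is routine; the rate is the signal).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions, not values from the article: replace with your tenant's own.
KNOWN_EGRESS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59, tenant-local time


@dataclass(frozen=True)
class SignIn:
    when: datetime  # tenant-local time
    user: str
    role: str       # directory role active on the session
    ip: str


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    actor: str
    action: str     # e.g. "wipe", "sync", "restart"
    device: str


def suspicious_admin_signins(events):
    """Rule 1: privileged role AND unfamiliar source IP AND outside business hours."""
    hits = []
    for e in events:
        if e.role not in PRIVILEGED_ROLES:
            continue
        addr = ip_address(e.ip)
        familiar = any(addr in net for net in KNOWN_EGRESS)
        if not familiar and e.when.hour not in BUSINESS_HOURS:
            hits.append(e)
    return hits


def wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Rule 2: report each actor whose densest sliding window of wipe actions
    reaches `threshold`, as (actor, window_start, count)."""
    per_actor = {}
    for e in sorted(events, key=lambda ev: ev.when):
        if e.action == "wipe":
            per_actor.setdefault(e.actor, []).append(e)
    bursts = []
    for actor, evs in per_actor.items():
        best, best_start, start = 0, None, 0
        for end in range(len(evs)):
            while evs[end].when - evs[start].when > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_start = count, evs[start].when
        if best >= threshold:
            bursts.append((actor, best_start, best))
    return bursts


def T(s):
    return datetime.fromisoformat(s)


# Constructed sample sign-ins: a routine daytime admin sign-in from the office,
# a normal user, and a 02:07 privileged sign-in from an address nobody uses.
SAMPLE_SIGNINS = [
    SignIn(T("2026-03-10T10:02:00"), "it-admin@example.com", "Intune Administrator", "203.0.113.17"),
    SignIn(T("2026-03-10T14:30:00"), "jdoe@example.com", "User", "192.0.2.9"),
    SignIn(T("2026-03-11T02:07:00"), "it-admin@example.com", "Global Administrator", "192.0.2.55"),
]

# Constructed sample MDM audit events: one helpdesk wipe of a returned laptop,
# then six wipes from a single actor inside six minutes.
SAMPLE_AUDIT = [AuditEvent(T("2026-03-10T11:15:00"), "helpdesk@example.com", "wipe", "LT-0042")] + [
    AuditEvent(T("2026-03-11T02:10:00") + timedelta(minutes=i), "it-admin@example.com", "wipe", f"DEV-{i:04d}")
    for i in range(6)
]

if __name__ == "__main__":
    for s in suspicious_admin_signins(SAMPLE_SIGNINS):
        print(f"ALERT off-hours privileged sign-in: {s.user} ({s.role}) from {s.ip} at {s.when}")
    for actor, start, n in wipe_bursts(SAMPLE_AUDIT):
        print(f"ALERT wipe burst: {actor} issued {n} wipes starting {start}")
```

Two caveats follow from the post itself. Rule 1 is only as good as the egress allowlist: an actor who moves from commercial VPN nodes to satellite broadband ranges defeats a country-based check, so "unfamiliar" is better defined per account (addresses that account has never used) than per geography. Rule 2 never fires on the first wipe, which is exactly the point: the legitimate action and the destructive one are the same API call, and only rate and scope separate them.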

Stryker is fully operational again. But the several days of halted manufacturing and order processing started with a credential harvested from an infected endpoint, sold, and used to authenticate to a cloud console with eyes on it every day. If you don’t know how many of your admin credentials are currently circulating outside your environment, you don’t know your real exposure.

Brian Tant

Brian brings to Raxis a rich and varied background in Information Technology spanning more than 20 years. Sought after by clients for his unique blend of business acumen and technical prowess, Brian has consistently delivered value to hundreds of organizations spanning the globe throughout his career. Brian is Raxis’ CTO and currently leads the Raxis Penetration Testing and Social Engineering team.
