
On March 11, 2026, the medical technology giant Stryker Corporation experienced a large-scale cyber incident representing an escalation in Iranian cyber operations. The Iran-linked group Handala claimed it had wiped over 200,000 systems across 79 countries. While these figures are likely inflated as part of information operations, subsequent reporting suggests approximately 80,000 affected devices. The operational impact was significant: employees across the globe were unable to access their corporate devices, with login screens replaced by Handala branding.
Handala is widely assessed to operate as more than a “hacktivist” collective; it functions as a persona leveraged by Iran’s Ministry of Intelligence and Security (MOIS) to conduct destructive cyber operations. In this incident, Handala leveraged privileged administrative access within Microsoft Intune to control and wipe devices at scale. This activity reflects a shift from data exposure toward enterprise-scale disruption, consistent with previously observed Iranian cyber operations.
The Laboratory of Conflict: Why the Warning Signs Were Ignored
The Stryker incident reflects a potential escalation in Iranian cyber activity. Handala’s prior activity, particularly in Israel, is best understood as a multi-year operational environment in which capabilities and tradecraft were refined.
- The Proving Ground: Since 2023, Handala has targeted Israeli sectors including healthcare, technology, government, energy, and defense, likely refining tooling, access methods, and disruptive capabilities, including wiper functionality.
- Operational Synergy: Observed activity suggests a “hand-off” model, where cyber espionage groups such as APT34 (OilRig) secure initial access before activity is carried out by separate clusters or personas, including Handala, for disruptive or destructive effects.
- Proxy Integration: Handala operates alongside hacktivist personas and state-aligned clusters, contributing to a resilient operational ecosystem.
- Beyond the Digital Border: As observed in the 2025 “Rest in Peace” operation referenced below, Handala’s activity has extended to psychological intimidation and individual targeting, indicating an expansion beyond purely digital operations.


From “Hacktivism” to State-Linked Disruption in Israel
Handala’s activity has evolved beyond DDoS and data leaks to include disruption and psychological targeting.
The RedWanted Platform
The launch of the “RedWanted” platform in November 2025 represents a notable development. The platform appears to function as a publicly accessible, searchable, bounty-style site that extends targeting beyond digital systems to individuals, introducing elements of real-world intimidation and influence.
- Targeting the “Brain Power”: Operations extend to individuals linked to sensitive organizations including the Weizmann Institute of Science, Elbit Systems, and Soreq Nuclear Research Center, as well as associated scientists and researchers.
- The “Bounty” Model: The site appears to operate as a targeting mechanism, displaying images of individuals with a “crosshair” overlay, and encouraging users to gather information, including references to locating nearby traffic cameras or conducting physical observation.
- Psychological Pressure: By leaking personal information and reportedly placing “Rest in Peace” flowers in a target’s vehicle, the activity suggests potential real-world intimidation tactics, extending beyond purely digital operations.

Operational Influence: This activity may provide context for the Stryker incident, demonstrating how the combination of data exposure and public intimidation can be used to pressure individuals and organizations in sensitive sectors.
Beyond Hacktivism: The Manticore Operational Ecosystem
To understand Handala, it is useful to examine the broader “Manticore” ecosystem, an analytical framework describing clusters associated with Iranian cyber operations that perform distinct but complementary roles. In this model, different units focus on functions such as espionage, influence, and disruptive activity. The term “Manticore,” drawn from Persian mythology, is used here as a conceptual shorthand rather than a formal designation.
Disruptive Operations: Void Manticore (Handala)
Tracked by researchers as Void Manticore (Banished Kitten, Storm-0842, Dune, Bad Karma, No Justice, and Red Sandstorm), this cluster is widely assessed to be aligned with Iran’s Ministry of Intelligence and Security (MOIS).
- Specialty: Disruptive and destructive operations, including data exposure and wiper activity associated with later-stage intrusion phases.
- Tooling: Their most well-documented capability includes the “Bibi Wiper,” malware designed to overwrite files and render systems inoperable.
Espionage Operations: Scarred Manticore
While Handala is more visible, Scarred Manticore is associated with lower-profile, access-oriented activity. This cluster is linked to activity commonly attributed to groups such as APT34 (OilRig).
- Specialty: Long-term espionage and initial access operations.
- Operational Model: These actors may maintain persistent access within target environments, mapping infrastructure and harvesting credentials before activity is conducted by separate clusters. This pattern is consistent with a “hand-off” model observed in Iranian cyber operations.
Influence Operations: Maimed Manticore
Maimed Manticore is associated with influence and information operations, functioning as part of a broader ecosystem of state-aligned narrative and propaganda activity.
- Specialty: Creation and dissemination of content designed to influence perception, often leveraging social media platforms and coordinated inauthentic behavior.
- Tactics: Activities may include the use of fabricated personas, amplification networks, and websites designed to mimic legitimate sources, contributing to the spread of aligned narratives.
IRGC-CEC Operations and Corporate Fronts
Unlike the MOIS, which leverages personas such as Handala for disruptive cyber operations, including wipers and data exposure, the IRGC-CEC is associated with activity aligned to Iran’s military apparatus. Its operations prioritize disruptive cyber activity and influence operations, often conducted through front personas such as CyberAv3ngers, targeting high-value Israeli and Western entities.

Emennet Pasargad (a.k.a. Shahid Shushtari)
Tracked by the intelligence community as Cotton Sandstorm, Emennet Pasargad is a sanctioned Iranian entity associated with cyber and influence operations. The organization has demonstrated a pattern of rebranding and alias usage, including names such as Net Peygard Samavat, Eleyanet Gostar, and Imannet Pasargad, likely to evade sanctions and attribution.
- The Facade: The entity operates as a nominally legitimate company within Iran, providing infrastructure, funding, and operational support for state-aligned cyber actors.
- Associated Personas: Emennet Pasargad has been linked to multiple online personas and clusters, including Holy Souls, Neptunium, and CyberAv3ngers.
- Holy Souls: Linked to data exposure activity, including the 2023 Charlie Hebdo-related incident.
- CyberAv3ngers: Associated with targeting critical infrastructure, including industrial control systems such as Unitronics PLCs.
Sanctions and Operational Activity
Emennet Pasargad is sanctioned by the U.S. government and linked to Iranian state-aligned cyber and influence operations, including U.S. election interference, disinformation campaigns, and cyber activity targeting media and voting-related infrastructure. More recent reporting indicates the group has incorporated generative AI into influence operations, including campaigns such as “For Humanity,” which involved compromising a U.S.-based IPTV service to distribute propaganda related to the Israel-Hamas conflict.

The ICS Saboteurs: CyberAv3ngers
Since 2023, the IRGC-CEC has used the “CyberAv3ngers” persona to target Western and Middle Eastern critical infrastructure. The group consistently targets technologies associated with Israeli manufacturers, aligning with broader Iranian cyber activity.
- Targeting Water Infrastructure: Beyond the 2023 attack on the Municipal Water Authority of Aliquippa, the group has expanded to desalination and filtration systems. In March 2026, CyberAv3ngers was reportedly linked to activity affecting the Ras Abu Jarjur desalination plant in Bahrain. By exploiting internet-exposed Unitronics Vision Series PLCs (e.g. on TCP port 20256), operators may manipulate industrial processes, including reverse osmosis and chemical treatment. This highlights the potential for cyber operations to impact physical infrastructure.
- Specialized Tooling (IOCONTROL): This group uses IOCONTROL, a Linux-based wiper targeting industrial control systems (ICS) across sectors such as food processing, rail, and municipal water. By disrupting operator visibility and control, it can create conditions where physical processes may be affected without immediate detection.


The Bridging Point: Mr. Soul
Mr. Soul (a.k.a. Mr. Sol) is an Iranian-linked developer associated with tooling and online activity, potentially linking multiple operational clusters.
- Operational Shift: By late 2025, Mr. Soul shifted from low-profile activity to promoting Handala-linked operations via Telegram, aligning more closely with Handala than other associated clusters.
- Cross-Cluster Alignment: This shift may indicate increasing alignment between IRGC and MOIS linked activity, suggesting a more coordinated operational posture.
- Sanctioned Leadership: The U.S. sanctioned Mahdi Lashgariam as a senior IRGC-CEC figure. His relationship to the Mr. Soul persona remains unclear, but the overlap highlights links between leadership and observed activity.
- Tooling Attribution: Mr. Soul is associated with IOCONTROL, which has been linked to disruptive ICS-focused operations.
The Operational Hand-Off Model
The interaction between clusters such as Scarred Manticore and Handala is best understood as a structured, multi-phase operational model, rather than a loosely coordinated effort. Observed activity suggests a repeatable pattern involving access, persistence and subsequent disruptive action, consistent with the March 11 Stryker Corporation incident.
Phase 1: Access and Persistence (“Low and Slow” Infiltration)
Initial access activity is typically associated with espionage-oriented clusters such as Scarred Manticore (linked to APT34), whose objective is environmental visibility and credential access rather than immediate disruption.
- Objective: Establish persistent access, map network architecture, and obtain high-privilege credentials (e.g. domain or cloud administrative access).
- Tradecraft: Activity has included use of frameworks such as LIONTAIL and techniques such as DNS tunneling, enabling long-term access while blending with legitimate traffic and evading detection.
- Data Exposure Risk: During this phase, actors may collect sensitive data, including internal communications and credentials, which can later be used to amplify disruption or public exposure.
Phase 2: Disruption and Impact (“Handala” Activity)
Once access and credentials are established, activity may transition to clusters such as Handala (Void Manticore), which conduct disruptive or destructive operations.
- Operational Shift: Handala leverages previously obtained access to escalate privileges and execute disruptive actions within the environment.
- Destructive Activity: This phase may involve deployment of wiper malware or other destructive techniques, impacting data integrity and system availability.
- Abuse of Native Tools: In more advanced cases, actors leverage legitimate enterprise management platforms, such as Microsoft Intune, to issue authorized commands (e.g., device resets) at scale, effectively using the organization’s own infrastructure to carry out disruption.

Pattern Replication: CyberToufan
Another group that mirrors aspects of Handala’s activity is CyberToufan (Cyber Toufan Al-Aqsa). While operating as a distinct persona, CyberToufan demonstrates similar operational patterns and messaging, suggesting reuse of tradecraft across clusters.
- Replicated Model: Both personas exhibit a similar operational pattern, in which access-oriented activity, often associated with groups such as APT34, is followed by more visible disruptive activity. This two-phase approach aligns with previously observed Iranian cyber operations.
- Shared Infrastructure Indicators: Overlap between the groups is visible in elements such as Telegram bots, leak site formatting, and communication patterns, suggesting shared tooling or infrastructure components, rather than purely independent activity.
- Psychological Targeting: Both personas incorporate human-centric targeting, including exposure of internal communications and sensitive materials. While Handala has utilized platforms such as RedWanted, CyberToufan has conducted “boardroom-style” leaks, releasing recordings and internal content to demonstrate access within targeted organizations.


Defensive Posture: Disrupting the Operational Model
To mitigate activity associated with Handala and related clusters, organizations should consider the following controls:
- Restrict “Wipe” Permissions: Implement multi-admin approval (MAA) in Microsoft Intune for high-impact actions. No single account should be able to initiate large-scale device resets.
- Enforce Phishing-Resistant MFA: Require FIDO2 hardware security keys (e.g. YubiKey) for privileged accounts to mitigate adversary-in-the-middle (AiTM) attacks.
- Secure “Break-Glass” Accounts: Maintain isolated emergency accounts, secured with hardware-based authentication and high-priority alerting for any login attempts.
- Audit External Exposure: Use tools such as Shodan and Censys to identify exposed services, including RDP, VPNs, and public repositories.
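As an added example (not code from the original post), the following Python sketches the detection side of the first three controls: it replays constructed, simplified MDM audit records and raises an alert when a single actor issues a threshold number of wipe/retire/reset actions inside a sliding window, or when an assumed break-glass account does anything at all. The record shape, account names, and thresholds are assumptions, not the real Intune audit schema.

```python
"""Flag bulk device-reset activity and any use of a break-glass account.

Added example; not code from the original post. The record shape below
(ts, actor, action, device) is a constructed simplification, not the real
Intune audit schema, so map fields accordingly before use on live data.
Events are assumed to arrive in chronological order.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

HIGH_IMPACT = {"wipe", "retire", "reset"}        # destructive MDM actions
BREAK_GLASS = {"emergency-admin@corp.example"}   # assumed emergency accounts


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts: one 'bulk_wipe' per actor reaching `threshold` high-impact
    actions inside the sliding `window`, and one 'break_glass_use' per event."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        if ev["actor"] in BREAK_GLASS:   # emergency accounts: alert on any action
            alerts.append({"kind": "break_glass_use", "actor": ev["actor"], "ts": ev["ts"]})
        if ev["action"] not in HIGH_IMPACT:
            continue
        q = recent[ev["actor"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["actor"] not in flagged:
            flagged.add(ev["actor"])     # alert once per actor, not once per event
            alerts.append({"kind": "bulk_wipe", "actor": ev["actor"],
                           "count": len(q), "first": q[0].isoformat()})
    return alerts


# Constructed sample telemetry: one routine wipe, one break-glass sync, and a
# service account issuing six wipes in six minutes.
SAMPLE = ['{"ts":"2026-03-11T01:55:00Z","actor":"helpdesk@corp.example","action":"wipe","device":"LT-0001"}',
          '{"ts":"2026-03-11T01:58:00Z","actor":"emergency-admin@corp.example","action":"sync","device":"LT-0002"}']
SAMPLE += ['{"ts":"2026-03-11T02:0%d:00Z","actor":"svc-mdm@corp.example","action":"wipe","device":"LT-01%02d"}'
           % (i, i) for i in range(6)]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Tune `threshold` and `window` to the organisation's normal retire/wipe rate so that routine helpdesk work does not page anyone while a burst from one identity does.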
Closing Part 1: The Illusion
The March 11, 2026, incident affecting Stryker Corporation was not an isolated event, but the culmination of a multi-year evolution in Iranian cyber operations. Activity observed across sectors and regions reflects a consistent operational model combining access, disruption, and narrative amplification.
Rather than independent “hacktivist” activity, this pattern suggests a structured ecosystem in which personas such as Handala serve as the public-facing layer of broader state-aligned capabilities. The Stryker incident demonstrates how this model can scale beyond regional targets into enterprise environments.
Part 2: The Hydra’s Reach
Part 2 moves beyond the Handala persona to examine the individuals and groups operating behind and alongside these identities, shifting from the operational model to the actors who sustain and amplify it. Building on investigative reporting, including work by Nariman Gharib and the Iran International team, it highlights how elements of this ecosystem have begun to lose anonymity, while activity across multiple groups since 2023 suggests increasing convergence in tactics, infrastructure, and messaging. The following analysis focuses on key actors and how they extend the reach and impact of this broader operational framework.