March 11, 2026 | BREAKING | ACTIVE INCIDENT | MOIS-LINKED WIPER MALWARE

Handala Threat Advisory:
The Stryker Wiper Attack

Iranian-aligned hacktivist group Handala deploys destructive wiper malware against $100B medical technology giant Stryker Corporation — wiping 200,000+ devices, defacing Entra login portals, and shutting down operations across 79 countries.

  • 200K+ devices wiped
  • 50 TB of data claimed exfiltrated
  • 56,000 employees affected
  • 79 countries impacted
  • $25.1B Stryker 2025 revenue
  • ~4% stock drop (same day)

Executive Summary

On March 11, 2026, Stryker Corporation — a Fortune 200 medical technology company headquartered in Portage, Michigan — experienced a catastrophic cyberattack attributed to Handala (a.k.a. Handala Hack Team), a pro-Palestinian hacktivist group with strong ties to Iran's Ministry of Intelligence and Security (MOIS).

The attack deployed destructive wiper malware that permanently erased data from corporate servers, endpoint devices, and personal smartphones enrolled in Stryker's Microsoft Intune mobile device management. The attackers defaced Microsoft Entra (Azure AD) login pages with Handala's distinctive logo and remotely wiped managed devices at approximately 3:30 AM EDT.

Over 5,500 employees in Cork, Ireland — Stryker's largest hub outside the US — were sent home. Operations halted across manufacturing, R&D, and engineering facilities worldwide. The company's main US headquarters voicemail reported a "building emergency." Stryker stock dropped approximately 4% within hours.

Handala claimed the operation affected 200,000+ systems and exfiltrated 50 terabytes of data. While these figures remain unverified, the operational impact is confirmed by multiple sources including Stryker's own statements, Irish media, and employee reports.

⚠️ Critical: This is NOT Ransomware

Stryker confirmed: "We have no indication of ransomware or malware." This was a destructive wiper attack — the goal was permanent data destruction, not extortion. Wiper attacks may cause irreversible data loss with no recovery path. This aligns with Handala's documented operational doctrine of disruption over monetization.

🎯 Context: Post-Airstrike Retaliation

This attack comes ~2 weeks after US-Israeli strikes against Iran (late February 2026). CSIS analysis warns this marks "the beginning of a new phase of cyber escalation" under Iran's "Great Epic" cyber campaign. Handala explicitly framed this as retaliation for the "attack on a school in Minab" and "ongoing cyber assaults against the Resistance Axis."


Threat Actor Profile: Handala

Actor Name
Handala / Handala Hack Team
First Observed
December 18, 2023
State Affiliation
Iran — MOIS (Ministry of Intelligence)
Motivation
Political / Destructive / Hack-and-Leak
Primary Targets
Israeli orgs, US allies, Healthcare, Energy
Operational Doctrine
Disrupt + Leak + Amplify
Attribution Confidence
HIGH (multi-vendor convergence)
TLP Classification
TLP:CLEAR

Cross-Vendor Alias Mapping

Multiple independent vendors and government sources have converged on attributing Handala to the same MOIS-linked cluster:

Vendor | Cluster Name | Confidence
Check Point Research | Void Manticore | HIGH
Microsoft | Storm-0842 / Storm-842 | HIGH
CrowdStrike | BANISHED KITTEN | HIGH
Recorded Future | Dune | MEDIUM-HIGH
Sophos | COBALT MYSTIQUE | MEDIUM-HIGH
IBM X-Force | Handala Hacking Team | HIGH

Who is Handala?

"Handala" refers to a character created in 1969 by Palestinian political cartoonist Naji al-Ali — a barefoot boy with his back turned, symbolizing Palestinian identity and defiance. The hacktivist group adopted this symbolism upon emergence in December 2023, shortly after the onset of the Gaza conflict.

The group operates as an influence-enabled intrusion threat — not a traditional cybercrime or espionage actor. Their operational model fuses technical compromise with rapid public messaging, timed data leaks, and narrative amplification designed to maximize reputational damage beyond direct system impact.

Key characteristics:

  • Employs wiper malware, data theft, phishing, extortion, and website defacement
  • Targets life-critical sectors: healthcare, energy, financial services, satellite communications
  • Operates data leak sites + Telegram channels for claim amplification
  • At least one member assessed to be fluent in Hebrew (Cisco Talos assessment)
  • Known to exaggerate or fabricate breach claims — actor claims should be treated as collection leads, not confirmation
  • Exploits current events for phishing lures (CrowdStrike outage, geopolitical escalations)

Target Sectors (sector chart not reproduced in the text version)


Activity Timeline (2023–2026)

Oct–Nov 2023
Pre-Brand Operations (MOIS Cluster Activity)
Microsoft and Check Point document MOIS-linked destructive activity in Israel using BiBi wiper variants. Storm-0861 hands off access to Storm-0842 for destructive operations. SharePoint exploitation (CVE-2019-0604), ASPX webshells, LSASS dumping.
Dec 18, 2023
Handala Persona Emerges
First X (Twitter) post. Rapid establishment of Telegram channel (@HANDALA_RSS) and social media presence. Victim naming and psychological pressure framing from day one.
Dec 2023–Feb 2024
Early Claim-Led Campaigns
Phishing, defacement, and leak-claim activity with ideological framing. Reputation-building through repeated claim cadence. Targets primarily Israeli organizations.
Mar–Jun 2024
Target Set Expansion
Expands to defense/technology-adjacent targets. Ransomware-style extortion narratives. "New victim list" waves across channels.
May 2024
Attribution Convergence
Check Point directly links Handala to Void Manticore. Multiple vendors confirm MOIS cluster alignment. Infrastructure overlap with known Iranian APT infra (64.176.172.0/24).
Jul 2024
CrowdStrike-Lure Wiper Campaign
Exploits CrowdStrike BSOD outage with phishing campaign. Fake "update" PDF → malicious NSIS installer → AutoIt shellcode → wiper payload. Uses Storj for hosting. Telegram bot as C2.
Aug 2024
Platform Pressure
X account suspended (Aug 21, 2024). Migrates to @Handala_Backup. Continues operations via Telegram. ODNI/FBI/CISA election-influence statement issued in same period.
Feb 2025
Channel Goes Silent
Primary Telegram channel goes silent (~Feb 9, 2025). Activity continues under cluster attribution (Void Manticore / BANISHED KITTEN) without actor self-claims.
Jul 2025
Channel Resumes
Handala Telegram channel activity resumes. Continued targeting of Israeli and allied organizations.
Mar 11, 2026
🔴 STRYKER WIPER ATTACK
Catastrophic wiper attack on Stryker Corporation. 200K+ devices claimed wiped, 50TB data claimed exfiltrated. Entra login defacement. 5,500+ employees sent home in Ireland. Global operations halted across 79 countries. Explicitly framed as retaliation for US-Israeli strikes on Iran.

The Stryker Incident — March 11, 2026

Victim Profile: Stryker Corporation

Company
Stryker Corporation (NYSE: SYK)
Headquarters
Portage, Michigan, USA
2025 Revenue
$25.12 Billion
Employees
~56,000 across 75+ countries
Industry
Medical Technology & Devices
Products
Orthopedic implants, surgical instruments, hospital beds, robotic surgery systems
Largest Non-US Hub
Cork, Ireland (5,500+ employees)
Recent Launch
SmartHospital Platform (HIMSS 2026, days before attack)

Incident Timeline

~03:30 AM EDT
Wiper Detonation
Intune-managed devices begin being remotely wiped. Work computers and personal smartphones with Stryker work profiles affected. Entra (Azure AD) login pages defaced with Handala logo.
Early Morning
Global Shutdown
All Stryker laptops and network-connected systems rendered inoperable. Internal email states "experiencing a severe, global disruption impacting all Stryker laptops and systems that connect to our network."
Morning (Ireland)
5,500+ Employees Sent Home
Cork facilities — product design, engineering, manufacturing — fully shut down. Ireland's National Cyber Security Centre (NCSC) notified and assisting.
Morning (US)
Michigan HQ Evacuated
Voicemail at Stryker's main US headquarters reports a "building emergency." Employees in Michigan sent home.
~11:45 AM ET
Stock Impact
SYK shares down ~4%. Stryker issues statement confirming "global network disruption to our Microsoft environment as a result of a cyberattack."
Afternoon
Handala Claims Responsibility
Lengthy Telegram statement claiming 200K+ systems affected, 50TB exfiltrated. Describes attack as "only the beginning of a new chapter in the cyber war." Microsoft engineers deployed for incident response.

Confirmed Technical Impact

  • Intune-managed device wipe — Work computers AND personal phones with corporate profiles remotely wiped
  • Entra (Azure AD) login defacement — System login pages replaced with Handala branding
  • Server data destruction — Corporate servers and proprietary applications rendered inoperable
  • Email/comms blackout — Internal email, collaboration tools, and work systems inaccessible
  • Manufacturing halt — Product design, engineering, and manufacturing operations stopped globally
  • Supply chain disruption — Medical device supply chain at risk across Europe, Asia, and US

Attack Chain — MITRE ATT&CK Mapping

Initial Access
Phishing / Credential Theft / Admin Account Compromise
Execution
NSIS Installer → Batch Script → AutoIt Shellcode
Evasion
AV Process Check + Time Delay + Obfuscation
Privilege Esc
BYOVD (ListOpenedFileDrv) + Admin Abuse
Collection
System Info → Telegram Bot C2
Impact
Disk Wipe + Intune MDM Abuse + Defacement

Detailed Kill Chain (Based on Documented Handala Tradecraft)

1. Initial Access — Handala typically uses spear-phishing with current-events lures. For the Stryker attack, initial access vector is under investigation. Previous campaigns used phishing PDFs masquerading as software updates, SMS phishing, and abuse of trusted supplier channels. The attackers gained access to administrative accounts with Intune/Entra management privileges.

2. Payload Delivery — The documented Handala toolkit uses NSIS (Nullsoft Scriptable Install System) installers containing obfuscated batch scripts. Files inside the NSIS package carry no file extension, which defeats extension-based static scanning. Commercial file-sharing services (Storj, Mega) are used for payload hosting.

3. Execution — The batch script ("Carroll") copies itself to a file with a .cmd extension and executes the copy. It contains garbage and invalid Windows commands interspersed with the real instructions to hinder analysis. It checks for AV processes (Webroot, Quick Heal, Avast, AVG, Bitdefender, Norton, Sophos) and introduces a 90–180 second delay when none is found.

4. Defense Evasion — The payload is split across several files that are concatenated at runtime into AutoIt3.exe and a .a3x script. The AutoIt component uses simple string obfuscation. The shellcode is architecture-aware (32- and 64-bit) and is decompressed with the RtlDecompressFragment() API.

5. Impact — The wiper overwrites each file with 4,096 bytes of random data (files smaller than 4,096 bytes are overwritten with zeroes) and deletes it afterwards. A BYOVD technique loads the ListOpenedFileDrv_32.sys driver to read kernel memory for file enumeration. A deceptive "update installation" message box is displayed while the wipe runs. System information is exfiltrated to the Telegram bot C2 before destruction begins.
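Steps 3 to 5 of the chain leave distinct marks in process-creation telemetry: the Carroll-to-Carroll.cmd copy, a tasklist query for the listed AV image names, a ping -n sleep with a count in the 90–180 range, and RegAsm.exe spawned by AutoIt3.exe. The following Python is an added example written for this advisory, not tooling from the advisory or from any vendor cited here; the ProcEvent record shape and all six sample events are constructed, and the ping count is parsed as an integer so the delay window is checked exactly rather than approximated with a regex range.

```python
"""Triage of Windows process-creation events against the documented Handala
execution chain. Added example; the event shape and sample events are
constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Sysmon-style process creation record (constructed shape)."""
    event_id: int
    image: str
    parent_image: str
    command_line: str


# AV process names the Carroll batch script looks for (from the advisory).
AV_PROCESSES = (
    "wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
    "bdservicehost.exe", "nswscsvc.exe", "sophoshealth.exe",
)

# ping -n <count> is the sleep primitive; the count is parsed as an integer so
# the 90-180 second window is checked exactly.
PING_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\b", re.IGNORECASE)
PING_DELAY_MIN, PING_DELAY_MAX = 90, 180


def carroll_copy_exec(ev: ProcEvent) -> bool:
    """Carroll copied to a .cmd file, or Carroll.cmd itself being executed."""
    cl = ev.command_line.lower()
    copy_pattern = "copy" in cl and "carroll" in cl and ".cmd" in cl
    return copy_pattern or "carroll.cmd" in cl


def av_process_check(ev: ProcEvent) -> bool:
    """tasklist invoked with one of the AV image names on the command line."""
    cl = ev.command_line.lower()
    return "tasklist" in cl and any(av in cl for av in AV_PROCESSES)


def ping_delay_evasion(ev: ProcEvent) -> bool:
    """ping -n with a count inside the 90-180 second evasion window."""
    m = PING_RE.search(ev.command_line)
    return bool(m) and PING_DELAY_MIN <= int(m.group(1)) <= PING_DELAY_MAX


def autoit_regasm_injection(ev: ProcEvent) -> bool:
    """RegAsm.exe spawned by AutoIt3.exe (the injection target per the advisory)."""
    return (ev.parent_image.lower().endswith("autoit3.exe")
            and ev.image.lower().endswith("regasm.exe"))


RULES = {
    "carroll_copy_exec": carroll_copy_exec,
    "av_process_check": av_process_check,
    "ping_delay_evasion": ping_delay_evasion,
    "autoit_regasm_injection": autoit_regasm_injection,
}


def triage(events):
    """Return (event_id, rule_name) for every rule each event trips."""
    return [(ev.event_id, name)
            for ev in events
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample events: four modelled on the documented chain, two benign.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\564784\setup.exe",
              "cmd /k copy Carroll Carroll.cmd & Carroll.cmd & exit"),
    ProcEvent(2, r"C:\Windows\System32\tasklist.exe", r"C:\Windows\System32\cmd.exe",
              'tasklist /fi "imagename eq avastui.exe"'),
    ProcEvent(3, r"C:\Windows\System32\PING.EXE", r"C:\Windows\System32\cmd.exe",
              "ping -n 127 127.0.0.1"),
    ProcEvent(4, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r"C:\Users\Public\564784\AutoIt3.exe", "RegAsm.exe"),
    ProcEvent(5, r"C:\Windows\System32\PING.EXE", r"C:\Windows\System32\cmd.exe",
              "ping -n 4 10.0.0.1"),
    ProcEvent(6, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              'cmd /c copy report.docx "D:\\backup\\"'),
]

if __name__ == "__main__":
    for event_id, rule in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Each rule is deliberately narrow and the four together describe the chain, so a single host tripping two or more of them within minutes is a far stronger signal than any one hit; the benign events 5 and 6 show the false-positive cases (a normal ping count, an ordinary copy) that the individual checks must not fire on.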


MITRE ATT&CK TTPs

Tactic | Technique ID | Technique Name | Handala Context
Initial Access | T1566.001 | Spear Phishing Attachment | PDF with malicious URL, current-events lures
Initial Access | T1566.002 | Spear Phishing Link | SMS phishing, links to Storj/Mega hosted payloads
Initial Access | T1190 | Exploit Public-Facing Application | Historical: SharePoint CVE-2019-0604 exploitation
Execution | T1059 | Command & Scripting Interpreter | NSIS installer → batch script → AutoIt execution chain
Execution | T1059.003 | Windows Command Shell | Obfuscated .cmd batch scripts with garbage commands
Execution | T1059.010 | AutoHotKey & AutoIT | AutoIt shellcode loader, architecture-aware (x32/x64)
Execution | T1204.002 | User Execution: Malicious File | Victim opens phishing PDF and downloads fake update
Persistence | T1505.003 | Web Shell | ASPX webshells (pickers.aspx, error4.aspx, ClientBin.aspx)
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | BYOVD: ListOpenedFileDrv_32.sys for kernel memory access
Defense Evasion | T1027 | Obfuscated Files or Information | Batch script garbage code, no-extension files in NSIS
Defense Evasion | T1497.003 | Time Based Evasion | 90–180s sleep via ping -n when no AV detected
Credential Access | T1003.001 | LSASS Memory Dumping | Credential harvesting from compromised hosts
Discovery | T1590 | Gather Victim Network Information | IP, hostname, username, domain, disk space collection
Discovery | T1589 | Gather Victim Identity Information | Public IP check via icanhazip[.]com
Lateral Movement | T1021.001 | Remote Desktop Protocol | RDP/SMB-heavy lateral movement patterns
Lateral Movement | T1021.002 | SMB/Windows Admin Shares | Internal pivoting via administrative shares
Collection | T1005 | Data from Local System | System enumeration before wiper detonation
Exfiltration | T1020 | Automated Exfiltration | Victim data auto-sent to Telegram bot C2
Exfiltration | T1567.002 | Exfil Over Web Service | Telegram API used for C2 and data exfiltration
Impact | T1485 | Data Destruction | File overwrite with random data + deletion
Impact | T1561.002 | Disk Structure Wipe | 4,096-byte random overwrite renders systems unbootable
Impact | T1490 | Inhibit System Recovery | Destruction of recovery mechanisms alongside data
Impact | T1491 | Defacement | Entra/Azure AD login page branded with Handala logo

Indicators of Compromise (IOCs)

ℹ️ IOC Handling Notice

Treat channel/claim-only indicators as soft IOCs until telemetry confirms compromise. Revalidate all network indicators against current blocklists and passive-DNS before production blocking. Hashes below are from documented Handala campaigns (Jul 2024 wiper + historical MOIS cluster). Stryker-specific IOCs are pending disclosure.

File Hashes (SHA-256) — Handala Wiper Family

SHA-256 | Description | Source
d0c03d40772cd468325bbc522402f7b737f18b8f37a89bacc5c8a00c2b87bfc6 | BiBi Wiper variant | Check Point / MOIS cluster
deeaf85b2725289d5fc262b4f60dda0c68ae42d8d46d0dc19b9253b451aea25a | Destructive payload | Check Point / Void Manticore
87f0a902d6b2e2ae3647f10ea214d19db9bd117837264ae15d622b5314ff03a5 | Wiper component | Check Point
85fa58cc8c4560adb955ba0ae9b9d6cab2c381d10dbd42a0bceb8b62a92b7636 | GoXML.exe encryptor | Check Point
74d8d60e900f931526a911b7157511377c0a298af986d42d373f51aac4f362f6 | cl.exe wiper component | Check Point
cc77e8ab73b577de1924e2f7a93bcfd852b3c96c6546229bc8b80bf3fd7bf24e | rwdsk.sys driver | Check Point
9e519211947c63d9bf6f4a51bc161f5b9ace596c2935a8eedfce4057f747b961 | ListOpenedFileDrv_32.sys (BYOVD) | Splunk/Talos

Network Indicators

Indicator | Type | Context
64.176.169.22 | IPv4 | MOIS cluster infrastructure
64.176.172.101 | IPv4 | Void Manticore C2
64.176.172.165 | IPv4 | Void Manticore C2
64.176.172.235 | IPv4 | Void Manticore infrastructure
64.176.173.77 | IPv4 | MOIS cluster infrastructure
64.176.172.0/24 | CIDR Range | Recurring Handala/Void Manticore infra block
icanhazip[.]com | URL | Public IP check (victim recon, not inherently malicious)
api.telegram[.]org/bot* | URL Pattern | C2 communication via Telegram Bot API
storjshare[.]io | Domain | Payload hosting (Jul 2024 campaign)
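The handling notice above asks for the table's indicators to be revalidated and for pattern-only entries to be treated as soft until telemetry confirms them, and the table itself mixes single addresses, a /24, defanged domains and a URL glob. The Python below is an added example of turning that table into a matcher that runs over proxy records and reports each hit with the confidence class of the indicator that fired; it is not the advisory's own tooling. The log line format, the four sample records, the 203.0.113.0/24 destinations and the bot token are constructed, and the hard/soft split is this example's reading of the notice (attributed infrastructure is hard, pattern- and recon-type entries are soft).

```python
"""Match proxy-log records against the advisory's network indicators.
Added example; the log format, sample lines and the hard/soft labelling are
constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as the advisory lists them, defanged where it defangs them.
# "hard" = infrastructure attributed to the cluster; "soft" = pattern or
# recon-type indicator that needs telemetry confirmation before blocking.
NETWORK_IOCS = [
    ("64.176.169.22", "ipv4", "hard"),
    ("64.176.172.101", "ipv4", "hard"),
    ("64.176.172.165", "ipv4", "hard"),
    ("64.176.172.235", "ipv4", "hard"),
    ("64.176.173.77", "ipv4", "hard"),
    ("64.176.172.0/24", "cidr", "hard"),
    ("icanhazip[.]com", "domain", "soft"),
    ("api.telegram[.]org/bot*", "url_pattern", "soft"),
    ("storjshare[.]io", "domain", "soft"),
]


def refang(indicator: str) -> str:
    """Undo the defanging used in the table so the value can be compared."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def glob_to_regex(pattern: str) -> re.Pattern:
    """Turn a '*' glob such as api.telegram.org/bot* into an anchored regex."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def compile_iocs(iocs=NETWORK_IOCS):
    """Pre-parse each indicator into a predicate over (dst_ip, host, host+path)."""
    compiled = []
    for raw, kind, confidence in iocs:
        value = refang(raw)
        if kind == "ipv4":
            addr = ipaddress.ip_address(value)
            fn = lambda ip, host, hp, a=addr: ip == a
        elif kind == "cidr":
            net = ipaddress.ip_network(value)
            fn = lambda ip, host, hp, n=net: ip in n
        elif kind == "domain":
            fn = lambda ip, host, hp, d=value: host == d or host.endswith("." + d)
        elif kind == "url_pattern":
            rx = glob_to_regex(value)
            fn = lambda ip, host, hp, r=rx: bool(r.match(hp))
        else:
            raise ValueError(f"unknown indicator type: {kind}")
        compiled.append((raw, confidence, fn))
    return compiled


def match_proxy_log(lines, iocs=NETWORK_IOCS):
    """Each line: '<ts> <src_ip> <dst_ip> <url> <method>' (constructed format).
    Returns (line_no, indicator_as_listed, confidence) for every hit."""
    matchers = compile_iocs(iocs)
    hits = []
    for line_no, line in enumerate(lines, 1):
        _ts, _src, dst, url, _method = line.split()
        dst_ip = ipaddress.ip_address(dst)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        host_path = host + parts.path
        for raw, confidence, fn in matchers:
            if fn(dst_ip, host, host_path):
                hits.append((line_no, raw, confidence))
    return hits


# Constructed proxy lines: 203.0.113.0/24 is documentation address space, the
# bot token is fake, and only the first destination comes from the table above.
SAMPLE_PROXY_LOG = [
    "2026-03-11T03:12:44Z 10.20.4.17 64.176.172.101 http://64.176.172.101/update.pdf GET",
    "2026-03-11T03:13:02Z 10.20.4.17 203.0.113.10 https://api.telegram.org/bot000000:CONSTRUCTED/sendMessage POST",
    "2026-03-11T03:13:05Z 10.20.4.17 203.0.113.20 https://icanhazip.com/ GET",
    "2026-03-11T03:14:10Z 10.20.4.22 203.0.113.30 https://www.example.com/index.html GET",
]

if __name__ == "__main__":
    for line_no, raw, confidence in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {raw} ({confidence})")
```

The first record hits twice (the single address and the /24 it sits in), which is the behaviour you want when the individual address later drops off a blocklist but the range stays. The icanhazip and Telegram hits are reported as soft: on their own they are recon and a widely used API, and they should be correlated with the originating process before anyone blocks them, as the table's own context column says.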

Host Artifacts

Artifact | Type | Description
Carroll | File | Obfuscated batch script (copied to Carroll.cmd)
Carroll.cmd | File | Executed batch script with AV evasion + payload staging
AutoIt3.exe | File | Concatenated from fragments, loads .a3x shellcode
L (no extension) | File | .a3x AutoIt compiled script (wiper loader)
ListOpenedFileDrv_32.sys | Driver | BYOVD driver for kernel file enumeration
OpenFileFinder.dll | DLL | Loads BYOVD driver as service
error4.aspx | Webshell | ASPX persistence (historical)
ClientBin.aspx | Webshell | ASPX persistence (historical)
pickers.aspx | Webshell | ASPX persistence (historical)
cl.exe | Executable | Wiper component (context-dependent, correlate with hash)
GoXML.exe | Executable | Encryptor/wiper paired with cl.exe
rwdsk.sys | Driver | RawDisk driver used in destructive operations
Directory: 564784 | Directory | Created to stage AutoIt components

Telegram Channels

Channel | Status | Use
t.me/HANDALA_RSS | Primary (went silent Feb 2025, resumed Jul 2025) | Claims, leak announcements, C2 coordination
@Handala_Backup | Active (post-X ban migration) | Backup claims channel


Sigma Detection Rules

SIGMA — Handala Wiper Batch Script Execution
title: Handala Wiper - Carroll Batch Script Execution
id: a7e3f0f0-hand-ala1-2026-stryker001
status: experimental
description: Detects execution pattern of Handala wiper batch script (Carroll → Carroll.cmd copy and execute)
references:
    - https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html
    - https://blog.talosintelligence.com/
author: HAWK-EYE Threat Intelligence
date: 2026/03/11
tags:
    - attack.execution
    - attack.t1059.003
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_copy:
        CommandLine|contains|all:
            - 'copy'
            - 'Carroll'
            - '.cmd'
    selection_cmd_exec:
        CommandLine|contains:
            - 'Carroll.cmd'
    condition: selection_cmd_copy or selection_cmd_exec
falsepositives:
    - Unlikely in legitimate environments
level: critical

SIGMA — Handala AV Process Reconnaissance
title: Handala Wiper - Antivirus Process Discovery
id: a7e3f0f0-hand-ala2-2026-stryker002
status: experimental
description: Detects a batch script checking for multiple AV processes before payload staging (Handala evasion pattern)
references:
    - https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html
author: HAWK-EYE Threat Intelligence
date: 2026/03/11
tags:
    - attack.discovery
    - attack.t1518.001
    - attack.defense_evasion
    - attack.t1497.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_tasklist:
        CommandLine|contains: 'tasklist'
    # Named as a selection, not a filter: it is ANDed in, not excluded
    selection_av_names:
        CommandLine|contains:
            - 'wrsa.exe'
            - 'opssvc.exe'
            - 'avastui.exe'
            - 'avgui.exe'
            - 'bdservicehost.exe'
            - 'nswscsvc.exe'
            - 'sophoshealth.exe'
    condition: selection_tasklist and selection_av_names
falsepositives:
    - IT inventory scripts that enumerate running AV processes
level: high

SIGMA — Handala BYOVD Driver Load
title: Handala Wiper - BYOVD ListOpenedFileDrv Driver Loading
id: a7e3f0f0-hand-ala3-2026-stryker003
status: experimental
description: Detects loading of ListOpenedFileDrv driver used by Handala for kernel-level file enumeration before wiping
references:
    - https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html
author: HAWK-EYE Threat Intelligence
date: 2026/03/11
tags:
    - attack.privilege_escalation
    - attack.t1068
    - attack.persistence
    - attack.t1543.003
logsource:
    category: driver_load
    product: windows
detection:
    selection_driver:
        ImageLoaded|endswith:
            - 'ListOpenedFileDrv_32.sys'
            - 'ListOpenedFileDrv.sys'
    selection_pdb:
        ImageLoaded|contains: 'openfilefinder'
    condition: selection_driver or selection_pdb
falsepositives:
    - Legitimate use of OpenFileFinder utility (rare)
level: critical

SIGMA — Handala AutoIt Shellcode Injection via Regasm
title: Handala Wiper - AutoIt Injection into Regasm.exe
id: a7e3f0f0-hand-ala4-2026-stryker004
status: experimental
description: Detects AutoIt-based shellcode injection into Regasm.exe process (Handala wiper delivery)
references:
    - https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html
author: HAWK-EYE Threat Intelligence
date: 2026/03/11
tags:
    - attack.execution
    - attack.t1059.010
    - attack.defense_evasion
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection_autoit_parent:
        ParentImage|endswith: 'AutoIt3.exe'
    selection_regasm_child:
        Image|endswith: 'RegAsm.exe'
    condition: selection_autoit_parent and selection_regasm_child
falsepositives:
    - AutoIt scripts legitimately invoking .NET assembly registration (uncommon)
level: critical

SIGMA — Handala Time-Based Evasion (Ping Delay)
title: Handala Wiper - Ping-Based Sleep Evasion
id: a7e3f0f0-hand-ala5-2026-stryker005
status: experimental
description: Detects ping -n with a count of 90 to 180 used as a sleep primitive for time-based evasion (90-180 second delays)
author: HAWK-EYE Threat Intelligence
date: 2026/03/11
tags:
    - attack.defense_evasion
    - attack.t1497.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_ping:
        CommandLine|contains|all:
            - 'ping'
            - '-n'
    # Count range is 90-180 inclusive (the previous 1[0-8][0-9] also matched 181-189)
    selection_high_count:
        CommandLine|re: 'ping(\.exe)?\s+-n\s+(9[0-9]|1[0-7][0-9]|180)\s+'
    condition: selection_ping and selection_high_count
falsepositives:
    - Network testing scripts using long ping counts
level: medium

SIGMA — Handala Telegram C2 Exfiltration
title: Handala Wiper - Telegram Bot API Communication
id: a7e3f0f0-hand-ala6-2026-stryker006
status: experimental
description: Detects outbound HTTP(S) connections to Telegram Bot API used as C2 by Handala wiper
author: HAWK-EYE Threat Intelligence
date: 2026/03/11
tags:
    - attack.exfiltration
    - attack.t1567.002
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: proxy
    product: network
detection:
    selection:
        url|contains:
            - 'api.telegram.org/bot'
        method: 'POST'
    condition: selection
falsepositives:
    - Legitimate Telegram bot integrations (correlate with process context)
level: high

SIGMA — Suspicious NSIS Installer with No-Extension Files
title: Handala Wiper - NSIS Package Suspicious File Creation
id: a7e3f0f0-hand-ala7-2026-stryker007
status: experimental
description: Detects an NSIS installer creating files without extensions in suspicious paths (Handala payload staging)
author: HAWK-EYE Threat Intelligence
date: 2026/03/11
tags:
    - attack.execution
    - attack.t1059
    - attack.defense_evasion
logsource:
    category: file_event
    product: windows
detection:
    selection_nsis:
        Image|endswith:
            - '\makensis.exe'
            - '\nsis.exe'
    selection_suspicious_path:
        TargetFilename|contains:
            - '\windows\temp\'
            - '\users\public\'
            - '\AppData\Local\Temp\'
            - '\564784\'
    # Last path component contains no dot, i.e. the file has no extension
    selection_no_extension:
        TargetFilename|re: '\\[^.\\]+$'
    condition: (selection_nsis or selection_suspicious_path) and selection_no_extension
falsepositives:
    - Legitimate NSIS installers (rare to create no-extension files)
level: high

SIGMA — Mass File Overwrite (Wiper Behavior)
title: Handala Wiper - Mass File Overwrite Detection
id: a7e3f0f0-hand-ala8-2026-stryker008
status: experimental
description: Detects rapid file modification pattern consistent with wiper behavior (mass 4096-byte overwrites)
author: HAWK-EYE Threat Intelligence
date: 2026/03/11
tags:
    - attack.impact
    - attack.t1485
    - attack.t1561.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        EventType: 'FileModified'
    timeframe: 60s
    condition: selection | count() by Image > 100
falsepositives:
    - Disk encryption tools, legitimate bulk file operations
level: critical
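The mass-overwrite rule above is a rate rule: more than 100 FileModified events from one image inside a 60-second timeframe. Backends implement `count() by Image` over a timeframe differently, so it helps to see the logic spelled out. The Python below is an added example of that sliding-window count, not the advisory's own tooling or any SIEM's implementation; the telemetry is constructed (one image modelled on the wiper loader staged in the advisory's 564784 directory, a word processor autosaving, and a backup agent), with timestamps as seconds after detonation.

```python
"""Sliding-window count of FileModified events per process image. Added
example implementing the logic of the mass-overwrite Sigma rule; all events
are constructed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # the rule's timeframe
THRESHOLD = 100       # the rule's "count() by Image > 100"
# Constructed path; 564784 is the staging directory named in the advisory.
WIPER_IMAGE = r"C:\Users\Public\564784\AutoIt3.exe"


def mass_overwrite_alerts(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """events: iterable of (ts_seconds, image, target_path) FileModified
    records, in any order. Returns one (image, window_start, trigger_ts,
    count) per image whose modification count exceeds `threshold` inside
    some `window`-second span; the first such window is reported."""
    per_image = defaultdict(list)
    for ts, image, _target in events:
        per_image[image].append(ts)
    alerts = []
    for image, stamps in per_image.items():
        recent = deque()            # timestamps inside the current window
        for ts in sorted(stamps):
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()    # slide the window forward
            if len(recent) > threshold:
                alerts.append((image, recent[0], ts, len(recent)))
                break               # one alert per image is enough for triage
    return alerts


def build_sample_events():
    """Constructed telemetry, timestamps in seconds after detonation."""
    events = []
    # Wiper loader: 150 documents overwritten at 2 per second (75 s total).
    for i in range(150):
        events.append((i * 0.5, WIPER_IMAGE,
                       rf"C:\Users\alice\Documents\file{i}.docx"))
    # Word autosave: one modification every 10 s for ten minutes.
    for i in range(60):
        events.append((i * 10,
                       r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                       r"C:\Users\alice\Documents\~$report.docx"))
    # Backup agent: 300 files over ten minutes at a steady 2 s cadence
    # (31 per 60 s window, under the threshold).
    for i in range(300):
        events.append((i * 2, r"C:\Program Files\BackupAgent\backup.exe",
                       rf"D:\staging\chunk{i}.bin"))
    return events


if __name__ == "__main__":
    for image, start, trigger, count in mass_overwrite_alerts(build_sample_events()):
        print(f"{image}: {count} modifications between t={start}s and t={trigger}s")
```

The wiper trips the threshold 50 seconds in, at the 101st overwrite, while the backup agent stays at 31 events per window. Lowering the threshold to 30 makes the backup agent alert too, which is the rule's stated false-positive class (bulk file operations, disk encryption); the per-image baseline in your own file telemetry is what should set the number, and a matching delete shortly after each overwrite is the extra signal that separates this wiper from a copier.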

YARA Detection Rules

YARA
rule Handala_Wiper_Carroll_Batch {
    meta:
        description = "Detects Handala wiper obfuscated batch script (Carroll)"
        author = "HAWK-EYE Threat Intelligence"
        date = "2026-03-11"
        reference = "https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html"
        tlp = "TLP:CLEAR"
        severity = "CRITICAL"
    
    strings:
        $cmd_copy = "cmd /k copy" ascii nocase
        $carroll = "Carroll" ascii
        $cmd_ext = ".cmd" ascii
        $exit = "& exit" ascii
        
        // AV process checks
        $av1 = "wrsa.exe" ascii nocase
        $av2 = "opssvc.exe" ascii nocase
        $av3 = "avastui.exe" ascii nocase
        $av4 = "avgui.exe" ascii nocase
        $av5 = "bdservicehost.exe" ascii nocase
        $av6 = "nswscsvc.exe" ascii nocase
        $av7 = "sophoshealth.exe" ascii nocase
        
        // Time delay evasion
        $ping_delay = "ping -n" ascii nocase
    
    condition:
        filesize < 500KB and
        (($cmd_copy and $carroll and $cmd_ext) or
         (3 of ($av*) and $ping_delay))
}

rule Handala_Wiper_AutoIt_Loader {
    meta:
        description = "Detects Handala AutoIt-based wiper payload loader"
        author = "HAWK-EYE Threat Intelligence"
        date = "2026-03-11"
        severity = "CRITICAL"
    
    strings:
        $autoit_header = "#AutoIt3Wrapper" ascii
        $rtl_decompress = "RtlDecompressFragment" ascii wide
        $shellcode_x86 = { 55 8B EC 83 EC ?? 53 56 57 }
        $shellcode_x64 = { 48 89 5C 24 ?? 48 89 74 24 ?? 57 48 83 EC }
        $regasm = "RegAsm" ascii wide nocase
        $inject_api = "NtWriteVirtualMemory" ascii wide
        $create_proc = "CreateProcessA" ascii wide
    
    condition:
        filesize < 5MB and
        ($autoit_header or $rtl_decompress) and
        ($regasm or $inject_api or $create_proc) and
        any of ($shellcode_*)
}

rule Handala_Wiper_Disk_Overwrite {
    meta:
        description = "Detects Handala wiper disk overwrite component"
        author = "HAWK-EYE Threat Intelligence"
        date = "2026-03-11"
        severity = "CRITICAL"
    
    strings:
        // File overwrite patterns
        $overwrite_func = { 8B ?? ?? 81 ?? 00 10 00 00 }  // cmp/sub r/m32, 0x1000 (the 4096-byte check); opcode 81 carries an imm32, 83 only an imm8
        $random_fill = "RtlGenRandom" ascii wide
        $zero_fill = { C7 ?? 00 00 00 00 C7 ?? 04 00 00 00 00 }
        
        // System info gathering (pre-wipe recon)
        $hostname = "COMPUTERNAME" ascii wide
        $username = "USERNAME" ascii wide
        $domain = "USERDOMAIN" ascii wide
        $diskspace = "GetDiskFreeSpaceEx" ascii wide
        
        // Telegram C2
        $telegram = "api.telegram.org" ascii wide
        $bot_token = "/bot" ascii wide
        $send_msg = "sendMessage" ascii wide
        $send_doc = "sendDocument" ascii wide
        
        // IP check
        $ip_check = "icanhazip.com" ascii wide
    
    condition:
        filesize < 10MB and
        (2 of ($overwrite_func, $random_fill, $zero_fill)) and
        (2 of ($hostname, $username, $domain, $diskspace)) and
        ($telegram or $ip_check)
}

rule Handala_BYOVD_ListOpenedFileDrv {
    meta:
        description = "Detects BYOVD driver used by Handala for kernel file enumeration"
        author = "HAWK-EYE Threat Intelligence"
        date = "2026-03-11"
        severity = "HIGH"
    
    strings:
        $pdb = "openfilefinder_src" ascii nocase
        $driver_name = "ListOpenedFileDrv" ascii wide nocase
        $device_io = "DeviceIoControl" ascii wide
        $file_object = "FILE_OBJECT" ascii wide
    
    condition:
        uint16(0) == 0x5A4D and
        filesize < 100KB and
        ($pdb or $driver_name) and
        ($device_io or $file_object)
}

rule Handala_NSIS_NoExtension_Payload {
    meta:
        description = "Detects NSIS installer with no-extension payload files (Handala delivery)"
        author = "HAWK-EYE Threat Intelligence"
        date = "2026-03-11"
        severity = "HIGH"
    
    strings:
        $nsis_header = { EF BE AD DE 4E 75 6C 6C }  // NSIS magic
        $nsis_str = "Nullsoft" ascii
        $cmd_copy_pattern = "cmd /k copy" ascii nocase
        $autoit_ref = "AutoIt" ascii nocase
        $concat_pattern = /copy\s+\/b\s+\w+\+\w+/ ascii nocase
    
    condition:
        ($nsis_header or $nsis_str) and
        ($cmd_copy_pattern or $autoit_ref or $concat_pattern)
}

rule Handala_BiBi_Wiper_Family {
    meta:
        description = "Detects BiBi wiper variants associated with Handala/Void Manticore"
        author = "HAWK-EYE Threat Intelligence"
        date = "2026-03-11"
        reference = "Check Point Research - Void Manticore"
        severity = "CRITICAL"
    
    strings:
        $bibi_str1 = "BiBi" ascii wide nocase
        $bibi_str2 = "[+] Stats:" ascii
        $wiper_msg = "You have been pwned" ascii wide nocase
        $ext_target = ".pdf" ascii
        $ext_target2 = ".docx" ascii
        $ext_target3 = ".xlsx" ascii
        
        // Disk operations
        $raw_disk = "\\\\.\\PhysicalDrive" ascii wide
        $partition = "\\\\.\\PHYSICALDRIVE" ascii wide
        $mbr_access = { B8 00 00 00 00 BA 00 00 00 00 }
    
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (($bibi_str1 or $bibi_str2 or $wiper_msg) and
         ($raw_disk or $partition or $mbr_access))
}

Defensive Recommendations

🔴
Immediate Actions (Next 24 Hours)

  • Block IOCs — Import all network indicators (64.176.172.0/24 range, Telegram bot API patterns) into firewalls, proxy, and EDR blocklists
  • Deploy YARA/Sigma rules — Push detection rules to SIEM and endpoint agents immediately
  • Audit Intune/MDM permissions — Review who has device wipe capabilities. Restrict to minimum necessary admins. Enable approval workflows for mass wipe operations
  • Audit Entra/Azure AD admin accounts — Force password reset on all Global Admin and Intune Admin accounts. Enable FIDO2/hardware key MFA (not SMS/authenticator app alone)
  • Verify offline backup integrity — Confirm air-gapped backups exist and are recoverable. Test restoration procedures. Wiper attacks may target backup infrastructure
  • Alert SOC teams — Brief analysts on Handala TTPs, specifically: Carroll batch script pattern, AutoIt injection into Regasm.exe, BYOVD driver loading, Telegram C2

🟡
Short-Term Hardening (Next 7 Days)

  • Implement BYOVD protection — Enable Microsoft Vulnerable Driver Blocklist (HVCI). Block unsigned/known-vulnerable driver loading via Windows Defender Application Control (WDAC)
  • Harden AutoIt/scripting — Block or alert on AutoIt3.exe execution in corporate environments via AppLocker/WDAC. Most enterprises have no legitimate need for AutoIt
  • Restrict NSIS installer execution — Flag and quarantine NSIS-packaged executables that are not from verified software vendors
  • Phishing resilience — Push targeted awareness on current-events lures. Handala exploits breaking news for phishing campaigns. Brief staff on fake "update" and "fix" social engineering
  • Segment MDM infrastructure — Isolate Intune/SCCM admin interfaces behind conditional access policies. Require compliant device + named location + phishing-resistant MFA
  • Review supplier/partner access — Handala has used trusted supplier channels and CRM pathways for initial access. Audit third-party integrations with elevated permissions
  • Prepare communications playbook — Handala's operational doctrine weaponizes narrative velocity. Claims and leaks will outpace forensic validation. Have pre-approved holding statements ready that separate verified facts from adversary propaganda

🟢
Strategic Resilience (Next 30 Days)

  • Wiper-resilient architecture — Implement immutable infrastructure patterns. Use ephemeral workstations where possible. Ensure golden image recovery can rebuild endpoints within hours, not days
  • Air-gapped backup verification — Conduct quarterly restore drills. Ensure backup systems cannot be reached from compromised admin accounts. Test "nuclear option" — full environment rebuild from scratch
  • Zero Trust for admin pathways — Implement Privileged Access Workstations (PAWs) for all Entra/Intune/Exchange administration. No admin operations from standard endpoints
  • Threat hunt for precursor activity — Hunt for ASPX webshells (error4.aspx, ClientBin.aspx, pickers.aspx), unusual Telegram API traffic, and files in directory named "564784"
  • Tabletop exercise — Run a wiper attack scenario. Key question: if all managed devices are wiped simultaneously, what is your recovery time? If the answer is "weeks," your architecture needs work
  • GCC/Middle East organizations — While Handala primarily targets Israeli entities, spillover to regional partners is documented. Organizations with Israeli business relationships or US defense contracts face elevated risk. Review supply chain exposure

Threat Landscape Visualization

Charts not reproduced in the text version: "Attack Techniques by Frequency" and "Campaign Timeline: Handala Operations".


References & Sources

  1. Splunk + Cisco Talos — "Handala's Wiper: Threat Analysis and Detections" (2024)
  2. Check Point Research — "Void Manticore: Destructive Activities Targeting Israel" (May 2024)
  3. Microsoft — "Storm-0842 / Storm-842 Activity Tracking" (2024–2026)
  4. CrowdStrike — "BANISHED KITTEN Threat Profile" (2024–2026)
  5. Andrey Pautov / Medium — "CTI Research: Handala Hack Group" (March 6, 2026)
  6. IBM X-Force Exchange — "Handala Hacking Team Profile" (2024–2026)
  7. Newsweek — "Stryker cyberattack: Alleged Iran-linked group Handala causes outage" (March 11, 2026)
  8. CyberSecurity News — "Stryker Cyber Attack - Hackers Claim System Breach and Device Wipe" (March 11, 2026)
  9. Krebs on Security — "Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker" (March 11, 2026)
  10. WANA News Agency — "Hacker Group Handala Claims Hack of Stryker Corporation" (March 11, 2026)
  11. RTE Ireland — "Stryker's Cork base impacted by global cyber attack" (March 11, 2026)
  12. Cork Beo — "Cork Stryker plants hit by suspected global Iranian-linked cyberattack" (March 11, 2026)
  13. CSIS — "Iran Cyber Escalation Assessment Post-February 2026 Strikes" (March 2026)
  14. Trellix — "Handala's Wiper Targets Israel" (July 2024)
  15. ODNI/FBI/CISA — Joint Statement on Iranian Cyber Influence Operations (August 2024)