Handala Hack: The Iranian Group Disrupting Western Targets
A relatively new Iranian-linked hacking group, known as Handala Hack, has rapidly gained prominence through a series of disruptive cyberattacks against Western interests. Initially operating with a low profile, Handala Hack has escalated its activities, most recently executing a destructive attack against medical technology firm Stryker, impacting operations across 79 countries. This article examines the group’s origins, tactics, and motivations, as well as the broader implications for cybersecurity.
Origins and Identity
Handala Hack first emerged in December 2023, presenting itself as a pro-Palestinian hacktivist collective. The group derives its name and imagery from Handala, a well-known character created by Palestinian artist Naji al-Ali, symbolizing Palestinian resistance [1]. However, security researchers, particularly within Israel’s cybersecurity industry, now widely believe Handala Hack to be a front for Iran’s Ministry of Intelligence (MOIS) [2], [3].
Recent Activities: The Stryker Attack
On March 11, 2026, Handala Hack launched a significant cyberattack against Stryker Corporation, a major medical technology company. The attack involved abusing Stryker’s Microsoft Intune MDM platform to issue remote wipe commands to over 200,000 corporate and BYOD-enrolled devices [1]. This “living-off-the-land” technique bypassed traditional endpoint security controls, causing widespread disruption. Stryker’s Lifenet EKG transmission system was disrupted, with Maryland reporting statewide non-functionality, directly impacting patient safety [1]. The company filed a regulatory disclosure with the SEC acknowledging ongoing operational disruption [1]. CISA has launched a formal investigation.
Handala Hack claimed to have exfiltrated 50 terabytes of data prior to the wipe, though this claim remains unconfirmed [1].
Motivations and Retaliation
The group publicly stated that the Stryker attack was in retaliation for the killing of at least 165 civilians at a girls’ school in Iran by an American Tomahawk missile, as well as ongoing cyber assaults against the “Axis of Resistance” [2]. Analysts suggest that such attacks serve a psychological purpose, allowing Iran to retaliate against adversaries with limited military means [2]. By targeting a critical infrastructure provider like Stryker, Iran aims to demonstrate its ability to inflict damage on the US and its allies.
Broader Implications
Handala Hack’s activities highlight a growing trend of Iranian state-sponsored cyberattacks disguised as hacktivism. By operating under the guise of a grassroots movement, these actors can conduct destructive operations while maintaining a degree of plausible deniability [2]. The Stryker attack also establishes a new threat model for enterprise cloud environments, demonstrating the vulnerability of centralized endpoint management platforms to large-scale attacks.
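The Stryker incident described above (mass remote-wipe commands issued through a legitimate MDM console) and the threat model this section draws from it both point to the same defensive control: the MDM audit trail must be monitored for an abnormal burst of destructive commands from a single identity. The following is an added example written for this article; it is not code from the article, from Stryker, or from Microsoft. The event field names (activityDateTime, actor, activityType, device), the activity labels "wipe" and "retire", the thresholds, and the sample log lines are all constructed assumptions, so map them onto your own platform's audit export before use.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Activity labels treated as destructive. These are assumed names, not a
# vendor's exact enum; substitute the real audit activityType values.
DESTRUCTIVE_ACTIVITIES = {"wipe", "retire"}

# Constructed sample audit log, one JSON event per line. The schema is an
# assumption modelled on typical MDM audit exports, not a real capture.
# "helpdesk" performs two routine wipes hours apart; "svc-mdm-admin"
# issues six destructive commands in under three minutes.
SAMPLE_AUDIT_LOG = """\
{"activityDateTime": "2026-03-11T02:00:05Z", "actor": "helpdesk@example.com", "activityType": "wipe", "device": "LT-0101"}
{"activityDateTime": "2026-03-11T03:15:40Z", "actor": "helpdesk@example.com", "activityType": "sync", "device": "LT-0102"}
{"activityDateTime": "2026-03-11T04:20:00Z", "actor": "helpdesk@example.com", "activityType": "wipe", "device": "LT-0103"}
{"activityDateTime": "2026-03-11T05:00:00Z", "actor": "svc-mdm-admin@example.com", "activityType": "wipe", "device": "LT-0201"}
{"activityDateTime": "2026-03-11T05:00:30Z", "actor": "svc-mdm-admin@example.com", "activityType": "wipe", "device": "LT-0202"}
{"activityDateTime": "2026-03-11T05:01:00Z", "actor": "svc-mdm-admin@example.com", "activityType": "retire", "device": "PH-0310"}
{"activityDateTime": "2026-03-11T05:01:30Z", "actor": "svc-mdm-admin@example.com", "activityType": "wipe", "device": "LT-0203"}
{"activityDateTime": "2026-03-11T05:02:00Z", "actor": "svc-mdm-admin@example.com", "activityType": "wipe", "device": "LT-0204"}
{"activityDateTime": "2026-03-11T05:02:30Z", "actor": "svc-mdm-admin@example.com", "activityType": "wipe", "device": "LT-0205"}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON audit events into dicts with a UTC 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        # Accept the trailing "Z" form as well as explicit offsets.
        ts = datetime.fromisoformat(raw["activityDateTime"].replace("Z", "+00:00"))
        events.append({
            "ts": ts.astimezone(timezone.utc),
            "actor": raw["actor"],
            "activity": raw["activityType"].lower(),
            "device": raw.get("device"),
        })
    return events


def detect_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each actor whose destructive commands within any sliding time
    window reach `threshold`. Returns one alert per actor, describing the
    densest window observed for that actor."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["activity"] in DESTRUCTIVE_ACTIVITIES:
            per_actor[ev["actor"]].append(ev)

    alerts = []
    for actor, evs in per_actor.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()  # destructive events inside the current window
        best = None
        for ev in evs:
            recent.append(ev)
            # Drop events that fell out of the window ending at this event.
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) >= threshold and (best is None or len(recent) > best["count"]):
                best = {
                    "actor": actor,
                    "count": len(recent),
                    "devices": sorted({e["device"] for e in recent}),
                    "window_start": recent[0]["ts"],
                    "window_end": ev["ts"],
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_wipe_bursts(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{alert['actor']}: {alert['count']} destructive commands "
              f"between {alert['window_start']:%H:%M:%S} and {alert['window_end']:%H:%M:%S} "
              f"on {len(alert['devices'])} devices")
```

Run as a script, the sample flags only svc-mdm-admin@example.com; the helpdesk account's two wipes two hours apart stay below the default threshold, which is the point of keying the rule on rate per identity rather than on raw counts. In production the threshold and window should be set from a baseline of legitimate wipe volume, and a hit on a privileged or service principal is a candidate for automated response (session revocation, role removal) rather than a ticket.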
Previous Activity
Prior to the Stryker attack, Handala Hack had engaged in a series of destructive wiping attacks and influence operations, though it maintained a comparatively lower profile [2]. In July 2025, the group targeted five Iran International journalists, including one based in Canada, in a “hack and leak” operation [1].