Handala & MuddyWater: MDM Weaponization at Enterprise Scale

On 11 March 2026, an Iranian two-team operation destroyed 200,000 enterprise devices at Stryker without deploying a single piece of malware. One compromised Global Administrator account. One MDM console. Five hours. Swarm Brief 2602 maps the TTPs behind the Handala and MuddyWater operation and the scenario CovertSwarm would run against your environment.

Handala & MuddyWater

Swarm Brief 2602 / March 2026

An Iranian two-team operation wiped 200,000 devices at Stryker through Microsoft Intune in under five hours. No malware was deployed. No zero-days were exploited. The management console executed legitimate commands.

Executive Summary

An Iranian two-team operation dismantled 200,000 enterprise devices without deploying a single piece of malware.

On 11 March 2026, Handala wiped more than 200,000 devices across Stryker, a Fortune 500 medical technology company operating in 79 countries. Handala used a compromised Global Administrator account to issue remote wipe commands through Microsoft Intune. No malware was deployed. No zero-days were exploited. The execution window was under five hours.

Separately, Symantec confirmed that MuddyWater, an IRGC-affiliated APT group, deployed signed backdoors across a US bank, a US airport operator, and a US defense software company from early February 2026. Tenable assesses that MuddyWater’s two-team doctrine, gaining access and handing it to a destructive team, was the model used at Stryker. The specific initial access method at Stryker has not been publicly confirmed.

This brief covers what is known about both operations, maps the TTPs attributed to each group, and presents the scenario CovertSwarm would run to test whether your environment would survive the same approach.

Threat Insight

01: Strategic pre-positioning

IRGC has publicly declared US-Israeli economic and technology interests as targets. Recorded Future and Flashpoint identify Amazon, Google, Microsoft, Oracle, Palantir, and Nvidia among the named organizations. AWS datacenters in Bahrain and the UAE have already been struck. Over 60 pro-Iranian hacktivist groups mobilized within hours of US and Israeli military strikes on Iran in February.

Tenable’s analysis of the broader campaign warns that MuddyWater’s pre-positioned access across US infrastructure will persist for months or years after any ceasefire. Stryker is the first confirmed destructive use of this access. It is unlikely to be the last.

Attackers can activate dormant access on strategic timelines because pre-positioning is designed to survive the news cycle. The access established in February is still active. The question is where else it exists.

02: Signed backdoor persistence

Symantec’s Threat Hunter Team confirmed that Iranian APT MuddyWater (Seedworm) deployed a previously undocumented backdoor called Dindoor inside a US bank, a US airport operator, and the Israeli arm of a US defense software company. A second Python-based backdoor, Fakeset, was found on the airport network and a US non-profit. Dindoor uses the Deno JavaScript runtime and was signed with a certificate issued to “Amy Cherne,” giving it the appearance of legitimate software. The activity began in early February 2026.

MuddyWater acts as the initial access broker: it establishes persistence, exfiltrates data, and hands the network to a second team for the destructive phase. Tenable assesses that this two-team doctrine was the model for the Stryker attack, though the specific initial access method at Stryker has not been publicly confirmed.

Attackers can maintain persistent access inside regulated infrastructure for weeks using backdoors that endpoint controls classify as legitimate. Dindoor runs inside a signed runtime. The malicious behavior is in the script it executes, not in the binary itself.
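The point above is that a valid code signature on a runtime says nothing about the script it is handed. The check below is an added example written for this brief, not code from Symantec, CovertSwarm or the Dindoor analysis: it triages constructed process-creation records and flags a script runtime (Deno, Node, Python, PowerShell) whenever the script it launches lives in a user-writable directory, regardless of whether the runtime binary is signed. The record field names (host, image, command_line, signed, signer) and the sample events are assumptions, not an EDR vendor's schema.

```python
"""Flag signed script runtimes executing scripts from user-writable paths.

Added example. Process-creation records below are constructed; the field
names are assumptions rather than any product's telemetry schema.
"""
import re
from pathlib import PureWindowsPath

# Runtimes whose signature covers only the interpreter, never the script it runs
SCRIPT_RUNTIMES = {"deno.exe", "node.exe", "python.exe", "pythonw.exe",
                   "wscript.exe", "cscript.exe", "powershell.exe"}
SCRIPT_EXTENSIONS = {".js", ".ts", ".py", ".ps1", ".vbs"}
# Path fragments that an ordinary user can write to (lower-cased for matching)
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\public\\")


def tokens_of(command_line):
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]


def suspicious_script_path(command_line):
    """Return the first script argument that sits under a user-writable path."""
    for tok in tokens_of(command_line)[1:]:  # skip the executable itself
        if PureWindowsPath(tok).suffix.lower() in SCRIPT_EXTENSIONS:
            if any(marker in tok.lower() for marker in USER_WRITABLE_MARKERS):
                return tok
    return None


def triage(events):
    """One hit per record where a script runtime runs a script from a user-writable path.
    The signature status is reported, never used to suppress the hit."""
    hits = []
    for ev in events:
        runtime = PureWindowsPath(ev["image"]).name.lower()
        if runtime not in SCRIPT_RUNTIMES:
            continue
        script = suspicious_script_path(ev["command_line"])
        if script:
            hits.append({"host": ev["host"], "runtime": runtime, "signed": ev["signed"],
                         "signer": ev.get("signer"), "script": script})
    return hits


# Constructed sample: a signed Deno runtime executing a script from AppData,
# a legitimate Node service under Program Files, an unrelated process, and a
# PowerShell script launched from the Public folder.
SAMPLE_EVENTS = [
    {"host": "WS-0101", "image": r"C:\Program Files\deno\deno.exe",
     "command_line": r'deno.exe run -A "C:\Users\jdoe\AppData\Roaming\Updater\main.ts"',
     "signed": True, "signer": "Example Publisher (constructed)"},
    {"host": "SRV-0007", "image": r"C:\Program Files\nodejs\node.exe",
     "command_line": r'node.exe "C:\Program Files\App\server.js"',
     "signed": True, "signer": "Example Vendor (constructed)"},
    {"host": "WS-0101", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe notes.txt", "signed": True, "signer": "Microsoft"},
    {"host": "WS-0233", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -NoProfile -File "C:\Users\Public\run.ps1"',
     "signed": True, "signer": "Microsoft"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The rule deliberately keys on where the script comes from, not on who signed the interpreter; in the Dindoor case the runtime carried a valid signature and only the script it loaded was hostile.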

03: MDM weaponization

On 11 March, Handala wiped more than 200,000 devices, servers, and mobile endpoints at Stryker, a Fortune 500 medical technology company operating across 79 countries. The destructive phase used Microsoft Intune. Handala compromised a Global Administrator account in Microsoft Entra ID and issued legitimate remote wipe commands through the MDM console. No malware was deployed. No zero-days were exploited. The management platform did exactly what it was designed to do.

Handala claims to have exfiltrated 50 terabytes of data and defaced Stryker’s Entra login pages. Employees across 79 countries were sent home. The execution window was under five hours.

Attackers can destroy an entire enterprise device fleet with one compromised admin account and one API call. The MDM console is not a vulnerability. It is a capability. When the credentials controlling it are compromised, the management plane becomes the weapon.

Attack Scenario

Each Swarm Brief includes a scenario mapping how CovertSwarm would replicate the documented attack chain against your environment.

Rather than testing to a generic framework, each scenario follows the specific TTPs the threat actors used: their access methods, persistence mechanisms, and impact objectives.

The objective is not to simulate an attack. It is to establish whether your environment would detect, interrupt, or survive the same approach.

Reconnaissance and social engineering

CovertSwarm will begin by targeting the identity plane. Passive reconnaissance will map the target’s Microsoft Entra tenant structure, Global Administrator accounts, and Intune enrollment configuration through publicly exposed endpoints and OSINT. Initial access comes through voice phishing. An operator will call a target employee posing as IT support and direct them to a credential-harvesting proxy that captures both credentials and MFA tokens in real time. This mirrors the social engineering techniques attributed to the broader SLSH alliance, which operates in coordination with Iranian state groups.

Identity plane compromise and privilege escalation

Once inside the identity provider, CovertSwarm will attempt to escalate to Global Administrator privileges. This may involve abusing Entra ID role assignment paths, exploiting conditional access policy gaps, or chaining permissions from a compromised mid-tier admin account. The objective is to reach a privilege level that controls Intune, Entra ID, and the broader Microsoft 365 tenant.
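The "conditional access policy gaps" named above are concrete and checkable from the tenant's own configuration. The script below is an added example for this brief, not CovertSwarm's tooling or Microsoft code: it takes data shaped like the Microsoft Graph conditionalAccessPolicy object (state, conditions.users include/exclude lists, conditions.applications, grantControls) and reports every Global Administrator that is not protected by an enabled, tenant-wide MFA policy, while skipping an approved break-glass set. The users, groups and policies are constructed; the Global Administrator roleTemplateId is the fixed well-known value, and the admin-count ceiling is a local choice.

```python
"""Conditional Access coverage check for Global Administrators.

Added example. Input shapes follow the Microsoft Graph conditionalAccessPolicy
object; all users, groups and policies below are constructed.
"""

# Fixed roleTemplateId of the Global Administrator directory role
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"


def enforces_mfa_for_all_apps(policy):
    """True only for an enabled policy requiring MFA (or an authentication
    strength) on all cloud apps. Report-only and disabled policies enforce nothing."""
    if policy.get("state") != "enabled":
        return False
    grant = policy.get("grantControls") or {}
    requires_mfa = "mfa" in grant.get("builtInControls", []) or bool(grant.get("authenticationStrength"))
    apps = policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])
    return requires_mfa and "All" in apps


def _users_block(policy):
    return policy.get("conditions", {}).get("users", {})


def is_included(policy, user):
    u = _users_block(policy)
    return ("All" in u.get("includeUsers", [])
            or user["id"] in u.get("includeUsers", [])
            or bool(set(user["groups"]) & set(u.get("includeGroups", [])))
            or bool(set(user["roles"]) & set(u.get("includeRoles", []))))


def is_excluded(policy, user):
    u = _users_block(policy)
    return (user["id"] in u.get("excludeUsers", [])
            or bool(set(user["groups"]) & set(u.get("excludeGroups", [])))
            or bool(set(user["roles"]) & set(u.get("excludeRoles", []))))


def audit_global_admins(users, policies, break_glass_ids, max_global_admins=5):
    """One finding per Global Administrator without enforced MFA coverage.
    Approved break-glass accounts are expected to be excluded and are skipped;
    any other exclusion is reported, as is an account no policy reaches."""
    findings = []
    admins = [u for u in users if GLOBAL_ADMIN_ROLE in u["roles"]]
    if len(admins) > max_global_admins:
        findings.append({"upn": "*", "reason": f"{len(admins)} Global Administrators exceed the ceiling of {max_global_admins}"})
    enforced = [p for p in policies if enforces_mfa_for_all_apps(p)]
    for u in admins:
        if u["id"] in break_glass_ids:
            continue
        excluded_from = [p["displayName"] for p in enforced if is_excluded(p, u)]
        if excluded_from:
            findings.append({"upn": u["upn"], "reason": "excluded from enforced MFA policy: " + ", ".join(excluded_from)})
            continue
        if not any(is_included(p, u) for p in enforced):
            findings.append({"upn": u["upn"], "reason": "no enforced MFA policy covers this account"})
    return findings


# Constructed tenant: five Global Administrators, one approved break-glass
# account, one admin carved out of the policy by a user exclusion, one admin
# outside the targeted group, and a report-only policy that enforces nothing.
SAMPLE_USERS = [
    {"id": "u-alice", "upn": "ga-alice@contoso.example", "roles": [GLOBAL_ADMIN_ROLE], "groups": ["grp-admins"]},
    {"id": "u-bob", "upn": "ga-bob@contoso.example", "roles": [GLOBAL_ADMIN_ROLE], "groups": ["grp-breakglass"]},
    {"id": "u-carol", "upn": "ga-carol@contoso.example", "roles": [GLOBAL_ADMIN_ROLE], "groups": ["grp-admins"]},
    {"id": "u-dave", "upn": "ga-dave@contoso.example", "roles": [GLOBAL_ADMIN_ROLE], "groups": ["grp-admins"]},
    {"id": "u-erin", "upn": "ga-erin@contoso.example", "roles": [GLOBAL_ADMIN_ROLE], "groups": []},
    {"id": "u-frank", "upn": "frank@contoso.example", "roles": [], "groups": []},
]
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for admin group", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-admins"], "excludeGroups": ["grp-breakglass"],
                              "excludeUsers": ["u-carol"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for all users (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]
BREAK_GLASS = {"u-bob"}


def run_sample():
    return audit_global_admins(SAMPLE_USERS, SAMPLE_POLICIES, BREAK_GLASS)


if __name__ == "__main__":
    for f in run_sample():
        print(f["upn"], "->", f["reason"])
```

Against a live tenant the same logic runs over the output of the `/identity/conditionalAccess/policies` and directory-role-member endpoints; the two findings the sample produces (a per-user exclusion and an admin outside the included group) are exactly the kind of gap a privilege-escalation step looks for.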

MDM weaponization

With Global Admin access established, CovertSwarm will demonstrate the destructive capability Handala executed at Stryker: issuing remote wipe commands through the Intune console to managed devices. This tests whether break-glass procedures, conditional access policies, and admin account monitoring can detect and interrupt the attack before execution completes. CovertSwarm will also attempt to modify Entra login pages and disable competing admin accounts, replicating the full scope of the Stryker operation.
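Section 03 makes the point that a wipe issued through Intune is a legitimate command, and the scenario step above asks whether admin account monitoring would catch it before execution completes. The detector below is an added example for this brief, not CovertSwarm's or Microsoft's code: it reads records shaped like the Microsoft Graph deviceManagement/auditEvents resource (activityDateTime, activityType, actor, resources) and raises one alert per actor whose destructive device commands exceed a count inside a sliding window, plus a separate list of destructive commands from identities outside an approved set. The activityType spellings, the approved-actor list and every event are constructed; none of the values come from the Stryker incident.

```python
"""Burst and unapproved-actor detection over Intune audit events.

Added example. Record shape follows the Microsoft Graph auditEvent resource;
activityType spellings, actor names and timestamps are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Substrings that mark a device-lifecycle action as destructive (assumed spellings)
DESTRUCTIVE_MARKERS = ("wipe", "retire", "delete")


def is_destructive(event):
    return any(m in event.get("activityType", "").lower() for m in DESTRUCTIVE_MARKERS)


def actor_of(event):
    actor = event.get("actor") or {}
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "unknown"


def parse_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def detect_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per actor when `threshold` destructive commands land inside
    `window`. A per-actor deque keeps only timestamps still inside the window,
    so memory stays bounded on a long export."""
    alerts, fired = [], set()
    recent = defaultdict(deque)
    destructive = sorted((e for e in events if is_destructive(e)),
                         key=lambda e: parse_time(e["activityDateTime"]))
    for ev in destructive:
        actor, ts = actor_of(ev), parse_time(ev["activityDateTime"])
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and actor not in fired:
            fired.add(actor)
            alerts.append({"actor": actor, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts


def unapproved_destructive(events, approved_actors):
    """Every destructive command from an actor outside the approved set; a single
    wipe from an identity that never manages devices is worth a ticket on its own."""
    return [ev for ev in events if is_destructive(ev) and actor_of(ev) not in approved_actors]


def _ev(stamp, upn, activity, device):
    return {"activityDateTime": stamp, "activityType": activity,
            "actor": {"userPrincipalName": upn},
            "resources": [{"displayName": device}]}


# Constructed sample: a routine retire and a patch action by the helpdesk, then
# six wipes across five minutes from a Global Administrator account that is not
# on the approved list of device-management identities.
SAMPLE_EVENTS = [
    _ev("2026-03-11T04:00:10Z", "helpdesk@contoso.example", "retire ManagedDevice", "LAPTOP-0042"),
    _ev("2026-03-11T04:00:30Z", "helpdesk@contoso.example", "Patch ManagedDevice", "LAPTOP-0042"),
] + [
    _ev(f"2026-03-11T04:{10 + i:02d}:00Z", "ga-admin@contoso.example", "wipe ManagedDevice", f"WS-{i:04d}")
    for i in range(6)
]

APPROVED_ACTORS = {"helpdesk@contoso.example"}

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print("BURST", alert)
    for ev in unapproved_destructive(SAMPLE_EVENTS, APPROVED_ACTORS):
        print("UNAPPROVED", actor_of(ev), ev["activityType"], ev["resources"][0]["displayName"])
```

The burst alert fires on the fifth wipe, well inside the five-hour window the brief describes; the unapproved-actor list fires on the first one, which is the signal a response runbook should key on, since by the time a burst is visible devices are already being wiped.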

TTP Mapping

The following table maps the attack chain to MITRE ATT&CK and identifies the flags CovertSwarm will use to measure assessment progress.

| Phase | Flag | MITRE ATT&CK ID |
| --- | --- | --- |
| Reconnaissance | Enumerate Microsoft Entra tenant structure, Global Admin accounts, and Intune enrollment configuration via publicly exposed endpoints | T1589.001 |
| Reconnaissance | Identify target employees for voice phishing via LinkedIn and public sources | T1589.002 |
| Initial Access | Conduct voice phishing campaign impersonating IT support to harvest credentials and real-time MFA tokens | T1566.004 |
| Privilege Escalation | Escalate from compromised account to Global Administrator via Entra ID role assignment or conditional access gaps | T1078.004 |
| Persistence | Register rogue application in Entra ID to maintain access beyond password resets and session revocations | T1098.003 |
| Defense Evasion | Disable competing admin accounts and modify conditional access policies to prevent lockout | T1562.001 |
| Impact | Issue legitimate remote wipe commands via Intune MDM console to managed devices | T1561.002 |
| Impact | Deface Microsoft Entra login pages to demonstrate control of identity infrastructure | T1491.002 |
| Impact | Demonstrate data exfiltration path via cloud storage APIs from compromised tenant | T1567.002 |

Stop testing. Start attacking.

Most security programs are built around evidence of compliance: periodic assessments, documented controls, and findings that close before the next audit cycle opens. The Handala operation engaged none of those controls. It used legitimate credentials, a legitimate management console, and a five-hour execution window. The gap between what a program is designed to find and what an adversary is willing to do is the gap that matters.

Sources: