    InfoSec News Nuggets 03/13/2026 – AboutDFIR

By admin, March 22, 2026

    Medtech Giant Stryker Offline After Iran-Linked Wiper Malware Attack

    Fortune 500 medical technology company Stryker — manufacturer of surgical and neurotechnology equipment with over 53,000 employees and $22.6 billion in 2024 global sales — has been forced into a global operational shutdown after the pro-Iranian hacktivist group Handala claimed to have wiped more than 200,000 systems, servers, and mobile devices across the company’s 79-country office footprint, simultaneously exfiltrating 50 terabytes of critical data before triggering the wiper. Stryker confirmed the attack in an SEC Form 8-K filing dated March 11 acknowledging “a cybersecurity incident affecting certain information technology systems of the Company that has resulted in a global disruption to the Company’s Microsoft environment,” with employees across the United States, Ireland, Costa Rica, and Australia reporting that MDM-enrolled devices — including personal phones enrolled for work access — were remotely wiped, Entra login pages defaced with Handala’s logo, and impacted locations reverting to pen-and-paper workflows as internal services and applications became unavailable. Handala, which is linked to Iran’s Ministry of Intelligence and Security and first emerged in December 2023, has historically focused on Israeli organizations but has steadily broadened its targeting to U.S. defense-adjacent companies, and the Stryker attack closely follows similar destructive intrusions against a U.S. defense and aerospace software supplier and a U.S. bank reported earlier this month by Symantec. (Note: BleepingComputer blocks automated fetches but is fully accessible in-browser.)


    Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks

IBM X-Force researchers have documented Slopoly, a new post-exploitation framework assessed with high confidence to have been generated with AI assistance, deployed by the financially motivated threat actor Hive0163 — a group primarily known for Interlock ransomware attacks — during a series of early 2026 intrusions where Slopoly was used after initial access to maintain persistent server-side footholds lasting more than a week while data exfiltration and eventual ransomware staging proceeded in parallel. Implemented across PowerShell, PHP, C/C++, Java, and JavaScript to support both Windows and Linux environments, Slopoly communicates with remote C2 infrastructure to launch SOCKS5 proxy tunnels, spawn reverse shells, and deliver additional payloads, and shares architectural DNA with the group’s NodeSnake implant — suggesting iterative AI-assisted refinement of a common codebase rather than ground-up development. IBM researcher Golo Mühr noted that while Slopoly is not technically sophisticated compared to nation-state tooling, the speed at which it was developed and deployed is the real warning sign: AI is dramatically compressing the time between “idea” and “functional malware,” and defenders should expect Hive0163 and similar groups to accelerate their tooling refresh cycles in ways that quickly outpace signature-based detection approaches.


    Iranian Influence Operation Using Fake Personas to Deceive U.S. Instagram Users Disrupted, Meta Says

    Meta announced Wednesday that it disrupted an Iranian state-linked influence operation that had been running since 2024 on X before expanding to Facebook and Instagram in summer 2025, using roughly 300 accounts and pages built around “sophisticated fake personas” — including a political scientist, a women’s rights activist, and a satirical cartoonist — each given detailed AI-generated profile photos, fabricated backstories, and occupational credibility as cover for gradually introducing anti-U.S. and politically divisive messaging to American users after first building genuine relationships through non-political engagement. Meta’s director of global threat disruption, David Agranovich, described the tactic as a classic long-game influence operation: earn trust through authentic-seeming interaction, then weaponize that trust for narrative injection — a pattern the company linked through behavioral and infrastructure signals to previously identified Iranian operations, shutting it down before it had gained significant real-user traction, with only about 41,000 accounts following the Instagram personas. Notably, Meta said it has not yet observed major new Iranian influence campaigns specifically tied to the ongoing military escalation between Iran, Israel, and the U.S., though analysts caution that the disruption of this network may simply push activity toward platforms or personas that have not yet been identified.


    Critical Zero-Click Flaw in n8n Allows Full Server Compromise

    Pillar Security researchers have disclosed two severe vulnerabilities in n8n — the widely deployed AI workflow automation platform that serves as a credential vault and orchestration hub for enterprise systems including AWS, GitHub, OpenAI, Anthropic, and Salesforce — that together enable full server compromise: CVE-2026-27577 (CVSS 9.4), a sandbox escape in the expression compiler where a missing case in the AST rewriter allows any authenticated user to achieve full remote code execution, and CVE-2026-27493 (CVSS 9.5), a zero-click unauthenticated “double-evaluation bug” in n8n’s Form nodes that turns any public-facing contact or intake form into an arbitrary shell command execution point accessible without any credentials whatsoever. Post-exploitation is described as trivially straightforward: reading the N8N_ENCRYPTION_KEY environment variable allows an attacker to decrypt every stored credential in n8n’s database — AWS keys, database passwords, OAuth tokens, API keys — and on multi-tenant n8n Cloud deployments, Pillar confirmed that sandbox escapes extend across tenant boundaries, meaning a single public form on one customer’s workflow could serve as the entry point to compromise shared infrastructure affecting all tenants on the cluster. CISA added both CVEs to its Known Exploited Vulnerabilities catalog and ordered federal civilian agencies to patch; self-hosted operators should update to n8n versions 2.10.1, 2.9.3, or 1.123.22 and immediately rotate all stored credentials if running an affected version.
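The remediation step in the n8n item (update to 2.10.1, 2.9.3 or 1.123.22, then rotate every stored credential) is easy to get wrong across a fleet that runs several release branches, because "2.9.5" is patched while "2.10.0" is not. The script below is an added example, not code from the page, from Pillar Security or from the n8n project: it performs a branch-aware triage of an inventory of n8n versions against the three fixed releases named above. The fix versions come from the summary; the per-branch comparison rule, the hostnames and the version strings in the sample inventory are constructed assumptions, and versions on a major line the advisory does not cover are reported as unknown rather than guessed.

```python
"""Branch-aware triage of n8n versions against the fixed releases named in the
advisory summary (2.10.1, 2.9.3, 1.123.22). Added example, not n8n's own code."""

import re

# Fixed versions as stated in the news item, one per release branch.
FIXED_VERSIONS = ("2.10.1", "2.9.3", "1.123.22")

# Strict 'major.minor.patch' with an optional leading 'v'. Pre-release strings
# such as '2.10.2-beta.1' deliberately do not match: they are sent to review.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(s):
    """Return (major, minor, patch) as ints, or raise ValueError."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def classify(version, fixed=FIXED_VERSIONS):
    """Classify one version as 'patched', 'affected' or 'unknown'.

    Assumed rule (an assumption of this example, not stated on the page):
      (a) on a major.minor branch that has a listed fix, the version is patched
          iff it is >= that fix (2.9.5 patched, 2.10.0 affected);
      (b) on a major line that has fixes but on a newer branch than all of
          them, it is patched iff it is strictly above the highest fix
          (2.11.0 patched, 2.8.5 affected);
      (c) on a major line with no listed fix at all (3.x), or when the string
          cannot be parsed, the result is 'unknown' and needs a human check.
    """
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    fixes = [parse_version(f) for f in fixed]
    for f in fixes:
        if v[:2] == f[:2]:                       # rule (a): same branch
            return "patched" if v >= f else "affected"
    same_major = [f for f in fixes if f[0] == v[0]]
    if not same_major:                           # rule (c): uncovered major
        return "unknown"
    return "patched" if v > max(same_major) else "affected"   # rule (b)


# Action text follows the remediation the summary gives for affected hosts.
ACTIONS = {
    "patched": "no action",
    "affected": "update to a fixed release, then rotate every credential stored in n8n",
    "unknown": "not covered by the listed fixes; check the vendor advisory",
}


def triage(inventory, fixed=FIXED_VERSIONS):
    """Map {host: version} to {host: (version, status, action)}."""
    result = {}
    for host, ver in inventory.items():
        status = classify(ver, fixed)
        result[host] = (ver, status, ACTIONS[status])
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "automation-01": "1.123.22",
    "automation-02": "2.9.1",
    "automation-03": "2.10.0",
    "automation-04": "2.10.2-beta.1",
}

if __name__ == "__main__":
    for host, (ver, status, action) in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:15} {ver:14} {status:9} {action}")
```

The conservative defaults are the point: anything that cannot be placed on a fixed branch with certainty is surfaced for a human rather than silently marked safe, and an "affected" verdict carries the credential-rotation step along with the update, since patching alone does not help once the encryption key may already have been read.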


    US Military Contractor Likely Built iPhone Hacking Tools Used by Russian Spies in Ukraine

    TechCrunch has learned from two former employees that the “Coruna” iPhone exploit kit — disclosed last week by Google as a 23-component toolkit used in at least three separate hacking campaigns spanning a government spyware customer, Russian military intelligence operatives targeting Ukrainians, and Chinese cybercriminals — was developed, at least in part, by L3Harris’s covert hacking and surveillance technology division known as Trenchant, a unit that builds offensive cyber tools for sale to the U.S. government. The disclosure raises urgent questions about how a toolkit built for Western intelligence use ended up in the hands of Russian GRU operators and then leaked further into the Chinese criminal ecosystem — a proliferation pathway that mirrors historical cases like EternalBlue, the NSA-developed exploit weaponized in the WannaCry and NotPetya attacks. Researchers at iVerify, which independently analyzed Coruna, said the toolkit’s design reflects the hallmarks of a professional commercial surveillance vendor rather than an in-house nation-state development effort, and the Trenchant attribution is consistent with L3Harris’s known product portfolio — the company acquired phone-hacking firm Harris Corporation’s Stingray surveillance line and has since expanded deeply into offensive mobile exploitation capabilities for government customers.
