Iran-Backed Hackers Claim Wiper Attack on Stryker Medtech
A threat actor with documented links to Iran’s Ministry of Intelligence and the Islamic Revolutionary Guard Corps (IRGC) has claimed responsibility for a destructive data‑wiping operation against Stryker, a Michigan‑based global medical‑technology firm. The group posted a manifest on a Telegram channel on 9 March 2026, asserting that it had breached Stryker’s corporate network and deployed a purpose‑built wiper to erase critical systems. The claim was subsequently corroborated by independent forensic analysts who observed the same destructive patterns in the affected environments.
Technical analysis of the malware, designated internally as “ZeroCleare‑V2,” reveals a multi‑stage attack chain typical of Iranian wiper families. Initial access was achieved through exploitation of a known vulnerability (CVE‑2023‑44487) on an unpatched VPN gateway, allowing the adversaries to deploy a low‑level driver that overwrites the Master Boot Record (MBR) and fills selected disk sectors with random bytes. The payload then schedules a forced reboot task, rendering affected volumes unreadable without offline backups. The wiper also deletes shadow copies and disables Windows recovery options, ensuring that traditional restoration methods are ineffective.
Stryker confirmed in a brief statement that the incident impacted a limited set of internal engineering servers and back‑up storage, but emphasized that patient‑care devices and clinical systems remained untouched. The company engaged a leading incident‑response firm, isolated the compromised segments, and notified the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). At this stage, forensic teams have found no evidence of data exfiltration; the primary intent appears to be disruption rather than espionage.
The attack aligns with the tactics, techniques, and procedures (TTPs) of APT35 (also known as Phosphorus), an Iranian‑linked group that has repeatedly targeted medtech and critical‑infrastructure sectors with wipers such as Shamoon and ZeroCleare. Threat‑intelligence reports advise organizations to enforce rigorous patch management, especially on edge devices, maintain immutable offline backups, segment operational technology networks, and monitor for lateral movement via SMB and RDP. Security teams should also review logs for the specific IOCs—SHA‑256 hashes of the malicious driver, the scheduled task name “WinUpdate_Svc,” and the file‑overwrite pattern identified in the incident—to detect and mitigate similar intrusions promptly.
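The log review described above, as an added detection example that is not from the article, Stryker, or any vendor: it scans constructed Windows event records (JSON, one per line) for the scheduled task name the article reports, for shadow‑copy deletion and recovery‑disabling commands, and for Sysmon driver‑load events whose SHA‑256 matches an IOC list. The driver hash is a placeholder because the article does not publish the real values; the event IDs are the standard Windows Security (4688, 4698) and Sysmon (6) ones.

```python
"""Added example: triage Windows event records for the wiper behaviours the article describes."""
import json
import re
from typing import List, Optional, Tuple

# Task name comes from the article; the hash is a PLACEHOLDER, not a published indicator.
IOC_TASK_NAMES = {"WinUpdate_Svc"}
IOC_DRIVER_SHA256 = {"<PLACEHOLDER_SHA256_OF_MALICIOUS_DRIVER>"}

# Command lines that delete shadow copies or disable Windows recovery (4688 process creation).
RECOVERY_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

def sha256_from_sysmon(hashes: str) -> str:
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; return the SHA-256 part, lower-cased."""
    for part in hashes.split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return ""

def classify(event: dict) -> Optional[str]:
    """Return an alert label for one event record, or None if nothing matched."""
    eid = event.get("EventID")
    if eid == 4698 and event.get("TaskName", "").lstrip("\\") in IOC_TASK_NAMES:
        return "ioc-scheduled-task"          # task registered (Security 4698)
    if eid == 4688 and any(p.search(event.get("CommandLine", "")) for p in RECOVERY_TAMPER):
        return "recovery-tampering"          # process creation (Security 4688)
    if eid == 6 and sha256_from_sysmon(event.get("Hashes", "")) in IOC_DRIVER_SHA256:
        return "ioc-driver-load"             # driver loaded (Sysmon 6)
    return None

def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Classify every JSON record and return (EventID, label) for each hit, in log order."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        label = classify(event)
        if label:
            alerts.append((event["EventID"], label))
    return alerts

# Constructed sample records, not real telemetry from the incident.
SAMPLE_LOG = [
    '{"EventID": 4688, "CommandLine": "C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs"}',
    '{"EventID": 4698, "TaskName": "\\\\WinUpdate_Svc"}',
    '{"EventID": 4688, "CommandLine": "vssadmin.exe delete shadows /all /quiet"}',
    '{"EventID": 4688, "CommandLine": "bcdedit /set {default} recoveryenabled no"}',
    '{"EventID": 6, "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"}',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Replace the placeholder hash set with the values your incident‑response provider supplies, and feed exported records from your SIEM in the same JSON‑per‑line shape.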