Stryker, Handala, MOIS, and MuddyWater: The Full Kill Chain and the Unified Detection Pack (v3)
This is the unified brief.
This post consolidates everything we have published across v1 and v2, folds in external research from Symantec, Check Point, Splunk, Unit 42, Rewterz, HAWK-EYE, Vectra, and the FBI FLASH, and ships Detection Pack v3. One pack. Every rule. Every IOC we have been able to confirm.
Prior posts in this series:
- Iran-Linked Handala Wipes 56,000-Employee Medical Device Giant. Here’s the Detection Pack. (March 12) – the original Detection Pack v1
- The Setup Was Already in Your Logs (March 14) – the two-team playbook, the PIM gap, and the 72-hour intelligence timeline
- Iranian Threat Actor: Tools, Techniques, IOCs, and IOAs (March 14) – full disclosure of the Iranian operational server
- Detection Pack v2: Pre-Positioning, PIM Gap, and Bulk Wipe Controls (March 14) – 5 rules for MuddyWater pre-positioning and stale session detection
- CISA Got It Partially Right. Here’s What They Missed. (March 19) – what CISA’s advisory gets right, what it misses, and the architecture that stops this
Download Detection Pack v3
25 Sigma rules, KQL hunting queries, and SPL queries covering the full MuddyWater + Handala kill chain. Includes the complete IOC set in machine-readable CSV.
TL;DR
Stryker was not a ransomware event. It was a state-run destructive operation executed in two phases by two MOIS teams that had been sitting inside the target for weeks. MuddyWater (Seedworm, Mango Sandstorm, Temp.Zagros) did the access work. Handala (Void Manticore, Banished Kitten, Red Sandstorm) pulled the trigger. The trigger itself was not malware. It was a legitimate Microsoft Intune API call from a Global Administrator whose session token still carried a valid MFA claim.
If you run Intune, Entra ID PIM, or any cloud MDM, the gap that enabled this attack is almost certainly still open in your tenant today.
Part 1: The Attack, End to End
February 2026 — MuddyWater Gets In
Starting in early February 2026, MuddyWater began a campaign against U.S. and Israeli targets covering financial services, airports, defense contractors, a Canadian nonprofit, and the Israeli subsidiary of a U.S. software company supporting the defense and aerospace supply chain. Stryker was one of the organizations quietly seeded during this window.
Initial access was the same playbook they have run for years: password spraying against OWA and VPN portals, spear-phishing with Office lures and remote access tool links, and exploitation of perimeter appliances. They rode in, dropped two new backdoors (Dindoor on Deno runtime, Fakeset on Python), staged legacy tooling (Stagecomp, Darkcomp), and started the slow work: credential harvesting, cloud admin enumeration, AD recon, PIM inventory, and mapping the Intune estate.
They exfiltrated quietly via Rclone to Wasabi and Backblaze B2 buckets, using the same command pattern they have used in past campaigns.
March 6, 2026 — The sdrhi Server Shows Its Face
On March 6 we caught an exposed Iranian operational server, hostname sdrhi, IP 157.20.182.49, Germany-hosted, running Python SimpleHTTP on port 8888 with an open directory. Inside was a full year of operational tradecraft covering Israeli, Egyptian, UAE, Jordanian, and Saudi targets. Passports, credit cards, payroll, ZKTeco biometric dumps from EgyptAir Riyadh, a Neo-reGeorg ASPX webshell sitting on the Portuguese Immigration Service’s Exchange server, custom asyncio-based OWA brute forcers, a modified FortiOS exploit creating super_admin accounts, weaponized Nuclei templates, Flask exfil servers, and the same Rclone-to-Wasabi pattern MuddyWater was running elsewhere.
That server was the canary. It was not the shooter. It showed the shape of the operation.
March 11, 2026, 03:30 EDT — Handala Fires
Handala did not deploy a wiper at Stryker. They did not drop a binary. They did not run a PowerShell loader. They logged into the Intune admin center with a compromised Global Administrator account, issued a bulk Wipe and Retire sequence through the Intune API, and walked out. In five hours, approximately 200,000 systems, servers, and mobile devices were destroyed across 61 countries. Personal devices with Outlook configured through Intune BYOD enrollment got wiped too. Approximately 56,000 employees were idled.
The Handala branding (logo on the login screen, propaganda messaging) is being used on the devices that rebooted past the wipe point. That part is traditional Handala. The delivery mechanism, the scale, and the lack of malware are not.
Why the MFA Did Not Save Them
The PIM Authentication Context gap. Entra ID PIM has a checkbox called “Require Azure MFA on activation.” It looks like it does what it says. It does not. If the session activating a privileged role has already satisfied MFA within its token lifetime, PIM accepts that prior claim. A stolen session token carrying a valid MFA claim can elevate to Global Administrator without ever producing a fresh challenge. No FIDO2 tap. No number match. Nothing.
MuddyWater harvested sessions during pre-position. Handala used them.
Part 2: The Two-Team MOIS Operational Model
This is worth naming clearly because most defenders still model Iranian activity as a single actor with one tool.
Team One — Access and Persistence (MuddyWater / Seedworm / Mango Sandstorm)
Their job is to get in quietly, establish persistence, harvest credentials, enumerate, and sit. Long dwell time. Minimal noise. Heavy reliance on legitimate admin tooling (PDQ, AnyDesk, ScreenConnect, ReGeorg, NetBird). New generation backdoors (Dindoor, Fakeset) signed with stolen or abused code-signing certs under subjects Amy Cherne and Donald Gay. Exfiltration via Rclone to bulletproof-adjacent cloud storage (Wasabi, Backblaze B2, Put.io).
Team Two — Destruction (Handala / Void Manticore / Banished Kitten / Red Sandstorm)
They inherit the access. They do the loud part. Historically they deployed the Handala Wiper, an NSIS-packaged dropper using an AutoIt3 loader, a vulnerable driver (BYOVD) for privileged file operations, and Regasm.exe for .NET injection. That toolchain is still in use elsewhere. At Stryker they skipped it entirely and used Intune.
The handoff model used to be Scarred Manticore to Void Manticore. In 2026 it is MuddyWater to Handala. Same concept. Different brands.
Part 3: The Unified Indicator Set
Everything we have been able to confirm or corroborate. Treat the Handala (historical wiper) IOCs and the MuddyWater pre-position IOCs as the high-value hunts. Treat the Stryker-specific row as a behavioral anchor, because there are no malware artifacts from that event. The full machine-readable IOC set is available as a CSV download.
Network Infrastructure
| Indicator | Type | Context |
|---|---|---|
| 157.20.182.49 | IP | Primary MOIS ops server (sdrhi), Germany |
| 162.0.230.185 | IP | Secondary payload server |
| 194.11.246.101 | IP | FortiOS exploit source |
| 18.223.24.218 | IP | AWS EC2 data exfil staging |
| 82.25.35.25 | IP | Handala C2 (historical wiper) |
| 107.189.19.52 | IP | Handala C2, Cloudzy PONYNET |
| handala-alert.to | Domain | FBI-seized Handala infra |
| sso.bookairway.com | Domain | MOIS phishing proxy |
| uppdatefile.com | Domain | MuddyWater C2 |
| serialmenot.com | Domain | MuddyWater C2 |
| moonzonet.com | Domain | MuddyWater C2 |
Full indicator table with 78 entries including all file hashes, domains, ASNs, Telegram C2 tokens, filesystem artifacts, and CVEs is in the IOC CSV.
Key File Hash Families
- Dindoor (Deno runtime, signed Amy Cherne) — 10 SHA256 hashes
- Fakeset (Python backdoor, signed Amy Cherne and Donald Gay) — 11 SHA256 hashes
- Stagecomp / Darkcomp (legacy MuddyWater loaders) — 4 SHA256 hashes
- Handala historical wiper toolchain (wiper, dropper, BYOVD driver, phishing PDF) — 7 hashes
CVEs Weaponized by This Cluster
- CVE-2024-55591 — FortiOS authentication bypass (modified exploit creates super_admin accounts)
- CVE-2025-54068 — Laravel Livewire v3 RCE
- CVE-2026-1281 — Ivanti EPMM
- CVE-2026-24061 — GNU Inetutils telnetd authentication bypass
- CVE-2023-6895 — IP camera RCE
- CVE-2017-7921 — Hikvision auth bypass (historical reuse)
- N-able N-Central WebSocket injection (no public CVE at time of writing)
Part 4: Detection Pack v3 — Unified
Detection Pack v3 merges v1 (10 rules on the Handala wiper toolchain), v2 (5 rules on pre-positioning and the PIM gap), and adds new rules for MuddyWater backdoor coverage and the cross-cutting infrastructure. 25 rules total.
What v3 covers:
Intune / MDM (Rules 1–2)
- Bulk wipe/retire/delete threshold
- Destructive actions outside business hours
Identity / PIM (Rules 3–5)
- PIM activation without phishing-resistant MFA
- Stale session token on privileged ops
- Admin sign-in from Iran/Starlink ASN
MuddyWater Tooling (Rules 6–10)
- Rclone exfil to MOIS cloud sinks
- Dindoor (Deno runtime) execution
- Fakeset (Python backdoor) hash match
- Stagecomp / Darkcomp loader hash match
- Abused code-signing cert subjects
Handala Wiper (Rules 11–19)
- Wiper toolchain hash match
- Masquerading filenames in %TEMP%
- BYOVD ListOpenedFileDrv load
- Regasm.exe injection + network connect
- AutoIt3 / .a3x dropper
- Mass file deletion signature
- VSS shadow wipe + reboot
- NetBird service install
- VeraCrypt mass deployment
Infrastructure (Rules 20–25)
- Neo-reGeorg webshell path
- FortiOS super_admin creation
- DNS hook exfiltration
- Telegram C2 bot beacon
- Rapid IP lookup recon
- MOIS infrastructure IP contact
Deploy all rules as scheduled analytics with a 24-hour evaluation window. If any one fires, assume the second team is already inside. The full Sigma bundle is available as a YAML download.
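Rules 1 and 2 in runnable form, as an added illustration rather than the pack's own Sigma/KQL (which ships as the download): a small Python detector run over constructed Intune audit records. The field names (time, actor, action, device), the 10-action threshold, the one-hour sliding window and the EDT business day are assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Intune audit records (not real Stryker telemetry). The field names are
# an assumption; map them to your export's actual columns before use.
SAMPLE_AUDIT = (
    [{"time": f"2026-03-11T07:{30 + i:02d}:00Z", "actor": "gadmin@example.test",
      "action": "Wipe", "device": f"LT-{i:04d}"} for i in range(12)]
    + [{"time": "2026-03-11T15:00:00Z", "actor": "helpdesk@example.test",
        "action": "Retire", "device": "MB-0042"},
       {"time": "2026-03-11T15:05:00Z", "actor": "helpdesk@example.test",
        "action": "Sync", "device": "MB-0043"}]
)

DESTRUCTIVE = {"Wipe", "Retire", "Delete"}
BULK_THRESHOLD = 10            # destructive actions by one actor inside WINDOW that trip Rule 1
WINDOW = timedelta(hours=1)
BUSINESS_HOURS = range(8, 18)  # assumed local business day, 08:00-17:59


def parse_time(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bulk_destructive(records, threshold=BULK_THRESHOLD, window=WINDOW):
    """Rule 1: actors with >= threshold destructive actions inside any sliding window.
    Returns {actor: peak count seen in a single window}."""
    by_actor = defaultdict(list)
    for r in records:
        if r["action"] in DESTRUCTIVE:
            by_actor[r["actor"]].append(parse_time(r))
    hits = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[actor] = max(hits.get(actor, 0), count)
    return hits


def off_hours_destructive(records, utc_offset_hours=-4):
    """Rule 2: destructive actions outside BUSINESS_HOURS in the tenant's local zone.
    EDT (UTC-4) is assumed here, so 07:30Z in the sample is 03:30 local."""
    local = timezone(timedelta(hours=utc_offset_hours))
    return [r for r in records if r["action"] in DESTRUCTIVE
            and parse_time(r).astimezone(local).hour not in BUSINESS_HOURS]
```

In the sample the single admin account issues 12 wipes in 11 minutes at 03:30 local and trips both rules; the helpdesk retire at 11:00 local trips neither.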
Part 5: Configuration Hardening
Detection without prevention loses this one. Do the following, in order, this week.
1. Close the PIM Authentication Context Gap
- Create a named Authentication Context in Entra ID (for example c1:PrivElevation).
- Build a Conditional Access policy scoped to that context requiring phishing-resistant MFA (FIDO2, Windows Hello for Business, or certificate-based authentication). Not the checkbox. A fresh challenge, bound to that context, every time.
- Open PIM role settings for Global Administrator, Intune Administrator, Cloud Device Administrator, Privileged Role Administrator, Security Administrator, Exchange Administrator, and Authentication Administrator. Bind each to the Authentication Context.
- Apply a secondary Conditional Access policy directly to the Global Administrator directory role that forces the same phishing-resistant MFA on every session, not just activation.
2. Turn on Intune Multi-Admin Approval
- Intune admin center → Tenant administration → Multi Admin Approval.
- Create an Access Policy covering Apps, Scripts, and Device actions (Wipe, Retire, Delete).
- Designate an approver group. No single admin should be able to execute destructive device actions solo.
3. Break the Stale Session Pattern
- Set Global Administrator sign-in frequency to 4 hours maximum in Conditional Access.
- Set Global Administrator session lifetime to non-persistent.
- Revoke tokens on any Global Admin you have not touched in 30 days, and remove standing access (PIM eligible only).
4. Reduce Blast Radius on MDM
- Scope Intune device action permissions to role assignments, not the tenant root.
- Limit Wipe and Retire to a dedicated role group reviewed quarterly.
- Enable Device limit on Intune enrollment to stop personal BYOD enrollment from carrying corporate MDM power.
5. Hunt Historically
- Sign-in logs, past 90 days, filter to Global Admin role activations where the session tied to a prior MFA claim older than 4 hours.
- Intune audit log, past 90 days, group by initiator for Wipe and Retire counts.
- Rclone process creations, past 180 days, filter destination to wasabisys.com, backblazeb2.com, put.io.
- DNS queries to dnshook.site, uppdatefile.com, serialmenot.com, moonzonet.com, past 180 days.
- Driver load events for ListOpenedFileDrv_32.sys, ever.
- Sign-ins from AS14593 or any Iranian ASN touching admin roles, past 180 days.
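The first hunt above (and Rule 4) in runnable form, as an added example rather than a query from the pack: it joins constructed sign-in and PIM activation events by session id and flags any privileged activation with no fresh MFA challenge in the preceding four hours. The field names and the session-id join are assumptions about your log export.

```python
from datetime import datetime, timedelta, timezone

MAX_MFA_AGE = timedelta(hours=4)  # the 4-hour bound from the hunt above

# Constructed events (not real telemetry); field names are assumptions. A sign-in
# records the session id and whether a fresh MFA challenge was actually satisfied;
# a PIM activation records the session id that performed the elevation.
SIGNINS = [
    {"time": "2026-03-10T21:00:00Z", "session": "s-aaa", "user": "gadmin@example.test", "mfa_fresh": True},
    # same session seen again ten hours later: the token is replayed, no new challenge
    {"time": "2026-03-11T06:50:00Z", "session": "s-aaa", "user": "gadmin@example.test", "mfa_fresh": False},
    {"time": "2026-03-11T08:10:00Z", "session": "s-bbb", "user": "opsadmin@example.test", "mfa_fresh": True},
]
ACTIVATIONS = [
    {"time": "2026-03-11T07:05:00Z", "session": "s-aaa", "user": "gadmin@example.test",
     "role": "Global Administrator"},
    {"time": "2026-03-11T08:15:00Z", "session": "s-bbb", "user": "opsadmin@example.test",
     "role": "Intune Administrator"},
]


def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_mfa_activations(signins, activations, max_age=MAX_MFA_AGE):
    """Flag role activations whose session has no fresh MFA challenge within
    max_age before the activation, or no fresh challenge on record at all."""
    fresh = [(s["session"], ts(s["time"])) for s in signins if s["mfa_fresh"]]
    findings = []
    for a in activations:
        when = ts(a["time"])
        # only challenges that happened before the activation can have authorised it
        prior = [t for sess, t in fresh if sess == a["session"] and t <= when]
        age = when - max(prior) if prior else None
        if age is None or age > max_age:
            findings.append({
                "user": a["user"], "role": a["role"], "session": a["session"],
                "mfa_age_hours": None if age is None else round(age.total_seconds() / 3600, 2),
            })
    return findings
```

The Global Administrator activation rides an MFA claim just over ten hours old and is flagged; the Intune Administrator activation five minutes after a fresh challenge is not.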
Part 6: What to Watch Next
The Stryker model is replicable. Every Iranian operation for the rest of this year, and every criminal affiliate that borrows the playbook, is going to look at this and ask the same question: why deploy a wiper when the customer has already paid for one? Microsoft Intune is the highest-leverage destructive tool in the enterprise now. So is JAMF. So is Workspace ONE. So is Kandji. The control plane is the weapon.
MuddyWater is still live on U.S. networks. The Seedworm campaign did not end with Stryker. Dindoor samples keep dropping. If you have not hunted for Deno in your estate, hunt for Deno today. That runtime has no business being there.
If you run the Detection Pack v3 queries this week and find nothing, good. Set them as scheduled analytics with a 24-hour window and move on. If you find one hit, assume the second team is already inside.
MITRE ATT&CK Coverage
Initial Access: T1078 (Valid Accounts), T1566.001/.002 (Phishing), T1110.003 (Password Spraying), T1190 (Exploit Public-Facing Application), T1195 (Supply Chain Compromise).
Execution & Persistence: T1059.001 (PowerShell), T1059.007 (JavaScript/Deno), T1547.001 (Registry Run Keys), T1505.003 (Web Shell).
Credential Access: T1621 (MFA Request Generation), T1557 (AiTM), T1555 (Credentials from Password Stores).
Lateral Movement: T1021.001 (RDP), T1219 (Remote Access Software — NetBird, AnyDesk, ScreenConnect).
Exfiltration: T1567.002 (Exfil to Cloud Storage via Rclone).
Impact: T1485 (Data Destruction), T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), T1072 (Software Deployment Tools — Intune/GPO/SCCM).
Related Posts
- Iran-Linked Handala Wipes 56,000-Employee Medical Device Giant. Here’s the Detection Pack. (March 12, 2026)
- The Setup Was Already in Your Logs (March 14, 2026)
- Iranian Threat Actor: Tools, Techniques, IOCs, and IOAs (March 14, 2026)
- Detection Pack v2: Pre-Positioning, PIM Gap, and Bulk Wipe Controls (March 14, 2026)
- CISA Got It Partially Right. Here’s What They Missed. (March 19, 2026)
Source Material
- Symantec / security.com: Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company
- Check Point Research: Handala Hack — Unveiling Group’s Modus Operandi; Iranian MOIS Actors and the Cyber Crime Connection
- Unit 42: Increased Risk of Wiper Attacks
- Splunk: Handala’s Wiper — Threat Analysis and Detections
- Rewterz: Handala Hack Uses RDP and Wipers in MOIS-Linked Attacks; Iran-Linked Hackers Target U.S. Critical Infrastructure
- HAWK-EYE: Handala Threat Advisory — Stryker Wiper
- Vectra: What the Stryker Incident Reveals About Handala’s Attack Playbook
- FBI FLASH FBI-20260320-001: MOIS Telegram C2
- MITRE ATT&CK: G0069 (MuddyWater)
Questions, additions, or a detection that belongs in v4? james@threathunter.ai.