Contents

01. News Bites
  • Wiper malware attack hits global MedTech giant Stryker

  • Microsoft Patch Tuesday fixes 79 security flaws

  • “Zombie ZIP” technique evades antivirus detection

  • Hackers target misconfigured Salesforce Experience Cloud sites

  • BlackSanta malware campaign targets HR teams

02. Conclusion

Quick News Bites

Wiper malware attack hits global MedTech giant Stryker

Medical technology company Stryker Corporation has suffered a major cyberattack after destructive wiper malware disrupted systems across its global network. The attack has been claimed by the pro-Palestinian hacktivist group Handala Hack Team, which is widely believed to be linked to Iran’s Ministry of Intelligence and Security.

According to the group, attackers stole roughly 50 terabytes of data before wiping more than 200,000 systems, servers and mobile devices. Staff in multiple regions, including the United States, Ireland, Costa Rica and Australia, reported that corporate laptops and mobile devices enrolled in company management systems were remotely reset during the night.

The disruption has forced offices in dozens of countries to suspend normal operations, with some locations reverting to manual processes after losing access to internal applications and services.

Stryker confirmed the incident in a regulatory filing, stating that the attack caused a global disruption to its Microsoft environment. The company has activated its cyber incident response plan and is working with external cyber security specialists to investigate and restore affected systems.

Microsoft Patch Tuesday fixes 79 security flaws

Microsoft has released its March 2026 Patch Tuesday updates, addressing 79 security vulnerabilities across its software ecosystem, including two publicly disclosed zero-day flaws. While neither of the zero-days is known to have been exploited in active attacks, organisations are being urged to prioritise patching due to the potential severity of several issues.

Among the vulnerabilities fixed are 46 elevation of privilege flaws, 18 remote code execution bugs, and multiple information disclosure and denial-of-service vulnerabilities. Two of the most notable fixes are a SQL Server privilege escalation issue (CVE-2026-21262) that could allow attackers to gain SQLAdmin rights, and a .NET denial-of-service vulnerability.

Microsoft also patched two Microsoft Office remote code execution flaws that can be triggered through the preview pane, making Office updates particularly important this cycle. Additionally, an Excel vulnerability could potentially allow data exfiltration via Microsoft Copilot if exploited.

Alongside Microsoft’s updates, several other vendors issued security advisories this month, including Adobe, Cisco, Fortinet, Google, Hewlett Packard Enterprise, and SAP. Organisations are advised to review patches promptly to reduce exposure.

“Zombie Zip” technique evades antivirus detection

Security researchers have revealed a new technique called “Zombie ZIP” that allows malicious payloads to be hidden inside specially crafted ZIP archives capable of evading many antivirus and endpoint detection tools. The method, developed by the researchers, reportedly bypasses 50 of the 51 security engines tested on VirusTotal.

The technique works by manipulating ZIP file headers so security scanners believe the archive contains uncompressed data. In reality, the payload remains compressed using the standard Deflate algorithm. Because many antivirus tools trust the header information, they scan what appears to be harmless raw data, allowing the malicious content to remain undetected.

Standard extraction tools such as WinRAR and 7-Zip typically fail to extract these files, often displaying errors or corrupted output. However, a specially designed loader can ignore the misleading header and correctly decompress the hidden payload.

The vulnerability, tracked as CVE-2026-0866, has prompted a warning from the CERT Coordination Center (CERT/CC), which advises security vendors to strengthen archive inspection and validate compression methods more carefully. Users are also urged to treat unexpected ZIP files with caution.
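The advice to "validate compression methods" can be made concrete. The following is an added example, not code from the bulletin, from CERT/CC or from the researchers who disclosed the technique: it walks a ZIP file's central directory and local headers and flags entries whose declared method disagrees with the bytes they carry. An entry declared STORED (method 0) must hold exactly its uncompressed size in raw bytes with a matching CRC-32, so an entry that claims STORED while its compressed and uncompressed sizes differ, its CRC does not match, or its bytes parse as a complete Deflate stream is internally inconsistent. The function names (`inspect_zip`, `extracts_cleanly`, `build_samples`), the heuristics and the constructed sample archive are this example's own assumptions.

```python
"""Flag ZIP entries whose declared compression method disagrees with their payload.

Added, defensive example; not the bulletin's, CERT/CC's or the researchers' code.
The heuristics and the constructed fixture archive are assumptions for illustration.
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
METHOD_STORED = 0

# Fixed-size header parts, little-endian, per the PKWARE APPNOTE layouts.
LOCAL_FMT = "<4sHHHHHIIIHH"          # 30 bytes: sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"  # 46 bytes: ... method, ..., crc, csize, usize, nlen, xlen, clen, ..., local offset


def _iter_central_directory(data: bytes):
    """Yield (name, method, crc, csize, usize, local_header_offset) for each central directory entry."""
    off = data.find(CENTRAL_SIG)
    while off >= 0:
        (_sig, _made, _need, _flags, method, _time, _date, crc, csize, usize,
         nlen, xlen, clen, _disk, _iattr, _eattr, lh_off) = struct.unpack_from(CENTRAL_FMT, data, off)
        name = data[off + 46: off + 46 + nlen].decode("utf-8", "replace")
        yield name, method, crc, csize, usize, lh_off
        off = data.find(CENTRAL_SIG, off + 46 + nlen + xlen + clen)


def _inflates_as_raw_deflate(payload: bytes) -> bool:
    """Heuristic: does the payload parse as one complete raw Deflate stream? Plain data rarely does."""
    d = zlib.decompressobj(-zlib.MAX_WBITS)  # negative wbits = raw Deflate, as used inside ZIP
    try:
        d.decompress(payload)
    except zlib.error:
        return False
    return d.eof


def inspect_zip(data: bytes) -> dict:
    """Return {entry name: [finding, ...]} for entries whose headers and payload disagree."""
    findings = {}
    for name, method, crc, csize, usize, lh_off in _iter_central_directory(data):
        issues = []
        (sig, _v, _f, local_method, _t, _d, _crc, _cs, _us,
         nlen, xlen) = struct.unpack_from(LOCAL_FMT, data, lh_off)
        if sig != LOCAL_SIG:
            findings[name] = ["central directory offset does not point at a local file header"]
            continue
        if local_method != method:
            # Scanners and extractors may trust different headers; they must agree.
            issues.append(f"local header method {local_method} != central directory method {method}")
        start = lh_off + 30 + nlen + xlen
        payload = data[start:start + csize]
        if method == METHOD_STORED:
            if csize != usize:
                issues.append(f"STORED entry with compressed size {csize} != uncompressed size {usize}")
            if zlib.crc32(payload) != crc:
                issues.append("STORED entry whose raw bytes do not match the declared CRC-32")
            if _inflates_as_raw_deflate(payload):
                issues.append("STORED entry whose bytes form a complete Deflate stream")
        if issues:
            findings[name] = issues
    return findings


def extracts_cleanly(data: bytes) -> bool:
    """Does Python's zipfile read every entry? Inconsistent archives typically fail in stock tools."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                zf.read(info)
        return True
    except (zipfile.BadZipFile, zlib.error):
        return False


def build_samples():
    """Constructed fixtures: a normal Deflate archive and a copy whose method fields claim STORED."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", "this text is compressible " * 40)
    clean = buf.getvalue()

    # Rewrite only the method field (offset 8 in the local header, 10 in the central entry),
    # leaving sizes, CRC and the Deflate bytes as they are: the headers now misdescribe the data.
    mutable = bytearray(clean)
    struct.pack_into("<H", mutable, mutable.find(LOCAL_SIG) + 8, METHOD_STORED)
    struct.pack_into("<H", mutable, mutable.find(CENTRAL_SIG) + 10, METHOD_STORED)
    return clean, bytes(mutable)


if __name__ == "__main__":
    clean, mismatched = build_samples()
    print("clean archive findings:     ", inspect_zip(clean))
    print("mismatched archive findings:", inspect_zip(mismatched))
    print("stock extraction succeeds:  ", extracts_cleanly(clean), extracts_cleanly(mismatched))
```

The check reads sizes and CRC from the central directory rather than the local header so that entries written with a trailing data descriptor are still handled, and it treats any of the three STORED inconsistencies as a finding rather than trying to decompress the content itself. The `extracts_cleanly` helper reproduces the behaviour the bulletin describes: a stock extractor rejects the inconsistent archive, which is exactly why a scanner should not treat such a file as harmless raw data.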

Hackers target misconfigured Salesforce Experience Cloud sites

Salesforce has warned customers that attackers are targeting misconfigured Experience Cloud websites that allow guest users to access more data than intended. The activity centres on the /s/sfsites/aura API endpoint, where poorly configured guest user permissions can allow unauthenticated visitors to query sensitive Salesforce CRM data.

According to the advisory, attackers are abusing a modified version of AuraInspector, an open-source auditing tool originally developed by Mandiant to identify configuration issues within the Salesforce Aura framework. Threat actors have adapted the tool to perform large-scale scans of publicly exposed Experience Cloud sites looking for excessive guest permissions.

The cybercrime group ShinyHunters claims responsibility for the campaign and alleges it has compromised hundreds of organisations by exploiting these misconfigurations.

Salesforce maintains that the issue is not a platform vulnerability but the result of incorrect customer configurations. The company is urging organisations to audit guest user permissions, disable unnecessary API access, and enforce the principle of least privilege to reduce the risk of data exposure.

BlackSanta malware campaign targets HR teams

Security researchers have uncovered a long-running cyber campaign targeting human resources departments with a sophisticated malware strain known as BlackSanta. According to a report from Aryaka, the Russian-speaking threat actor behind the operation has been active for over a year, combining social engineering with advanced evasion techniques to infiltrate corporate systems.

The attack chain is believed to begin with spear-phishing emails directing victims to download ISO files disguised as job applications hosted on cloud platforms such as Dropbox. Once opened, the malicious files trigger PowerShell scripts that extract hidden code using steganography and execute it directly in system memory.

A key component of the campaign is the BlackSanta EDR killer, designed to disable endpoint security tools before deploying additional payloads. The malware modifies Microsoft Defender settings, suppresses system alerts, and terminates security processes at the kernel level using vulnerable drivers.

Researchers say the operation demonstrates strong operational security, using stealthy infection chains and environment checks to avoid detection while maintaining long-term persistence inside targeted networks.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.