
Hacker Active Well Beyond Context.ai Compromise, Says Vercel CEO


Vercel CEO Guillermo Rauch said in an update today that, after scanning petabytes of logs from the company's network and APIs, his security team concluded that the threat actor behind the Vercel breach had been active well beyond the Context.ai compromise. Rauch said that the "threat intel points to the distribution of malware to computers in search of valuable tokens like keys to Vercel accounts and other providers. Once the attacker gets ahold of those keys, our logs show a repeated pattern: rapid and comprehensive API usage, with a focus on enumeration of non-sensitive environment variables." Researchers at Hudson Rock had earlier confirmed that the attack began as far back as February, when a Context.ai employee's computer was infected with Lumma Stealer after the employee searched for Roblox game exploits, a common lure for infostealer distribution. The latest findings suggest the threat actor may have cast a wider net of victims than is currently known, so what has been disclosed so far may be only the tip of the iceberg, though that is not yet established.
Also read: Vercel Incident Linked to AI Tool Hack, Internal Access Gained
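The pattern Rauch describes, a stolen token reading environment variables across many projects in quick succession, is exactly the kind of behaviour a platform's own API logs can surface. The following is an added example, not Vercel's code: it scores each API token by how many distinct projects' environment variables it read inside a sliding window and flags the ones whose breadth and speed look like enumeration rather than a deploy. The JSON-lines log shape, the "/env" endpoint suffix, the thresholds and the sample lines are all assumptions constructed for the example.

```python
"""Flag API tokens whose environment-variable reads look like enumeration.

Added example, not Vercel's code. The JSON-lines log shape, the "/env"
endpoint suffix and the thresholds are assumptions; the lines in SAMPLE_LOG
are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed API audit log: one CI token doing normal deploy work, and one
# token ("tok_x") walking every project's env endpoint within a few seconds.
SAMPLE_LOG = """
{"ts": "2026-03-12T09:00:00Z", "token": "tok_ci", "project": "web", "path": "/v9/projects/web/env", "status": 200}
{"ts": "2026-03-12T09:00:05Z", "token": "tok_ci", "project": "web", "path": "/v13/deployments", "status": 200}
{"ts": "2026-03-12T09:30:00Z", "token": "tok_ci", "project": "web", "path": "/v9/projects/web/env", "status": 200}
{"ts": "2026-03-12T10:00:00Z", "token": "tok_x", "project": "p1", "path": "/v9/projects/p1/env", "status": 200}
{"ts": "2026-03-12T10:00:01Z", "token": "tok_x", "project": "p2", "path": "/v9/projects/p2/env", "status": 200}
{"ts": "2026-03-12T10:00:01Z", "token": "tok_x", "project": "p3", "path": "/v9/projects/p3/env", "status": 200}
{"ts": "2026-03-12T10:00:02Z", "token": "tok_x", "project": "p4", "path": "/v9/projects/p4/env", "status": 200}
{"ts": "2026-03-12T10:00:02Z", "token": "tok_x", "project": "p5", "path": "/v9/projects/p5/env", "status": 200}
{"ts": "2026-03-12T10:00:03Z", "token": "tok_x", "project": "p6", "path": "/v9/projects/p6/env", "status": 403}
"""

ENV_READ_SUFFIX = "/env"          # assumed path shape of an env-variable read
WINDOW = timedelta(minutes=5)     # look-back span per token
MIN_PROJECTS = 4                  # distinct projects read inside WINDOW to alert


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def is_env_read(rec):
    return rec["path"].endswith(ENV_READ_SUFFIX)


def find_env_enumeration(events, window=WINDOW, min_projects=MIN_PROJECTS):
    """Return {token: summary} for tokens that read env vars of at least
    `min_projects` distinct projects inside any `window`-long span.

    Breadth across projects is the signal: a deploy token re-reads the same
    project's env many times, while an attacker reads every project once, fast.
    Denied reads (403) still count, since enumeration probes beyond its rights.
    """
    reads_by_token = defaultdict(list)
    for rec in events:
        if is_env_read(rec):
            reads_by_token[rec["token"]].append(rec)

    alerts = {}
    for token, reads in reads_by_token.items():
        recent = deque()                 # env reads inside the current window
        per_project = defaultdict(int)   # project -> reads inside the window
        for rec in reads:
            recent.append(rec)
            per_project[rec["project"]] += 1
            # slide the window: evict reads older than `window`
            while rec["ts"] - recent[0]["ts"] > window:
                old = recent.popleft()
                per_project[old["project"]] -= 1
                if per_project[old["project"]] == 0:
                    del per_project[old["project"]]
            if len(per_project) >= min_projects:
                previous = alerts.get(token)
                if previous is None or len(per_project) > previous["distinct_projects"]:
                    alerts[token] = {
                        "distinct_projects": len(per_project),
                        "reads": len(recent),
                        "denied": sum(1 for r in recent if r["status"] == 403),
                        "span_seconds": (rec["ts"] - recent[0]["ts"]).total_seconds(),
                        "first_seen": recent[0]["ts"].isoformat(),
                    }
    return alerts


if __name__ == "__main__":
    for token, summary in find_env_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"{token}: {summary}")
```

On the constructed log the CI token is never flagged (one project, reads half an hour apart) while `tok_x` is flagged for six distinct projects in three seconds, one of them denied. A token that legitimately serves a monorepo may read several projects' variables, so the breadth threshold should be tuned per account and paired with the rate, not used alone.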

Vercel Finds Customers Breached in Separate Malware, Social Engineering Attacks

In an official update, the company also stated that it had initially identified a limited subset of customers whose non-sensitive environment variables stored on Vercel were compromised. A deeper assessment of its network, together with a review of environment variable read events in the company's logs, then uncovered two additional findings.

"First, we have identified a small number of additional accounts that were compromised as part of this incident," the company noted.

But the main concern is the next finding: "Second, we have uncovered a small number of customer accounts with evidence of prior compromise that is independent of and predates this incident, potentially as a result of social engineering, malware, or other methods." 

The company did not disclose who the attackers were, what their motive was, or the impact on customers, and has yet to respond to The Cyber Express's queries on those points. It only stated: "In both cases, we have notified the affected customers."

Rauch added that Vercel had also notified other suspected victims and encouraged them to rotate credentials and adopt security best practices.

No Compromise of npm Packages

Reports of compromised npm packages have been frequent recently. On that front, Vercel's security team, working with GitHub, Microsoft, npm, and Socket, confirmed that no npm packages published by Vercel had been compromised. "There is no evidence of tampering, and we believe the supply chain remains safe," the company said.

RedLine Infostealer Network’s Second Defendant Now Faces a U.S. Court


Seventeen months after international law enforcement dismantled one of the world's most damaging infostealing malware networks, a second defendant has arrived in a U.S. federal courtroom, this time extradited from Armenia, as the prosecution of the RedLine infostealer operation continues to work through the criminal network that built and sustained it.

Hambardzum Minasyan, an Armenian national, appeared in an Austin federal court after being extradited to the United States to face charges related to his alleged role in the RedLine infostealer scheme. The Justice Department's Office of International Affairs secured Minasyan's arrest and extradition on March 23, 2026, with significant assistance from Eurojust's ICHIP attorney adviser based at The Hague. Minasyan faces three counts: conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act, and conspiracy to commit money laundering. If convicted, he faces up to 10 years in prison on the access device fraud charge and up to 20 years on each of the remaining two counts.

An infostealer is malware designed to silently harvest credentials, browser cookies, saved passwords, financial data, and cryptocurrency wallet information from an infected device and transmit that data to attackers, often within seconds and without any visible sign of compromise.

The indictment alleges that Minasyan and his co-conspirators maintained digital infrastructure, including command-and-control servers and administrative panels, to deploy the malware, and collected payments from affiliates who used RedLine against victims. Minasyan specifically registered two virtual private servers and two internet domains to support the RedLine scheme, created repositories on an online file-sharing site to distribute RedLine to affiliates, and registered a cryptocurrency account in November 2021 to receive payments.

RedLine operated on a Malware-as-a-Service model: a criminal franchise structure in which the core developers build and maintain the malware platform, then license it to affiliates who run their own infection campaigns in exchange for a fee. Affiliates distributed RedLine using malvertising, phishing emails, fraudulent software downloads, and malicious software sideloading, with various ruses, including COVID-19 and Windows update lures, used to trick victims into downloading the malware.

RedLine and its derivative, the Meta infostealer, could also let criminals bypass multifactor authentication by stealing authentication cookies and session tokens. Multifactor authentication requires users to verify their identity through a second method beyond a password, but that check happens at login; a stolen session cookie lets an attacker impersonate a user who has already passed it, so the protection never comes into play.

The Lapsus$ threat group used RedLine to obtain passwords and cookies from an employee account at a major technology company and subsequently used that access to obtain and leak limited source code. RedLine also infected hundreds of systems belonging to U.S. Department of Defense personnel, and authorities have put its victim count in the millions globally.

Minasyan is the second defendant charged in connection with Operation Magnus, the joint international takedown announced in October 2024.
Read: Law Enforcement Puts a Damning Dent in RedLine and Meta Infostealer Operations
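The point about session cookies deserves a concrete illustration. The following is an added example, not from the article or any RedLine analysis: a minimal server-side session store in which MFA is checked once at login, showing that a cookie lifted by a stealer is accepted from anywhere, beside a variant that binds each session to a keyed fingerprint of the client's context and revokes the session when a replay arrives from a different client. The store, the context fields used for binding and the sample contexts are this example's assumptions.

```python
"""Why a stolen session cookie sidesteps MFA, and one containment measure.

Added example, not from the article, RedLine analysis, or any product. The
session store, the client-context fields used for binding and the sample
contexts are this example's assumptions.
"""
import hashlib
import hmac
import secrets


class NaiveSessionStore:
    """Server-side sessions keyed only by the cookie value.

    MFA is verified once at login; afterwards anyone presenting the cookie
    is treated as the user. An infostealer that lifts the cookie from the
    browser therefore never has to touch the password or the second factor.
    """

    def __init__(self):
        self._sessions = {}

    def login(self, user, mfa_passed, ctx):
        if not mfa_passed:
            raise PermissionError("MFA required")
        sid = secrets.token_urlsafe(32)   # the cookie value
        self._sessions[sid] = self._new_session(user, ctx)
        return sid

    def _new_session(self, user, ctx):
        return {"user": user}

    def resolve(self, sid, ctx):
        """Return the user behind a presented cookie, or None."""
        session = self._sessions.get(sid)
        return session["user"] if session else None


class BoundSessionStore(NaiveSessionStore):
    """Same store, but each session is bound to a keyed fingerprint of the
    client context captured at login. A cookie replayed from a client whose
    fingerprint differs is rejected and the session is revoked, so the real
    user is pushed back through login and MFA.
    """

    # Assumed request attributes; coarse on purpose so a roaming user on the
    # same device is not locked out by every address change.
    BIND_FIELDS = ("asn", "ua_family", "tls_fingerprint")

    def __init__(self, server_key):
        super().__init__()
        self._key = server_key

    def _fingerprint(self, ctx):
        material = "|".join(str(ctx.get(f, "")) for f in self.BIND_FIELDS)
        return hmac.new(self._key, material.encode(), hashlib.sha256).hexdigest()

    def _new_session(self, user, ctx):
        return {"user": user, "fp": self._fingerprint(ctx)}

    def resolve(self, sid, ctx):
        session = self._sessions.get(sid)
        if session is None:
            return None
        if not hmac.compare_digest(session["fp"], self._fingerprint(ctx)):
            del self._sessions[sid]   # mismatch is treated as theft: revoke
            return None
        return session["user"]


# Constructed client contexts: the victim's laptop and the attacker's host.
VICTIM_CTX = {"asn": "AS64496", "ua_family": "Chrome/Windows", "tls_fingerprint": "t13d1516h2"}
ATTACKER_CTX = {"asn": "AS64497", "ua_family": "Chrome/Linux", "tls_fingerprint": "t13d1517h2"}


def replay_stolen_cookie(store):
    """Victim logs in with MFA, the cookie is stolen, the attacker replays it.

    Returns (victim_before, attacker, victim_after) so the outcome is checkable:
    the naive store hands the attacker 'alice'; the bound store refuses the
    replay and also invalidates the session for the victim.
    """
    sid = store.login("alice", mfa_passed=True, ctx=VICTIM_CTX)
    victim_before = store.resolve(sid, VICTIM_CTX)
    attacker = store.resolve(sid, ATTACKER_CTX)
    victim_after = store.resolve(sid, VICTIM_CTX)
    return victim_before, attacker, victim_after


if __name__ == "__main__":
    print("naive:", replay_stolen_cookie(NaiveSessionStore()))
    print("bound:", replay_stolen_cookie(BoundSessionStore(b"server-side-secret")))
```

Binding is containment, not a cure: a stealer operator who tunnels traffic through the victim's own machine will match a coarse fingerprint, so short session lifetimes and a fresh authentication step before sensitive actions still matter.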
Operation Magnus, a Joint Cybercrime Action Taskforce operation supported by Europol, resulted in Dutch authorities seizing three servers running the malware, Belgian authorities seizing communication channels and Telegram accounts used by the operators, and the recovery of a database of thousands of RedLine and Meta clients. That client database gave investigators a roadmap for follow-on prosecutions that continues to generate results. The first defendant, Russian national Maxim Rudometov, identified as a developer and administrator of RedLine, was charged in an indictment unsealed in the Western District of Texas in October 2024. Rudometov, believed to reside in Krasnodar, Russia, is not expected to face extradition given his location.
Read: U.S. Charges Man Behind RedLine Infostealer that Infected U.S. DoD Personnel Systems
Minasyan's extradition from Armenia, by contrast, demonstrates the value of maintaining extradition treaty relationships and Eurojust cooperation frameworks that can reach defendants in jurisdictions where U.S. authorities have no direct leverage. The investigation is a joint effort led by the FBI Austin Cyber Task Force, which includes the Naval Criminal Investigative Service, IRS Criminal Investigation, the Department of Defense Office of Inspector General's Defense Criminal Investigative Service, and the Army Criminal Investigation Division. The case reflects a sustained prosecution strategy: rather than treating Operation Magnus as a one-time disruption event, the DOJ has continued converting the intelligence gained from seized infrastructure and client databases into individual criminal referrals across multiple jurisdictions.

Who Is Handala — The Iran-Linked Ghost Group That Just Wiped 200K Stryker Devices


On the morning of March 11, employees at Stryker offices worldwide switched on their computers and found them blank — login screens replaced by a logo most had never seen. A small, barefoot boy with a slingshot, the symbol of Handala.

The attack on Stryker Corporation — a Fortune 500 medical technology giant that supplies surgical equipment, orthopedic implants, and neurotechnology to hospitals globally — ranks as one of the most operationally destructive cyberattacks ever executed against a U.S. healthcare company.

Stryker reported $25 billion in revenue in 2025 and employs approximately 56,000 people, with its products embedded in hospital supply chains worldwide. What hit it was not ransomware. The attackers came to destroy, not extort.

Stryker confirmed the incident in a Form 8-K filing with the U.S. SEC, describing "a global disruption to the Company's Microsoft environment" and stating it had no indication of ransomware or malware and believed the incident was contained. The company's own filing, however, understated what employees were already reporting on the ground.

Employees in the United States, Ireland, Costa Rica, and Australia reported that managed Windows laptops and mobile devices had been remotely wiped.

"My wife had 3 Stryker managed devices wiped around 3:30 AM EDT. Their Entra login page was defaced with the Handala logo," a Reddit user said.

Another described the situation as "bad" and said: "Many colleagues' phones have been wiped. Instructed to remove intune, company portal, teams, VPN from personal devices. Personal phone so have lost access to my eSim. Unable to log in to many things due to 2-factor authentication. Have lost all personal data from personal devices that were enrolled and now unable to access emails and teams."

Handala claimed to have wiped more than 200,000 systems, servers, and mobile devices and extracted 50 terabytes of data, forcing Stryker to shut down operations across 79 countries. In a midnight update, Stryker said it was still working toward full restoration after the cyberattack.

"We are continuing to resolve the disruption impacting our global network, resulting from the cyber attack.  At this time, there is no indication of malware or ransomware and we believe the situation is contained to our internal Microsoft environment only.  Our products like Mako, Vocera and LIFEPAK35 are fully safe to use.  We have visibility to the orders entered before the event, and they will be shipped as soon as our system communications are restored. Any orders that have come in after the event are being examined. We are working to ensure our electronic ordering system is back up and running as quickly as possible. It is safe to communicate with Stryker employees and sales representatives by email and phone, and within your facility." - Stryker's update on the cyberattack

The mechanism behind the attack points to a calculated abuse of Microsoft Intune, the cloud-based platform enterprises use to manage enrolled devices and push policy to all of them from a single console. That sets it apart from a conventional wiper, malware that permanently erases data rather than encrypting it for ransom: here the destruction appears to have come through the management platform's own remote-wipe capability, which is consistent with Stryker finding no indication of malware.

In short, an attacker with admin-level access to Intune holds a kill switch for every enrolled endpoint in the organization. The Handala branding on the Entra login page before the wipe indicates that access had been established and held well before the destructive phase began; this was a deliberate, staged operation.
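Because one Intune administrator can issue remote wipes fleet-wide, the audit trail of wipe actions is the earliest place a mass wipe shows up. The following is an added example, not Microsoft's or Stryker's code: it runs over a constructed export of Intune audit events and flags any actor who wipes more than a handful of devices inside a short window, or who issues wipes without being on the list of accounts allowed to do so. The record fields follow the shape of the Microsoft Graph `auditEvent` resource, but the exact wipe `activityType` string, the thresholds, the allowlist and the sample events are assumptions made for the example.

```python
"""Flag mass or unauthorised remote wipes in exported Intune audit events.

Added example, not Microsoft's or Stryker's code. Field names follow the
Microsoft Graph auditEvent resource, but the wipe activityType string, the
thresholds and the allowlist are this example's assumptions; the events in
SAMPLE_EVENTS are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_PREFIX = "wipe"                              # assumed activityType prefix for a wipe
WIPE_ALLOWLIST = {"helpdesk-lead@corp.example"}   # hypothetical accounts allowed to wipe
BURST_WINDOW = timedelta(minutes=10)
BURST_LIMIT = 3                                   # more wipes than this per window is a burst


def _event(activity, when, actor, device):
    """Build one constructed auditEvent-shaped record."""
    return {"activityType": activity, "activityDateTime": when,
            "actor": {"userPrincipalName": actor},
            "resources": [{"displayName": device}]}


SAMPLE_EVENTS = [
    # Routine: the helpdesk lead wipes two lost laptops an hour apart.
    _event("wipe ManagedDevice", "2026-03-11T06:10:00Z", "helpdesk-lead@corp.example", "LAPTOP-0142"),
    _event("patch DeviceConfiguration", "2026-03-11T06:40:00Z", "helpdesk-lead@corp.example", "BaselinePolicy"),
    _event("wipe ManagedDevice", "2026-03-11T07:10:00Z", "helpdesk-lead@corp.example", "LAPTOP-0377"),
    # Suspicious: a service account with no wipe duties wipes five devices in two minutes.
    _event("wipe ManagedDevice", "2026-03-11T07:30:00Z", "svc-sync@corp.example", "LAPTOP-0001"),
    _event("wipe ManagedDevice", "2026-03-11T07:30:20Z", "svc-sync@corp.example", "LAPTOP-0002"),
    _event("wipe ManagedDevice", "2026-03-11T07:30:45Z", "svc-sync@corp.example", "PHONE-0003"),
    _event("wipe ManagedDevice", "2026-03-11T07:31:10Z", "svc-sync@corp.example", "PHONE-0004"),
    _event("wipe ManagedDevice", "2026-03-11T07:32:00Z", "svc-sync@corp.example", "LAPTOP-0005"),
]


def _when(event):
    return datetime.strptime(event["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def wipe_events(events):
    """Only wipe actions, oldest first; other audit activity is ignored."""
    wipes = [e for e in events if e["activityType"].lower().startswith(WIPE_PREFIX)]
    return sorted(wipes, key=_when)


def analyse_wipes(events, window=BURST_WINDOW, limit=BURST_LIMIT, allowlist=WIPE_ALLOWLIST):
    """Return {actor: finding} for actors who are not allowed to wipe at all or
    who wiped more than `limit` devices inside any `window`-long span.

    Each finding records the total wipes, the peak count inside one window,
    the device names touched, and which rule fired.
    """
    by_actor = defaultdict(list)
    for e in wipe_events(events):
        by_actor[e["actor"]["userPrincipalName"]].append(e)

    findings = {}
    for actor, wipes in by_actor.items():
        times = [_when(e) for e in wipes]
        peak, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        finding = {
            "wipes": len(wipes),
            "peak_in_window": peak,
            "devices": [r["displayName"] for e in wipes for r in e["resources"]],
            "unauthorised": actor not in allowlist,
            "burst": peak > limit,
        }
        if finding["unauthorised"] or finding["burst"]:
            findings[actor] = finding
    return findings


if __name__ == "__main__":
    for actor, finding in analyse_wipes(SAMPLE_EVENTS).items():
        print(actor, finding)
```

On the constructed events the helpdesk lead's two wipes pass, while the service account is reported on both rules. Detection of this kind is after the fact; the preventive control is keeping the wipe permission off standing, broadly scoped administrator roles so that a single stolen or abused account cannot reach every enrolled device.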

So Who Exactly is Handala?

Handala, also known as Handala Hack Team, Hatef, and Hamsa, first surfaced in December 2023 as a hacktivist operation linked to Iran's Ministry of Intelligence and Security (MOIS), initially targeting Israeli organizations with destructive malware designed to wipe both Windows and Linux devices, researchers at Cyble, an AI-powered threat intelligence firm, explained.

The group takes its name and visual branding from the iconic Palestinian cartoon character created by Naji al-Ali — a child refugee who never grows up and always turns his back to the viewer.

The hacktivist branding, however, obscures a more serious intelligence attribution. Multiple threat intelligence firms assess Handala as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor optimized for psychological and reputational disruption — breaking into systems, conducting hack-and-leak activity, and timing the publication of stolen material to maximize pressure.

Check Point Research found repeated overlaps between MuddyWater — another MOIS-affiliated group — and Void Manticore, including shared criminal tooling. Handala has used Rhadamanthys, a commercial infostealer sold on dark web forums, pairing it with custom data wipers in phishing lures that impersonated F5 software updates and even Israel's own National Cyber Directorate.

Cyble has observed Handala using the Hamsa and Hatef data wipers in previous campaigns aimed mainly at Israeli entities.
Also read: Iran-linked Threat Group Handala Actively Targets Israel

Void Manticore's attack playbook, which Handala follows as well, is consistent: initial access through unpatched web servers, VPN gateways, and remote access solutions; lateral movement using living-off-the-land tools such as PowerShell and scheduled tasks; and final-stage deployment of destructive wiper families designed to erase file systems and corrupt boot records.

The group's prior targets read like a map of sensitive sectors. Since the start of the Iran-Israel war, Handala has claimed to have wiped Israeli military weather servers, intercepted security feeds in Jerusalem, stolen and wiped data from various companies, doxxed Israeli intelligence officers, and breached an Israeli oil and gas exploration company.

Most recently, threat intelligence reporting documented the group publishing identifying details for 50 senior Israeli Air Force officers — names, IDs, addresses, and phone numbers.

Handala stated the Stryker attack was carried out in retaliation for a U.S. military strike on a school in Minab, Iran, that reportedly killed more than 175 people, most of them children.

(Image: Handala's claim of responsibility for the Stryker attack, as posted on X.)

Stryker has no direct connection to military operations, though it did secure a $450 million Department of Defense contract in 2025 to supply medical devices to the U.S. military.

That contract likely put a target on Stryker's back.

Recent reporting indicates that MOIS-affiliated groups, including Handala, infiltrated U.S. and Israeli infrastructure weeks before the military operations conducted as part of Operation Epic Fury, suggesting pre-positioned access rather than reactive intrusion. In other words, Handala may have been inside Stryker's environment long before anyone noticed.

Check Point researchers also observed Handala routing operations through Starlink IP ranges to probe externally facing applications for misconfigurations and weak credentials — a deliberate technique to blend reconnaissance traffic into legitimate satellite internet usage and frustrate IP-based blocking.

On Wednesday the group also claimed to have hacked the Israeli systems of Verifone, a leading provider of payment solutions and point-of-sale terminals worldwide. A spokesperson for the company told The Cyber Express, however, that such claims are "fake news" and have no substance. "Verifone closely monitors the security and integrity of its systems worldwide. We have observed recent allegations on March 11, 2026 from threat actors claiming an intrusion into our systems in Israel. Verifone has found no evidence of any incident related to this claim and has no service disruption to our clients," the spokesperson said.

Updated on March 13, 2026 1:24 AM ET: The article was updated with a statement from a Verifone spokesperson confirming no evidence of intrusion and no substance to Handala's claims.