Stryker Hackers Allegedly Wiped Tens of Thousands of Devices Without Deploying a Single Line of Malware

Hacking group Stryker claims to have wiped tens of thousands of devices using only legitimate system administration tools, bypassing traditional security defenses entirely. The alleged campaign highlights growing risks from living-off-the-land attacks that use no malware whatsoever.
Stryker Hackers Allegedly Wiped Tens of Thousands of Devices Without Deploying a Single Line of Malware
Written by Victoria Mossi

No ransomware. No trojans. No custom exploits. A hacking group calling itself Stryker claims to have wiped between 40,000 and 80,000 devices across a range of targets — and they say they did it all using legitimate tools already sitting on the victims’ networks. If the claims hold up, it’s one of the most striking examples yet of how living-off-the-land techniques have matured from a stealthy persistence method into a full-blown destructive capability.

The group’s alleged campaign, first reported by TechRadar, targeted organizations across multiple sectors. Stryker reportedly gained access through exposed or poorly secured remote access infrastructure — think misconfigured RDP endpoints and VPN appliances with known vulnerabilities — then used native system administration tools to propagate across internal networks and issue wipe commands to endpoints and servers. The result: mass data destruction without ever triggering traditional antivirus or endpoint detection signatures.

That’s the terrifying part.

Living-off-the-land binaries, or LOLBins, have been a known adversary technique for years. Tools like PowerShell, PsExec, WMI, and Windows Management Instrumentation Command-line (WMIC) ship with every Windows installation. They’re designed for system administrators. And they’re trusted implicitly by most security tools. Attackers who restrict themselves to these built-in utilities can move laterally, escalate privileges, and execute commands while generating network traffic that looks almost indistinguishable from routine IT operations. Security researchers have tracked nation-state groups like Volt Typhoon using these methods for espionage. But Stryker’s alleged use of the same approach for destructive wiping operations represents a different kind of threat — one where the goal isn’t to steal data or hold it hostage, but to annihilate it.

The group reportedly made its claims on dark web forums and Telegram channels, posting what it described as evidence of the campaign. Independent verification of the full scope remains difficult. But several cybersecurity researchers who examined the posted evidence told reporters the claims appeared at least partially credible, noting that the described techniques align with well-documented attack patterns and that some of the targeted organizations had confirmed service disruptions consistent with the timeline Stryker provided.

So what does a malware-free wipe actually look like in practice? The attack chain, as described, starts with initial access through internet-facing services. From there, the attackers use credential harvesting — again, with built-in tools — to obtain domain administrator privileges. Once they have those keys, they can push scripts or commands across the network using Group Policy Objects, PsExec, or remote PowerShell sessions. The final payload isn’t a binary. It’s a command: format drives, delete volume shadow copies, overwrite boot records. All executed through tools that the operating system itself provides.

This makes detection extraordinarily hard. Traditional signature-based antivirus is useless here because there’s no malicious file to flag. Even behavioral detection struggles when the commands being executed are identical to what a sysadmin might legitimately run during a decommissioning operation or system migration. The difference between a legitimate mass reimage and a destructive attack can come down to authorization — something that no endpoint agent can easily verify in real time.

The implications for defenders are uncomfortable but clear. Perimeter hardening matters more than ever. Exposed RDP and unpatched VPN appliances remain the most common initial access vectors in destructive attacks, according to CISA’s Known Exploited Vulnerabilities catalog. Organizations that haven’t implemented phishing-resistant MFA on all remote access points are essentially leaving the front door unlocked.

But perimeter security alone isn’t enough. Internal network segmentation, strict privilege tiering, and aggressive monitoring of administrative tool usage are the defensive layers that could catch — or at least slow — an attack like this. Microsoft’s own guidance on securing privileged access recommends implementing a tiered administration model where domain admin credentials are never exposed on standard workstations. Most organizations haven’t done this.

Monitoring is where the real gap lives. Security operations teams need to baseline normal administrative behavior and alert on anomalies — mass remote execution commands, bulk drive formatting operations, sudden spikes in PsExec usage across multiple endpoints. These signals exist. They’re just buried in noise unless you’re specifically looking for them.

And that’s the core problem. The security industry has spent two decades building tools to detect malicious software. Stryker’s alleged campaign is a reminder that the most dangerous attacks may not involve any malicious software at all. The tools are already there. The permissions are already granted. The attackers just need the credentials.

Whether Stryker’s full claims are verified or not, the technique is real, documented, and increasingly common. The line between administration and attack has never been thinner.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us