Iranian MOIS-Linked Threat Actors Increasingly Leverage Cybercrime Tools and Infrastructure
Check Point Research reported that Iranian Ministry of Intelligence and Security (MOIS)-linked actors are increasingly moving beyond simply posing as cybercriminals and are instead directly engaging with the cybercrime ecosystem—using criminal tooling, services, and operational models to support state objectives while complicating attribution. The activity is highlighted in operations tied to Void Manticore (including the Handala Hack persona) and MuddyWater, where researchers observed repeated overlaps with criminal tools and infrastructure, suggesting an affiliate-style or service-consumption model that improves resilience and capability.
Reporting on the research noted that Void Manticore has incorporated the commercially sold infostealer Rhadamanthys (marketed on cybercrime forums) into campaigns, including phishing activity targeting Israeli entities; the infostealer has been paired with custom wipers and lure themes such as impersonated F5 updates and even messages spoofing the Israeli National Cyber Directorate (INCD). The same coverage reiterated that MuddyWater continues MOIS-aligned espionage activity and is also associated with cybercrime-style tooling and services, reinforcing the assessment that Iranian state operators are increasingly blending state tradecraft with criminal malware, infrastructure, and monetized services rather than relying solely on false-flag “ransomware” or hacktivist branding.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
JUMPSEC links MuddyWater ChainShell campaign to CastleRAT MaaS
JUMPSEC documented a 'ChainShell' campaign in which MuddyWater used the Russian CastleRAT malware-as-a-service platform against Israeli targets. A misconfigured command-and-control server exposed both custom Iranian malware and TAG-150 CastleRAT samples, with attribution supported by reused SSL.com certificates and campaign identifiers tied to earlier MuddyWater activity.
Check Point publishes report on MOIS use of cybercrime ecosystem
On March 10, 2026, Check Point Research published findings that Iranian MOIS-linked actors are using criminal malware, services, and ransomware infrastructure as operational resources, not just as cover, complicating attribution.
Researchers link Shamir attack to Iranian strategic objectives
Subsequent analysis assessed the Shamir Medical Center incident as more directly tied to Iranian actors operating through a ransomware-as-a-service affiliate ecosystem, rather than a routine criminal ransomware case. The attack was also connected to a broader MOIS- and Hezbollah-linked campaign targeting hospitals.
Shamir Medical Center hit in ransomware incident
In October 2025, Israel's Shamir Medical Center suffered a ransomware attack that was initially presented as a Qilin ransomware affiliate operation.
MuddyWater activity overlaps with FakeSet and CastleLoader chains
Check Point identified MuddyWater-related activity connected to FakeSet and the malware-as-a-service loader CastleLoader, including certificate reuse that complicated analysis and attribution.
MuddyWater deploys DinDoor linked to the Tsundere botnet
Researchers observed MuddyWater using a new backdoor called DinDoor, assessed as a Deno-based variant of the Tsundere botnet. The activity showed overlap between an MOIS-linked espionage actor and criminal botnet tooling.
Void Manticore uses Rhadamanthys in phishing against Israeli targets
Void Manticore, operating under the Handala persona, incorporated the commercial Rhadamanthys infostealer into phishing campaigns targeting Israel. The campaigns also used lures such as fake F5 updates and messages impersonating the Israeli National Cyber Directorate, sometimes paired with custom wipers.
MuddyWater begins MOIS-linked espionage operations
Check Point says MuddyWater, also known as Seedworm or Static Kitten, has been conducting espionage activity on behalf of Iran's Ministry of Intelligence and Security since around 2018.
Sources
MuddyWater pays for Russian CastleRAT malware | brief | SC Media (scworld.com)
Iranian MOIS Actors & the Cyber Crime Connection - Check Point Research (research.checkpoint.com)
Cybercrime isn't just a cover for Iran's government goons • The Register (go.theregister.com)