Iranian MOIS-Linked Threat Actors Increasingly Leverage Cybercrime Tools and Infrastructure
Check Point Research reported that Iranian Ministry of Intelligence and Security (MOIS)-linked actors are increasingly moving beyond simply posing as cybercriminals and are instead directly engaging with the cybercrime ecosystem—using criminal tooling, services, and operational models to support state objectives while complicating attribution. The activity is highlighted in operations tied to Void Manticore (including the Handala Hack persona) and MuddyWater, where researchers observed repeated overlaps with criminal tools and infrastructure, suggesting an affiliate-style or service-consumption model that improves resilience and capability.
Reporting on the research noted that Void Manticore has incorporated the commercially sold infostealer Rhadamanthys (marketed on cybercrime forums) into campaigns, including phishing activity targeting Israeli entities; the infostealer has been paired with custom wipers and lure themes such as impersonated F5 updates and even messages spoofing the Israeli National Cyber Directorate (INCD). The same coverage reiterated that MuddyWater continues MOIS-aligned espionage activity and is also associated with cybercrime-style tooling and services, reinforcing the assessment that Iranian state operators are increasingly blending state tradecraft with criminal malware, infrastructure, and monetized services rather than relying solely on false-flag “ransomware” or hacktivist branding.
Related Entities
Threat Actors
Organizations
Sources
Related Stories
Iranian Cyber Operations Shift Toward Identity Abuse and Broader Hybrid Targeting
Iranian state-aligned and affiliated cyber activity has expanded beyond traditional disruptive malware into a broader campaign of **hybrid operations** that combines espionage, reconnaissance, credential abuse, and destructive effects. Reporting describes a tactical shift from bespoke wipers toward **living-off-the-land** methods, including the compromise of highly privileged identities and the use of legitimate enterprise administration capabilities to issue remote-wipe actions at scale. At the same time, Iranian operators and aligned personas have been linked to sustained access into US organizations in sectors including banking, aviation, defense-adjacent industries, and healthcare, while also targeting internet-connected surveillance infrastructure in the Middle East for intelligence collection and battlefield awareness. The activity is unfolding alongside a wider surge in hostile traffic associated with the regional conflict, with major increases in infrastructure scanning, automated reconnaissance, credential harvesting, and DDoS preparation against critical businesses, especially **banking and fintech**. One report highlights **Handala/Void Manticore** as emblematic of the disruptive trend, while another ties **MuddyWater** to persistent footholds in US networks and notes exploitation of camera vulnerabilities such as `CVE-2017-7921` and `CVE-2021-33044`. Together, the reporting indicates that Iranian cyber operations remain active and adaptive, using proxy infrastructure, compromised identities, and exposed edge devices to sustain pressure on commercial and strategic targets without relying solely on custom malware.
Today
Geopolitically driven cyber activity surges following Operation Epic Fury
Iran-linked threat actors escalated from espionage to **disruptive and destructive operations** in the wake of the US/Israel military campaign dubbed **Operation Epic Fury**, with reporting describing a coordinated hybrid offensive against Western, Israeli, and regional economic and critical infrastructure targets. Tenable assessed **MOIS-affiliated** groups as increasingly masking activity behind cybercriminal infrastructure to complicate attribution, and highlighted a notable rise in Iranian-nexus targeting of **internet-connected IP cameras** using known, exploitable vulnerabilities; the same reporting pointed to increased activity from **MuddyWater** and the **Void Manticore/Handala** persona, including indications of pre-positioned access ahead of the kinetic operations. Separate threat-intelligence reporting described **China-nexus** actors rapidly pivoting in the same geopolitical window, including activity against **Qatari entities** shortly after the initial strikes: **Camaro Dragon** attempted to deploy a **PlugX** variant using conflict-themed lures, and another intrusion attempt used **DLL hijacking** to deliver **Cobalt Strike**, consistent with China-aligned tradecraft. Other items in the set cover unrelated campaigns and incidents—an exposed **APT28** Roundcube exploitation toolkit targeting Ukrainian government mail infrastructure, a pro-Russian **NoName057(16)** DDoS campaign heavily targeting German and Israeli public-sector and commercial services, a Russian-speaking **BlackSanta** BYOVD “EDR killer” delivered via HR-themed lures and steganographic images, and a weekly bulletin summarizing multiple breaches (e.g., AkzoNobel, LexisNexis, Wikimedia, TriZetto)—and do not materially add to the Operation Epic Fury–linked escalation narrative.
5 days ago
Iranian State-Linked Threat Activity and Related Supply-Chain/Developer Targeting Research
Multiple reports detail **Iranian-linked espionage activity** and tooling updates. SafeBreach described follow-on findings on the Iranian state-sponsored actor **“Prince of Persia,”** including at least three active variants of **Foudre** and **Tonnerre** malware, newly identified C2 infrastructure, and a **Telegram-based data exfiltration** channel; after publication, the actor rapidly rotated C2 servers and Telegram accounts, attempted to obscure victim-tracking artifacts, and appeared to attempt a retaliatory action against researchers that resembled prior attacks against open-source Python libraries. Separately, Plone (a Python-based CMS) reported it **prevented a supply-chain compromise** after an attacker used a stolen developer **GitHub personal access token** to force-push whitespace-obfuscated malicious JavaScript into multiple repositories; the changes were detected before any official release, and GitHub assessed the payload was intended to compromise **other developers** (persistence via shell startup scripts, RCE, and theft of credentials/API keys/browser profiles/crypto wallet files). Additional Iranian activity was reported in an espionage campaign attributed to **APT42** (IRGC-linked) using **TAMECAT**, a modular, largely in-memory **PowerShell backdoor** delivered after prolonged social engineering (e.g., WhatsApp rapport-building), with modules for browser data theft, screenshots, and file discovery; however, separate research on the **Lazarus** “Contagious Interview” campaign (fake job interviews and AnyDesk RAT backdoors) is unrelated to the Iranian-focused activity described elsewhere.
1 months ago