Skip to content
Tech News
← Back to articles

Iran MOIS Colludes With Criminals to Boost Cyberattacks

2026-03-12 | original
read original get Cybersecurity Defense Kit → more articles
Why This Matters

The collaboration between Iran's MOIS and cybercriminal groups signifies a strategic shift, enabling Iran to conduct sophisticated cyberattacks while obscuring state involvement. This blurring of lines between criminal activity and state-sponsored operations poses increased risks for organizations worldwide, complicating attribution and defense efforts. Recognizing these tactics is crucial for cybersecurity professionals to accurately assess threats and respond effectively.

Key Takeaways

Iranian state intelligence has been utilizing the cybercriminal underground to upgrade and provide cover for its offensive cyber activity.

Iran's Ministry of Intelligence and Security (MOIS) has long used hacktivism as a cover when it carries out cyberattacks. On March 11, for example, a wiper attack struck the Fortune 500 medical technology company Stryker. It was claimed by "Handala," a group that positions itself as a pro-Palestine hacktivist operation, evidently itching to contribute to the ongoing US-Iran war. In fact, it's a front for Void Manticore, an advanced persistent threat (APT) run out of Iran's MOIS.

This isn't a new strategy. What is new, according to recent research from Check Point, is that MOIS hackers have been working with the real cybercriminals they're pretending to be. Void Manticore, for example, has made the commercial infostealer Rhadamanthys a core element of its attack chains. Other MOIS entities have been linked to cybercrime clusters, even collaborating with ransomware-as-a-service (RaaS) operations.

Related:Commercial Spyware Opponents Fear US Policy Shifting

Organizations need to be aware of this, says Sergey Shykevich, threat intelligence group manager at Check Point, "because there can be a case where a SOC or CISO will see something in their network that they associate with cybercrime activity [and label it] of low risk. And in reality, it will be an Iranian threat actor who will be able to execute destructive activities."

Cybercrime Aids State Objectives

Iran is not the first country to use cybercriminal personnel, malware, and infrastructure in service of state objectives. Russian intelligence has employed civilian hackers to carry out major cyberattacks. Chinese APTs source malware and infrastructure from the country's criminal sector. North Korea's government runs the world's most profitable cybercriminal outfits.

We also know that Iran's intelligence services have worked with criminals to achieve state objectives out in the world. According to US authorities, the MOIS hired a prominent drug trafficking network to target dissidents and activists in Iran and the US. It has done the same thing in European countries, too, like Sweden.

For roughly a year now, in Shykevich's estimation, Iran has been adopting the same approach in cyberspace. Void Manticore has deeply integrated an infostealer-as-a-service product into its operations. Some MuddyWater activity — like its Tsundere botnet — has looked enough like cybercrime behavior that it has confused analysts, and some of its malware has been signed with the same certificates used by the CastleLoader malware-as-a-service tool.

Related:INC Ransomware Group Holds Healthcare Hostage in Oceania

... continue reading

Explore topics: mois void manticore rhadamanthys cybercriminals ransomware
Related:
Fake CAPTCHA attacks spiked by 563% last year: How to spot them before it's too late
England Hockey investigating ransomware data breach
US charges another ransomware negotiator linked to BlackCat attacks
INC Ransomware Group Holds Healthcare Hostage in Oceania
AI Agent Goes Rogue, Starts Mining Crypto to Amass Funds

© 2026 GoKawiil

About | Editorial Policy | Contact