VYPR Research · Published Mar 10, 2026 · Updated May 18, 2026 · 1 source

Iranian MOIS-Linked Hackers Increasingly Tap Cyber Crime Ecosystem for Tools, Infrastructure

Check Point Research reveals that Iranian MOIS-affiliated groups like Void Manticore and MuddyWater are moving beyond imitation to directly engage with the cyber crime ecosystem, using commercial infostealers, ransomware branding, and affiliate models to advance state objectives.

Iranian state-sponsored hackers linked to the Ministry of Intelligence and Security (MOIS) are increasingly embedding themselves within the cyber crime ecosystem, leveraging criminal tools, infrastructure, and operational models to advance Tehran's strategic objectives, according to a new report from Check Point Research.

The shift goes far beyond the longstanding practice of posing as ransomware gangs for deniability. Instead, groups such as Void Manticore (also known as Handala) and MuddyWater are now directly associating with the criminal underground: using commercial, off-the-shelf malware, renting criminal infrastructure, and adopting affiliate-style mechanisms that mirror the operations of financially motivated cyber crime groups.

Check Point researchers documented multiple cases illustrating this evolution. Void Manticore, which operates under hacktivist personas like Homeland Justice and Handala, has been observed deploying the commercial infostealer Rhadamanthys in phishing campaigns targeting Israeli organizations. The group paired the infostealer with custom wipers in lures impersonating F5 updates and the Israeli National Cyber Directorate, demonstrating a hybrid approach that blends state-level destructive intent with readily available criminal tooling.

MuddyWater, a subordinate element within MOIS according to CISA, has similarly shown repeated overlaps with criminal malware clusters. Researchers noted that the group's use of tools such as the Tsundere botnet, and its connections to the Castle Loader malware family, have created significant confusion in the security community, leading to misattribution and flawed threat intelligence pivoting. This confusion benefits the actors by obscuring their state sponsorship behind a veneer of ordinary cyber crime.

The trend mirrors a long-established pattern in the physical world, where Iranian intelligence services have used criminal networks for surveillance, kidnappings, and assassinations. The U.S. Treasury has previously designated the narcotics trafficker Naji Ibrahim Sharifi-Zindashti's network as operating at the behest of MOIS, and Sweden's Security Service has described similar use of criminal intermediaries for violent acts. Check Point argues the same logic now applies in cyberspace.

For the threat actors, the advantages are twofold. Access to mature criminal tooling and resilient infrastructure enhances operational capabilities, while the criminal cover complicates attribution and forces defenders to waste resources chasing false leads. The report warns that this convergence is likely to accelerate, as state-sponsored groups find increasing value in the efficiency and deniability that the cyber crime ecosystem provides.

The findings underscore a broader trend of state-criminal collaboration in cyberspace, where the lines between espionage, sabotage, and financially motivated crime continue to blur. As Iranian MOIS actors deepen their ties to the criminal underground, defenders will need to adapt their threat models to account for a threat landscape where state actors can draw on the full arsenal of the cyber crime economy.

Synthesized by Vypr AI