Iran MOIS Colludes With Criminals to Boost Cyberattacks - Dark Reading

THREAT INTELLIGENCE CYBERATTACKS & DATA BREACHES VULNERABILITIES & THREATS CYBER RISK NEWS Iran MOIS Colludes With Criminals to Boost Cyberattacks Iranian APTs have long pretended to be cybercriminal groups. Now they're working with actual cybercriminal groups. Nate Nelson,Contributing Writer March 12, 2026 4 Min Read SOURCE: ZUMA PRESS, INC. VIA ALAMY STOCK PHOTO Iranian state intelligence has been utilizing the cybercriminal underground to upgrade and provide cover for its offensive cyber activity. Iran's Ministry of Intelligence and Security (MOIS) has long used hacktivism as a cover when it carries out cyberattacks. On March 11, for example, a wiper attack struck the Fortune 500 medical technology company Stryker. It was claimed by "Handala," a group that positions itself as a pro-Palestine hacktivist operation, evidently itching to contribute to the ongoing US-Iran war. In fact, it's a front for Void Manticore, an advanced persistent threat (APT) run out of Iran's MOIS. This isn't a new strategy. What is new, according to recent research from Check Point, is that MOIS hackers have been working with the real cybercriminals they're pretending to be. Void Manticore, for example, has made the commercial infostealer Rhadamanthys a core element of its attack chains. Other MOIS entities have been linked to cybercrime clusters, even collaborating with ransomware-as-a-service (RaaS) operations. Related:Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error Organizations need to be aware of this, says Sergey Shykevich, threat intelligence group manager at Check Point, "because there can be a case where a SOC or CISO will see something in their network that they associate with cybercrime activity [and label it] of low risk. And in reality, it will be an Iranian threat actor who will be able to execute destructive activities." Cybercrime Aids State Objectives Iran is not the first country to use cybercriminal personnel, malware, and infrastructure in service of state objectives. Russian intelligence has employed civilian hackers to carry out major cyberattacks. Chinese APTs source malware and infrastructure from the country's criminal sector. North Korea's government runs the world's most profitable cybercriminal outfits. We also know that Iran's intelligence services have worked with criminals to achieve state objectives out in the world. According to US authorities, the MOIS hired a prominent drug trafficking network to target dissidents and activists in Iran and the US. It has done the same thing in European countries, too, like Sweden. For roughly a year now, in Shykevich's estimation, Iran has been adopting the same approach in cyberspace. Void Manticore has deeply integrated an infostealer-as-a-service product into its operations. Some MuddyWater activity — like its Tsundere botnet — has looked enough like cybercrime behavior that it has confused analysts, and some of its malware has been signed with the same certificates used by the CastleLoader malware-as-a-service tool. Related:Feuding Ransomware Groups Leak Each Other's Data The most interesting overlap between Iranian intelligence and cybercrime perhaps occurred when an Israeli hospital suffered a cyberattack in October 2025. The attack was initially claimed by Qilin and attributed to Eastern European hackers. Three weeks later, Israel's National Cyber Directorate (INCD) corrected the record, blaming Iran, suggesting that state-affiliated hackers might have been acting as RaaS affiliates. "The takeaway, from our perspective, is how deeply they embed cybercriminal services in their operations," Shykevich says. "Just purchasing access from initial access brokers (IABs), or something like that, we assume also happens. It's more that [Iranian APTs] are a part of ransomware-as-a-service and infostealer-as-a-service operations, making it part of their operations. We have already seen several cases that show this, and more than one group." How Criminals Can Help Their Countries The advantages of this model are clear. Mixing with criminal elements makes the job of attributing malicious activity more difficult for investigators. Cybercriminals also have some good tooling and robust infrastructure to offer, even to well-resourced (if not elite) nation-state actors. Related:North Korea's Lazarus Targets macOS Users via ClickFix For example, Shykevich says, "MuddyWater is not extremely sophisticated on a technical level. Most of what they do in their regular operations is sending phishing mail and then using remote monitoring and management (RMM) tools. They do have some malware, but none of their malware is state-of-the-art. So in this case, it's not surprising that it's easier for them, [instead] of one year of investment in developing some malware, to pay $500 and buy a specific loader or certificates or whatever." Buying instead of building will be extra attractive to Iranian APTs during wartime, as resources are strained and the imperative to cause more and more destruction has never been greater. "Some of the Iranian actors are now desperate to some degree, and we see in some cases that their operational security is much lower," Shykevich observes. "So I think it is more likely they will at least try to use different underground services." In particular, the MOIS might start making greater use of criminal IABs because it can be an easy win. "Instead of building a long-term operation to infiltrate an American or Israeli or Gulf company, or a government entity, they can just find some Dark Web forum or a Telegram channel where someone's selling access to entities that align with the profile of what they're looking to purchase, and then execute the operation. I think it's definitely a possible scenario." About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Enterprises Are Developing Secure Applications How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Sysdig 2025 Cloud-Native Security and Usage Report Access More Research Webinars How Well Can You See What's in Your Cloud? Implementing CTEM: Beyond Vulnerability Management Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning Zero Trust Architecture for Cloud environments: Implementation Roadmap Tips for Managing Cloud Security in a Hybrid Environment? More Webinars You May Also Like THREAT INTELLIGENCE Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish by Jai Vijayan MAR 17, 2026 THREAT INTELLIGENCE Iran's Cyber-Kinetic War Doctrine Takes Shape by Alexander Culafi MAR 06, 2026 THREAT INTELLIGENCE React2Shell Exploits Flood the Internet as Attacks Continue by Rob Wright DEC 12, 2025 THREAT INTELLIGENCE Chinese Gov't Fronts Trick the West to Obtain Cyber Tech by Nate Nelson, Contributing Writer OCT 06, 2025 Editor's Choice СLOUD SECURITY Navigating the Unique Security Risks of Asia's Digital Supply Chain byAlexander Culafi APR 15, 2026 3 MIN READ CYBER RISK 20-Year-Old Malware Rewrites History of Cyber Sabotage byJai Vijayan APR 27, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars How Well Can You See What's in Your Cloud? THURS, JUNE 4, 2026 AT 1:00PM EST Implementing CTEM: Beyond Vulnerability Management THURS, MAY 21, 2026 AT 1PM EST Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning MON, MAY 11, 2026 AT 1:00PM ET Zero Trust Architecture for Cloud environments: Implementation Roadmap TUES, MAY 12, 2026 AT 1PM EST Tips for Managing Cloud Security in a Hybrid Environment? THURS, MAY 7, 2026 AT 1PM EST More Webinars BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS