
Iran MOIS Colludes With Criminals to Boost Cyberattacks

Dark Reading · Archived Mar 16, 2026

Iranian APTs have long pretended to be cybercriminal groups. Now they're working with actual cybercriminal groups.



Nate Nelson, Contributing Writer
March 12, 2026
4 Min Read

Iranian state intelligence has been utilizing the cybercriminal underground to upgrade and provide cover for its offensive cyber activity.

Iran's Ministry of Intelligence and Security (MOIS) has long used hacktivism as a cover when it carries out cyberattacks. On March 11, for example, a wiper attack struck the Fortune 500 medical technology company Stryker. It was claimed by "Handala," a group that positions itself as a pro-Palestine hacktivist operation, evidently itching to contribute to the ongoing US-Iran war. In fact, it's a front for Void Manticore, an advanced persistent threat (APT) run out of Iran's MOIS.

This isn't a new strategy. What is new, according to recent research from Check Point, is that MOIS hackers have been working with the real cybercriminals they're pretending to be. Void Manticore, for example, has made the commercial infostealer Rhadamanthys a core element of its attack chains. Other MOIS entities have been linked to cybercrime clusters, even collaborating with ransomware-as-a-service (RaaS) operations.

Organizations need to be aware of this, says Sergey Shykevich, threat intelligence group manager at Check Point, "because there can be a case where a SOC or CISO will see something in their network that they associate with cybercrime activity [and label it] of low risk. And in reality, it will be an Iranian threat actor who will be able to execute destructive activities."

Cybercrime Aids State Objectives

Iran is not the first country to use cybercriminal personnel, malware, and infrastructure in service of state objectives. Russian intelligence has employed civilian hackers to carry out major cyberattacks. Chinese APTs source malware and infrastructure from the country's criminal sector. North Korea's government runs the world's most profitable cybercriminal outfits.

We also know that Iran's intelligence services have worked with criminals to achieve state objectives out in the world. According to US authorities, the MOIS hired a prominent drug trafficking network to target dissidents and activists in Iran and the US. It has done the same thing in European countries, too, like Sweden.

For roughly a year now, in Shykevich's estimation, Iran has been adopting the same approach in cyberspace. Void Manticore has deeply integrated an infostealer-as-a-service product into its operations. Some MuddyWater activity — like its Tsundere botnet — has looked enough like cybercrime behavior that it has confused analysts, and some of its malware has been signed with the same certificates used by the CastleLoader malware-as-a-service tool.

The most interesting overlap between Iranian intelligence and cybercrime perhaps occurred when an Israeli hospital suffered a cyberattack in October 2025. The attack was initially claimed by Qilin and attributed to Eastern European hackers. Three weeks later, Israel's National Cyber Directorate (INCD) corrected the record, blaming Iran, suggesting that state-affiliated hackers might have been acting as RaaS affiliates.

"The takeaway, from our perspective, is how deeply they embed cybercriminal services in their operations," Shykevich says. "Just purchasing access from initial access brokers (IABs), or something like that, we assume also happens. It's more that [Iranian APTs] are a part of ransomware-as-a-service and infostealer-as-a-service operations, making it part of their operations. We have already seen several cases that show this, and more than one group."

How Criminals Can Help Their Countries

The advantages of this model are clear. Mixing with criminal elements makes the job of attributing malicious activity more difficult for investigators. Cybercriminals also have some good tooling and robust infrastructure to offer, even to well-resourced (if not elite) nation-state actors.

For example, Shykevich says, "MuddyWater is not extremely sophisticated on a technical level. Most of what they do in their regular operations is sending phishing mail and then using remote monitoring and management (RMM) tools. They do have some malware, but none of their malware is state-of-the-art. So in this case, it's not surprising that it's easier for them, [instead] of one year of investment in developing some malware, to pay $500 and buy a specific loader or certificates or whatever."

Buying instead of building will be extra attractive to Iranian APTs during wartime, as resources are strained and the imperative to cause more and more destruction has never been greater.

"Some of the Iranian actors are now desperate to some degree, and we see in some cases that their operational security is much lower," Shykevich observes. "So I think it is more likely they will at least try to use different underground services."

In particular, the MOIS might start making greater use of criminal IABs because it can be an easy win. "Instead of building a long-term operation to infiltrate an American or Israeli or Gulf company, or a government entity, they can just find some Dark Web forum or a Telegram channel where someone's selling access to entities that align with the profile of what they're looking to purchase, and then execute the operation. I think it's definitely a possible scenario."

About the Author

Nate Nelson, Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.