Iranian MOIS Actors & the Cyber Crime Connection
Summary:
The landscape of Iranian state-sponsored cyber operations is undergoing a fundamental transformation, shifting from the mere imitation of cybercrime to direct, active integration within the criminal ecosystem. Operatives linked to the Ministry of Intelligence and Security (MOIS), specifically clusters like MuddyWater (APT33) and Void Manticore (operating as the Handala persona), are no longer just using criminal "fronts" for deniability. Instead, they are functioning as active consumers and participants in the darknet economy. This includes the purchase and deployment of sophisticated commercial malware like the Rhadamanthys infostealer, which has been observed in campaigns where Handala impersonated F5 software updates or the Israeli National Cyber Directorate (INCD).
Furthermore, these state actors are adopting "Malware-as-a-Service" (MaaS) and "Ransomware-as-a-Service" (RaaS) models to scale their operations. For instance, MuddyWater has been linked to the Tsundere Botnet (using the DinDoor backdoor) and Castle Loader, both of which utilize a variety of execution environments like Deno and Node.js to evade traditional monitoring. There is also evidence of these groups operating as affiliates for established ransomware brands like Qilin, using their infrastructure to launch disruptive wiper attacks under the guise of financial extortion. This convergence allows MOIS to outsource the technical burden of tool development and infrastructure maintenance while gaining a layer of sophisticated obfuscation that complicates forensic attribution.
Security Officer Comments:
This evolution creates a critical "attribution gap." When a state actor utilizes the same tools, code-signing certificates, and command-and-control (C2) infrastructure as a common cybercriminal, the initial triage of an incident may be fatally flawed. For our members in the financial, aviation, and healthcare sectors, a detection of a "commodity" infostealer like Rhadamanthys might be viewed as a low-priority cleanup task. However, in the context of this MOIS activity, that same infostealer is often the precursor to a high-impact "hack-and-leak" or wiper operation intended to cause operational paralysis and public panic.
Recent alleged strikes against major entities, such as the med-tech firm Stryker and payment provider Verifone, demonstrate that these actors are increasingly targeting Western-based global enterprises. The objective is rarely financial; it is "information shock." By stealing massive quantities of data (as seen in the claimed 50 TB theft from Stryker) and immediately publicizing the breach through Telegram and X, they exert asymmetric pressure on the target. For organizations, the risk is not just the breach itself, but the rapid, weaponized dissemination of internal data that can damage brand integrity and trigger regulatory scrutiny before the incident response team has even fully contained the threat.
Suggested Corrections:
Given the use of criminal-adjacent tactics and "Living off the Land" (LotL) techniques, members should adopt the following defensive posture:
- Elevate Infostealer Alerts: Treat the detection of Rhadamanthys, RedLine, or Vidar not as common malware, but as a potential high-level compromise. Implement automated playbooks to revoke active sessions, reset all user credentials, and trigger a forensic review of lateral movement for any identity associated with an infostealer hit.
- Monitor Non-Standard Runtimes: MOIS-linked groups are using Deno and Node.js to execute backdoors (e.g., DinDoor) because these are less commonly monitored than PowerShell. EDR policies should be updated to alert on unusual parent-child process relationships involving deno.exe or node.exe, especially when they initiate external network connections.
- RMM and Cloud Storage Hardening: These actors frequently utilize legitimate Remote Monitoring and Management (RMM) tools (AnyDesk, ScreenConnect) and cloud services (Mega, Wasabi) for C2 and exfiltration. Organizations should restrict RMM usage to a sanctioned "Allow-only" list and monitor for high-volume data transfers to unauthorized cloud storage providers.
- Identity-Centric Defense: Since access is often purchased from Initial Access Brokers (IABs) or stolen via phishing, phishing-resistant MFA (FIDO2/WebAuthn) is mandatory. Additionally, use behavioral analytics to flag "impossible travel" or logins from unexpected IP ranges, such as Starlink IPs, which Handala has been known to use to bypass domestic internet restrictions.
- Wiper and Leak Preparedness: Maintain immutable, air-gapped backups to counter destructive wiper payloads. Develop a specialized "Crisis Communications" plan that accounts for a "hack-and-leak" scenario, where the attacker may attempt to control the narrative by leaking data publicly within hours of the initial intrusion.
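As an added illustration (not part of this advisory or of the Check Point report it summarizes), the following Python sketch turns the "Monitor Non-Standard Runtimes" and "RMM and Cloud Storage Hardening" items above into detection logic run over Sysmon-style records: process creation (Event ID 1) and network connection (Event ID 3). It flags deno.exe or node.exe launched by an unexpected parent, escalates when that same process then connects outside the internal address space, and flags any RMM agent that is not on the sanctioned allow-only list. The event records, file paths, parent baseline, RMM allow-list and internal ranges are all constructed assumptions to be replaced with your own telemetry and baselines.

```python
import ipaddress
from pathlib import PureWindowsPath

# Runtimes the advisory singles out as less monitored than PowerShell.
WATCHED_RUNTIMES = {"deno.exe", "node.exe"}

# Parents from which a JS/TS runtime launch is normal on a developer workstation.
# Assumption for this example; tune to your own baseline.
EXPECTED_RUNTIME_PARENTS = {"code.exe", "cmd.exe", "powershell.exe", "explorer.exe"}

# RMM agents seen in the estate and the sanctioned subset ("allow-only" list).
# Both sets are assumptions for this example.
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe", "teamviewer.exe"}
SANCTIONED_RMM = {"screenconnect.clientservice.exe"}

# Address space treated as internal; everything else counts as external.
# RFC 1918 plus loopback; assumption for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed Sysmon-style events: id 1 = process create, id 3 = network connect.
# 203.0.113.45 is a documentation address standing in for a public IP.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Program Files\nodejs\node.exe",
     "parent": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"id": 1, "pid": 5200, "image": r"C:\Users\bob\AppData\Local\Temp\deno.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 3, "pid": 4100, "image": r"C:\Program Files\nodejs\node.exe",
     "dst_ip": "10.0.0.12", "dst_port": 3000},
    {"id": 3, "pid": 5200, "image": r"C:\Users\bob\AppData\Local\Temp\deno.exe",
     "dst_ip": "203.0.113.45", "dst_port": 443},
    {"id": 1, "pid": 6100, "image": r"C:\Users\bob\Downloads\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return PureWindowsPath(path).name.lower()


def is_external(ip: str) -> bool:
    """True when the address falls outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(events):
    """Return a list of alert dicts for the supplied event stream."""
    alerts = []
    suspicious_parent = {}  # pid -> True when a watched runtime had an odd parent

    for ev in events:
        image = basename(ev["image"])

        if ev["id"] == 1:
            parent = basename(ev["parent"])
            if image in WATCHED_RUNTIMES:
                if parent not in EXPECTED_RUNTIME_PARENTS:
                    suspicious_parent[ev["pid"]] = True
                    alerts.append({"rule": "runtime_unexpected_parent", "pid": ev["pid"],
                                   "severity": "medium",
                                   "detail": f"{image} spawned by {parent}"})
            elif image in RMM_BINARIES and image not in SANCTIONED_RMM:
                alerts.append({"rule": "unsanctioned_rmm", "pid": ev["pid"],
                               "severity": "medium",
                               "detail": f"{image} launched outside the RMM allow-list"})

        elif ev["id"] == 3 and image in WATCHED_RUNTIMES and is_external(ev["dst_ip"]):
            # Outbound connection from a runtime; escalate if its parent was already odd.
            severity = "high" if suspicious_parent.get(ev["pid"]) else "medium"
            alerts.append({"rule": "runtime_external_connection", "pid": ev["pid"],
                           "severity": severity,
                           "detail": f"{image} -> {ev['dst_ip']}:{ev['dst_port']}"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']} pid={alert['pid']}: {alert['detail']}")
```

On the constructed sample, the node.exe instance started from VS Code and talking to an internal host produces nothing, the deno.exe instance started from Word and reaching a public address produces a medium alert at launch and a high alert on the outbound connection, and the AnyDesk launch is flagged because it is absent from the allow-list. The parent baseline and internal ranges are the two knobs that decide the false-positive rate, so they belong in configuration rather than in code.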
https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/