Mar 10, 2026 • stcpresearch
Iranian MOIS Actors & the Cyber Crime Connection
Executive Summary
Iranian Ministry of Intelligence and Security (MOIS)-linked actors are increasingly integrating directly with the cybercriminal ecosystem, moving beyond using crime as cover to actively leveraging criminal tools, infrastructure, and affiliate-style relationships. Check Point Research identifies Void Manticore (operating Handala and Homeland Justice personas) and MuddyWater as key MOIS-affiliated groups exhibiting this trend. Void Manticore has been observed deploying the commercial infostealer Rhadamanthys alongside custom wiper malware in phishing campaigns targeting Israeli entities. This convergence provides Iranian actors enhanced operational capabilities, improved attribution ambiguity, and access to mature criminal infrastructure. Organizations should monitor for hybrid state-criminal threat activity, particularly phishing campaigns impersonating government entities and combined infostealer-wiper attack chains.
Summary
Key Points
Iran-linked actors are increasingly engaging with the cyber crime ecosystem. Their activity suggests a growing reliance on criminal tools, services, and operational models in support of state objectives. Iranian actors have long used cyber crime and hacktivism as cover for destructive activity, but the trend now suggests direct engagement with the criminal ecosystem. […]
The post Iranian MOIS Actors & the Cyber Crime Connection appeared first on Check Point Research.
Published Analysis
Key Points
Iran-linked actors are increasingly engaging with the cyber crime ecosystem. Their activity suggests a growing reliance on criminal tools, services, and operational models in support of state objectives. Iranian actors have long used cyber crime and hacktivism as cover for destructive activity, but the trend now suggests direct engagement with the criminal ecosystem.
This dynamic appears most prominently among Ministry of Intelligence and Security (MOIS)-linked actors, particularly Void Manticore (a.k.a. “Handala Hack”) and MuddyWater, where repeated overlaps with criminal tools, services, or clusters have been observed. Such engagement offers a dual advantage: it enhances operational capabilities through access to mature criminal tooling and resilient infrastructure, while complicating attribution and contributing to recurring confusion around Iranian threat activity.
Introduction
For years, Iranian intelligence services have operated through deniable criminal intermediaries in the physical world. A similar pattern is now becoming visible in cyberspace, where state objectives are increasingly pursued through criminal tools, services, and operational models. Notably, this dynamic appears with growing frequency in activity associated with actors linked to the Ministry of Intelligence and Security (MOIS).
For a long time, Iranian actors sought to mask state activity behind the appearance of ordinary cyber crime, most often by posing as ransomware operators. The trend we are seeing now goes beyond imitation. Rather than simply adopting criminal and hacktivist personas to complicate attribution, some Iranian actors appear to be associating with the cyber criminal ecosystem itself, leveraging its malware, infrastructure, and affiliate-style mechanisms. This shift matters because it does more than improve deniability; it can also expand operational reach and enhance technical capability.
In this blog, we examine several cases that reflect this evolution, including Iranian-linked use of ransomware branding, commercial infostealers, and overlaps with criminal malware clusters. Taken together, these examples suggest that for some MOIS-associated actors, cyber crime is no longer just a cover story, but an operational resource.
Background – MOIS and Criminal Activity
Long before concern shifted to the digital arena, some of the clearest signs of cooperation between Iran’s intelligence services and criminal actors appeared in plots involving surveillance, kidnappings, shootings, and assassination attempts. In those cases, the value of criminal networks was straightforward: they gave Tehran reach, deniability, and access to people willing to carry out violence at arm’s length.
According to the U.S. Treasury, one of the clearest examples involved the network led by narcotics trafficker Naji Ibrahim Sharifi-Zindashti, which Treasury said operated at the behest of MOIS and targeted dissidents and opposition activists. The FBI has similarly said that an MOIS directorate operated the Zindashti criminal network and its associates against Iranian dissidents in the United States.
Sweden has described a similar pattern. According to Sweden’s Security Service, the Iranian regime has used criminal networks in Sweden to carry out violent acts against states, groups, and individuals it sees as threats; Swedish officials later linked that concern to attacks aimed at Israeli and Jewish targets, including incidents near Israel’s embassy in Stockholm.
Recent activity we have analyzed and associate with MOIS-affiliated cyber actors...
Linked Entities
- Rhadamanthys
- Handala
- Homeland Justice
- Ministry of Intelligence and Security (MOIS)
- MuddyWater
- Naji Ibrahim Sharifi-Zindashti
- Void Manticore