{
	"id": "62e2b971-7287-4c4c-91a2-9da517d7c01c",
	"created_at": "2026-04-29T02:21:01.687305Z",
	"updated_at": "2026-04-29T08:22:41.745366Z",
	"deleted_at": null,
	"sha1_hash": "9509e3db32b775fc571fb1634f5e6321397adc7a",
	"title": "Iranian MOIS Actors \u0026 the Cyber Crime Connection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59061,
	"plain_text": "Iranian MOIS Actors \u0026 the Cyber Crime Connection\r\nBy stcpresearch\r\nPublished: 2026-03-10 · Archived: 2026-04-29 02:10:12 UTC\r\nKey Points\r\nIran-linked actors are increasingly engaging with the cyber crime ecosystem. Their activity suggests a growing\r\nreliance on criminal tools, services, and operational models in support of state objectives.\r\nIranian actors have long used cyber crime and hacktivism as cover for destructive activity, but the trend now\r\nsuggests direct engagement with the criminal ecosystem.\r\nThis dynamic appears most prominently among Ministry of Intelligence and Security (MOIS)-linked actors,\r\nparticularly Void Manticore (a.k.a “Handala Hack”) and MuddyWater, where repeated overlaps with criminal\r\ntools, services, or clusters have been observed.\r\nSuch engagement offers a dual advantage: it enhances operational capabilities through access to mature criminal\r\ntooling and resilient infrastructure, while complicating attribution and contributing to recurring confusion around\r\nIranian threat activity.\r\nIntroduction\r\nFor years, Iranian intelligence services have operated through deniable criminal intermediaries in the physical world. A\r\nsimilar pattern is now becoming visible in cyber space, where state objectives are increasingly pursued through criminal\r\ntools, services, and operational models. Notably, this dynamic appears with growing frequency in activity associated with\r\nactors linked to the Ministry of Intelligence and Security (MOIS).\r\nFor a long time, Iranian actors sought to mask state activity behind the appearance of ordinary cyber crime, most often by\r\nposing as ransomware operators. The trend we are seeing now goes beyond imitation. Rather than simply adopting criminal\r\nand hacktivist personas to complicate attribution, some Iranian actors appear to be associating with the cyber criminal\r\necosystem itself, leveraging its malware, infrastructure, and affiliate-style mechanisms. 
This shift matters because it does\r\nmore than improve deniability; it can also expand operational reach and enhance technical capability.\r\nIn this blog, we examine several cases that reflect this evolution, including Iranian-linked use of ransomware branding,\r\ncommercial infostealers, and overlaps with criminal malware clusters. Taken together, these examples suggest that for some\r\nMOIS-associated actors, cyber crime is no longer just a cover story, but an operational resource.\r\nBackground – MOIS and Criminal Activity\r\nLong before concern shifted to the digital arena, some of the clearest signs of cooperation between Iran’s intelligence\r\nservices and criminal actors appeared in plots involving surveillance, kidnappings, shootings, and assassination attempts. In\r\nthose cases, the value of criminal networks was straightforward: they gave Tehran reach, deniability, and access to people\r\nwilling to carry out violence at arm’s length.\r\nAccording to the U.S. Treasury, one of the clearest examples involved the network led by narcotics trafficker Naji Ibrahim\r\nSharifi-Zindashti, which Treasury said operated at the behest of MOIS and targeted dissidents and opposition activists. The\r\nFBI has similarly said that an MOIS directorate operated the Zindashti criminal network and its associates against Iranian\r\ndissidents in the United States.\r\nSweden has described a similar pattern. According to Sweden’s Security Service, the Iranian regime has used criminal\r\nnetworks in Sweden to carry out violent acts against states, groups, and individuals it sees as threats; Swedish officials later\r\nlinked that concern to attacks aimed at Israeli and Jewish targets, including incidents near Israel’s embassy in Stockholm.\r\nRecent activity we have analyzed and associate with MOIS-affiliated cyber actors suggests that the same logic is now\r\nbeing applied in the cyber domain. 
The emphasis is not only on imitating cyber criminal behavior, but on associating with\r\nthe cyber criminal ecosystem itself: drawing on its infrastructure, access brokers, marketplaces, and affiliate-style\r\nrelationships.\r\nVoid Manticore (Handala) and Rhadamanthys\r\nVoid Manticore, an Iranian threat actor linked to several hack-and-leak personas, is one of the most active groups pursuing\r\nstrategic objectives through cyber operations. It has leveraged “hacktivistic” personas such as Homeland Justice in attacks\r\nagainst Albania and Handala in operations targeting Israel. While the group is most commonly associated with “hack and\r\nleak” operations and disruptive attacks, particularly wiper operations, the emergence of its Handala persona also revealed\r\nthe use of a commercial infostealer sold on darknet forums: Rhadamanthys.\r\nhttps://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/\r\nPage 1 of 4\n\nFigure 1 – A Handala email impersonating the Israeli National Cyber Directorate (INCD) delivering\r\nRhadamanthys.\r\nRhadamanthys is a widely used infostealer employed by a range of threat actors, including both financially motivated groups\r\nand state-sponsored operators. It has built a strong reputation due to its complex architecture, active development, and\r\nfrequent updates. Handala used Rhadamanthys on several occasions, pairing it with one of its custom wipers in phishing\r\nlures aimed at Israeli targets, most often impersonating F5 updates.\r\nMuddyWater – Tsundere Botnet and the Castle Loader Connection\r\nMuddyWater, a threat actor that U.S. authorities have linked to Iran’s MOIS, has conducted cyber espionage and other\r\nmalicious operations focused on the Middle East for years. 
According to CISA, MuddyWater is a subordinate element within\r\nMOIS and has carried out broad campaigns in support of Iranian intelligence objectives, targeting government and private-sector organizations across sectors including telecommunications, defense, and energy.\r\nRecent reports detailing the activity of MuddyWater link its operations to several cyber crime activity clusters. This\r\nappears to work in the actors’ favor: the use of such tools has created significant confusion, leading to misattribution and\r\nflawed pivoting, and clustering together activities that are not necessarily related. This demonstrates that the use of criminal\r\nsoftware can be effective for obfuscation, and highlights the need for extreme caution when analyzing overlapping clusters.\r\nFigure 2 – Summary of MuddyWater connections to criminal activity.\r\nTo address this, we attempted to bring structure to the available evidence, to the best of our ability, and identify which\r\nactivity is truly associated with MuddyWater.\r\nTsundere Botnet (a.k.a. DinDoor)\r\nThe Tsundere Botnet was first uncovered in late 2025 and was later linked to MuddyWater. Large parts of its activity rely on\r\nNode.js and JavaScript scripts to execute code on compromised machines. In several instances observed in the wild, when\r\nthe Node.js engine is detected, the botnet shifts to an alternative execution method using Deno, a runtime for JavaScript and\r\nTypeScript. Since Deno-based execution had not previously been associated with Tsundere, researchers linking this activity\r\nto MuddyWater designated this variant as DinDoor.\r\nGiven that two separate sources linked Tsundere to MuddyWater, one via a VPS and the other through vendor telemetry, it is\r\nlikely that MuddyWater uses the botnet as part of its operations. 
Another overlap between DinDoor-related activity and\r\nknown MuddyWater tradecraft is the use of rclone to access a Wasabi server, which traces back to an IP address previously\r\nassociated with MuddyWater (18.223.24[.]218, linked to eb5e96e05129e5691f9677be4e396c88).\r\nCastle Loader Connection (a.k.a. FakeSet)\r\nAnother malware family recently linked to MuddyWater is FakeSet, which, according to our analysis, is a downloader used\r\nin recent infection chains delivering CastleLoader. CastleLoader operates as a Malware-as-a-Service offering used by\r\nmultiple affiliates. Based on our understanding, the reported link between CastleLoader and MuddyWater stems from the use\r\nof a set of code-signing certificates, specifically under the Common Names “Amy Cherne” and “Donald Gay”. Certificates\r\nwith these common names were also used to sign MuddyWater malware (“StageComp”), Tsundere Deno malware\r\n(“DinDoor”), and CastleLoader (“FakeSet”) variants.\r\nIn our assessment, this does not necessarily indicate that MuddyWater is a CastleLoader affiliate; rather, it suggests that both\r\nmay have obtained certificates from the same source.\r\nIranian Qilin Affiliates\r\nIn October 2025, Israel’s Shamir Medical Center was hit by a major cyber attack that was initially described as a ransomware\r\nincident. The attackers claimed to have stolen a large amount of data and demanded a ransom in exchange for not publishing\r\nit. Israeli officials said the attack did not affect hospital operations and patient care was not significantly disrupted. Still,\r\nsome information appears to have been leaked, including limited email correspondence and certain medical data.\r\nFigure 3 – Shamir Medical Center on Qilin Leak Site\r\nAt first, the attack was presented as a ransomware incident linked to the Qilin group, but later Israeli assessments pointed\r\nmuch more directly to Iranian actors as the real force behind it. 
Qilin is known as a ransomware-as-a-service (RaaS)\r\noperation, meaning it provides ransomware infrastructure and tooling to outside partners or “affiliates” who actually carry\r\nout intrusions. In this case, the emerging picture was that the attackers were likely Iranian-affiliated operators working\r\nthrough the cyber criminal ecosystem, using a criminal ransomware brand and methods associated with the broader\r\nextortion market, while serving a strategic Iranian objective.\r\nThis attack did not occur in isolation. It appears to be part of a broader, sustained campaign by MOIS and Hezbollah to\r\ntarget Israeli hospitals, a pattern that has been evident since late 2023. The use of Qilin, and participation in its affiliate\r\nprogram, likely serves not only as a layer of cover and plausible deniability, but also as a meaningful operational enabler,\r\nespecially as earlier attacks appear to have heightened security measures and monitoring by Israeli authorities.\r\nConclusion\r\nThe cases examined in this blog show that, for some Iranian actors, cyber crime is no longer just a cover for state-directed\r\nactivity. Across these examples, the pattern is not limited to the appearance of criminal behavior, but includes the use of\r\ncriminal malware, ransomware branding, and affiliate-style ecosystems in support of strategic objectives. This reflects a\r\nclear shift from simply imitating cyber criminals to actively leveraging the cyber crime ecosystem.\r\nThis shift matters because it delivers clear operational benefits. For MOIS-linked actors in particular, engagement with\r\ncriminal tools and services enhances capabilities while complicating attribution and fueling confusion around Iranian\r\nactivity. 
Taken together, the cases discussed here show that cyber crime has become not just camouflage, but a practical\r\noperational resource.\r\nIndicators of Compromise\r\nHandala Rhadamanthys Variants\r\naae017e7a36e016655c91bd01b4f3c46309bbe540733f82cce29392e72e9bd1f\r\nMalware samples signed with suspicious certificates\r\nSource: https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/"
	],
	"report_names": [
		"iranian-mois-actors-the-cyber-crime-connection"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-29T06:58:57.745497Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450",
				"MuddyKrill"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"MuddyViper",
				"STARWHALE",
				"LP-Notes",
				"POWERSTATS",
				"Rclone",
				"Out1",
				"Tsundere Botnet",
				"PowerSploit",
				"Small Sieve",
				"Fooder",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-29T06:58:56.310338Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK51",
				"Boggy Serpens",
				"Earth Vetala",
				"Static Kitten",
				"COBALT ULSTER",
				"Mango Sandstorm",
				"TA450",
				"TEMP.Zagros",
				"Seedworm",
				"G0069"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13e58cc3-9acc-4564-8f84-b8cc0082ee4a",
			"created_at": "2024-05-23T02:00:03.982213Z",
			"updated_at": "2026-04-29T06:58:56.874742Z",
			"deleted_at": null,
			"main_name": "Void Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Void Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-29T06:58:57.509467Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-29T06:58:56.933227Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-29T06:58:58.009074Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "704af71f-d1ed-4252-88a9-d23a17e4b7b4",
			"created_at": "2026-04-29T02:00:04.621965Z",
			"updated_at": "2026-04-29T06:58:57.779286Z",
			"deleted_at": null,
			"main_name": "VOID MANTICORE",
			"aliases": [
				"VOID MANTICORE",
				"COBALT MYSTIQUE",
				"Handala Hack",
				"Homeland Justice",
				"Karma",
				"Karmabelow80",
				"BANISHED KITTEN",
				"Red Sandstorm"
			],
			"source_name": "MITRE:VOID MANTICORE",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-29T06:58:57.501827Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-29T06:58:56.744414Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-29T06:58:57.946937Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-29T06:58:57.629299Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1777429261,
	"ts_updated_at": 1777450961,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9509e3db32b775fc571fb1634f5e6321397adc7a.pdf",
		"text": "https://archive.orkl.eu/9509e3db32b775fc571fb1634f5e6321397adc7a.txt",
		"img": "https://archive.orkl.eu/9509e3db32b775fc571fb1634f5e6321397adc7a.jpg"
	}
}