Iran-linked cyber actors are increasingly working with the broader cybercrime ecosystem, using criminal tools, infrastructure, and business models to support state-backed operations and hide their involvement.
For years, Iranian intelligence services have relied on criminal intermediaries in the physical world to conduct surveillance, kidnappings, and assassination plots, gaining reach and plausible deniability.
The U.S. Treasury, for example, has sanctioned the narcotics network led by Naji Ibrahim Sharifi-Zindashti, describing it as operating at the behest of Iran's Ministry of Intelligence and Security (MOIS) to target dissidents abroad.
A similar pattern is now visible online: MOIS-linked cyber actors increasingly pursue state objectives by tapping into cyber criminal marketplaces, access brokers, and shared infrastructure rather than relying purely on bespoke, state-owned tooling.
The shift is clearest among MOIS-linked groups such as Void Manticore and MuddyWater, whose recent campaigns show repeated overlaps with commercial malware, malware-as-a-service (MaaS) platforms, and affiliate-style ransomware activity.
Historically, Iranian threat actors often tried to disguise state operations as ordinary cyber crime, particularly by posing as ransomware operators or hacktivist collectives.
Today, this behavior goes beyond imitation: some actors appear to be directly consuming criminal tooling and participating in the same ecosystems as financially motivated groups.
According to CISA, MuddyWater is a subordinate element within MOIS and has carried out broad campaigns in support of Iranian intelligence objectives, targeting government and private-sector organizations across sectors including telecommunications, defense, and energy.
This evolution matters because it improves both deniability and capability: these groups can scale operations faster while making attribution significantly harder for defenders and governments.
Void Manticore, Handala, and Rhadamanthys
Void Manticore, a MOIS-linked threat actor behind multiple hack-and-leak personas, has operated “hacktivist” brands such as Homeland Justice, used against Albania, and Handala, used in campaigns targeting Israel.
While traditionally associated with wiper attacks and data leaks, recent research shows the Handala persona deploying the commercial Rhadamanthys infostealer, a malware strain sold on darknet forums and used by a wide range of criminal and state actors.
Rhadamanthys has gained traction due to its complex architecture, active development, and service-based sales model, which make it attractive across the cyber crime ecosystem.
In several Handala campaigns, Void Manticore operators paired Rhadamanthys with custom wipers in phishing emails that impersonated Israeli entities and F5 product updates, blending high-end espionage and sabotage with off-the-shelf criminal tooling.
The Handala case illustrates how a state-aligned group can quickly enhance collection and disruption capabilities simply by buying into mature criminal malware-as-a-service offerings.
MuddyWater, Tsundere, and CastleLoader
MuddyWater, which U.S. authorities publicly attribute to Iran’s MOIS, has long conducted espionage and disruptive activity across government and critical sectors in the Middle East and beyond.
Recent investigations have tied MuddyWater to the Tsundere botnet, a JavaScript-based platform that runs on Node.js, executes code on compromised systems, and can switch dynamically to the Deno runtime when needed.
Researchers have labeled this Deno-based variant “DinDoor,” and multiple independent data points, including VPS usage and vendor telemetry, link Tsundere/DinDoor activity back to known MuddyWater infrastructure.
Additional overlaps point to a downloader known as FakeSet, used in infection chains that deliver CastleLoader, a malware-as-a-service framework rented by multiple affiliates.
The connection between MuddyWater and CastleLoader rests on shared code-signing certificates: the same certificate common names (“Amy Cherne” and “Donald Gay” in the indicator table below) appear across MuddyWater malware (“StageComp”), DinDoor samples, and CastleLoader-related FakeSet binaries. Note that what the families share is the signer name rather than an identical certificate; in the table below, each thumbprint and serial number appears under a single family.
This likely indicates a shared criminal supplier or marketplace rather than formal affiliate status, but it nonetheless demonstrates how MOIS-linked actors and purely criminal clusters can operate from a common tool and certificate pool, complicating cluster separation and attribution.
Iranian Qilin Affiliates
The October 2025 attack on Israel’s Shamir Medical Center further highlights this convergence of state and criminal ecosystems.
Initially framed as a Qilin ransomware incident, the intrusion involved data theft, extortion demands, and subsequent leaks of limited email and medical information, although hospital operations reportedly remained largely unaffected.
Israeli assessments later pointed toward Iranian-linked operators as the real drivers behind the attack, indicating that Qilin’s ransomware-as-a-service infrastructure may have been used by Iran-aligned affiliates to advance strategic objectives under a criminal brand.
Qilin operates on a classic ransomware-as-a-service (RaaS) model, providing tooling and infrastructure to affiliates who execute the intrusions. This case appears to form part of a broader MOIS and Hezbollah campaign against Israeli hospitals dating back to late 2023.
By working through an established ransomware franchise, Iranian actors gain more than just plausible deniability: they benefit from hardened infrastructure, tested extortion playbooks, and an ecosystem already optimized to pressure victims, even as security around Israeli healthcare has tightened.
Across these cases, the pattern is clear: for MOIS-linked actors such as Void Manticore and MuddyWater, cyber crime has evolved from a cosmetic cover into a practical operational resource.
Direct engagement with the criminal ecosystem via commercial infostealers, shared botnets, MaaS platforms, and RaaS affiliate programs expands their reach, accelerates capability development, and injects noise into attribution efforts.
For defenders, this convergence means that traditional distinctions between “state” and “criminal” threats are increasingly blurred, and overlaps in infrastructure or tooling can no longer be treated as straightforward attribution signals.
Analysts must scrutinize tradecraft, intent, and longer-term patterns rather than relying solely on shared malware families or certificates, even as states like Iran continue to exploit the gray space where espionage and cyber crime meet.
Indicators of Compromise
| SHA256 | Certificate Common Name | Certificate Thumbprint | Certificate Serial Number | Malware Family |
|---|---|---|---|---|
| 077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de | Amy Cherne | 0902d7915a19975817ec1ccb0f2f6714aed19638 | 330007f1068f41bf0f662a03b500000007f106 | FakeSet / CastleLoader |
| ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888 | Amy Cherne | 0902d7915a19975817ec1ccb0f2f6714aed19638 | 330007f1068f41bf0f662a03b500000007f106 | FakeSet / CastleLoader |
| 2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6 | Amy Cherne | 2087bb914327e937ea6e77fe6c832576338c2af8 | 330006df515a14fe3748416fe200000006df51 | FakeSet / CastleLoader |
| 64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1 | Amy Cherne | 21a435ecaa7b86efbec7f6fb61fcda3da686125c | 330006e75231f49437ae56778a00000006e752 | FakeSet / CastleLoader |
| 74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d | Amy Cherne | 389b12da259a23fa4559eb1d97198120f2a722fe | 330007d5443a7d25208ec5feb100000007d544 | FakeSet / CastleLoader |
| 94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444 | Amy Cherne | 389b12da259a23fa4559eb1d97198120f2a722fe | 330007d5443a7d25208ec5feb100000007d544 | FakeSet / CastleLoader |
| 4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be | Amy Cherne | 579a4584a6eef0a2453841453221d0fb25c08c89 | 33000700e919066fd9db11bac70000000700e9 | FakeSet / CastleLoader |
| a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377 | Amy Cherne | d920ae0f8ea8b5bd42de49e01c6bbd4c2c6d0847 | 330007ebfbe75a64b52aaf4cb700000007ebfb | FakeSet / CastleLoader |
| 64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb | Donald Gay | f8444dfc740b94227ab9b2e757b8f8f1fa49362a | 3300072b29c3bf8403a6c15be2000000072b29 | FakeSet / CastleLoader |
| a8c380b57cb7c381ca6ba845bd7af7333f52ee4dc4e935e98b48bb81facad72b | Donald Gay | 9dcb994ea2b8e6169b76a524fae7b2d2dcd1807d | 33000725fea86dd19e8571b26c0000000725fe | FakeSet / CastleLoader |
| 24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14 | Donald Gay | b674578d4bdb24cd58bf2dc884eaa658b7aa250c | 3300079a51c7063e66053d229b000000079a51 | StageComp |
| a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0 | Donald Gay | b674578d4bdb24cd58bf2dc884eaa658b7aa250c | 3300079a51c7063e66053d229b000000079a51 | StageComp |
| 2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5 | Amy Cherne | 551bdf646df8e9abe04483882650a8ffae43cb55 | 330006e15e43401dbd9416e20e00000006e15e | DinDoor / Tsundere Deno |
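As an added example (not part of the original article and not the researchers' tooling), the following Python script pivots on the certificate attributes in the table above. It groups the listed samples by common name, thumbprint and serial number, reports which values span more than one malware family, and rates an observed signer as an exact certificate match, a name-only match, or no match. Every hash, name, thumbprint and serial is copied from the table; the only constructed input is the all-zero thumbprint used in the demonstration at the bottom.

```python
"""Pivot the published IOC table on code-signing certificate attributes.

Added example: a repeated certificate common name is a weak link (it is only
the subject's display name), while a repeated thumbprint or serial identifies
one specific certificate. The functions show which attribute spans families.
"""
from collections import defaultdict, namedtuple

Ioc = namedtuple("Ioc", "sha256 common_name thumbprint serial family")

# Rows copied from the IOC table above.
IOCS = [
    Ioc("077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de", "Amy Cherne",
        "0902d7915a19975817ec1ccb0f2f6714aed19638", "330007f1068f41bf0f662a03b500000007f106", "FakeSet / CastleLoader"),
    Ioc("ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888", "Amy Cherne",
        "0902d7915a19975817ec1ccb0f2f6714aed19638", "330007f1068f41bf0f662a03b500000007f106", "FakeSet / CastleLoader"),
    Ioc("2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6", "Amy Cherne",
        "2087bb914327e937ea6e77fe6c832576338c2af8", "330006df515a14fe3748416fe200000006df51", "FakeSet / CastleLoader"),
    Ioc("64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1", "Amy Cherne",
        "21a435ecaa7b86efbec7f6fb61fcda3da686125c", "330006e75231f49437ae56778a00000006e752", "FakeSet / CastleLoader"),
    Ioc("74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d", "Amy Cherne",
        "389b12da259a23fa4559eb1d97198120f2a722fe", "330007d5443a7d25208ec5feb100000007d544", "FakeSet / CastleLoader"),
    Ioc("94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444", "Amy Cherne",
        "389b12da259a23fa4559eb1d97198120f2a722fe", "330007d5443a7d25208ec5feb100000007d544", "FakeSet / CastleLoader"),
    Ioc("4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be", "Amy Cherne",
        "579a4584a6eef0a2453841453221d0fb25c08c89", "33000700e919066fd9db11bac70000000700e9", "FakeSet / CastleLoader"),
    Ioc("a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377", "Amy Cherne",
        "d920ae0f8ea8b5bd42de49e01c6bbd4c2c6d0847", "330007ebfbe75a64b52aaf4cb700000007ebfb", "FakeSet / CastleLoader"),
    Ioc("64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb", "Donald Gay",
        "f8444dfc740b94227ab9b2e757b8f8f1fa49362a", "3300072b29c3bf8403a6c15be2000000072b29", "FakeSet / CastleLoader"),
    Ioc("a8c380b57cb7c381ca6ba845bd7af7333f52ee4dc4e935e98b48bb81facad72b", "Donald Gay",
        "9dcb994ea2b8e6169b76a524fae7b2d2dcd1807d", "33000725fea86dd19e8571b26c0000000725fe", "FakeSet / CastleLoader"),
    Ioc("24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14", "Donald Gay",
        "b674578d4bdb24cd58bf2dc884eaa658b7aa250c", "3300079a51c7063e66053d229b000000079a51", "StageComp"),
    Ioc("a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0", "Donald Gay",
        "b674578d4bdb24cd58bf2dc884eaa658b7aa250c", "3300079a51c7063e66053d229b000000079a51", "StageComp"),
    Ioc("2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5", "Amy Cherne",
        "551bdf646df8e9abe04483882650a8ffae43cb55", "330006e15e43401dbd9416e20e00000006e15e", "DinDoor / Tsundere Deno"),
]

HEX_FIELDS = ("thumbprint", "serial")


def _norm(field, value):
    """Hex identifiers compare case-insensitively; names are compared as written."""
    return value.lower() if field in HEX_FIELDS else value.strip()


def pivot(field, iocs=IOCS):
    """Group samples by one certificate attribute: "common_name", "thumbprint" or "serial".

    Returns {attribute value: {"families": sorted list, "samples": [sha256, ...]}}.
    """
    groups = defaultdict(lambda: {"families": set(), "samples": []})
    for ioc in iocs:
        key = _norm(field, getattr(ioc, field))
        groups[key]["families"].add(ioc.family)
        groups[key]["samples"].append(ioc.sha256)
    return {k: {"families": sorted(v["families"]), "samples": v["samples"]}
            for k, v in groups.items()}


def cross_family(field, iocs=IOCS):
    """Attribute values that appear under more than one malware family."""
    return {k: v["families"] for k, v in pivot(field, iocs).items()
            if len(v["families"]) > 1}


def classify_signer(common_name, thumbprint, iocs=IOCS):
    """Rate an observed signer against the IOC set.

    "exact"     the thumbprint itself is listed, i.e. the same certificate
    "name-only" only the common name repeats; a lead to investigate, not a match
    "none"      no overlap
    """
    thumb = _norm("thumbprint", thumbprint)
    if any(_norm("thumbprint", i.thumbprint) == thumb for i in iocs):
        return "exact"
    if any(i.common_name == common_name.strip() for i in iocs):
        return "name-only"
    return "none"


def thumbprints_consistent(iocs=IOCS):
    """Sanity check on the table: each thumbprint maps to one serial and vice versa."""
    by_thumb, by_serial = defaultdict(set), defaultdict(set)
    for i in iocs:
        by_thumb[i.thumbprint.lower()].add(i.serial.lower())
        by_serial[i.serial.lower()].add(i.thumbprint.lower())
    return (all(len(s) == 1 for s in by_thumb.values())
            and all(len(s) == 1 for s in by_serial.values()))


if __name__ == "__main__":
    for field in ("common_name", "thumbprint", "serial"):
        print(f"{field} values spanning more than one family: {cross_family(field)}")
    # Constructed input (not from the page): a known signer name with an unlisted certificate.
    print("Amy Cherne / unknown thumbprint ->", classify_signer("Amy Cherne", "00" * 20))
    print("table thumbprint<->serial consistent:", thumbprints_consistent())
```

Running the script shows that only the common-name pivot spans families (“Amy Cherne” across FakeSet/CastleLoader and DinDoor, “Donald Gay” across FakeSet/CastleLoader and StageComp), while every thumbprint and serial stays within one family, which is the practical form of the caveat above: a signer name alone is a lead, not an attribution signal. To use it against real binaries, feed `classify_signer` the thumbprint extracted from a file (for example `SignerCertificate.Thumbprint` from PowerShell's `Get-AuthenticodeSignature`) and treat only an exact result as a certificate match.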