Cybercrime isn’t just a cover for Iran’s government goons – it’s a key part of their operations

Summary

Security researchers (Check Point Research) report that Iranian government-linked operators — notably groups tied to the Ministry of Intelligence and Security (MOIS) such as MuddyWater and Void Manticore — are increasingly using commercial cybercrime tools and services as part of state operations rather than merely hiding behind criminal proxies.

The piece outlines examples where infostealers (Rhadamanthys), malware-as-a-service loaders (CastleLoader), downloaders (FakeSet) and bespoke backdoors (DinDoor/Tsundere variants) have been used in campaigns linked to espionage, data theft and disruptive attacks targeting Israel, the US and critical infrastructure. Check Point warns this blending of criminal and state tooling causes misattribution and complicates defenders’ analysis.

Key Points

  • MOIS-affiliated groups (MuddyWater, Void Manticore) are adopting commercial cybercrime tooling as part of their operations, not just as a cover.
  • Void Manticore has incorporated the Rhadamanthys infostealer in phishing campaigns alongside destructive wipers and disinformation efforts.
  • MuddyWater used a new backdoor (DinDoor) and reused code-signing certificates tied to CastleLoader campaigns, showing operational overlap with criminal services.
  • The use of commodity ransomware and extortion methods has been observed in attacks that serve strategic Iranian objectives, including against Israeli hospitals.
  • Blending state and criminal tools creates attribution challenges and risks flawed defensive pivoting, says Check Point Research.

Context and Relevance

This reporting matters because it changes how defenders and policymakers should view the cyber threat landscape: state actors are increasingly embedded within the criminal ecosystem, using off-the-shelf malware and services to pursue strategic goals. That means incident responders must be cautious about attribution; indicators of criminal activity may also signal state-directed campaigns. It also raises questions about deterrence, legal response and how international takedowns of criminal infrastructure affect state capabilities.

Why should I read this?

Short version: if you look after security, this explains why some attacks feel like organised crime and others feel state-sponsored — because often they’re both. It’s a neat explainer of how Iran-linked operatives mix criminal tools with state aims, which messes with attribution and response. Read it to save yourself head-scratching when an attack looks like a crime gang but smells like geopolitics.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/03/10/cybercrime_iran_mois/

Author style: Punchy — the story is relevant and worth digging into for anyone handling threat intelligence or incident response.