Iran MOIS Colludes With Criminals to Boost Cyberattacks
Summary
Research from Check Point, reported by Dark Reading, shows Iran’s Ministry of Intelligence and Security (MOIS) increasingly using real cybercriminal groups, tools and services to scale and obfuscate state cyber operations. Iranian APTs such as Void Manticore are operating under hacktivist fronts (for example ‘Handala’) while integrating commercial infostealers like Rhadamanthys and even participating in ransomware-as-a-service ecosystems. Analysts warn that this blending of state and criminal activity complicates attribution and can lead defenders to underestimate destructive threats.
Key Points
- MOIS-linked APTs are masquerading as hacktivists while collaborating with genuine cybercriminals.
- Void Manticore has embedded the commercial infostealer Rhadamanthys into its attack chains.
- Iranian groups are linked to ransomware-as-a-service and to buying access from initial access brokers (IABs).
- Incidents (e.g. a March 11 wiper attack on Stryker; an October 2025 Israeli hospital incident) show state actors using criminal cover or affiliates.
- The tactic makes attribution harder and may cause SOCs/CISOs to mislabel high-risk activity as low-risk cybercrime.
- Using commercial tooling and infrastructure lets less-sophisticated state actors scale destructive operations quickly and cheaply.
Content Summary
Dark Reading summarises Check Point’s research that documents a clear shift: Iran’s MOIS is not only impersonating cybercriminal groups and hacktivists but actively working with them. Void Manticore operates under fronts such as ‘Handala’ and has integrated the Rhadamanthys infostealer. Other MOIS-linked clusters have been observed using commercial malware-as-a-service kits, shared certificates (e.g. overlaps with CastleLoader), and infrastructure common to cybercrime.
Analysts, including Sergey Shykevich at Check Point, warn defenders: activity that looks like routine cybercrime (phishing, commodity loaders, RMM tooling) could be part of state-directed destructive missions. Examples cited include a wiper attack on Stryker and a previously misattributed Israeli hospital outage in October 2025 that was later linked to Iran. The research notes that Iranian actors prefer buying capabilities from underground markets: it’s cheaper and faster than bespoke development, especially during wartime.
Context and Relevance
This story matters because it reflects a broader global trend: nation-states leveraging criminal ecosystems to scale operations and complicate detection and attribution. Russia, China and North Korea have used similar models; Iran’s deeper integration with cybercrime now raises the bar for defenders. For SOC teams and CISOs, the practical risk is clear: familiar indicators of commodity crime may mask state-level intent and destructive follow-up.
Why should I read this?
Because if you think ‘it’s just another cybercrime alert’ you might be asleep at the wheel. This piece shows why those apparently low-level intrusions can be the warm-up to destructive, state-backed attacks, and why you should rethink how you triage and investigate ‘commodity’ threats.
Source
Source: https://www.darkreading.com/threat-intelligence/iran-mois-criminals-cyberattacks
