Iranian Cyber Actors Increasingly Turn to Criminal Tools and Networks, Researchers Say

For many years, Iranian intelligence services have worked with criminal groups to carry out operations while keeping enough distance to deny involvement. A similar pattern is now appearing in cyberspace. Instead of operating only as state actors, some Iranian groups are using tools, services, and methods that are common in the cyber-criminal world. This pattern is becoming more visible in activity linked to Iran's Ministry of Intelligence and Security (MOIS).

In the past, Iranian cyber actors often tried to hide their operations by pretending to be ordinary cybercriminals, especially ransomware groups. The goal was to make it harder to trace attacks back to the state. What we are seeing now goes further than that. Some Iranian actors are not just pretending to be criminals—they appear to be working within the cyber-criminal ecosystem itself. They are using criminal malware, infrastructure, and affiliate-style partnerships. This shift is important because it not only helps them avoid attribution but also improves their technical capabilities and expands their reach.

In this blog, we look at several examples that show this trend. These include Iranian-linked use of ransomware brands, commercial information-stealing malware, and overlaps with criminal malware groups. Together, these cases suggest that for some actors connected to MOIS, cybercrime is no longer just a disguise—it has become a useful operational tool.


Background – MOIS and Criminal Activity

Long before cyber operations became common, Iran’s intelligence services had already been linked to criminal networks in the physical world. These networks were used in plots involving surveillance, kidnappings, shootings, and assassination attempts. Criminal groups offered three clear advantages: they gave Iran wider reach, plausible deniability, and access to people willing to carry out violent acts indirectly.

One example identified by the U.S. Treasury involved a criminal network led by narcotics trafficker Naji Ibrahim Sharifi-Zindashti. According to Treasury officials, this network acted on behalf of MOIS and targeted dissidents and opposition activists. The FBI has also stated that an MOIS directorate used the Zindashti network and its associates to target Iranian dissidents in the United States.

Authorities in Sweden have described a similar pattern. Sweden’s Security Service reported that Iran has used criminal networks inside the country to carry out violent acts against states, groups, and individuals it considers threats. Swedish officials later linked this concern to attacks targeting Israeli and Jewish interests, including incidents near Israel’s embassy in Stockholm.

Recent cyber activity that we associate with MOIS-affiliated actors suggests that the same approach is now being used in cyberspace. These actors are not only copying cybercriminal behavior but are also interacting with the cyber-crime ecosystem itself. This includes using criminal infrastructure, access brokers, underground marketplaces, and affiliate-style relationships.


Void Manticore (Handala) and Rhadamanthys

Void Manticore is an Iranian threat actor connected to several hack-and-leak personas and one of the most active Iranian groups using cyber operations to support strategic goals. The group has used hacktivist identities such as Homeland Justice in attacks against Albania and Handala in operations targeting Israel.

Most of the group’s activity has focused on disruptive attacks and “hack-and-leak” campaigns, including the use of data-wiping malware. However, activity linked to the Handala persona also showed the use of a commercial information-stealing malware called Rhadamanthys, which is sold on darknet forums.

Rhadamanthys is widely used by many threat actors, including both cybercriminal groups and state-sponsored operators. It is popular because of its sophisticated design, active development, and frequent updates. In several cases, Handala used Rhadamanthys in phishing campaigns targeting Israeli organizations, and in some attacks the stealer was combined with one of the group's custom wipers. The phishing messages often posed as software updates, particularly fake updates for F5 products.


MuddyWater – Tsundere Botnet and the Castle Loader Connection

MuddyWater is another threat actor linked by U.S. authorities to Iran’s MOIS. For years, the group has carried out cyber-espionage and other operations mainly targeting the Middle East. According to CISA, MuddyWater operates as part of MOIS and has conducted campaigns against government and private organizations in sectors such as telecommunications, defense, and energy.

Recent reports suggest that MuddyWater’s operations overlap with several cybercrime clusters. This overlap creates confusion and sometimes leads to incorrect attribution, because similar tools and infrastructure are used by different actors. It shows how the use of criminal software can make investigations more difficult and highlights the importance of careful analysis when identifying threat actors.

To better understand this activity, we reviewed available evidence to determine which operations are most likely linked to MuddyWater.


Tsundere Botnet (DinDoor)

The Tsundere botnet was discovered in late 2025 and later connected to MuddyWater. Much of its activity relies on Node.js and JavaScript scripts to run commands on compromised systems. In some infections, when the Node.js-based execution is detected, the malware switches to a second execution path built on Deno, a runtime for JavaScript and TypeScript. Because Deno-based execution had not previously been linked to Tsundere, researchers named this variant DinDoor.

Two separate sources connected Tsundere to MuddyWater: one through a virtual private server (VPS) and another through security-vendor telemetry. This suggests that MuddyWater likely uses the botnet as part of its operations. A further link between DinDoor activity and MuddyWater's known techniques is the use of rclone to reach Wasabi cloud storage associated with an IP address previously attributed to the group.
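The two host-level behaviours described above, a JavaScript runtime (Node.js or Deno) running from an unexpected location and rclone pushing data to Wasabi, are both visible in process-creation telemetry. The following detection logic is an added example written for this post, not code from the original research or from any vendor product. The events are constructed in a simplified Sysmon Event ID 1 shape, and the user-writable-directory list and the command-line indicators are assumptions for the example, not a published signature.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
# These are made-up sample records for the example, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Tools\rclone\rclone.exe",
     "cmdline": r"rclone.exe sync D:\backup backup-remote:nightly",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1002, "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Users\j.doe\Documents "
                ":s3,provider=Wasabi,endpoint=s3.wasabisys.com:stage/docs",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1003, "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r"node.exe C:\dev\app\server.js",
     "parent": r"C:\Windows\explorer.exe"},
    {"pid": 1004, "image": r"C:\Users\j.doe\AppData\Local\Temp\deno.exe",
     "cmdline": r"deno.exe run -A C:\Users\j.doe\AppData\Local\Temp\upd.ts",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"pid": 1005, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami",
     "parent": r"C:\Windows\explorer.exe"},
]

# Directories an unprivileged user can write to (assumption for this example).
# A JS runtime executing from one of them is a heuristic signal, not proof of compromise.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
JS_RUNTIMES = {"node.exe", "deno.exe"}

# Indicators that an rclone invocation targets Wasabi when the remote is given on the
# command line: the provider flag, an inline connection string, or a wasabisys.com endpoint.
WASABI_RE = re.compile(
    r"wasabisys\.com|provider=wasabi|--s3-provider[ =]+wasabi", re.IGNORECASE
)


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def in_user_writable(path):
    lowered = path.lower()
    return any(segment in lowered for segment in USER_WRITABLE)


def rule_rclone_wasabi(ev):
    """rclone with a Wasabi destination visible on the command line."""
    return basename(ev["image"]) == "rclone.exe" and bool(WASABI_RE.search(ev["cmdline"]))


def rule_js_runtime_user_path(ev):
    """node.exe or deno.exe launched from a user-writable directory."""
    return basename(ev["image"]) in JS_RUNTIMES and in_user_writable(ev["image"])


RULES = {
    "rclone_to_wasabi": rule_rclone_wasabi,
    "js_runtime_in_user_writable_path": rule_js_runtime_user_path,
}


def scan(events):
    """Return (rule_name, pid) pairs for every event that matches a rule, in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["pid"]))
    return hits


if __name__ == "__main__":
    for name, pid in scan(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

Note the gap the constructed event with pid 1001 illustrates: when the operator defines the remote in rclone.conf, neither the provider nor the wasabisys.com endpoint appears on the command line, so the command-line rule stays silent. In that case the rclone binary running at all, the contents of the user's rclone.conf, and DNS or proxy logs for wasabisys.com are the signals to pivot on.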


Castle Loader Connection (FakeSet)

Another malware family recently connected to MuddyWater is FakeSet. Our analysis indicates that FakeSet acts as a downloader used in infection chains that eventually deliver CastleLoader.

CastleLoader is offered as a Malware-as-a-Service platform used by multiple affiliates. The reported link between CastleLoader and MuddyWater appears to come from shared code-signing certificates. These certificates carried the subject names "Amy Cherne" and "Donald Gay", and the same certificates were used to sign MuddyWater malware (StageComp), the Tsundere Deno variant (DinDoor), and CastleLoader variants.

However, a shared certificate does not by itself make MuddyWater a CastleLoader affiliate. A more likely explanation is that both actors obtained the certificates from the same supplier.
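The certificate pivot above is worth doing carefully. The example below, added for this post and not taken from the original research, clusters signed samples by certificate and shows why the pivot should key on the certificate thumbprint rather than on the subject name alone. The family and signer names follow the post; the sha256 values, thumbprints and the "UnrelatedTool" record are constructed placeholders that exist only to demonstrate the logic.

```python
from collections import defaultdict

# Constructed records in the shape of a sample-repository export. Family and signer
# names follow the post; hashes and thumbprints are placeholders, not real values.
SIGNED_SAMPLES = [
    {"family": "StageComp",     "sha256": "sha256-placeholder-01", "signer_cn": "Amy Cherne", "thumbprint": "THUMB-A"},
    {"family": "DinDoor",       "sha256": "sha256-placeholder-02", "signer_cn": "Amy Cherne", "thumbprint": "THUMB-A"},
    {"family": "CastleLoader",  "sha256": "sha256-placeholder-03", "signer_cn": "Amy Cherne", "thumbprint": "THUMB-A"},
    {"family": "StageComp",     "sha256": "sha256-placeholder-04", "signer_cn": "Donald Gay", "thumbprint": "THUMB-B"},
    {"family": "CastleLoader",  "sha256": "sha256-placeholder-05", "signer_cn": "Donald Gay", "thumbprint": "THUMB-B"},
    # Constructed: a different certificate that happens to carry the same subject name.
    {"family": "UnrelatedTool", "sha256": "sha256-placeholder-06", "signer_cn": "Amy Cherne", "thumbprint": "THUMB-C"},
]


def families_by(records, key):
    """Map each distinct value of `key` (e.g. thumbprint or signer_cn) to the families signed under it."""
    groups = defaultdict(set)
    for record in records:
        groups[record[key]].add(record["family"])
    return {value: frozenset(fams) for value, fams in groups.items()}


def shared_certificates(records):
    """Certificates (by thumbprint) that signed samples of more than one malware family.

    This is the strongest form of the pivot: the same private key signed both sets of
    binaries. It still says nothing about who held the key, or whether it was resold."""
    return {thumb: fams for thumb, fams in families_by(records, "thumbprint").items() if len(fams) > 1}


def cn_reuse(records):
    """Subject names that appear on more than one distinct certificate.

    A subject name is not a key: anyone can request a certificate with a similar or
    identical subject, so pivoting on the CN alone over-links unrelated samples."""
    certs = defaultdict(set)
    for record in records:
        certs[record["signer_cn"]].add(record["thumbprint"])
    return {cn: thumbs for cn, thumbs in certs.items() if len(thumbs) > 1}


if __name__ == "__main__":
    for thumb, fams in shared_certificates(SIGNED_SAMPLES).items():
        print(f"{thumb}: {', '.join(sorted(fams))}")
    for cn, thumbs in cn_reuse(SIGNED_SAMPLES).items():
        print(f"CN {cn!r} appears on {len(thumbs)} different certificates: {sorted(thumbs)}")
```

Run over the constructed records, the thumbprint pivot links StageComp, DinDoor and CastleLoader through THUMB-A and StageComp and CastleLoader through THUMB-B, while THUMB-C stays on its own. A pivot keyed on the subject name would pull the unrelated sample into the same cluster, which is the kind of over-linking that produces the misattribution the MuddyWater section warns about.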


Iranian Qilin Affiliates

In October 2025, Israel’s Shamir Medical Center was targeted in a major cyberattack that was first reported as a ransomware incident. The attackers claimed they had stolen large amounts of data and demanded payment to prevent it from being released. Israeli officials said hospital operations were not seriously affected and patient care continued without major disruption. However, some data was leaked, including limited email communication and certain medical records.

At first, the attack was attributed to the ransomware group Qilin. Later assessments by Israeli authorities suggested that Iranian actors were likely behind the operation.

Qilin operates as a ransomware-as-a-service platform. It provides ransomware tools and infrastructure to affiliates who carry out the actual attacks. In this case, the attackers appear to have been Iranian-linked operators using the Qilin ecosystem. They used a criminal ransomware brand and common extortion tactics while pursuing a strategic objective aligned with Iranian interests.

The attack on Shamir Medical Center was not an isolated event. It appears to be part of a larger campaign by MOIS and Hezbollah targeting Israeli hospitals since late 2023. Using Qilin’s affiliate program likely helped the attackers hide their identity while also giving them access to tools and infrastructure commonly used in cybercrime.


Conclusion

The examples discussed in this blog show that for some Iranian actors, cybercrime is no longer just a way to hide state-sponsored operations. Instead, they are actively using the cyber-criminal ecosystem to support their activities. This includes using criminal malware, ransomware brands, and affiliate networks.

This shift provides clear benefits. By working with tools and services already used in cybercrime, MOIS-linked actors can improve their capabilities while also making it harder to identify who is responsible for attacks. Overall, these cases show that cybercrime has become more than just a disguise—it is now an important operational resource for some Iranian cyber actors.