Iranian state intelligence has been utilizing the cybercriminal underground to upgrade and provide cover for its offensive cyber activity.
Iran’s Ministry of Intelligence and Security (MOIS) has long used hacktivism as a cover when it carries out cyberattacks. On March 11, for example, a wiper attack struck the Fortune 500 medical technology company Stryker. It was claimed by “Handala,” a group that positions itself as a pro-Palestine hacktivist operation, evidently itching to contribute to the ongoing US-Iran war. In fact, it’s a front for Void Manticore, an advanced persistent threat (APT) run out of Iran’s MOIS.
This isn’t a new strategy. What is new, according to recent research from Check Point, is that MOIS hackers have been working with the real cybercriminals they’re pretending to be. Void Manticore, for example, has made the commercial infostealer Rhadamanthys a core element of its attack chains. Other MOIS entities have been linked to cybercrime clusters, even collaborating with ransomware-as-a-service (RaaS) operations.
Organizations need to be aware of this, says Sergey Shykevich, threat intelligence group manager at Check Point, “because there can be a case where a SOC or CISO will see something in their network that they associate with cybercrime activity [and label it] of low risk. And in reality, it will be an Iranian threat actor who will be able to execute destructive activities.”
Cybercrime Aids State Objectives
Iran is not the first country to use cybercriminal personnel, malware, and infrastructure in service of state objectives. Russian intelligence has employed civilian hackers to carry out major cyberattacks. Chinese APTs source malware and infrastructure from the country’s criminal sector. North Korea’s government runs the world’s most profitable cybercriminal outfits.
We also know that Iran’s intelligence services have worked with criminals to achieve state objectives out in the world. According to US authorities, the MOIS hired a prominent drug trafficking network to target dissidents and activists in Iran and the US. It has done the same thing in European countries, too, like Sweden.
For roughly a year now, in Shykevich’s estimation, Iran has been adopting the same approach in cyberspace. Void Manticore has deeply integrated an infostealer-as-a-service product into its operations. Some MuddyWater activity — like its Tsundere botnet — has looked enough like cybercrime behavior that it has confused analysts, and some of its malware has been signed with the same certificates used by the CastleLoader malware-as-a-service tool.
The most interesting overlap between Iranian intelligence and cybercrime perhaps occurred when an Israeli hospital suffered a cyberattack in October 2025. The attack was initially claimed by Qilin and attributed to Eastern European hackers. Three weeks later, Israel’s National Cyber Directorate (INCD) corrected the record, blaming Iran, suggesting that state-affiliated hackers might have been acting as RaaS affiliates.
“The takeaway, from our perspective, is how deeply they embed cybercriminal services in their operations,” Shykevich says. “Just purchasing access from initial access brokers (IABs), or something like that, we assume also happens. It’s more that [Iranian APTs] are a part of ransomware-as-a-service and infostealer-as-a-service operations, making it part of their operations. We have already seen several cases that show this, and more than one group.”
How Criminals Can Help Their Countries
The advantages of this model are clear. Mixing with criminal elements makes the job of attributing malicious activity more difficult for investigators. Cybercriminals also have some good tooling and robust infrastructure to offer, even to well-resourced (if not elite) nation-state actors.
For example, Shykevich says, “MuddyWater is not extremely sophisticated on a technical level. Most of what they do in their regular operations is sending phishing mail and then using remote monitoring and management (RMM) tools. They do have some malware, but none of their malware is state-of-the-art. So in this case, it’s not surprising that it’s easier for them, [instead] of one year of investment in developing some malware, to pay $500 and buy a specific loader or certificates or whatever.”
Buying instead of building will be extra attractive to Iranian APTs during wartime, as resources are strained and the imperative to cause more and more destruction has never been greater.
“Some of the Iranian actors are now desperate to some degree, and we see in some cases that their operational security is much lower,” Shykevich observes. “So I think it is more likely they will at least try to use different underground services.”
In particular, the MOIS might start making greater use of criminal IABs because it can be an easy win. “Instead of building a long-term operation to infiltrate an American or Israeli or Gulf company, or a government entity, they can just find some Dark Web forum or a Telegram channel where someone’s selling access to entities that align with the profile of what they’re looking to purchase, and then execute the operation. I think it’s definitely a possible scenario.”
