Iranian state-sponsored hackers are becoming more deeply involved in the criminal world, strengthening their connections with underground cybercrime groups. This shift is most visible among groups linked to the Ministry of Intelligence and Security (MOIS), such as Void Manticore (also known as "Handala Hack") and MuddyWater. By using criminal tools, services, and infrastructure in their operations, Iranian actors are improving their capabilities and making it harder to attribute their activity.

Changing State-Sponsored Cyber Operations

Iranian intelligence agencies have used cybercrime and hacktivism as a cover for their covert operations for years. In the past, Iranian cyber actors hid state-sponsored attacks by posing as criminals or borrowing common cybercrime techniques, such as deploying ransomware to disguise their real objectives.

But recent events show that some Iranian groups are now directly involved in the criminal ecosystem: cybercrime is no longer just a cover story for them, it has become a key part of their operations.

[Image: A fake email from Handala impersonating the Israeli National Cyber Directorate (INCD) to deliver Rhadamanthys (Source: Check Point)]

In the past, the Iranian government's cyber actors mostly used criminal methods to hide their true intentions while attacking opponents or carrying out politically motivated attacks. These actors now draw on tools and methods from the criminal underground to scale their operations and reach more targets.

This approach expands their technical capabilities and adds new layers of obfuscation around the origin of an attack, making it harder for defenders to connect the dots back to the Iranian government.

Important Examples of the Connection Between Iran and Crime

The Void Manticore group is a clear example of this new approach. It has previously used "hacktivist" personas such as Handala in its cyberattacks.

[Image: A list of MuddyWater's ties to crime (Source: Check Point)]

The group is now known to use commercial infostealers such as Rhadamanthys, which is readily available on dark web markets.

The infostealer is used to exfiltrate sensitive information before more destructive payloads, such as wipers, are deployed against the targeted systems. For instance, Handala has used Rhadamanthys in phishing campaigns against Israeli companies, with the malware disguised as official updates to lure victims into downloading it. MuddyWater, another well-known MOIS-linked actor, has expanded its operations by teaming up with cybercriminal groups.

[Image: Shamir Medical Center listed on the Qilin leak site (Source: Check Point)]

The Tsundere Botnet, also known as DinDoor, is a good example of this overlap. It is built on Node.js and Deno, runtimes commonly seen in cybercrime botnets. The growing cooperation between Iranian state-backed actors and cybercriminal networks is a significant change in how nation-state threat groups operate.

By using criminal malware, ransomware tactics, and MaaS platforms, Iran is improving its cyber capabilities while making it harder to attribute malicious activity.

Indicators of compromise:

Type | Indicator | Associated Entity | Context / Use
SHA256 Hash | aae017e7a36e016655c91bd01b4f3c46309bbe540733f82cce29392e72e9bd1f | Void Manticore (Handala) | Rhadamanthys infostealer variant used in fake software updates.
Certificate Thumbprint | 0902d7915a19975817ec1ccb0f2f6714aed19638 | "Amy Cherne" (fake name) | Fake certificate used to sign the FakeSet and CastleLoader malware.
Certificate Thumbprint | f8444dfc740b94227ab9b2e757b8f8f1fa49362a | "Donald Gay" (fake name) |

As this trend continues, organizations must stay vigilant, recognize the shifting nature of cyber threats, and adapt to the increasingly complex web of actors involved in modern cyberattacks.
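As an added example (not code from the article or from Check Point), the indicators in the table above turned into a small matcher run over endpoint telemetry. The event field names (host, path, sha256, signer_thumbprint) and the sample events are constructed assumptions about an EDR export, not real data.

```python
import re

# Indicators from the table above: (type, value, associated entity, context).
IOCS = [
    ("sha256", "aae017e7a36e016655c91bd01b4f3c46309bbe540733f82cce29392e72e9bd1f",
     "Void Manticore (Handala)", "Rhadamanthys variant in fake software updates"),
    ("cert_thumbprint", "0902d7915a19975817ec1ccb0f2f6714aed19638",
     '"Amy Cherne" (fake name)', "fake certificate signing FakeSet / CastleLoader"),
    ("cert_thumbprint", "f8444dfc740b94227ab9b2e757b8f8f1fa49362a",
     '"Donald Gay" (fake name)', "fake signing certificate"),
]
HEX_LEN = {"sha256": 64, "cert_thumbprint": 40}  # SHA-256 digest / SHA-1 thumbprint
FIELDS = {"sha256": "sha256", "signer_thumbprint": "cert_thumbprint"}  # event field -> IoC type

def normalize(kind, value):
    """Lowercase and drop ':' / whitespace so 'AA:BB' equals 'aabb'; reject non-hex."""
    v = re.sub(r"[\s:]", "", value).lower()
    if len(v) != HEX_LEN[kind] or not re.fullmatch(r"[0-9a-f]+", v):
        raise ValueError(f"malformed {kind}: {value!r}")
    return v

INDEX = {(k, normalize(k, v)): (ent, ctx) for k, v, ent, ctx in IOCS}

def match_events(events):
    """Return one hit per (event, indicator) pair. Events are assumed EDR-style dicts
    with 'host', 'path' and optional 'sha256' / 'signer_thumbprint' fields."""
    hits = []
    for ev in events:
        for field, kind in FIELDS.items():
            try:
                key = (kind, normalize(kind, ev[field]))
            except (KeyError, ValueError):
                continue  # field absent or unparsable: skip it, keep scanning
            if key in INDEX:
                ent, ctx = INDEX[key]
                hits.append({"host": ev["host"], "path": ev["path"],
                             "type": kind, "entity": ent, "context": ctx})
    return hits

# Constructed sample telemetry (not real data): an upper-case hash from a fake
# "INCD update", a colon-separated signer thumbprint, and a clean file.
SAMPLE_EVENTS = [
    {"host": "ws-01", "path": r"C:\Users\u\Downloads\INCD_update.exe",
     "sha256": "AAE017E7A36E016655C91BD01B4F3C46309BBE540733F82CCE29392E72E9BD1F"},
    {"host": "ws-02", "path": r"C:\Temp\setup.exe", "sha256": "0" * 64,
     "signer_thumbprint": "09:02:d7:91:5a:19:97:58:17:ec:1c:cb:0f:2f:67:14:ae:d1:96:38"},
    {"host": "ws-03", "path": r"C:\Windows\notepad.exe", "sha256": "1" * 64,
     "signer_thumbprint": "f" * 40},
]
```

Running match_events(SAMPLE_EVENTS) flags ws-01 on the Rhadamanthys hash and ws-02 on the "Amy Cherne" signer thumbprint, while the clean file on ws-03 produces no hit.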