Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates

A new Check Point Research report reveals that Iranian Ministry of Intelligence and Security (MOIS)-linked threat actors are increasingly engaging with the cybercrime ecosystem, moving beyond mere imitation to directly leveraging criminal tools, services, and affiliate-style relationships in support of state objectives.

Key Findings

The research highlights a significant evolution in Iranian cyber operations, where state-sponsored actors are now actively participating in criminal ecosystems rather than simply mimicking their tactics. This shift provides dual advantages: enhanced operational capabilities through mature criminal tooling, and complicated attribution that fuels confusion around Iranian threat activity.

Void Manticore (Handala) Deploys Rhadamanthys Infostealer

Void Manticore, operating under the “Handala Hack” persona, has been caught using Rhadamanthys, a commercial infostealer sold on darknet forums. This marks a departure from custom malware to off-the-shelf criminal tools. The group deployed Rhadamanthys alongside custom wipers in phishing campaigns targeting Israeli organizations, often impersonating F5 security updates.

MuddyWater’s Criminal Connections

MuddyWater, which CISA has attributed to MOIS as a subordinate element, shows extensive overlap with criminal malware clusters:

  • Tsundere Botnet (DinDoor): A Node.js/Deno-based botnet linked to MuddyWater operations through shared infrastructure
  • CastleLoader Connection: Shared code-signing certificates (“Amy Cherne” and “Donald Gay”) between MuddyWater’s StageComp malware, Tsundere variants, and CastleLoader, a Malware-as-a-Service offering

Check Point notes this overlap has created significant confusion in threat attribution, with researchers incorrectly clustering unrelated activities together.

Iranian Actors as Qilin Ransomware Affiliates

Perhaps most significantly, the report details evidence that Iranian-affiliated operators participated as Qilin ransomware affiliates in the October 2025 attack on Israel’s Shamir Medical Center. While initially presented as a standard ransomware incident, Israeli assessments later identified Iranian actors as the real force behind the attack. This suggests MOIS actors are leveraging ransomware-as-a-service (RaaS) programs for both plausible deniability and operational capability—part of a broader campaign targeting Israeli hospitals since late 2023.

Why This Matters

This convergence of state-sponsored and criminal operations represents a dangerous evolution in Iranian cyber capabilities:

  • Enhanced Deniability: Criminal tools and RaaS affiliations provide layers of cover for state-directed operations
  • Expanded Capabilities: Access to mature criminal tooling, resilient infrastructure, and affiliate networks
  • Attribution Challenges: Overlapping indicators of compromise complicate incident response and threat intelligence
  • Hospital Targeting: The use of ransomware affiliates against healthcare infrastructure suggests willingness to leverage criminal ecosystems for strategic objectives

Indicators of Compromise

Check Point released IOCs including Rhadamanthys variants and multiple CastleLoader/FakeSet samples signed with suspicious certificates. Security teams should hunt for these indicators and monitor for the “Amy Cherne” and “Donald Gay” certificate common names in their environments.
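One way to operationalize the certificate hunt described above is to sweep image-load telemetry for signer names on a watchlist. The script below is an added example, not code from Check Point Research or the report; the log records in it are constructed to resemble Sysmon Event ID 7 (ImageLoad) exported as JSON lines, using Sysmon's field names (`Image`, `ImageLoaded`, `Signed`, `Signature`, `SignatureStatus`) with made-up paths and timestamps. The two common names come from the report; the matching is case-insensitive and deliberately ignores certificate validity, since a revoked or expired certificate carrying one of these names is still worth investigating.

```python
"""Hunt Sysmon-style image-load telemetry for watchlisted code-signing CNs.

Added example, not from the Check Point report. SAMPLE_EVENTS is CONSTRUCTED
telemetry shaped like Sysmon Event ID 7 records exported as JSON lines.
"""
import json
import re
from typing import Iterable, Iterator, Optional

# Certificate common names the report says were shared across MuddyWater's
# StageComp, Tsundere variants and CastleLoader samples.
WATCHLIST_CNS = {"Amy Cherne", "Donald Gay"}

# Constructed sample telemetry: one JSON event per line, plus one junk line
# to show that malformed exports are skipped rather than aborting the hunt.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 7, "UtcTime": "2025-11-03 08:12:41.117",
                "Image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\update.exe",
                "ImageLoaded": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\update.exe",
                "Signed": "true", "Signature": "Amy Cherne",
                "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 7, "UtcTime": "2025-11-03 08:12:42.503",
                "Image": "C:\\Windows\\explorer.exe",
                "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll",
                "Signed": "true", "Signature": "Microsoft Windows",
                "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 7, "UtcTime": "2025-11-03 08:13:10.020",
                "Image": "C:\\ProgramData\\svc\\loader.exe",
                "ImageLoaded": "C:\\ProgramData\\svc\\stage.dll",
                "Signed": "true",
                "Signature": "CN=Donald Gay, O=Donald Gay, C=US",
                "SignatureStatus": "Revoked"}),
    json.dumps({"EventID": 7, "UtcTime": "2025-11-03 08:13:11.900",
                "Image": "C:\\Tools\\unsigned.exe",
                "ImageLoaded": "C:\\Tools\\unsigned.exe",
                "Signed": "false"}),
    "not json at all",
])

# Some pipelines forward the full subject DN instead of the bare subject name.
_CN_RE = re.compile(r"(?:^|,)\s*CN=([^,]+)", re.IGNORECASE)


def parse_events(text: str) -> Iterator[dict]:
    """Yield one event dict per well-formed JSON line; skip blanks and junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is common; skip rather than abort


def signer_cn(event: dict) -> Optional[str]:
    """Return the signer's common name, or None for unsigned images.

    Sysmon's Signature field normally holds just the subject name
    ("Amy Cherne"); if a full DN ("CN=Amy Cherne, O=...") arrives instead,
    the CN component is extracted.
    """
    if str(event.get("Signed", "")).lower() != "true":
        return None
    sig = event.get("Signature")
    if not sig:
        return None
    m = _CN_RE.search(sig)
    return (m.group(1) if m else sig).strip()


def hunt(events: Iterable[dict], watchlist=WATCHLIST_CNS) -> list:
    """Return an alert record for every image signed by a watchlisted CN.

    SignatureStatus is reported but not filtered on: a revoked or expired
    certificate with a watchlisted name is still a hunting hit.
    """
    wanted = {cn.lower() for cn in watchlist}
    alerts = []
    for ev in events:
        cn = signer_cn(ev)
        if cn and cn.lower() in wanted:
            alerts.append({
                "time": ev.get("UtcTime"),
                "image": ev.get("ImageLoaded") or ev.get("Image"),
                "signer": cn,
                "status": ev.get("SignatureStatus", "Unknown"),
            })
    return alerts


if __name__ == "__main__":
    for a in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"{a['time']}  {a['signer']:<12} {a['status']:<8} {a['image']}")
```

Run against the constructed sample, the hunt returns two hits (the valid "Amy Cherne" signature and the revoked "Donald Gay" one) and ignores the Microsoft-signed and unsigned loads. To use it on real data, replace `SAMPLE_EVENTS` with an export from your SIEM or Sysmon collector; the same logic applies to Sysmon Event ID 6 (DriverLoad), which carries the same signature fields.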

Source: Check Point Research