Cybercrime isn’t just a cover for Iran’s government goons • The Register


Iranian government-backed snoops are increasingly using cybercrime malware and ransomware infrastructure in their operations – not just hiding behind criminal masks as a cover for destructive cyber activity, according to security researchers.

Ministry of Intelligence and Security (MOIS)-linked operatives appear to be the biggest offenders, according to Check Point Research, citing “repeated overlaps” between MuddyWater (aka Seedworm, Static Kitten) and Void Manticore (aka Storm-842, Handala Hack), and various criminal organizations and their tools and services. Both MuddyWater and Void Manticore are affiliated with the Iranian intelligence agency. 

Void Manticore is a hacktivist crew that uses wipers, data leaks, and disinformation to advance Iranian government objectives, usually in campaigns targeting Israel. It also recently added a commercial infostealer – Rhadamanthys – sold on cybercrime forums to its arsenal, according to Check Point.

As The Reg readers likely remember, international cops disrupted Rhadamanthys operators’ infrastructure in November, seizing 1,025 servers tied to the malware during a series of raids. But as is usually the case with malware operators and movie monsters, this was more of a setback than an outright kill.

Handala Hack, one of Void Manticore’s hacktivist personas, has used Rhadamanthys “on several occasions,” according to the Tel Aviv-based security researchers. The Iranian cyberspies typically pair the commercial infostealer with one of their custom data wipers in phishing emails sent to Israeli targets, frequently impersonating F5 updates, we’re told. In the Tuesday research, Check Point shows one of these phishes that impersonated the Israeli National Cyber Directorate (INCD).

MuddyWater dips into malware-as-a-service

MuddyWater, on the other hand, has conducted espionage operations on behalf of the MOIS since about 2018, most recently burrowing into critical American networks following the US and Israeli airstrikes against Iran. In these intrusions, the group used a previously unseen backdoor called DinDoor, which is a new variant of the MuddyWater-linked Tsundere botnet, according to Check Point.

Another malware family linked to MuddyWater is a downloader called FakeSet, which the security researchers say was used in recent infections to deliver CastleLoader. CastleLoader is sold as a service to multiple affiliates and cyber crews. According to Check Point, the link between CastleLoader and MuddyWater stems from the use of a set of code-signing certificates, specifically under the Common Names Amy Cherne and Donald Gay – also spotted in the DinDoor campaign.

These reports linking MuddyWater’s operations to several different crime clusters benefit the government-backed group, the Tel Aviv security shop said. 

“The use of such tools has created significant confusion, leading to misattribution and flawed pivoting, and clustering together activities that are not necessarily related,” Check Point Research wrote. “This demonstrates that the use of criminal software can be effective for obfuscation, and highlights the need for extreme caution when analyzing overlapping clusters.”

Finally, Iran’s goon squads have a history of working with ransomware gangs, and we saw state-sponsored ransomware attempts reemerge during the summer 2025 conflict, with big bucks on offer for infections against US and Israeli orgs. More recent reports have linked Iranian operatives to an October 2025 ransomware attack against the Israeli Shamir Medical Center, an infection that initially appeared to have been carried out by a Qilin affiliate.

“The emerging picture was that the attackers were likely Iranian-affiliated operators working through the cyber criminal ecosystem, using a criminal ransomware brand and methods associated with the broader extortion market, while serving a strategic Iranian objective,” Check Point said, adding that this ransomware infection is part of a larger campaign by MOIS and Hezbollah to target Israeli hospitals. ®