Iranian intelligence agencies increasingly using cybercrime tools for espionage
#Cybersecurity


Privacy Reporter

Iranian government-backed hackers are adopting commercial malware and ransomware services for espionage, blurring lines between criminal and state-sponsored operations.

Iranian government-backed hackers are increasingly adopting commercial malware and ransomware services for espionage operations, blurring the traditional boundaries between criminal and state-sponsored cyber activities, according to new research from Check Point.


The Ministry of Intelligence and Security (MOIS)-linked groups MuddyWater and Void Manticore are the primary offenders, researchers found, with both organizations showing "repeated overlaps" with various criminal organizations and their tools.

Criminal tools in state-sponsored operations

Void Manticore, also known as Storm-842 or Handala Hack, operates as a hacktivist crew that uses wipers, data leaks, and disinformation to advance Iranian government objectives. The group has recently incorporated Rhadamanthys, a commercial infostealer sold on cybercrime forums, into its arsenal.

International law enforcement disrupted Rhadamanthys infrastructure in November, seizing 1,025 servers during coordinated raids. However, as is typical with malware operations, this represented a setback rather than a complete shutdown. Handala Hack has used Rhadamanthys "on several occasions," according to Check Point researchers.

The Iranian cyberspies typically pair the commercial infostealer with custom data wipers in phishing emails sent to Israeli targets, frequently impersonating F5 updates. One phishing campaign impersonated the Israeli National Cyber Directorate (INCD), demonstrating sophisticated social engineering tactics.

MuddyWater's malware-as-a-service connections

MuddyWater, conducting espionage operations for MOIS since approximately 2018, has also embraced criminal infrastructure. Following US and Israeli airstrikes against Iran, the group infiltrated critical American networks using a previously unseen backdoor called DinDoor - a new variant of the MuddyWater-linked Tsundere botnet.

Another malware family linked to MuddyWater is FakeSet, a downloader used in recent infections to deliver CastleLoader. CastleLoader is sold as a service to multiple affiliates and cyber crews. The connection between CastleLoader and MuddyWater stems from shared code-signing certificates under the Common Names Amy Cherne and Donald Gay - also spotted in the DinDoor campaign.

Strategic implications of criminal tool adoption

This convergence of criminal and state-sponsored tools creates significant analytical challenges. "The use of such tools has created significant confusion, leading to misattribution and flawed pivoting, and clustering together activities that are not necessarily related," Check Point Research wrote.

The researchers emphasize that this demonstrates how criminal software can be effective for obfuscation, highlighting the need for extreme caution when analyzing overlapping clusters. This tactic makes it more difficult for defenders to distinguish between financially motivated criminals and state-sponsored actors pursuing strategic objectives.
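The code-signing overlap described above (certificates under the Common Names Amy Cherne and Donald Gay seen on both the DinDoor and CastleLoader activity) is exactly the kind of pivot the researchers warn can mislead. The following is an added example, not Check Point's code or tooling, that shows how an analyst might cluster samples by Authenticode signer Common Name and then downgrade any pivot that runs through a commodity (malware-as-a-service) family, since a certificate shared with a commercially sold loader may belong to the vendor's distribution chain rather than to a single operator. The sample records are constructed: the hashes are placeholders, the "Example Signer Ltd" name is invented, and only the family and CN pairings stated in the article are taken from the page.

```python
"""Cluster malware samples by Authenticode signer CN and rate each pivot.

Added example; not the researchers' own code. Records are constructed
for illustration (placeholder hashes, one invented signer name).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Sample:
    sha256: str                # placeholder, not a real hash
    family: str                # malware family label assigned by the analyst
    signer_cn: Optional[str]   # Common Name from the code-signing cert, if signed
    commodity: bool            # True when the family is sold as a service / commercial tool

# Constructed dataset. Family/CN pairings for DinDoor and CastleLoader follow
# the article; FakeSet is unsigned here by assumption; the Rhadamanthys
# signer name is invented to show a single-family CN.
SAMPLES: List[Sample] = [
    Sample("PLACEHOLDER-HASH-01", "DinDoor", "Amy Cherne", False),
    Sample("PLACEHOLDER-HASH-02", "DinDoor", "Donald Gay", False),
    Sample("PLACEHOLDER-HASH-03", "CastleLoader", "Amy Cherne", True),
    Sample("PLACEHOLDER-HASH-04", "CastleLoader", "Donald Gay", True),
    Sample("PLACEHOLDER-HASH-05", "FakeSet", None, False),
    Sample("PLACEHOLDER-HASH-06", "Rhadamanthys", "Example Signer Ltd", True),
]

def group_by_signer(samples: List[Sample]) -> Dict[str, Set[str]]:
    """Map each signer CN to the set of families it has been seen signing.

    Unsigned samples are skipped: no CN means no pivot."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for s in samples:
        if s.signer_cn:
            groups[s.signer_cn].add(s.family)
    return dict(groups)

def assess_pivots(samples: List[Sample]) -> Dict[str, Tuple[Set[str], str]]:
    """Rate each signer-CN pivot.

    'single'  - CN seen on one family only; nothing to pivot on yet.
    'weak'    - CN spans families but at least one is a commodity tool, so the
                overlap may reflect the vendor's supply chain, not one operator.
    'strong'  - CN spans families and none of them is commodity."""
    commodity_families = {s.family for s in samples if s.commodity}
    rated: Dict[str, Tuple[Set[str], str]] = {}
    for cn, families in group_by_signer(samples).items():
        if len(families) == 1:
            strength = "single"
        elif families & commodity_families:
            strength = "weak"
        else:
            strength = "strong"
        rated[cn] = (families, strength)
    return rated

def overlapping_families(samples: List[Sample]) -> List[Tuple[str, str]]:
    """Return sorted (family_a, family_b) pairs that share at least one signer CN."""
    pairs: Set[Tuple[str, str]] = set()
    for families in group_by_signer(samples).values():
        ordered = sorted(families)
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                pairs.add((a, b))
    return sorted(pairs)

if __name__ == "__main__":
    for cn, (families, strength) in sorted(assess_pivots(SAMPLES).items()):
        print(f"{cn!r}: {sorted(families)} -> {strength} pivot")
    print("overlapping families:", overlapping_families(SAMPLES))
```

Run as a script, this lists each CN with the families it links and a rating; on the constructed data both shared CNs come out as weak pivots because CastleLoader is a commodity loader, which is the caution the article is making: a certificate overlap with a service sold to many affiliates is a lead to investigate, not grounds on its own to merge two clusters.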

Beyond financial motives

Iran's cyber operations have historically worked with ransomware gangs, and state-sponsored ransomware attempts reemerged during the summer 2025 conflict, with offers for infections against US and Israeli organizations. More recently, reports link Iranian operatives to an October 2025 ransomware attack against the Israeli Shamir Medical Center.

This infection initially appeared to have been carried out by a Qilin affiliate. "The emerging picture was that the attackers were likely Iranian-affiliated operators working through the cyber criminal ecosystem, using a criminal ransomware brand and methods associated with the broader extortion market, while serving a strategic Iranian objective," Check Point said.

The Shamir Medical Center attack is part of a larger campaign by MOIS and Hezbollah to target Israeli hospitals, demonstrating how state actors are leveraging the criminal ecosystem for strategic intelligence and disruption operations rather than purely financial gain.

This trend represents a significant evolution in state-sponsored cyber operations, where the boundaries between criminal and government activities continue to blur, creating new challenges for attribution and defense.
