Iranian MOIS Actors & the Cyber Crime Connection

Published 10/03/2026 21:10 · Modified 11/03/2026 10:36

Essential information

Tags: 2026-03-10, castleloader, dindoor, fakeset, infostealers, mois, muddywater, qilin, rhadamanthys, stagecomp, tsundere botnet, void manticore
Related entities: 14 observables, 1 intrusion sets (apt), 16 techniques (mitre), 7 malware, 8 others

Description

Iranian intelligence services are increasingly engaging with the cyber crime ecosystem, leveraging criminal tools, services, and operational models to support state objectives. This trend is particularly evident among actors linked to the Ministry of Intelligence and Security (), such as and . These actors are not merely imitating criminal behavior but actively associating with the cyber criminal ecosystem, using its infrastructure, malware, and affiliate-style relationships. This approach enhances their operational capabilities, complicates attribution, and contributes to confusion around Iranian threat activity. Examples include the use of ransomware branding, commercial , and overlaps with criminal malware clusters. This shift from imitation to active engagement with cyber crime offers both improved deniability and expanded technical capabilities for Iranian actors.

External references