Iranian state intelligence services are increasingly integrating tools and infrastructure from the financially motivated criminal underground to obscure and expand their offensive cyber operations.
The Ministry of Intelligence and Security (MOIS) has historically operated behind the facade of ideological digital activism. For example, on March 11, a destructive wiper incident disrupted operations at Stryker, a Fortune 500 medical technology company. While a group named "Handala" claimed responsibility under a pro-Palestine banner, security research links the operation to Void Manticore, an advanced persistent threat (APT) directed by the MOIS.
Recent analysis by Check Point reveals a strategic shift: MOIS-affiliated threat actors are now actively participating in the criminal ecosystems they previously only mimicked. Void Manticore has incorporated the commercial infostealer Rhadamanthys into its operational sequences. Other MOIS clusters have collaborated directly with ransomware-as-a-service (RaaS) networks.
Sergey Shykevich, threat intelligence group manager at Check Point, notes the defensive implication for organizations: "because there can be a case where a SOC or CISO will see something in their network that they associate with cybercrime activity [and label it] of low risk. And in reality, it will be an Iranian threat actor who will be able to execute destructive activities."
State objectives supported by criminal networks
The integration of financially motivated threat actors, malicious software, and infrastructure into state operations is an established pattern globally. Russian intelligence has directed civilian threat actors to execute major security incidents. Chinese APTs frequently source tools from the regional criminal sector, while the North Korean government directly manages highly profitable digital criminal syndicates.
This operational blending mirrors Iran's physical-world intelligence tactics. According to US authorities, the MOIS previously contracted a prominent narcotics trafficking network to target dissidents in Iran and the United States. Similar activity has been documented by security services in European nations, including Sweden.
Over the past year, researchers have observed Iran applying this methodology to its digital operations. Void Manticore relies heavily on infostealer-as-a-service platforms. Activity attributed to MuddyWater—such as the deployment of the Tsundere botnet—closely resembles commodity criminal behavior, complicating threat analysis. Additionally, some MuddyWater malware has been signed using the same digital certificates associated with the CastleLoader malware-as-a-service tool.
A notable intersection of state operations and criminal services occurred in October 2025, when an Israeli hospital experienced a major security incident. The incident was initially claimed by the Qilin RaaS network and attributed to Eastern European threat actors, but the Israeli National Cyber Directorate (INCD) later updated the attribution to Iran, indicating that state-affiliated groups may have been operating as RaaS affiliates.
"The takeaway, from our perspective, is how deeply they embed cybercriminal services in their operations," Shykevich states. "Just purchasing access from initial access brokers (IABs), or something like that, we assume also happens. It's more that [Iranian APTs] are a part of ransomware-as-a-service and infostealer-as-a-service operations, making it part of their operations. We have already seen several cases that show this, and more than one group."
Strategic advantages and operational efficiency
Blending state operations with criminal infrastructure complicates attribution efforts for incident responders. It also provides state actors with immediate access to reliable tooling and resilient infrastructure without the overhead of custom development.
As Shykevich points out, groups like MuddyWater do not rely on highly sophisticated, proprietary tools. "Most of what they do in their regular operations is sending phishing mail and then using remote monitoring and management (RMM) tools," he explains. "They do have some malware, but none of their malware is state-of-the-art. So in this case, it's not surprising that it's easier for them, [instead] of one year of investment in developing some malware, to pay $500 and buy a specific loader or certificates or whatever."
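The triage point Shykevich raises, that a SOC may file commodity crimeware indicators as low risk when the same phishing-plus-RMM-plus-purchased-loader chain is now run by a state actor, can be turned into a simple rule. The following Python is an added example, not code from the article, from Check Point, or from any vendor product: commodity findings (phishing delivery, RMM tool installation, infostealer, purchased loader) never start at "low" and are never auto-closed, and two or more distinct commodity categories on one host within a short window escalate that host to "high". The alert records, category names and the six-hour window are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Alert categories the article describes as commodity crimeware tooling that a
# SOC may be tempted to file as low-risk "ordinary cybercrime" activity.
COMMODITY = {"phishing", "rmm_tool", "infostealer", "commodity_loader"}
LEVELS = ("low", "medium", "high")  # ordered for comparison
CHAIN_WINDOW = 6 * 3600             # seconds; assumed tuning value, not from the article


@dataclass(frozen=True)
class Alert:
    host: str
    ts: int        # constructed epoch seconds
    category: str
    detail: str


def base_severity(alert):
    # Commodity tooling starts at medium, never low: the same infostealers,
    # RMM tools and loaders are now bought and used by state actors.
    return "medium" if alert.category in COMMODITY else "low"


def triage_host(alerts, window=CHAIN_WINDOW):
    """Triage one host's alerts.

    Returns (severity, auto_close, reasons). Two or more distinct commodity
    categories on the same host within `window` seconds are treated as a
    delivery-to-tooling chain and escalated to high; only "low" may be
    auto-closed.
    """
    severity = max((base_severity(a) for a in alerts), key=LEVELS.index)
    reasons = []
    commodity = sorted((a for a in alerts if a.category in COMMODITY),
                       key=lambda a: a.ts)
    categories = {a.category for a in commodity}
    if len(categories) >= 2 and commodity[-1].ts - commodity[0].ts <= window:
        severity = "high"
        reasons.append("chained commodity tooling: " + ", ".join(sorted(categories)))
    return severity, severity == "low", reasons


def triage(alerts):
    """Group alerts by host and triage each host; returns {host: (sev, auto_close, reasons)}."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    return {host: triage_host(host_alerts) for host, host_alerts in by_host.items()}


# Constructed sample alerts (hosts, timestamps and details are invented).
SAMPLE_ALERTS = [
    # ws-01: phishing delivery followed an hour later by an RMM install -> chain.
    Alert("ws-01", 1000, "phishing", "user opened attachment from external sender"),
    Alert("ws-01", 4600, "rmm_tool", "unapproved remote management agent installed"),
    # ws-02: a lone infostealer hit stays medium and is not auto-closed.
    Alert("ws-02", 2000, "infostealer", "credential-stealing malware family detected"),
    # ws-03: adware alone is genuinely low and may be auto-closed.
    Alert("ws-03", 3000, "adware", "browser toolbar adware"),
    # ws-04: two commodity categories, but ten days apart -> outside the window.
    Alert("ws-04", 0, "infostealer", "credential-stealing malware family detected"),
    Alert("ws-04", 10 * 86400, "commodity_loader", "loader signed with certificate seen on MaaS tooling"),
]

if __name__ == "__main__":
    for host, (sev, close, why) in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{host}: {sev:6} auto_close={close} {'; '.join(why)}")
```

The design choice is that the rule never lowers severity: a commodity label only ever raises a host's score, so an analyst who wants to close a phishing-plus-RMM host has to do so deliberately rather than by an automatic "known crimeware, low risk" filter.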
Procuring existing accesses and capabilities is highly efficient for Iranian APTs, particularly when operating under strained resources and pressure to achieve immediate disruptive impacts.
"Some of the Iranian actors are now desperate to some degree, and we see in some cases that their operational security is much lower," Shykevich observes. "So I think it is more likely they will at least try to use different underground services."
Moving forward, the MOIS is likely to expand its reliance on Initial Access Brokers (IABs) operating on dark web forums and Telegram channels. Shykevich notes that this provides an easy operational win: "Instead of building a long-term operation to infiltrate an American or Israeli or Gulf company, or a government entity, they can just find some Dark Web forum or a Telegram channel where someone's selling access to entities that align with the profile of what they're looking to purchase, and then execute the operation. I think it's definitely a possible scenario."
About the author
Nate Nelson is a journalist and scriptwriter. He writes for the cybersecurity podcast "Darknet Diaries" and co-created the tech podcast "Malicious Life." Prior to joining Dark Reading, he reported for Threatpost.