Iran MOIS embeds cybercriminal services into offensive operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
Iran's MOIS is increasingly using the cybercriminal underground to support offensive operations, making attribution harder and raising the risk of destructive activity. The shift matters because state hackers can now blend hacktivist cover, commercial infostealers, and ransomware-as-a-service relationships into the same workflow. That gives Iranian intelligence access to better tooling and infrastructure while disguising state activity as ordinary crime. It also increases the chance that defenders will downgrade activity that is actually tied to MOIS.
Related Happenings
MuddyWater’s Chaos masquerade shows state-backed espionage adopting ransomware tradecraft
Threat Actor Meta
H score23
First: 24.06.2026 15:00
Last: 24.06.2026 15:00
Sources 1
About this happening:
**MuddyWater** is using **Chaos ransomware** branding and criminal tradecraft to disguise **state-backed espionage**, making attribution and response harder across targeted enviro...
MuddyWater’s Chaos masquerade shows state-backed espionage adopting ransomware tradecraft
Threat Actor MetaAbout this happening: **MuddyWater** is using **Chaos ransomware** branding and criminal tradecraft to disguise **state-backed espionage**, making attribution and response harder across targeted enviro...
Xu Zewei extradited for U.S. cyberespionage prosecution
Law Enforcement
H score57
First: 27.04.2026 22:56
Last: 27.04.2026 22:56
Sources 1
About this happening:
**Xu Zewei** was **extradited from Italy to the United States** to face criminal charges in a **cyberespionage** case tied to **China's MSS**. The move expands the legal exposure...
Xu Zewei extradited for U.S. cyberespionage prosecution
Law EnforcementAbout this happening: **Xu Zewei** was **extradited from Italy to the United States** to face criminal charges in a **cyberespionage** case tied to **China's MSS**. The move expands the legal exposure...
Iran's network of traffic cameras hit by cyberattack
Incident
H score23
First: 27.03.2026 16:42
Last: 27.03.2026 16:42
Sources 1
About this happening:
The **Iranian traffic-camera network** was reportedly **hijacked** and used to track **Ayatollah Ali Khamenei** before a deadly **air strike**, showing how connected surveillance...
Iran's network of traffic cameras hit by cyberattack
IncidentAbout this happening: The **Iranian traffic-camera network** was reportedly **hijacked** and used to track **Ayatollah Ali Khamenei** before a deadly **air strike**, showing how connected surveillance...
Iranian MOIS Telegram malware campaign targeting opposition groups
Campaign
H score32
First: 23.03.2026 11:45
Last: 23.03.2026 11:45
Sources 1
About this happening:
The **FBI** warned that **Iranian MOIS-linked hackers** are using **Telegram C2** and **social engineering** to deliver **Windows malware** against journalists, dissidents, and ot...
Iranian MOIS Telegram malware campaign targeting opposition groups
CampaignAbout this happening: The **FBI** warned that **Iranian MOIS-linked hackers** are using **Telegram C2** and **social engineering** to deliver **Windows malware** against journalists, dissidents, and ot...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
H score25
First: 19.03.2026 18:00
Last: 19.03.2026 18:00
Sources 1
About this happening:
**hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor MetaAbout this happening: **hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
Timeline
-
12.03.2026 23:11 1 articles · 3mo ago
Stryker wiper attack claimed by Handala
Victim Impact UpdateA wiper attack struck the Fortune 500 medical technology company Stryker on March 11, 2026, and the activity was claimed by Handala, a pro-Palestine hacktivist persona presented as a front for Void Manticore, an advanced persistent threat run out of Iran's MOIS.
Show sources
- Iran MOIS Colludes With Criminals to Boost Cyberattacks — www.darkreading.com — 12.03.2026 23:11
-
12.03.2026 23:11 2 articles · 3mo ago
Check Point links MOIS to cybercriminal services
Initial DisclosureCheck Point said Iran's MOIS has been working with real cybercriminals to support offensive cyber operations, with Void Manticore making Rhadamanthys a core element of its attack chains and other MOIS-linked activity overlapping with RaaS, IABs, Tsundere botnet behavior, and CastleLoader-style certificate reuse. The analysis also pointed to an Israeli hospital cyberattack in October 2025 that was first claimed by Qilin, initially attributed to Eastern European hackers, and later corrected by Israel's National Cyber Directorate to Iran.
Show sources
- Iran MOIS Colludes With Criminals to Boost Cyberattacks — www.darkreading.com — 12.03.2026 23:11
- Iran MOIS Colludes With Criminals to Boost Cyberattacks — www.darkreading.com — 12.03.2026 23:11