Iran MOIS embeds cybercriminal services into offensive operations

Threat Actor Meta
Happening score: 16
1 unique source, 1 article

Summary

Iran's MOIS is increasingly using the cybercriminal underground to support offensive operations, making attribution harder and raising the risk of destructive activity. The shift matters because state hackers can now blend hacktivist cover, commercial infostealers, and ransomware-as-a-service relationships into the same workflow. That gives Iranian intelligence access to better tooling and infrastructure while disguising state activity as ordinary crime. It also increases the chance that defenders will downgrade activity that is actually tied to MOIS.

Related Happenings

Xu Zewei extradited for U.S. cyberespionage prosecution

Law Enforcement
First: 27.04.2026 22:56 Last: 27.04.2026 22:56 Sources 1

About this happening: **Xu Zewei** was **extradited from Italy to the United States** to face criminal charges in a **cyberespionage** case tied to **China's MSS**. The move expands the legal exposure...

Iran's network of traffic cameras hit by cyberattack

Incident
First: 27.03.2026 16:42 Last: 27.03.2026 16:42 Sources 1

About this happening: The **Iranian traffic-camera network** was reportedly **hijacked** and used to track **Ayatollah Ali Khamenei** before a deadly **air strike**, showing how connected surveillance...

Iranian MOIS Telegram malware campaign targeting opposition groups

Campaign
First: 23.03.2026 11:45 Last: 23.03.2026 11:45 Sources 1

About this happening: The **FBI** warned that **Iranian MOIS-linked hackers** are using **Telegram C2** and **social engineering** to deliver **Windows malware** against journalists, dissidents, and ot...

The Gentlemen RaaS split exposed by hastalamuerte

Threat Actor Meta
First: 19.03.2026 18:00 Last: 19.03.2026 18:00 Sources 1

About this happening: **hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...

MuddyWater U.S. network intrusion campaign targeting banks, airports, and a software company arm

Campaign
First: 06.03.2026 12:23 Last: 06.03.2026 12:23 Sources 1

About this happening: **MuddyWater (Seedworm)** is running a **state-linked intrusion campaign** that has embedded itself in **U.S. banks, airports, a non-profit, and an Israeli software company arm**,...

Timeline

  1. 12.03.2026 23:11 1 article · 2mo ago

    Stryker wiper attack claimed by Handala

    Victim Impact Update

    A wiper attack struck the Fortune 500 medical technology company Stryker on March 11, 2026, and the activity was claimed by Handala, a pro-Palestine hacktivist persona presented as a front for Void Manticore, an advanced persistent threat run out of Iran's MOIS.
  2. 12.03.2026 23:11 2 articles · 2mo ago

    Check Point links MOIS to cybercriminal services

    Initial Disclosure

    Check Point said Iran's MOIS has been working with real cybercriminals to support offensive cyber operations, with Void Manticore making Rhadamanthys a core element of its attack chains and other MOIS-linked activity overlapping with RaaS, IABs, Tsundere botnet behavior, and CastleLoader-style certificate reuse. The analysis also pointed to an Israeli hospital cyberattack in October 2025 that was first claimed by Qilin, initially attributed to Eastern European hackers, and later corrected by Israel's National Cyber Directorate to Iran.