NEWS Why write your own viruses when you can buy ready-made ones? Iranian intelligence is mastering low-cost espionage.

pinkman

It turns out that even for a big game, someone else's cyber arsenal is enough.
Iranian organizations are increasingly using cybercriminal tools and infrastructure to conduct operations related to state objectives. This approach helps expand the technical capabilities of attacks while simultaneously complicating the identification of the true perpetrator. The new trend is most noticeable in the activities of groups affiliated with the Iranian Ministry of Intelligence and Security.

Check Point Research specialists have noted a change in tactics among Iranian operators. Previously, attacks were often disguised as regular cybercrime or hacktivist activities. Most often, attackers disguised their operations as ransomware attacks. Now the situation is changing. Some groups have begun directly exploiting the infrastructure of criminal services—malware, underground marketplaces, and affiliate schemes for distributing malware.

This model is reminiscent of the approach Iranian intelligence agencies have long used in offline operations. In various countries, intelligence agencies have collaborated with criminal networks to conduct surveillance, kidnappings, and attacks on political opponents. The US Treasury Department linked one such scheme to drug trafficker Naji Ibrahim Sharifi Zindashti. According to US authorities, his network acted on behalf of Iranian intelligence and targeted dissidents. Swedish intelligence agencies have reached similar conclusions, claiming that criminal groups were used to attack regime opponents.

A similar logic is gradually transferring to cyberspace. Among the most active groups, experts highlight Void Manticore, also known by the pseudonym Handala Hack. The operators used various hacktivist guises and carried out operations against Albania and Israel. In several campaigns, the attackers used the commercial data theft tool Rhadamanthys, which is sold on underground forums. The malware was distributed via phishing emails disguised as messages from Israel's National Cyber Directorate. Infected files were disguised as F5 software updates.

Another participant in such operations is the MuddyWater group, which US authorities link to the Iranian Ministry of Intelligence. The operators have been conducting cyberespionage campaigns in the Middle East for many years, attacking government agencies and companies in the telecommunications, defense, and energy sectors.

Recent analysis has revealed overlaps between MuddyWater's activities and cybercriminal infrastructure. One example is the Tsundere botnet, discovered in late 2025. The system uses Node.js and JavaScript scripts to execute commands on infected computers. When a Node.js environment is detected, the malicious code switches to an alternative mechanism via the Deno platform. In this configuration, the malware is dubbed DinDoor.

Traces of MuddyWater were also found in infection chains using the FakeSet downloader. The program distributed another malicious tool, CastleLoader, which is offered as a malware-as-a-service. Analysis revealed overlaps in digital signature certificates used by several malware families. Most likely, different actors obtained these certificates from a single source.

The connection between state operators and criminal infrastructure was also evident in the attack on the Shamir Medical Center in Israel in the fall of 2025. The incident was initially described as a Qilin ransomware attack. Israeli authorities later concluded that Iranian entities were behind the operation. Qilin operates on a partnership model, providing tools to external actors who conduct hacks.

Experts believe such operations are part of a broader campaign against Israeli medical institutions that has been ongoing since late 2023. Using cybercriminal infrastructure provides operators with several advantages: access to ready-made tools, a resilient infrastructure, and an additional layer of camouflage.

An analysis of recent attacks reveals a significant shift in strategy. For certain Iranian operators, the cybercriminal world is no longer just a cover. The criminal ecosystem is gradually transforming into a fully-fledged resource for state cyber operations.