Iran MOIS Colludes With Criminals to Boost Cyberattacks

Dark Reading
Mar 12, 2026

Why It Matters

The blend of state resources with cheap criminal tools accelerates Iran’s cyber threat potency while blurring lines between espionage and organized crime, raising risks for global enterprises and governments.

Key Takeaways

  • MOIS integrates criminal infostealers into its APT toolset.
  • Void Manticore used Rhadamanthys as a core attack component.
  • Iranian actors purchase ransomware services, reducing development time.
  • Criminal collaboration obscures attribution, complicating defenses.
  • Resource strain drives MOIS to rely on cheap underground tools.

Pulse Analysis

State‑backed cyber operations have increasingly borrowed from the underground economy, a trend that predates Iran but is now more visible. Russia’s GRU, China’s PLA, and North Korea’s Lazarus have all leveraged civilian hackers, malware marketplaces, and ransomware platforms to extend reach without the overhead of in‑house development. Iran’s MOIS follows this playbook, tapping existing criminal services to sidestep the lengthy engineering cycles typical of nation‑state APTs, thereby achieving rapid deployment of destructive payloads against strategic targets.

Check Point’s analysis reveals that Iranian groups such as Void Manticore have made the commercial infostealer Rhadamanthys a staple of their intrusion chains, while MuddyWater relies on low‑cost phishing kits and remote‑monitoring tools purchased on dark‑web forums. By purchasing loaders, certificates, and ransomware‑as‑a‑service access for as little as a few hundred dollars, these actors can focus on operational tempo rather than tool creation. This cost‑effective model is especially attractive amid heightened geopolitical tensions, where resource constraints push MOIS to prioritize immediate impact over long‑term sophistication.

For defenders, the convergence of criminal and state tactics erodes traditional attribution models, forcing security teams to treat seemingly low‑risk cyber‑crime alerts as potential nation‑state incursions. Continuous threat‑intel integration, deeper inspection of infostealer traffic, and proactive monitoring of underground marketplaces become essential. Organizations must also reassess risk postures, assuming that any compromise involving common criminal malware could be a conduit for more destructive, state‑sponsored actions, and adjust incident‑response playbooks accordingly.
