Executive Summary
The latest threat analysis conducted by CheckPoint reveals a strategic shift among Iranian Ministry of Intelligence and Security (MOIS) linked actors. Instead of merely masquerading as cyber criminals, these groups are actively integrating criminal tools, services, and marketplaces into their operations. This integration enhances operational capability, provides hardened infrastructure, and adds a layer of deniability that complicates attribution.
Key Findings
- MOIS‑linked groups such as Void Manticore (Handala) and MuddyWater repeatedly leverage well‑known criminal malware families—Rhadamanthys, Tsundere, and CastleLoader.
- The adoption of commercial infostealers and ransomware‑as‑a‑service (RaaS) platforms indicates a pivot from cover to capability.
- Shared code‑signing certificates and overlapping infrastructure point to a coordinated supply chain within the criminal ecosystem.
- These tactics have been employed in high‑impact campaigns against Israeli government, critical infrastructure, and private sector targets.
Background – From Physical to Digital Crime
Historically, MOIS has relied on external criminal networks for covert operations in the physical world. This approach provided reach, deniability, and access to actors willing to act on Tehran’s behalf. The same logic is now being applied to cyberspace, where state objectives are pursued through criminal tools, services, and operational models.
Primary Actors
Void Manticore (Handala)
Void Manticore is a prolific Iranian threat actor that has executed a range of hack‑and‑leak operations. The group’s Handala persona has targeted Israeli entities and used Rhadamanthys, a commercial infostealer sold on darknet forums, in phishing campaigns that impersonated Israeli National Cyber Directorate updates.
MuddyWater
MuddyWater is a subordinate element within MOIS that has conducted cyber‑espionage and sabotage against Middle Eastern targets for years. Recent investigations link MuddyWater to several cyber‑crime clusters, including the Tsundere botnet (DinDoor) and the CastleLoader downloader. Shared code‑signing certificates and common infrastructure, such as a Wasabi server accessed via rclone, demonstrate MuddyWater’s deep entanglement with the criminal ecosystem.
Operational Model
The integration of criminal tools serves multiple purposes for MOIS‑linked actors:
- Enhanced Capability – Access to mature, constantly updated malware reduces development effort and increases payload effectiveness.
- Deniability – Operating through third‑party services obscures the origin of attacks, making attribution more difficult.
- Rapid Deployment – Ready‑to‑use RaaS and infostealer packages allow actors to pivot quickly between objectives.
Indicators of Compromise (IoCs)
Security analysts should monitor for the following signatures and artifacts:
- Phishing emails impersonating national cyber authorities and delivering Rhadamanthys or related payloads.
- Execution of Node.js or Deno scripts linked to the Tsundere/DinDoor botnet.
- Downloads from known RaaS domains (e.g., Qilin) or use of CastleLoader downloader.
- Suspicious code‑signing certificates with common names such as “Amy Cherne” or “Donald Gay” and matching thumbprints listed in the threat report.
Recommendations for Mitigation
- Implement Advanced Email Filtering – Deploy solutions that detect impersonation attempts and block attachments associated with known infostealers.
- Network Segmentation and Egress Monitoring – Isolate critical infrastructure and monitor outbound traffic for connections to known malicious domains, especially those used by RaaS providers.
- Endpoint Detection and Response (EDR) – Ensure EDR solutions are tuned to detect Node.js/Deno execution and the specific file hashes identified for Rhadamanthys, Tsundere, and CastleLoader.
- Threat Intelligence Sharing – Participate in industry information sharing groups to stay updated on evolving criminal supply chains and certificate misuse.
- Certificate Validation – Enforce strict validation of code‑signing certificates, including revocation checks and anomaly detection for certificates with common names linked to criminal activity.
Conclusion
The evidence demonstrates that Iranian MOIS‑linked actors are moving beyond the illusion of criminal cover to actively employing the cyber‑crime ecosystem as a strategic asset. By leveraging commercial malware, RaaS platforms, and shared infrastructure, these actors gain operational flexibility while complicating attribution. Security teams must adopt a layered defense approach that includes threat intelligence, robust email filtering, network segmentation, and vigilant monitoring of code‑signing certificates to mitigate the evolving threat landscape.