Full Report
Ransomware, malware-as-a-service, infostealers benefit MOIS, too Iranian government-backed snoops are increasingly using cybercrime malware and ransomware infrastructure in their operations - not just hiding behind criminal masks as a cover for destructive cyber activity, according to security researchers.…
Analysis Summary
# Threat Actor: MuddyWater & Void Manticore (MOIS-Linked Groups)
## Attribution & Identity
The article highlights several Iranian state-sponsored actors attributed to the **Ministry of Intelligence and Security (MOIS)**.
* **MuddyWater:** Also known as **Seedworm** or **Static Kitten**. It has functioned as an espionage arm of the MOIS since roughly 2018.
* **Void Manticore:** Also known as **Storm-842** or **Handala Hack**. This group is characterized as a "hacktivist crew" using destructive methods to advance government objectives.
* **Affiliated Personas:** "Handala Hack" is identified specifically as a persona used by Void Manticore.
## Activity Summary
Recent operations involve a heavy reliance on the cybercrime ecosystem (Malware-as-a-Service) to conduct espionage and destructive attacks:
* **Espionage (Post-Summer 2025):** MuddyWater conducted intrusions following regional conflict, deploying new backdoors.
* **Destructive & Ransomware (Late 2025):** Campaigns targeting Israeli critical infrastructure, specifically a ransomware attack against the Shamir Medical Center in October 2025, initially disguised as a Qilin ransomware affiliate operation.
* **Information Operations:** Continuous use of data leaks and wipers disguised as "hacktivism."
## Tactics, Techniques & Procedures
* **Criminal Tool Integration:** Using commercial infostealers and ransomware-as-a-service to obfuscate state origin and complicate attribution.
* **Phishing & Impersonation:** Sending emails impersonating official bodies like the Israeli National Cyber Directorate (INCD) or F5 software updates.
* **Code Signing Abuse:** Use of specific code-signing certificates (Common Names: Amy Cherne and Donald Gay) to validate malicious payloads.
* **Web Shells & Backdoors:** Use of custom Python-based servers and botnet variants.
* **False Flag/Persona Operations:** Operating under "hacktivist" brands or criminal ransomware brands (e.g., Qilin) to provide plausible deniability.
## Targeting
* **Sectors:** Healthcare (specifically hospitals), Government, and Critical Infrastructure.
* **Geography:** Primarily **Israel** and the **United States**.
* **Victims:**
  * Shamir Medical Center (Israel).
  * Israeli National Cyber Directorate (impersonated).
  * F5 users (targeted via fake software-update emails).
## Tools & Infrastructure
* **Malware Families:**
  * **Rhadamanthys:** A commercial infostealer.
  * **DinDoor:** A new variant of the **Tsundere** botnet.
  * **FakeSet:** A downloader used to deliver further payloads.
  * **CastleLoader:** A malware-as-a-service downloader used for initial access.
  * **Qilin:** A criminal ransomware brand used as cover.
* **Infrastructure:**
  * Specific code-signing certificates linked to the names "Amy Cherne" and "Donald Gay."
  * Python-based C2 servers linked to the Tsundere botnet.
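The code-signing certificates above are the most concrete hunting lead in the report, and the Mitigations section below recommends monitoring for them. The following is an added example, not code from the article or from any vendor it cites: it runs over a handful of constructed Sysmon-style events (the `Signature` field holds the signer's subject DN, as common EDR pipelines record it), extracts the CN from each DN, and flags executables signed under the two reported subject names. The event shape, file paths and the non-watchlisted DNs are assumptions made for the sample.

```python
"""Flag code-signing events whose signer subject CN is on a watchlist.

Added example, not from the article. Events are constructed in the
shape of Sysmon-style telemetry; only the two CNs come from the report.
"""
import re
from typing import List, Optional, Tuple

# Subject Common Names the article associates with the campaign.
WATCHLIST_CNS = {"amy cherne", "donald gay"}

# Constructed sample events (not real telemetry). "Signature" carries the
# signer's subject DN; "Signed" mirrors Sysmon's true/false string.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\u\\Downloads\\F5_update.exe", "Signed": "true",
     "Signature": "CN=Amy Cherne, O=Amy Cherne, L=Austin, S=Texas, C=US"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "Signed": "true",
     "Signature": "CN=Microsoft Windows, O=Microsoft Corporation, C=US"},
    # Odd casing and spacing, as produced by some collectors.
    {"Image": "C:\\ProgramData\\svc\\setup.exe", "Signed": "true",
     "Signature": "cn = DONALD GAY ,O=DG Software,C=US"},
    {"Image": "C:\\Temp\\tool.exe", "Signed": "false", "Signature": ""},
]


def subject_cn(dn: str) -> Optional[str]:
    """Extract the CN attribute from an RFC 4514-style DN string.

    Splits on commas that are not backslash-escaped and tolerates
    whitespace around '=' and differing attribute-name case.
    """
    for part in re.split(r"(?<!\\),", dn):
        key, _, value = part.partition("=")
        if key.strip().lower() == "cn":
            return value.strip().replace("\\,", ",")
    return None


def normalize(cn: str) -> str:
    """Collapse internal whitespace and lowercase for comparison."""
    return " ".join(cn.split()).lower()


def flag_events(events) -> List[Tuple[str, str]]:
    """Return (image path, signer CN) for every signed event whose CN is watchlisted."""
    hits = []
    for ev in events:
        if ev.get("Signed", "").lower() != "true":
            continue  # unsigned binaries are a separate hunt, not this one
        cn = subject_cn(ev.get("Signature", ""))
        if cn and normalize(cn) in WATCHLIST_CNS:
            hits.append((ev["Image"], cn))
    return hits


if __name__ == "__main__":
    for image, cn in flag_events(SAMPLE_EVENTS):
        print(f"ALERT: signer CN '{cn}' on {image}")
```

The match is on the normalized CN rather than the raw DN string because collectors differ in attribute ordering, casing and spacing; in production the watchlist would be fed from the full certificate (issuer, serial, thumbprint) rather than the CN alone, since a subject name is trivially reused by a different certificate.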
## Implications
The strategic shift toward using "off-the-shelf" criminal malware (Rhadamanthys, CastleLoader) and ransomware brands (Qilin) represents a significant evolution in Iranian tradecraft. By blurring the lines between state-sponsored espionage and financial cybercrime, the MOIS achieves:
1. **Enhanced Obfuscation:** Traditional attribution methods based on custom code become less effective.
2. **Operational Efficiency:** Utilizing existing criminal infrastructure allows for faster campaign deployment.
3. **Plausible Deniability:** Destructive attacks can be framed as "extortion gone wrong" or independent hacktivism rather than state-directed warfare.
## Mitigations
* **Certificate Auditing:** Monitor for, and block, binaries signed with certificates issued to known suspicious subjects (e.g., the referenced "Amy Cherne" and "Donald Gay" CNs).
* **Email Authentication:** Implement robust DMARC/SPF/DKIM policies to prevent the impersonation of government agencies (like INCD).
* **Hospital Cybersecurity:** Enhance protection for medical telemetry and patient databases, as healthcare has become a strategic target for MOIS/Hezbollah.
* **Threat Hunting:** Focus on detecting "identity-based" pivots rather than just file-based hashes, as these actors frequently cycle through different commercial malware variants.
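The Email Authentication item above is the one mitigation that reduces to a checkable configuration. The following is an added example, not from the article: it audits SPF and DMARC TXT records for the settings that leave a domain open to the kind of agency impersonation the report describes, with a weak record pair shown beside its hardened form. The domain, mailer include and report address are placeholders, and the records are constructed rather than looked up.

```python
"""Audit SPF and DMARC TXT records for impersonation-friendly settings.

Added example, not from the article. Records are constructed for a
placeholder domain; no DNS lookups are performed.
"""
from typing import Dict, List

# Constructed sample records (not real DNS data). The weak pair lets
# spoofed mail through; the strong pair is the corrected configuration.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@agency.example"
STRONG_SPF = "v=spf1 include:_spf.example-mailer.net -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                "rua=mailto:dmarc@agency.example")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; ...' into a dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record: str) -> List[str]:
    """Return findings for an SPF record; an empty list means no issue found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or malformed"]
    # The 'all' mechanism decides what happens to senders not listed.
    all_term = next((t.lower() for t in terms[1:]
                     if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        return ["SPF: no 'all' term; unlisted senders are implicitly neutral"]
    if all_term in ("all", "+all"):
        return ["SPF: '+all' authorizes any sender to use the domain"]
    if all_term == "?all":
        return ["SPF: '?all' is neutral; use -all"]
    if all_term == "~all":
        return ["SPF: '~all' is softfail only; use -all with DMARC enforcement"]
    return []


def audit_dmarc(record: str) -> List[str]:
    """Return findings for a DMARC record; an empty list means no issue found."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or malformed"]
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy or 'missing'}; spoofed mail is "
                        "still delivered (use p=reject)")
    # 'sp' defaults to 'p', so a missing sp inherits whatever p is.
    if tags.get("sp", policy).lower() != "reject":
        findings.append("DMARC: subdomain policy is weaker than reject")
    if tags.get("adkim", "r").lower() != "s" or tags.get("aspf", "r").lower() != "s":
        findings.append("DMARC: relaxed alignment lets organizational "
                        "subdomains pass; set adkim=s and aspf=s")
    if "rua" not in tags:
        findings.append("DMARC: no rua address; aggregate reports are not collected")
    return findings


def audit(spf: str, dmarc: str) -> List[str]:
    """Combined findings for a domain's SPF and DMARC records."""
    return audit_spf(spf) + audit_dmarc(dmarc)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, audit(spf, dmarc) or ["no findings"])
```

Note that DMARC only protects the domains it is published for; an attacker registering a look-alike domain is not affected by it, which is why the article's phishing lure (a fake INCD or F5 notice) still needs user-facing controls and mail-gateway detection alongside the DNS records.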