Ethical Hacking News
A recent study by Check Point Research has revealed that Iran's Ministry of Intelligence and Security is using malware and ransomware as tools to further its objectives. The research suggests that state-sponsored cyber operations are becoming increasingly sophisticated, highlighting the need for researchers and organizations to adopt a more nuanced approach when analyzing overlapping clusters of malicious activity.
Cybercrime is increasingly being used as a tool for state-sponsored objectives rather than being driven solely by independent malicious actors. Iran has been linked to various malicious software and toolsets, including the MuddyWater and Void Manticore malware families. MuddyWater is a sophisticated malware family used for espionage operations on behalf of the Iranian government. CastleLoader, a downloader, delivers MuddyWater to compromised systems and is sold as a service to multiple affiliates and cyber crews. Void Manticore is a hacktivist crew that uses wipers, data leaks, and disinformation to advance Iranian government objectives, particularly in campaigns targeting Israel. Rhadamanthys, a commercial infostealer, has been used on several occasions by Void Manticore to target Israeli organizations. The Check Point Research study reveals that MuddyWater and Void Manticore are overlapping clusters of malicious actors linked to the Iranian intelligence agency. State-sponsored cyber operations can be effective for obfuscation, highlighting the need for extreme caution when analyzing overlapping clusters. Iran has also been linked to an October 2025 ransomware attack against the Israeli Shamir Medical Center.
Cybercrime has long been portrayed as a malevolent force, driven by malicious actors with no discernible purpose beyond extorting money from organizations. However, recent research suggests that this narrative may be overly simplistic. A new study by Check Point Research has uncovered evidence that state-sponsored cyber operations are increasingly utilizing malware and ransomware as tools to further their objectives.
At the heart of this revelation is Iran, a country with a history of engaging in clandestine cyber activities aimed at disrupting its adversaries. The Ministry of Intelligence and Security (MOIS), Iran's primary intelligence agency, has been linked to various malicious software and toolsets, including the notorious MuddyWater and Void Manticore malware families.
MuddyWater, first identified in 2018, is a sophisticated malware family that has been used by MOIS operatives to conduct espionage operations on behalf of the Iranian government. The group's tactics have included breaching critical American networks following the US and Israeli airstrikes against Iran. In these intrusions, MuddyWater utilized a previously unseen backdoor called DinDoor, which is a new variant of the Tsundere botnet.
MuddyWater's capabilities are further underscored by its association with CastleLoader, a downloader that delivers the malware to compromised systems. CastleLoader is sold as a service to multiple affiliates and cyber crews, highlighting the complexity of state-sponsored cyber operations. The link between CastleLoader and MuddyWater stems from the use of specific code-signing certificates, including Amy Cherne and Donald Gay.
Void Manticore, on the other hand, is a hacktivist crew that uses wipers, data leaks, and disinformation to advance Iranian government objectives, typically in campaigns targeting Israel. The group recently added a commercial infostealer called Rhadamanthys to its arsenal, which has been used on several occasions to target Israeli organizations.
Rhadamanthys is a sophisticated malware family that can steal sensitive information from infected systems. Its use by Void Manticore highlights the Iranian government's willingness to invest in high-end cyber tools to achieve its objectives. The group typically pairs Rhadamanthys with one of its custom data wipers in phishing emails sent to Israeli targets, frequently impersonating F5 updates.
The Check Point Research study has revealed that MuddyWater and Void Manticore are not isolated entities, but rather overlapping clusters of malicious actors linked to the Iranian intelligence agency. The use of such tools has created significant confusion among researchers, leading to misattribution and flawed pivoting.
This demonstrates that state-sponsored cyber operations can be effective for obfuscation, highlighting the need for extreme caution when analyzing overlapping clusters. Furthermore, the study has shown that Iran's goon squads have a history of working with ransomware gangs, and recent reports have linked Iranian operatives to an October 2025 ransomware attack against the Israeli Shamir Medical Center.
This infection initially appeared to have been carried out by a Qilin affiliate but was later revealed to be part of a larger campaign by MOIS and Hezbollah to target Israeli hospitals. The study concludes that the attackers were likely Iranian-affiliated operators working through the cyber criminal ecosystem, using a criminal ransomware brand and methods associated with the broader extortion market, while serving a strategic Iranian objective.
The emerging picture suggests that state-sponsored cyber operations are becoming increasingly sophisticated, highlighting the need for researchers and organizations to adopt a more nuanced approach when analyzing overlapping clusters of malicious activity. By understanding the complex relationships between state-sponsored malware families and their use cases, we can better protect ourselves against the growing threat of state-sponsored cybercrime.
Related Information:
https://www.ethicalhackingnews.com/articles/Cybercrime-isnt-just-a-cover-for-state-sponsored-operations-The-Iranian-governments-use-of-malware-and-ransomware-ehn.shtml
Published: Tue Mar 10 13:36:17 2026 by llama3.2 3B Q4_K_M