Iran's MOIS is increasingly mixing with the cybercriminal underground to bolster its offensive activity, a shift that Check Point researchers describe as a new tactic. On 11 March, a wiper attack hit the Fortune 500 medical technology company Stryker and was claimed by Handala, a group that presents itself as pro-Palestine but is a front for Void Manticore, an Iran-based APT.
According to Check Point, MOIS hackers have been collaborating with real cybercriminals: Void Manticore has embedded the Rhadamanthys infostealer into its attack chains, and other MOIS entities have been linked to cybercrime clusters, including ransomware-as-a-service (RaaS) operations. The analysis notes that some MuddyWater activity, such as its Tsundere botnet, has resembled cybercrime and has even been signed with certificates used by other tools.
The article also cites an Israeli hospital cyberattack in October 2025 initially claimed by Qilin and later blamed on Iran by Israel’s National Cyber Directorate, illustrating how state-affiliated actors may operate as RaaS affiliates.