Links between Iranian APTs and conventional cybercrime are becoming increasingly visible

📊 Analytics · 2026-03-23, 07:04
Check Point Research specialists analyzed the activity of groups tied to Iran's Ministry of Intelligence and Security (MOIS) and identified an interesting trend: the line between state-sponsored APTs and "ordinary" cybercrime is steadily fading.
Previously, state operations used cybercrime and hacktivism only as a cover to complicate attribution; now some government-backed APTs have begun to actively leverage the cybercriminal ecosystem, using initial-access brokers, black-market offerings, and affiliate programs. Here are a few examples:
⭕️ Void Manticore (Handala) — used the Rhadamanthys commercial infostealer, which is sold on the black market.
⭕️ MuddyWater — employed tools such as Tsundere Botnet and Castle Loader, previously linked to other cybercriminal clusters, making attribution harder.
⭕️ Unnamed MOIS group — deployed malware supplied by the RaaS group Qilin under an affiliate program, which initially led analysts to attribute the attack to Qilin itself.
These cases illustrate a shift from imitation to active exploitation of cybercriminal infrastructure. For MOIS-linked actors, this approach offers clear operational benefits: it broadens attack capabilities, complicates attribution, and blurs the picture of Iranian activity. Collectively, these examples show that cybercrime has evolved from mere cover to a practical tool in APT operations.