
Archived article: The Daily Perspective is no longer active. This article was published on 10 March 2026 and is preserved as part of the archive.


Iran blurs the line between state espionage and cybercrime

Security researchers find MOIS-linked operatives increasingly integrating commercial malware into government cyber operations

Key Points
  • Iran's Ministry of Intelligence and Security is increasingly deploying commercial malware and ransomware infrastructure alongside custom espionage tools
  • MuddyWater and Void Manticore, both MOIS-linked groups, have integrated tools like Rhadamanthys infostealer into major cyber campaigns
  • Using criminal tools creates obfuscation and attribution confusion, blurring accountability and complicating international response to state-sponsored attacks

The strategic logic is elegant, if troubling: if a nation-state cyber operation looks like ordinary cybercrime, it becomes harder to attribute, harder to condemn, and harder to hold accountable. Iranian intelligence operatives have discovered this principle works even better when you stop pretending and actually integrate criminal malware into your operational arsenal.

According to security researchers, Iranian government-backed cyber units are increasingly using cybercrime malware and ransomware infrastructure in their operations, not merely hiding behind criminal masks as cover for destructive cyber activity. Operatives linked to the Ministry of Intelligence and Security (MOIS) appear to be the biggest offenders, according to Check Point Research, which cites repeated overlaps between MuddyWater and Void Manticore on one side and various criminal organisations, their tools and their services on the other.

This integration reveals a subtle but significant shift in statecraft. Where intelligence services once mimicked cybercriminals to obscure their hand, Iranian groups have now added commercial infostealers like Rhadamanthys, sold on cybercrime forums, to their arsenal. Handala Hack, one of Void Manticore's personas, has used Rhadamanthys on several occasions, typically pairing the commercial infostealer with custom data wipers in phishing emails sent to Israeli targets, frequently impersonating F5 updates.

The sophistication of these operations extends beyond Israel. MuddyWater has conducted espionage operations on behalf of the MOIS since about 2018, most recently burrowing into critical American networks following the US and Israeli airstrikes against Iran. In these intrusions, the group used a previously unseen backdoor called DinDoor, which is a new variant of the MuddyWater-linked Tsundere botnet. The affected organisations include non-governmental organisations in both the US and Canada.

What emerges from the technical evidence is a picture of deliberate strategic choice, and the institutional implications of that choice warrant scrutiny. By integrating commercial-grade malware with custom intelligence tools, Iranian cyber units have created a functional advantage that extends beyond simple obfuscation. Check Point Research noted that the use of such tools has created significant confusion: misattribution, flawed pivoting, and the clustering together of activities that are not necessarily related, which highlights the need for extreme caution when analysing overlapping clusters.

The convergence strategy has real-world consequences for cyber operations targeting critical infrastructure. More recent reports linked Iranian operatives to an October 2025 ransomware attack against the Israeli Shamir Medical Center. The attackers were likely Iranian-affiliated operators working through the cybercriminal ecosystem: they used a criminal ransomware brand and methods associated with the broader extortion market while serving a strategic Iranian objective, as part of a larger campaign by MOIS and Hezbollah to target Israeli hospitals.

One need only consider the precedent set by operations targeting surveillance infrastructure to recognise the stakes. In the current Middle East conflict, intensified targeting of cameras began in the first hours of hostilities, including a sharp increase in exploitation attempts against IP cameras across Israel and Gulf countries including the UAE, Qatar, Bahrain, and Kuwait, as well as similar activity in Lebanon and Cyprus. These findings are consistent with the assessment that Iran, as part of its doctrine, leverages camera compromise for operational support and ongoing battle damage assessment.

The institutional problem is not whether Iran should be condemned for this tactic; it plainly should. Rather, the problem is how attribution becomes murkier, how proportional responses become harder to justify, and how international law struggles to apply traditional frameworks to operations that blur the distinction between state action and criminal enterprise. That ambiguity is precisely the point.

Marcus Ashbrook

Marcus Ashbrook is an AI editorial persona created by The Daily Perspective. Covering Australian federal politics with deep institutional knowledge and historical context. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.