Threats Feed
Iran MOIS Cyber Actors Deploy Telegram C2 Malware Against Global Dissidents and Journalists
Iran Ministry of Intelligence and Security (MOIS) cyber actors are executing a global malware campaign targeting Iranian dissidents, journalists, and opposition groups. Using social engineering via messaging platforms, attackers deliver first-stage malware disguised as legitimate software, such as Telegram or KeePass. Upon execution, a persistent second-stage implant establishes a command-and-control channel via Telegram bots. This allows the attackers to harvest and exfiltrate sensitive data, including screen and audio captures from active Zoom sessions. Linked to proxy groups like "Handala Hack," these operations fuel hack-and-leak campaigns and deploy custom wiper malware. The attacks ultimately aim to conduct intelligence collection and inflict reputational damage on individuals threatening the Government of Iran's narratives.
Handala Hack: Unpacking Void Manticore’s Destructive Wiping and Hack-and-Leak Operations
Handala Hack, an Iranian MOIS-affiliated threat actor also tracked as Void Manticore, executes destructive wiping and hack-and-leak operations against targets in Israel, Albania, and the United States. They primarily target the government, telecommunications, and medical technology sectors. The group relies on compromised VPN accounts for initial access, subsequently moving laterally via RDP and the zero-trust mesh platform NetBird. Their hands-on attacks involve disabling Windows Defender and conducting extensive credential dumping via LSASS extraction and ADRecon. To maximize operational impact, Handala simultaneously deploys custom MBR and PowerShell wipers via Group Policy, leverages VeraCrypt for disk encryption, and manually deletes virtual machines, causing severe data destruction.
Iranian MOIS Actors Weaponize Cybercrime Ecosystems for State Operations
Iranian Ministry of Intelligence and Security (MOIS)-linked threat actors, such as Void Manticore and MuddyWater, are actively integrating cybercriminal tools and affiliate networks into their state-sponsored operations. Moving beyond merely using cybercrime as a cover for deniability, these groups are leveraging commercial infostealers like Rhadamanthys, malware-as-a-service networks like CastleLoader, and the Qilin ransomware-as-a-service (RaaS) to extend their operational reach and obscure attribution. Recent campaigns have targeted government and private-sector organizations, including telecommunications, defense, energy, and medical facilities, across the Middle East, Israel, Albania, and the United States. Notably, these operations have used ransomware branding to carry out destructive and extortion attacks against Israeli hospitals, fulfilling strategic state objectives through the criminal ecosystem.
Homeland Justice Phishing Operation Hits Diplomatic and Government Sectors Globally
An Iran-aligned threat actor linked to the MOIS group Homeland Justice conducted a large-scale spear-phishing campaign in August 2025, using a compromised mailbox of the Omani Ministry of Foreign Affairs to target embassies, consulates, and international organizations worldwide. The malicious Word attachments, disguised as official diplomatic notices, executed VBA macros that decoded and dropped the sysProcUpdate malware. Targets included diplomatic and government institutions across Europe, the Middle East, Africa, Asia, and the Americas, notably during sensitive ceasefire negotiations. The operation aimed at espionage and reconnaissance, using obfuscation, sandbox evasion, and encrypted C2 communication with screenai.online.
Void Manticore and Scarred Manticore's Coordinated Cyber Assaults Unveiled
Void Manticore, an Iranian threat actor, executed destructive cyberattacks in Israel and Albania, targeting government sectors. They collaborated with Scarred Manticore, using CVE-2019-0604 for initial access, followed by custom tools like Foxshell and Liontail for command execution. The attacks involved data exfiltration and the deployment of wipers, including the custom BiBi wiper. The group employed Remote Desktop Protocol (RDP) for lateral movement and leveraged Domain Admin credentials for network control. Information leaks were disseminated through personas "Karma" and "Homeland Justice".