Threats Feed
Iranian MOIS Actors Weaponize Cybercrime Ecosystems for State Operations
Iranian Ministry of Intelligence and Security (MOIS)-linked threat actors, such as Void Manticore and MuddyWater, are actively integrating cybercriminal tools and affiliate networks into their state-sponsored operations. Moving beyond merely using cybercrime as a cover for deniability, these groups are leveraging commercial infostealers like Rhadamanthys, malware-as-a-service loaders like CastleLoader, and the Qilin ransomware-as-a-service (RaaS) to extend their operational reach and obfuscate attribution. Recent campaigns have targeted government and private-sector organizations, including telecommunications, defense, energy, and medical facilities, across the Middle East, Israel, Albania, and the United States. Notably, these operations have used ransomware branding to carry out destructive and extortion attacks against Israeli hospitals, fulfilling strategic state objectives through the criminal ecosystem.
Void Manticore and Scarred Manticore's Coordinated Cyber Assaults Unveiled
Void Manticore, an Iranian threat actor, executed destructive cyberattacks in Israel and Albania, targeting government sectors. In collaboration with Scarred Manticore, initial access was obtained by exploiting CVE-2019-0604 (a Microsoft SharePoint remote code execution vulnerability), followed by custom tools such as Foxshell and Liontail for command execution. The attacks involved data exfiltration and the deployment of wipers, including the custom BiBi wiper. The group used Remote Desktop Protocol (RDP) for lateral movement and leveraged Domain Admin credentials for control of the network. Information leaks were disseminated through the personas "Karma" and "Homeland Justice".
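The RDP-plus-Domain-Admin lateral movement pattern described above is one of the more detectable stages of this intrusion chain. The following is an added example, not code from the original feed entry or from any vendor report: a small heuristic detector that runs over constructed Windows Security log events (Event ID 4624, LogonType 10 = RemoteInteractive, i.e. a successful RDP logon) and flags a privileged account that fans out from one source address to several distinct hosts inside a short time window. All host names, account names and IP addresses are made up, and the privileged-account list is assumed to come from Domain Admins group membership in a real deployment.

```python
# Added example (not from the feed entry): heuristic detection of RDP
# lateral movement by privileged accounts over constructed Windows Security
# events. Event ID 4624 with LogonType 10 (RemoteInteractive) is a
# successful RDP logon. Every name, address and account below is made up.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Fields mirror the subset of
# Security event 4624 a SIEM would normally expose.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:01:10", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\da-backup", "src_ip": "10.20.5.17", "host": "FS01"},
    {"time": "2024-03-01T02:03:42", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\da-backup", "src_ip": "10.20.5.17", "host": "SQL02"},
    {"time": "2024-03-01T02:05:05", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\da-backup", "src_ip": "10.20.5.17", "host": "DC01"},
    {"time": "2024-03-01T02:06:30", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\da-backup", "src_ip": "10.20.5.17", "host": "WEB03"},
    # Ordinary helpdesk RDP use by a non-privileged account: must not fire.
    {"time": "2024-03-01T09:15:00", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\jdoe", "src_ip": "10.20.7.88", "host": "WS114"},
    # Network logon (type 3) by the admin is not RDP and is ignored here.
    {"time": "2024-03-01T02:07:00", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\da-backup", "src_ip": "10.20.5.17", "host": "DC02"},
    # A privileged RDP logon well outside the burst above.
    {"time": "2024-03-01T11:30:00", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\da-backup", "src_ip": "10.20.5.17", "host": "FS01"},
]

# Assumed Domain Admin accounts; in practice pulled from AD group membership.
PRIVILEGED_ACCOUNTS = {"CORP\\da-backup", "CORP\\da-ops"}


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def rdp_logons_by_privileged(events, privileged):
    """Keep successful RemoteInteractive (RDP) logons by privileged accounts,
    grouped by (account, source IP) and sorted by time."""
    grouped = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue
        if ev["user"] not in privileged:
            continue
        grouped[(ev["user"], ev["src_ip"])].append((parse_time(ev["time"]), ev["host"]))
    for key in grouped:
        grouped[key].sort()
    return grouped


def detect_rdp_fanout(events, privileged, window=timedelta(minutes=30), min_hosts=3):
    """Flag a privileged account that RDPs from one source to at least
    `min_hosts` distinct destinations within a sliding time window. Returns
    one finding per (account, source), describing the first window in which
    the threshold was crossed."""
    findings = []
    for (user, src_ip), logons in rdp_logons_by_privileged(events, privileged).items():
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until it spans at most `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings.append({
                    "user": user,
                    "src_ip": src_ip,
                    "hosts": sorted(hosts),
                    "first": logons[start][0].isoformat(),
                    "last": logons[end][0].isoformat(),
                })
                break  # one finding per (account, source) is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_rdp_fanout(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS):
        print(f"{f['user']} from {f['src_ip']} reached {len(f['hosts'])} hosts "
              f"{f['hosts']} between {f['first']} and {f['last']}")
```

The window and host threshold are tuning knobs: a jump host used by an admin team will legitimately produce this shape, so in practice the source address is compared against an allow-list of sanctioned administrative hosts before the finding is raised, and a match from any other workstation is treated as a high-priority alert.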