Iranian MOIS Actors Weaponize Cybercrime Ecosystems for State Operations
- Actor Motivations: Espionage, Exfiltration, Extortion, Financial Gain, Sabotage
- Attack Vectors: Botnet, Downloader, Malware, Ransomware, Wiper, Phishing
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
Iranian Ministry of Intelligence and Security (MOIS)-linked threat actors, such as Void Manticore and MuddyWater, are actively integrating cybercriminal tools and affiliate networks into their state-sponsored operations. Moving beyond merely using cybercrime as a cover for deniability, these groups are leveraging commercial infostealers like Rhadamanthys, malware-as-a-service networks like CastleLoader, and the Qilin ransomware-as-a-service (RaaS) to extend their operational reach and obscure attribution. Recent campaigns have targeted government and private-sector organizations, including telecommunications, defense, energy, and medical facilities, across the Middle East, Israel, Albania, and the United States. Notably, these operations have used ransomware branding to carry out destructive and extortion attacks against Israeli hospitals, fulfilling strategic state objectives through the criminal ecosystem.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Case | Shamir Medical Center, formerly Assaf Harofeh Medical Center, is a teaching hospital in Be'er Ya'akov, 15 kilometres (9.3 mi) southeast of Tel Aviv, Israel. Shamir Medical Center has been targeted by Void Manticore as the main target. | Verified |
| Sector | Defense | Verified |
| Sector | Government Agencies and Services | Verified |
| Sector | Energy | Verified |
| Sector | Healthcare | Verified |
| Sector | Telecommunication | Verified |
| Region | Albania | Verified |
| Region | Israel | Verified |
Extracted IOCs
Tip: 16 related IOCs (1 IP, 0 domain, 0 URL, 0 email, 15 file hash) to this threat have been found.
Overlaps
Source: Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company - March 2026
Detection (12 cases): 12 shared file hashes.
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.
FAQs
Understanding the Shift in Iranian Cyber Threat Tactics
State-sponsored cyber threat groups linked to Iran have changed how they conduct operations. Instead of merely posing as ordinary cybercriminals to hide their tracks, these groups are now actively purchasing and using the real tools, networks, and services of the cybercriminal underground.
The attacks are primarily attributed to threat actors working on behalf of Iran’s Ministry of Intelligence and Security (MOIS). Specific groups mentioned in the report include Void Manticore (also known by the persona "Handala") and MuddyWater, both of which have a history of targeting government and private-sector organizations to support Iranian intelligence objectives.
The primary goal is to carry out state-sponsored espionage, data theft, and disruptive operations while masking the activity as everyday cybercrime. By utilizing the criminal ecosystem, these actors gain access to highly effective, ready-made malicious software while making it incredibly difficult for investigators to trace the attacks back to the Iranian government.
The targeting is international but demonstrates a heavy, sustained focus on the Middle East. The operations span across multiple high-value sectors, showing a broad operational scale aimed at critical infrastructure and strategic targets.
Yes. Recent campaigns have specifically targeted the healthcare sector, including major medical centers and hospitals. Historically, these groups have also targeted the telecommunications, defense, and energy sectors, as well as dissidents and opposition activists.
The attackers generally start by sending deceptive emails disguised as routine software updates to trick employees into downloading malicious files. Once inside a network, they deploy commercially available data-stealing software, botnets, and rented ransomware platforms to steal sensitive data, lock computers, or completely wipe systems.
Organizations like hospitals, defense contractors, and telecommunication providers hold highly sensitive data and are vital to a nation's infrastructure. Disrupting these services or stealing their information directly serves the strategic, political, and intelligence goals of the Iranian state.
Organizations need to heighten their security monitoring, especially against phishing attempts that mimic standard software updates. Security teams should also be aware that an attack appearing to be standard ransomware might actually be a state-sponsored threat, requiring a more comprehensive incident response strategy.
While the criminal tools and ransomware platforms these attackers use are widespread, the actual campaigns orchestrated by these MOIS-linked groups are highly targeted. They carefully select specific regions, industries, and organizations that align with their government's strategic interests.