Iran MOIS Colludes with Criminals to Boost Cyberattacks
2026-03-12 21:11 | CRITICAL | HIGH
Executive Summary (AI-generated)
Iran's Ministry of Intelligence and Security (MOIS) has long used hacktivism as a cover when carrying out cyberattacks, with the MOIS employing civilians to carry out major cyberattacks. This tactic is not new, having been employed by other countries such as Russia and North Korea in service of state objectives. Recent incidents have highlighted Iran's capabilities, including its intelligence services working with criminals worldwide to achieve state objectives. The MOIS has also hired prominent drug trafficking networks to target dissidents and activists in Iran and the US. This approach is consistent with a broader trend of state-affiliated hackers acting as ransomware-as-a-service (RaaS) affiliates, shifting their focus from nation-state sponsored attacks to more targeted cybercrime operations.
Technical Mitigations (AI-generated)
* Implement a robust threat intelligence framework: Organizations should have a well-established threat intelligence program to identify and track Iranian state-sponsored threats, including those using cybercrime as a cover for their activities.
* Conduct regular security awareness training: Employees should receive regular security awareness training to educate them on the risks of phishing, social engineering, and other types of cyber attacks that may be used by Iranian government-backed snoops or cybercriminals.
* Use multi-factor authentication (MFA): Implement MFA to prevent unauthorized access to sensitive systems and data. This can help mitigate the risk of a MOIS hacker using their cybercrime infrastructure to gain access to an organization's network.
* Monitor for suspicious activity: Regularly monitor network traffic, system logs, and other sources of information for signs of suspicious activity that may indicate Iranian government-backed snooping or cybercrime operations.
* Use sandboxing and isolation techniques: Implement sandboxing and isolation techniques to test and analyze malware in a controlled environment before allowing it to run on production systems. This can help prevent the spread of ransomware and other types of malware used by MOIS hackers.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: MuddyWater, Qilin, INC Ransomware
Target & Sectors
Regions: DPRK, NORTH_AMERICA, MIDDLE_EAST, NORDICS
Sectors: technology, energy, defense, government, telecommunications, healthcare
Incident Timeline
about 2018
MuddyWater has conducted espionage operations on behalf of Iran's Ministry of Intelligence and Security (MOIS) since about 2018, most recently burrowing into critical American networks.
Entities: target_region: Iran, Islamic Republic of; source_region: United States; target_region: Israel; tactic: Espionage; threat_actor: MuddyWater; organisation: MOIS
Context ("MuddyWater dips into malware-as-a-service"): MuddyWater, on the other hand, has conducted espionage operations on behalf of the MOIS since about 2018, most recently burrowing into critical American networks following the US and Israeli airstrikes against Iran.
late 2023
Iran's Ministry of Intelligence and Security (MOIS) and Hezbollah have targeted Israeli hospitals in a sustained campaign that has been evident since late 2023.
Entities: target_region: Israel; organisation: Hezbollah
Context: It appears to be part of a broader, sustained campaign by MOIS and Hezbollah to target Israeli hospitals, a pattern that has been evident since late 2023.
late 2025
The Tsundere botnet was first uncovered in late 2025 and was later linked to MuddyWater.
Entities: tactic: Botnet; threat_actor: MuddyWater; tactic: T1584.005 - Botnet
Context: The Tsundere Botnet was first uncovered in late 2025 and was later linked to MuddyWater.
summer 2025
During the summer 2025 conflict, Iranian state-sponsored ransomware attempts reemerged, offering payment for infections against US and Israeli organisations; later reports linked Iranian operatives to the October 2025 ransomware attack on the Israeli Shamir Medical Center.
Entities: source_region: Iran, Islamic Republic of; target_region: United States; target_region: Israel; tactic: Ransomware; attribution: the Israeli Shamir Medical Center
Context: "Finally, while Iran's goon squads have a history of working with ransomware gangs, and we saw state-sponsored ransomware attempts reemerge during the summer 2025 conflict, offering big bucks for infections against US and Israeli orgs, more recent reports have linked Iranian operatives to an October 2025 ransomware attack against the Israeli Shamir Medical Center."
October 2025
Iranian-affiliated hackers, suspected of acting as Qilin ransomware affiliates, worked with criminals to boost cyberattacks, buying malware rather than developing it and using remote monitoring and management (RMM) tools.
Entities: target_region: Iran, Islamic Republic of; tactic: Ransomware; malware: Qilin; organisation: Israeli Shamir Medical Center; target_region: United States; target_region: Israel; attribution: the Israeli Shamir Medical Center; industry: Healthcare; malware: INC Ransomware; organisation: National Cyber Directorate; threat_actor: MuddyWater; organisation: RMM; financial: $500 malware
Context ("Iranian Qilin Affiliates"): In October 2025, Israeli Shamir Medical Center was hit by a major cyber attack that was initially described as a ransomware incident. Three weeks later, Israel's National Cyber Directorate (INCD) corrected the record, blaming Iran, suggesting that state-affiliated hackers might have been acting as RaaS affiliates.
Related: INC Ransomware Group Holds Healthcare Hostage in Oceania
Context: The most interesting overlap between Iranian intelligence and cybercrime perhaps occurred when an Israeli hospital suffered a cyberattack in October 2025.
Context: For example, Shykevich says, "MuddyWater is not extremely sophisticated on a technical level. Most of what they do in their regular operations is sending phishing mail and then using remote monitoring and management (RMM) tools."
Context: "[instead] of one year of investment in developing some malware, to pay $500 and buy a specific loader or certificates or whatever."
March 11
Threat actors from Iran's Ministry of Intelligence and Security (MOIS), collaborating with cybercriminals, carried out a wiper attack on the Fortune 500 medical technology company Stryker.
Entities: tactic: Wiper; industry: Technology; general_metric: Fortune 500
Context: On March 11, for example, a wiper attack struck the Fortune 500 medical technology company Stryker.
2026-03-12
Void Manticore (Handala Hack) is an Iranian threat actor, run out of the MOIS, that is linked to several hack-and-leak personas.
Entities: organisation: Sweden's Security Service; organisation: Void Manticore; organisation: MOIS; organisation: APT; threat_actor: MuddyWater; organisation: Hezbollah; organisation: Homeland Justice; organisation: TypeScript; organisation: VPS; organisation: DinDoor; organisation: CastleLoader; organisation: IP; organisation: Castle Loader Connection; organisation: FakeSet; organisation: Handala; organisation: Node.js; organisation: Certificate Thumbprint
Context: According to Sweden's Security Service, the Iranian regime has used criminal networks in Sweden to carry out violent acts against states, groups, and individuals it sees as threats; Swedish officials later linked that concern to attacks aimed at Israeli and Jewish targets, including incidents near Israel's embassy in Stockholm.
Context: According to the U.S. Treasury, one of the clearest examples involved the network led by narcotics trafficker Naji Ibrahim Sharifi-Zindashti, which Treasury said operated at the behest of MOIS and targeted dissidents and opposition activists.
Void Manticore (Handala) and Rhadamanthys
Void Manticore, an Iranian threat actor linked to several hack-and-leak personas, is one of the most active groups pursuing strategic objectives through cyber operations. Handala Hack is a front for Void Manticore, an advanced persistent threat (APT) run out of Iran's MOIS. It has leveraged "hacktivistic" personas such as Homeland Justice in attacks against Albania and Handala in operations targeting Israel. While the group is most commonly associated with "hack and leak" operations and disruptive attacks, particularly wiper operations, the emergence of its Handala persona also revealed the use of a commercial infostealer sold on darknet forums: Rhadamanthys.
MuddyWater – Tsundere Botnet and the Castle Loader Connection
MuddyWater, a threat actor that U.S. authorities have linked to Iran's MOIS, has conducted cyber espionage and other malicious operations focused on the Middle East for years. According to CISA, MuddyWater is a subordinate element within MOIS and has carried out broad campaigns in support of Iranian intelligence objectives, targeting government and private-sector organizations across sectors including telecommunications, defense, and energy. Both MuddyWater and Void Manticore are affiliated with the Iranian intelligence agency.
This dynamic appears most prominently among Ministry of Intelligence and Security (MOIS)-linked actors, particularly Void Manticore (a.k.a. "Handala Hack") and MuddyWater, where repeated overlaps with criminal tools, services, or clusters have been observed. Recent reports detailing the activity of MuddyWater link its operations to several cyber crime clusters of activity.
Figure 2 – Summary of MuddyWater connections to criminal activity.
To address this, we attempted to bring structure to the available evidence, to the best of our ability, and identify which activity is truly associated with MuddyWater.
Given that two separate sources linked Tsundere to MuddyWater, one via a VPS and the other through vendor telemetry, it is likely that MuddyWater uses the botnet as part of its operations. Large parts of its activity rely on Node.js and JavaScript scripts to execute code on compromised machines. In several instances observed in the wild, when the Node.js engine is detected, the botnet shifts to an alternative execution method using Deno, a runtime for JavaScript and TypeScript. In these intrusions, the group used a previously unseen backdoor called DinDoor, which is a new variant of the MuddyWater-linked Tsundere botnet, according to Check Point. Since Deno-based execution had not previously been associated with Tsundere, researchers linking this activity to MuddyWater designated this variant as DinDoor. Some MuddyWater activity, like its Tsundere botnet, has looked enough like cybercrime behavior that it has confused analysts, and some of its malware has been signed with the same certificates used by the CastleLoader malware-as-a-service tool. Another overlap between DinDoor-related activity and known MuddyWater tradecraft is the use of rclone to access a Wasabi server, which traces back to an IP address previously associated with MuddyWater (18.223.24[.]218, linked to eb5e96e05129e5691f9677be4e396c88).
Castle Loader Connection (a.k.a. FakeSet)
Another malware family recently linked to MuddyWater is FakeSet, which, according to our analysis, is a downloader used in recent infection chains delivering CastleLoader. CastleLoader operates as a Malware-as-a-Service offering used by multiple affiliates. Based on our understanding, the reported link between CastleLoader and MuddyWater stems from the use of a set of code-signing certificates, specifically under the Common Names "Amy Cherne" and "Donald Gay". Certificates with these common names were also used to sign MuddyWater malware ("StageComp"), Tsundere Deno malware ("DinDoor"), and CastleLoader ("FakeSet") variants. In our assessment, this does not necessarily indicate that MuddyWater is a CastleLoader affiliate; rather, it suggests that both may have obtained certificates from the same source.
These reports linking MuddyWater's operations to several different crime clusters benefit the government-backed group, the Tel Aviv security shop said. Ministry of Intelligence and Security (MOIS)-linked operatives appear to be the biggest offenders, according to Check Point Research, citing "repeated overlaps" between MuddyWater (aka Seedworm, Static Kitten) and Void Manticore (aka Storm-842, Handala Hack), and various criminal organizations and their tools and services. Another malware family linked to MuddyWater is a downloader called FakeSet, which the security researchers say was used in recent infections to deliver CastleLoader. According to Check Point, the link between CastleLoader and MuddyWater stems from the use of a set of code-signing certificates, specifically under the Common Names Amy Cherne and Donald Gay, also spotted in the DinDoor campaign.
"The emerging picture was that the attackers were likely Iranian-affiliated operators working through the cyber criminal ecosystem, using a criminal ransomware brand and methods associated with the broader extortion market, while serving a strategic Iranian objective," Check Point said, adding that this ransomware infection is part of a larger campaign by MOIS and Hezbollah to target Israeli hospitals.
Indicators of Compromise
Handala Rhadamanthys Variants
aae017e7a36e016655c91bd01b4f3c46309bbe540733f82cce29392e72e9bd1f
Malware samples signed with suspicious certificates
Entities: organisation: U.S. Treasury; organisation: Treasury; organisation: the Israeli National Cyber Directorate; organisation: Check Point; organisation: Void Manticore's; organisation: Check Point Research; infrastructure: 1,025 servers
Figure 1 – A Handala email impersonating the Israeli National Cyber Directorate (INCD) delivering Rhadamanthys.
Context: In the Tuesday research, Check Point shows one of these phishes that impersonated the Israeli National Cyber Directorate (INCD). What is new, according to recent research from Check Point, is that MOIS hackers have been working with the real cybercriminals they're pretending to be. Handala Hack, one of Void Manticore's hacktivist personas, has used Rhadamanthys "on several occasions," according to the Tel Aviv-based security researchers.
Context: "The use of such tools has created significant confusion, leading to misattribution and flawed pivoting, and clustering together activities that are not necessarily related," Check Point Research wrote.
Context: As The Reg readers likely remember, international cops disrupted Rhadamanthys operators' infrastructure in November, seizing 1,025 servers tied to the malware during a series of raids.
Intelligence Sources
Zero Day Fans (2026-03-10): Iranian MOIS Actors & the Cyber Crime Connection
The Register - Cybercrime (2026-03-10): Cybercrime isn't just a cover for Iran's government goons - it's a key part of their operations
Dark Reading (2026-03-12)
Last Updated: 2026-04-27T10:47