TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Check Point Research

Iranian MOIS Actors & the Cyber Crime Connection

stcpresearch · 2026-03-10

ATT&CK techniques detected

4 predictions

T1486 Data Encrypted for Impact (87%)
  “… ), Tsundere Deno malware (“dindoor”), and CastleLoader (“fakeset”) variants. In our assessment, this does not necessarily indicate that MuddyWater is a CastleLoader affiliate; rather, it suggests that both may have obtained certificates from the same source. Iranian qi…”

T1204.002 Malicious File (61%)
  “…related. This demonstrates that the use of criminal software can be effective for obfuscation, and highlights the need for extreme caution when analyzing overlapping clusters. To address this, we attempted to bring structure to the available evidence, to the best of our ability, …”

T1588.001 Malware (60%)
  (same evidence snippet as T1486 above)

T1553.002 Code Signing (34%)
  “…water uses the botnet as part of its operations. Another overlap between dindoor-related activity and known MuddyWater tradecraft is the use of rclone to access a Wasabi server, which traces back to an IP address previously associated with MuddyWater (18.223.24[.]218, l…”

Summary

Key Points

Iran-linked actors are increasingly engaging with the cyber crime ecosystem. Their activity suggests a growing reliance on criminal tools, services, and operational models in support of state objectives. Iranian actors have long used cyber crime and hacktivism as cover for destructive activity, but the trend now suggests direct engagement with the criminal ecosystem. […]

The post Iranian MOIS Actors & the Cyber Crime Connection appeared first on Check Point Research.