Iran's MOIS Cyber Apparatus: MuddyWater, Void Manticore, and the Convergence with Cybercrime
Published March 15, 2026 | RedSheep Reports
Iran's Ministry of Intelligence and Security (MOIS) is running hot. In the weeks following U.S. and Israeli military strikes on Iran, two of its subordinate cyber groups have launched new campaigns against American critical infrastructure. MuddyWater hit a U.S. bank, a software company, an airport, and a Canadian non-profit starting in early February 2026 [4]. Void Manticore, operating under the Handala Hack persona, targeted U.S. organizations including medical technology giant Stryker [6]. Both groups are deploying previously unknown malware, burning operational infrastructure at a pace that signals urgency. And both are borrowing tools and techniques from the cybercriminal underground, making attribution harder and defense more complex [3].
This isn't improvisation. It's a mature intelligence apparatus accelerating an already aggressive posture.
MOIS: Structure, History, and Mandate
MOIS was founded in 1983, built on the bones of SAVAK, the Shah's feared intelligence service [1]. The agency reports directly to Supreme Leader Khamenei with no parliamentary oversight, giving it exceptional operational latitude [1]. Current minister Esmail Khatib has held the position since 2021 [1]. The agency's mandate covers domestic counterintelligence, foreign intelligence collection, and covert action abroad. What distinguishes MOIS from peer services is its track record: involvement in over 450 terrorist attacks abroad since its founding [1].
The U.S. Treasury designated MOIS and its minister in September 2022 for cyber-enabled activities against multiple countries [5]. That designation cited malicious cyber operations dating back to at least 2007, targeting government and private-sector organizations across telecommunications, defense, and energy sectors globally [5]. APT39, a cyber espionage group, was designated as owned or controlled by MOIS in September 2020 [5]. The 2022 sanctions were triggered in part by a July 2022 cyberattack that disrupted Albanian government computer systems, which the U.S. attributed to MOIS-sponsored actors retaliating against Albania for sheltering Iranian dissidents [5] [1].
MOIS also maintains traditional human intelligence (HUMINT) operations that complement its cyber capabilities. Reporting from DropSite News revealed that MOIS handlers recruited individuals living in Israel to carry out influence operations, spanning the period from the 2023 judicial reform protests through the Gaza war [2]. Iranian intelligence briefing materials described these activities as a "reciprocal measure" to Israeli operations inside Iran [2].
MuddyWater's February 2026 Campaign
MuddyWater (also tracked as Seedworm) is a subordinate element within MOIS, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [3]. The group has been active since at least 2007 and conducts operations against government and private-sector targets in telecommunications, defense, local government, and energy [3] [5].
The latest campaign began in early February 2026, shortly after military strikes on Iran [4]. Targets included a U.S. bank, a U.S. software company, a U.S. airport, and a Canadian non-profit organization [4]. The group deployed two previously unknown backdoors: Dindoor and Fakeset [4].
Dindoor Backdoor
Dindoor is a backdoor built on the Deno JavaScript runtime, which supports both JavaScript and TypeScript execution [8]. This is a notable tooling choice. Deno is a legitimate development runtime created by Node.js's original author, and its use in malware is uncommon. The backdoor was signed with a code-signing certificate issued to "Amy Cherne" [8].
Fakeset Backdoor
Fakeset is a Python-based backdoor that the attackers downloaded from Backblaze cloud storage servers [4]. It was signed with certificates attributed to both "Amy Cherne" and "Donald Gay" [8]. The "Donald Gay" certificate is significant: it was previously associated with Stagecomp and Darkcomp, two malware families linked to MuddyWater's earlier operations [8]. This certificate reuse provides a strong attribution thread connecting the February 2026 campaign to MuddyWater's historical toolset.
Data Exfiltration via Cloud Services
Once inside target networks, the attackers attempted data exfiltration using Rclone, a command-line utility designed for managing files on cloud storage, specifically targeting Wasabi cloud storage [8]. The use of legitimate cloud infrastructure for both payload delivery (Backblaze) and exfiltration (Wasabi) is consistent with a broader MOIS trend of abusing commercial services to blend in with normal traffic.
Void Manticore and the Handala Hack Persona
Void Manticore operates under the public-facing persona "Handala Hack" and is the most prominent Iranian hacktivist persona currently active [7]. Check Point Research reported that the group overlaps with MOIS's Internal Security Deputy, particularly its Counter-Terrorism Division [6]. According to the same reporting, the group operated under the supervision of Seyed Yahya Hosseini Panjaki, who was killed in March 2026 [6].
Void Manticore is known for destructive wiping attacks, not just espionage [6]. The group consistently targets IT and service providers, gaining initial access through compromised VPN accounts to harvest credentials [6]. Recent operations targeted U.S. organizations, including Stryker, the medical technology company [6].
Palo Alto Networks' Unit 42 identified a surge in Iranian hacktivist activity starting February 28, 2026, when multiple state-aligned personas associated with an "Electronic Operations Room" formed simultaneously [7]. On the same date, Iran's internet connectivity dropped to between 1% and 4%, meaning state-aligned threat actors were likely operating in isolation from their domestic infrastructure [7]. By March 2, 2026, an estimated 60 individual hacktivist groups were active [7].
The Cybercrime Convergence
Check Point Research's reporting identified a significant operational shift: MOIS-linked actors are increasingly adopting cybercriminal malware, ransomware infrastructure, and techniques [3]. Both Void Manticore and MuddyWater show repeated overlaps with criminal tooling [3].
This convergence serves multiple purposes. Criminal tools are widely available, well-documented, and regularly updated by profit-motivated developers. Using them reduces the development burden on state-sponsored teams. More critically, it complicates attribution. When a target gets hit with commodity ransomware or a widely available RAT, defenders and intelligence analysts can't immediately distinguish a state operation from a criminal one. This deliberate blurring of lines gives MOIS plausible deniability and buys time before attribution hardens.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Malware | Dindoor | New backdoor using the Deno JavaScript runtime | [4] |
| Malware | Fakeset | Python backdoor delivered via Backblaze | [4] |
| Malware | Stagecomp | Previously linked to MuddyWater operations | [8] |
| Malware | Darkcomp | Previously linked to MuddyWater operations | [8] |
| Code-signing certificate (signer name) | Amy Cherne | Certificate used to sign Dindoor and Fakeset | [8] |
| Code-signing certificate (signer name) | Donald Gay | Certificate linking Fakeset to prior MuddyWater malware (Stagecomp, Darkcomp) | [8] |
MITRE ATT&CK Techniques
| Technique ID | Name | Context |
|---|---|---|
| T1567 | Exfiltration Over Web Service | Data exfiltration via Rclone to Wasabi cloud storage [8] |
| T1078 | Valid Accounts | Void Manticore's use of compromised VPN accounts for initial access [6] |
| T1553.002 | Subvert Trust Controls: Code Signing | Use of signed binaries with "Amy Cherne" and "Donald Gay" certificates [8] |
| T1059.007 | Command and Scripting Interpreter: JavaScript | Dindoor backdoor built on Deno JavaScript/TypeScript runtime [8] |
| T1059.006 | Command and Scripting Interpreter: Python | Fakeset Python backdoor [4] |
| T1588.002 | Obtain Capabilities: Tool | Adoption of cybercriminal malware and ransomware tools [3] |
Detection and Hunting
Deno Runtime Processes: Deno is uncommon in enterprise environments. Any instance of deno or deno.exe running on endpoints should be investigated immediately. Build detection rules in your EDR for Deno process execution, particularly when spawned by unusual parent processes.
Code-Signing Certificate Monitoring: The "Amy Cherne" and "Donald Gay" certificates are known-bad signers. Add these signer names to the blocklist in your endpoint protection platform. Hunt across certificate logs and binary inventories for any files signed by these entities.
Cloud Storage Exfiltration: Monitor for Rclone executions (rclone.exe, rclone) and network connections to Wasabi storage endpoints (s3.wasabisys.com and regional variants). Similarly, watch for unexpected connections to Backblaze B2 endpoints (f000.backblazeb2.com and similar), particularly from servers or workstations that don't have a legitimate business reason to reach those services.
VPN Account Abuse: Void Manticore's preferred initial access vector is compromised VPN credentials [6]. Audit VPN authentication logs for impossible travel, off-hours access from unusual geolocations (particularly Iranian IP ranges), and concurrent sessions from the same account.
Hacktivist Persona Tracking: The formation of the Electronic Operations Room and approximately 60 associated groups [7] means claim channels on Telegram and other platforms contain early warning indicators. Threat intelligence teams should be monitoring Handala Hack's public channels for target lists and operational claims.
Analysis
The February-March 2026 MOIS cyber escalation fits a well-established pattern: Iranian state cyber operations spike in direct response to kinetic military action. The 2022 Albania attack followed diplomatic tensions over dissident groups [5]. The current wave follows U.S. and Israeli strikes on Iran [4]. The response timeline, weeks rather than months, indicates pre-positioned capabilities and standing operational authority to strike when political conditions warrant.
MOIS is running at least two distinct operational tracks simultaneously. MuddyWater focuses on espionage, deploying backdoors for persistent access and data theft from critical infrastructure targets [4]. Void Manticore focuses on destruction, conducting wiper attacks designed to cause maximum visible damage [6]. These tracks complement each other: espionage operations collect intelligence that can inform targeting for destructive attacks, while destructive operations create noise and chaos that can mask ongoing espionage collection.
The collapse of Iranian internet connectivity to 1-4% on February 28, 2026, is a wrinkle worth examining [7]. State-aligned operators may have lost connectivity to their command infrastructure, or they may have pre-staged operations to run autonomously. Either scenario presents challenges for defenders: autonomous operations are harder to disrupt through infrastructure takedowns, and reconnection after an outage could trigger dormant implants.
The cybercrime convergence represents a deliberate strategic choice, not a resource constraint [3]. MOIS has demonstrated sophisticated custom tooling (Dindoor is proof). The adoption of criminal infrastructure is about operational security and deniability, not capability gaps.
Red Sheep Assessment
Confidence: Moderate-High
The sources collectively point to something none of them state explicitly: MOIS is building a cyber force structure that mirrors conventional military doctrine. MuddyWater functions as the intelligence collection arm. Void Manticore functions as the strike arm. The cybercrime convergence functions as logistics and supply, providing tools, infrastructure, and cover. The Electronic Operations Room, formed February 28, 2026 [7], appears to be a coordination layer sitting above individual groups, suggesting MOIS is moving toward centralized command and control of what were previously semi-autonomous operations.
The reported killing of Void Manticore's supervisor Seyed Yahya Hosseini Panjaki in March 2026 [6] could have two effects. In the short term, it likely disrupts Void Manticore's operational tempo. In the medium term, it probably accelerates retaliatory operations as MOIS seeks to demonstrate that decapitation strikes don't degrade capability. Defenders should expect a surge in Void Manticore activity in the coming weeks, possibly with less operational security discipline as the group operates under emotional and institutional pressure to respond.
There's an alternative reading worth considering: the internet connectivity collapse [7] may have been self-imposed by Iranian authorities to prevent Western intelligence services from accessing domestic infrastructure during a period of military vulnerability. That would mean the "isolation" of cyber operators was an accepted cost, and MOIS likely had contingency plans already in place. The 60 hacktivist groups that spun up almost immediately [7] support this interpretation. You don't coordinate 60 groups overnight without pre-planning.
Defender's Checklist
- [ ] Hunt for Deno runtime (deno, deno.exe) process execution across all endpoints. Baseline legitimate use (likely zero in most enterprises) and alert on any instance.
- [ ] Block and hunt for Rclone executions and network connections to Wasabi (s3.wasabisys.com) and Backblaze B2 (*.backblazeb2.com) storage endpoints at the proxy and firewall level.
- [ ] Audit VPN authentication logs for the past 90 days. Flag accounts with logins from multiple geographic regions within short time windows, and enforce MFA on all VPN access points.
- [ ] Add code-signing certificate names "Amy Cherne" and "Donald Gay" to threat intelligence watchlists and scan existing binary inventories for files signed by these entities.
- [ ] Review IT and managed service provider access to your environment. Void Manticore specifically targets service providers for credential harvesting [6]. Validate all third-party VPN and remote access accounts, disable unused ones, and enforce least privilege.
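As an added hunting example (not from the report or any of its cited sources), the Python pass below encodes the indicators from the Detection and Hunting section and the Defender's Checklist (Deno and Rclone execution, the two named code signers, Wasabi and Backblaze B2 endpoints, and VPN impossible travel) and runs them over constructed telemetry. The event field names and the one-hour travel window are assumptions to be mapped onto your own EDR, proxy and VPN log formats.

```python
from datetime import datetime, timedelta
from itertools import groupby

# Indicators from the report; field names are assumed, map them to your own log schema.
SUSPECT_IMAGES = {"deno", "deno.exe", "rclone", "rclone.exe"}
BAD_SIGNERS = {"amy cherne", "donald gay"}
CLOUD_SUFFIXES = (".wasabisys.com", ".backblazeb2.com")
TRAVEL_WINDOW = timedelta(hours=1)  # two countries inside this window = suspicious

def hunt(events):
    """Return (rule, detail) tuples for events matching the report's indicators."""
    findings, vpn = [], []
    for e in events:
        if e["event_type"] == "process":
            name = e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in SUSPECT_IMAGES:  # Deno runtime or Rclone on an endpoint
                findings.append(("suspect_runtime", f"{name} spawned by {e['parent']}"))
            if e.get("signer", "").lower() in BAD_SIGNERS:  # known-bad code signer
                findings.append(("bad_signer", f"{e['image']} signed by {e['signer']}"))
        elif e["event_type"] == "network":
            if e["dest_host"].lower().endswith(CLOUD_SUFFIXES):  # Wasabi / Backblaze B2
                findings.append(("cloud_storage", f"{e['src']} -> {e['dest_host']}"))
        elif e["event_type"] == "vpn_login":
            vpn.append(e)
    # Impossible travel: same account, different country, within TRAVEL_WINDOW.
    vpn.sort(key=lambda e: (e["user"], e["ts"]))
    for user, logins in groupby(vpn, key=lambda e: e["user"]):
        prev = None
        for cur in logins:
            if prev and cur["country"] != prev["country"] and cur["ts"] - prev["ts"] <= TRAVEL_WINDOW:
                findings.append(("impossible_travel", f"{user}: {prev['country']} -> {cur['country']}"))
            prev = cur
    return findings

T0 = datetime(2026, 3, 1, 2, 0)
SAMPLE_EVENTS = [  # constructed telemetry for demonstration, not real observations
    {"event_type": "process", "image": r"C:\Users\jdoe\AppData\Local\deno.exe", "parent": "winword.exe", "signer": "Amy Cherne"},
    {"event_type": "process", "image": "/usr/bin/rclone", "parent": "bash", "signer": ""},
    {"event_type": "process", "image": r"C:\Windows\explorer.exe", "parent": "userinit.exe", "signer": "Microsoft Windows"},
    {"event_type": "network", "src": "fileserver01", "dest_host": "s3.wasabisys.com"},
    {"event_type": "network", "src": "ws042", "dest_host": "updates.example.internal"},
    {"event_type": "vpn_login", "user": "msp-admin", "ts": T0, "country": "US"},
    {"event_type": "vpn_login", "user": "msp-admin", "ts": T0 + timedelta(minutes=20), "country": "IR"},
    {"event_type": "vpn_login", "user": "alice", "ts": T0, "country": "US"},
    {"event_type": "vpn_login", "user": "alice", "ts": T0 + timedelta(days=3), "country": "CA"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```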
References
- [1] Grey Dynamics. "Iranian Ministry of Intelligence." https://greydynamics.com/iranian-ministry-of-intelligence/
- [2] DropSite News. "Behind the Bombs, New Details Emerge on Iran's Infiltration of Israel." https://www.dropsitenews.com/p/iran-ministry-of-intelligence-israel-infiltration-spies
- [3] Check Point Research. "Iranian MOIS Actors & the Cyber Crime Connection." https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/
- [4] The Hacker News. "Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor." https://thehackernews.com/2026/03/iran-linked-muddywater-hackers-target.html
- [5] U.S. Department of the Treasury. "Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities." https://home.treasury.gov/news/press-releases/jy0941
- [6] Check Point Research. "Handala Hack - Unveiling Group's Modus Operandi." https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/
- [7] Palo Alto Networks Unit 42. "Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran." https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
- [8] Help Net Security. "Iran-linked APT targets US critical sectors with new backdoors." https://www.helpnetsecurity.com/2026/03/06/seedworm-muddywater-backdoors-victims/