A Qilin ransom note
A striking evolution is occurring in the world of state-sponsored cyber warfare. According to a recent deep-dive report by Check Point Research, Iranian intelligence services are no longer just mimicking cybercriminals for cover—they are actively moving into the criminal neighborhood.
For years, groups linked to Iran’s Ministry of Intelligence and Security (MOIS) operated with a layer of “plausible deniability” by posing as hacktivists or independent ransomware gangs. However, researchers now warn that for these actors, “cyber crime is no longer just a cover story, but an operational resource”.
The report highlights a significant shift in tradecraft. Rather than building every tool from scratch, Iranian groups are now purchasing professional-grade malware and services directly from darknet forums.
“The trend we are seeing now goes beyond imitation… some Iranian actors appear to be associating with the cyber criminal ecosystem itself, leveraging its malware, infrastructure, and affiliate-style mechanisms,” the report explains.
By utilizing the same tools as financially motivated hackers, state actors gain a dual advantage: they instantly upgrade their technical capabilities while making it incredibly difficult for investigators to pin the blame on a specific government.
One of the most prominent examples involves the group known as Void Manticore (also known by its persona “Handala”). Traditionally known for disruptive “hack-and-leak” operations, the group recently started using Rhadamanthys, a commercial information stealer sold on criminal marketplaces.
In attacks targeting Israeli organizations, Handala paired this criminal malware with custom-built wipers, effectively “pairing [it] with one of its custom wipers in phishing lures… most dominantly impersonating F5 updates”.
Perhaps the most alarming development is Iran’s participation in Ransomware-as-a-Service (RaaS) affiliate programs. In October 2025, the Israeli Shamir Medical Center fell victim to a massive 8-terabyte data breach initially blamed on the Qilin ransomware group.
However, subsequent assessments revealed a different reality. Analysts believe Iranian-affiliated operators likely acted as “affiliates” for Qilin, using the criminal brand as a “layer of cover and plausible deniability” while pursuing strategic state goals.
The integration of state objectives with criminal methods creates a “recurring confusion around Iranian threat activity”. When a hospital or government agency is hit, the presence of criminal tools often leads to flawed pivots and misattribution, allowing the true state actors to remain in the shadows longer.
As Check Point concludes: “This reflects a clear shift from simply imitating cyber criminals to actively leveraging the cyber crime ecosystem”.