Iranian MOIS Actors & the Cyber Crime Connection
ID: 184619fc-b19c-5ecc-b6b2-9560cded6f0e
STIX ID: report--184619fc-b19c-5ecc-b6b2-9560cded6f0e
Feed Name: Check Point Research
This report outlines a shift in Iranian (MOIS-linked) cyber operations toward direct engagement with the cybercrime ecosystem: the use of commercial infostealers (Rhadamanthys), botnets/loaders (Tsundere/DinDoor, CastleLoader/FakeSet), and ransomware-as-a-service (Qilin) branding to enhance operational capability and complicate attribution. It provides case examples, analysis of overlaps, and indicators of compromise, including file hashes and suspicious code-signing certificates.
