Iranian Cyber Operations Intensify: Persistent U.S. Network Infiltrations and Regional Surveillance Exploits
In early 2026, Iranian state-sponsored cyber activity has escalated: threat actors have embedded themselves in U.S. networks and are exploiting surveillance systems across the Middle East. The advanced persistent threat (APT) group MuddyWater, attributed to Iran's Ministry of Intelligence and Security (MOIS), has maintained unauthorized access to multiple American organizations since at least February 2026. Targeted sectors include banking, aviation, defense supply chains, and non-profit organizations.
Investigations by the cybersecurity firms Symantec and Carbon Black found that MuddyWater deployed previously undocumented malware to establish persistent footholds in victim environments. The campaign appears focused on long-term intelligence collection rather than immediate disruption, a hallmark of state-sponsored espionage.
Analysts have identified several malware families in MuddyWater's targeting of U.S. entities, including Dindoor, Fakeset, Stagecomp, and Darkcomp. The Dindoor backdoor was deployed inside the network of a U.S. software company serving defense and aerospace clients; it runs on the Deno JavaScript/TypeScript runtime, which it uses to execute operator commands and maintain access. Fakeset, a Python-based backdoor, was found on the networks of a U.S. airport and a non-profit organization. Both tools were built to stay hidden while preserving long-term footholds, so an unexpected Deno binary or Python interpreter running on a server that has no business hosting one is a useful hunting lead.
Beyond network infiltration, Iran-linked infrastructure launched a wave of scanning against internet-connected surveillance cameras starting February 28, 2026. Check Point Research observed the surge in exploit attempts, which targeted Hikvision and Dahua cameras deployed in commercial, government, and municipal environments. Affected countries included Israel, Qatar, Bahrain, Kuwait, the United Arab Emirates, Lebanon, and Cyprus. The timing coincided with the start of major regional hostilities, which points to the camera intrusions being a component of Iran's battlefield intelligence collection.
Exploiting internet-connected surveillance cameras is a calculated tactic that turns everyday security infrastructure into a real-time battlefield observation platform. By compromising Hikvision and Dahua devices through known vulnerabilities, Iranian operators can monitor locations, track emergency response movements, and assess damage after missile or drone strikes. The key vulnerabilities exploited were CVE-2017-7921, an improper authentication flaw in Hikvision firmware, and CVE-2021-33044, an authentication bypass in Dahua devices. Both flaws are old and have had vendor firmware fixes for years (Hikvision since 2017, Dahua since 2021), so the devices compromised here were unpatched and reachable from the internet.
The same tactic was observed during the June 2025 Iran-Israel conflict, when compromised cameras were reportedly used to observe the aftermath of strikes on Israeli targets. Repeating the playbook in early 2026 indicates that Iranian actors treat IP camera exploitation as a reliable, low-cost intelligence tool. These devices often run outdated firmware, are frequently exposed directly to the internet, and fall outside standard enterprise security monitoring, which makes them attractive targets for cyber espionage.
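The two camera flaws above are exploited over plain HTTP, so the cheapest detection is to match the published exploit shapes in reverse-proxy or edge logs and then look for one source hitting many cameras, which is what a scanning wave looks like. The script below is an added example written for this article, not Check Point's or any vendor's code. It assumes a constructed log format (source IP, destination IP, request line, status, optional body), the endpoint list and fixed `auth` token that public write-ups of CVE-2017-7921 describe, and the `loginType` value that public CVE-2021-33044 proof-of-concepts send; all sample log lines are constructed.

```python
"""Flag Hikvision/Dahua exploit attempts in HTTP logs and spot scanning sources.

Added example, not part of the original article or of any vendor tool.
Assumed log format (constructed):
    <src_ip> <dst_ip> "<METHOD> <url> HTTP/x.y" <status> [<request body>]
"""
import base64
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# CVE-2017-7921 (Hikvision): the public exploit appends a fixed "auth" query
# parameter, base64("admin:11\n"), to privileged endpoints. The endpoint list
# is an assumption taken from public write-ups, not from campaign reporting.
HIKVISION_AUTH_TOKEN = base64.b64encode(b"admin:11\n").decode()  # "YWRtaW46MTEK"
HIKVISION_PATHS = {"/System/configurationFile", "/onvif-http/snapshot", "/Security/users"}

# CVE-2021-33044 (Dahua): public PoCs POST a JSON-RPC global.login to
# /RPC2_Login with loginType "NTLM". Matching on that field is an assumption.
DAHUA_PATH = "/RPC2_Login"
DAHUA_BYPASS_RE = re.compile(r'"loginType"\s*:\s*"NTLM"', re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<src>\S+)\s+(?P<dst>\S+)\s+"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+HTTP/[\d.]+"'
    r'\s+(?P<status>\d{3})(?:\s+(?P<body>.*))?$'
)

# Constructed sample: one source probes three cameras with both exploit
# shapes plus a normal login; a second source only browses the login page.
SAMPLE_LOG = """\
203.0.113.7 192.0.2.10 "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200
203.0.113.7 192.0.2.11 "GET /onvif-http/snapshot?auth=YWRtaW46MTEK HTTP/1.1" 200
203.0.113.7 192.0.2.12 "POST /RPC2_Login HTTP/1.1" 200 {"method":"global.login","params":{"userName":"admin","password":"Not Used","loginType":"NTLM"},"id":1}
203.0.113.7 192.0.2.13 "POST /RPC2_Login HTTP/1.1" 401 {"method":"global.login","params":{"userName":"admin","password":"x","loginType":"Direct"},"id":1}
198.51.100.4 192.0.2.10 "GET /ISAPI/Streaming/channels/101/picture HTTP/1.1" 401
198.51.100.4 192.0.2.10 "GET /doc/page/login.asp HTTP/1.1" 200
"""


def parse_line(line: str) -> Optional["re.Match[str]"]:
    """Parse one log line into fields, or None if it does not fit the format."""
    return LOG_RE.match(line.strip())


def classify_match(m: "re.Match[str]") -> Optional[str]:
    """Return the CVE identifier a parsed request matches, or None."""
    url = urlsplit(m.group("url"))
    if url.path in HIKVISION_PATHS:
        # parse_qs returns a list per key; the exploit sends the fixed token.
        if HIKVISION_AUTH_TOKEN in parse_qs(url.query).get("auth", []):
            return "CVE-2017-7921"
    if url.path == DAHUA_PATH and m.group("method") == "POST":
        if DAHUA_BYPASS_RE.search(m.group("body") or ""):
            return "CVE-2021-33044"
    return None


def classify(line: str) -> Optional[str]:
    """Convenience wrapper: classify a raw log line."""
    m = parse_line(line)
    return classify_match(m) if m else None


def summarize(log_text: str, min_targets: int = 3) -> Dict[str, object]:
    """Collect exploit hits and the sources that hit >= min_targets distinct cameras."""
    hits: List[Tuple[str, str, str]] = []
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = parse_line(line)
        if not m:
            continue
        tag = classify_match(m)
        if tag is None:
            continue
        hits.append((m.group("src"), m.group("dst"), tag))
        targets[m.group("src")].add(m.group("dst"))
    scanners = {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}
    return {"hits": hits, "scanners": scanners}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for src, dst, tag in result["hits"]:
        print(f"{src} -> {dst}: {tag}")
    for src, dsts in result["scanners"].items():
        print(f"scanner {src} touched {len(dsts)} cameras: {', '.join(dsts)}")
```

Note that a 200 response to either request is itself the finding: a patched camera rejects the `auth` token and the `NTLM` login, so a success status means the device is exploitable and should be pulled off the internet and re-flashed before anything else. Signature matching only catches the published exploit form; the durable fix is firmware updates and not exposing cameras' management interfaces at all.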
The Iran-aligned hacktivist group Handala also claimed a destructive cyberattack against Stryker, a Fortune 500 medical technology firm. The attackers reportedly exfiltrated around 50 terabytes of data before deploying wiper malware across the company's global network. Corporate laptops and mobile devices enrolled in enterprise management systems were remotely wiped, forcing some locations to revert to manual processes. The attack underscores the expanding role of Iran-aligned proxy groups in Iran's broader cyber operations, now reaching sectors well beyond the state's traditional targets.
The persistent presence of Iranian operators inside U.S. networks and their deliberate exploitation of regional surveillance systems show how these threats are evolving. The practical response follows from the incidents themselves: patch camera firmware for the Hikvision and Dahua flaws named above and remove camera management interfaces from direct internet exposure; bring IP cameras and other embedded devices under the same network segmentation and monitoring as the rest of the estate; hunt for long-lived backdoors rather than only blocking initial access, since the MuddyWater intrusions were built to persist quietly; and treat remote-wipe capability in device management platforms as a privileged function whose use is tightly restricted and alerted on.