An Iran-linked hacking group has been active inside the networks of several US organizations since early February, raising concerns that the activity could precede broader cyber operations connected to escalating geopolitical tensions in the Middle East.
New backdoors used by Seedworm
Symantec and Carbon Black researchers have attributed the activity to Seedworm (aka MuddyWater), an Iranian advanced persistent threat (APT) group that has been linked to Iran’s Ministry of Intelligence and Security (MOIS), and is known for espionage campaigns targeting government agencies, telecommunications companies, and critical infrastructure.
According to researchers, suspicious activity linked to Seedworm has been identified on the networks of:
- A US bank
- A US airport
- Non-profit organizations, and
- The Israeli operations of a US software company that supplies the defense and aerospace industries.
The activity began in early February 2026 and has continued into recent days, and the group has been spotted leveraging previously unknown malware.
- The Dindoor backdoor, named thus due to its use of Deno, a runtime environment for JavaScript and TypeScript, for executing commands on infected machines
- A Python-based backdoor called Fakeset.
According to the researchers, Dindoor was digitally signed with a certificate issued to an individual named “Amy Cherne”. Fakeset was also signed, using using certificates attributed to both “Amy Cherne” and “Donald Gay,” the latter of which has previously been associated with the Stagecomp and Darkcomp malware used by the Seedworm APT.
The goal seems to be espionage: the attackers have been observed trying to exfiltrate data from the targeted software company to a cloud storage bucket hosted by Wasabi using the open-source tool Rclone.
“While it’s not known if the operations of Seedworm are disrupted by the current conflict, already having a presence on US and Israeli networks prior to the current hostilities beginning means the threat group is in a potentially dangerous position to launch attacks,” the researchers noted.
It is unknown what tricks or exploits the APT used to gain initial access to these organizations’ networks.
Exposed VPS reveals Seedworm tooling
In related news, independent threat-intel research collective Ctrl-Alt-Intel recently claimed to have accessed infrastructure used by Seedworm / Muddy Water, which allowed them to harvest “C2 tooling, scripts, logs, victim data, and other operational artefacts from a VPS hosted in the Netherlands.”
After analyzing the collected data, they pinpointed other organizations targeted by the group: Israeli organizations (healthcare, hosting, immigration, intelligence), EgyptAir, Jordanian government, various UAE companies, US entities, and Jewish/Israeli-linked nn-governmental organizations..
“The exposed infrastructure (…) provides a broad view into a MuddyWater operation – from initial reconnaissance through to data exfiltration. What stands out is not the sophistication of any single tool or malware, but the breadth of the operation: countless organisations targeted, multiple custom-developed C2 frameworks, exploitation of over a dozen CVEs including novel SQL injection vulnerabilities, password spraying campaigns, Ethereum-based C2 resolution, and multiple exfiltration channels spanning cloud storage & EC2 instances,” the group concluded.
“MuddyWater continues to demonstrate a willingness to rapidly adopt public exploit code, modify it for operational use, and deploy it at scale – all while developing custom tooling in parallel.”
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
