New research from Broadcom’s Symantec and Carbon Black Threat Hunter Team reveals that an Iranian state-sponsored hacking group has infiltrated multiple U.S. organizations, including banks, airports, a non-profit, and the Israeli division of a software company.
The group, known as MuddyWater (also Seedworm), operates under the Iranian Ministry of Intelligence and Security (MOIS). Analysts believe the campaign began in early February, with heightened activity following recent U.S. and Israeli military operations in Iran.
“The targeted software company supports the defense and aerospace sectors and has operations in Israel. Its Israeli division appears to be the primary focus of these attacks,” noted the security firm.
The attackers used a previously undocumented backdoor called Dindoor, executed via the Deno JavaScript runtime. Broadcom also observed an attempt to exfiltrate data with the Rclone utility to a Wasabi cloud storage bucket, although it is unclear whether the transfer succeeded.
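Rclone is a legitimate sync tool, so the hunt for the exfiltration pattern described above is a behavioural one: a transfer verb, rclone's `remote:bucket` or `:backend:bucket` argument syntax, rclone-specific flags, and object-storage endpoints on the command line, even when the binary has been renamed. The following is an added example written for this article, not code from Broadcom or the reporting; the process events, field names (`host`, `image`, `cmdline`), scoring weights and threshold are all assumptions, and the endpoint list only contains the two storage providers the article names.

```python
import re
import shlex

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "fs01", "image": r"C:\Users\svc\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Share\Finance wasabi:corp-backup-7f --config C:\Users\svc\r.conf --transfers 8"},
    # rclone renamed to look like a system binary, using an on-the-fly :s3: remote
    {"host": "fs01", "image": r"C:\Windows\Temp\svchost.exe",
     "cmdline": r"svchost.exe sync D:\Data :s3:bucket --s3-endpoint s3.wasabisys.com --s3-provider Wasabi -q"},
    # benign-looking listing: should stay below the alert threshold
    {"host": "ws22", "image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": r"rclone.exe ls gdrive:Docs"},
    {"host": "ws22", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs -p"},
]

TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto", "copyurl"}
# Object-storage endpoints associated with this activity in the article
# (Wasabi for exfiltration, Backblaze for payload hosting); assumed list, extend to taste.
STORAGE_HOSTS = ("wasabisys.com", "backblazeb2.com")
# rclone remote syntax: name:bucket/path or :backend:bucket. The negative lookahead
# rejects Windows drive paths (C:\...) and URLs (http://...). A remote written as
# name:/path would be missed; that is a deliberate simplification.
REMOTE_RE = re.compile(r"^:?[A-Za-z0-9_.-]+:(?![\\/])")


def score_event(ev):
    """Return (score, reasons) for one process event. Higher means more rclone-like."""
    tokens = shlex.split(ev["cmdline"], posix=False)  # keep backslashes in Windows paths
    score, reasons = 0, []
    if "rclone" in ev["image"].lower():
        score += 1
        reasons.append("image name is rclone")
    if len(tokens) > 1 and tokens[1].lower() in TRANSFER_VERBS:
        score += 2
        reasons.append(f"transfer verb '{tokens[1]}'")
    if any(REMOTE_RE.match(t) for t in tokens[1:]):
        score += 2
        reasons.append("rclone remote syntax in arguments")
    if any(t.startswith(("--s3-", "--config")) for t in tokens):
        score += 1
        reasons.append("rclone-specific flag")
    if any(h in ev["cmdline"].lower() for h in STORAGE_HOSTS):
        score += 2
        reasons.append("object-storage endpoint on command line")
    return score, reasons


def hunt(events, threshold=4):
    """Return (host, image, score, reasons) for every event at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["host"], ev["image"], score, reasons))
    return hits


if __name__ == "__main__":
    for host, image, score, reasons in hunt(SAMPLE_EVENTS):
        print(f"{host}: {image} score={score} ({'; '.join(reasons)})")
```

The renamed binary in the second event is caught purely on its arguments, which is the point of scoring behaviour rather than matching the file name; the plain `ls` in the third event stays below the threshold so that ordinary use of an approved rclone install does not page anyone.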
In addition, networks at a U.S. airport and a non-profit were found infected with a Python-based backdoor called Fakeset, downloaded from Backblaze servers. The digital certificates used to sign Fakeset had previously signed Stagecomp and Darkcomp, both linked to MuddyWater, suggesting a common operator behind the intrusions.
“Iranian threat actors have advanced their capabilities significantly, improving both malware sophistication and social engineering tactics, including spear-phishing and honeytrap operations to access sensitive accounts,” Symantec and Carbon Black stated.
This surge in cyber activity coincides with ongoing military tensions in the region. Check Point researchers reported that pro-Palestinian hacktivist group Handala Hack (Void Manticore) used Starlink IPs to probe applications for misconfigurations and weak credentials. Other Iranian-linked actors like Agrius have exploited vulnerabilities in Hikvision cameras and video intercoms (CVE-2017-7921, CVE-2023-6895) across Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus.
“Compromised cameras may provide operational intelligence for missile activities, serving as early indicators of potential kinetic operations,” Check Point noted.
The conflict has prompted advisories from global cybersecurity bodies. The Canadian Centre for Cyber Security (CCCS) warned of possible retaliatory cyber attacks on critical infrastructure. Additional recent developments include:
- Israeli intelligence reportedly infiltrated Tehran’s traffic camera network to monitor movements of top Iranian officials.
- Iran’s IRGC targeted Amazon’s Bahrain data center over alleged support for enemy military operations.
- Active wiper malware campaigns are ongoing against Israeli sectors, including energy, finance, and utilities, with Iran deploying over 15 wiper families (ZeroCleare, Meteor, Dustman, DEADWOOD, Apostle, BFG Agonizer, MultiLayer, PartialWasher, among others).
- State-sponsored Iranian APTs like MuddyWater, Charming Kitten, OilRig, Elfin, and Fox Kitten are preparing for retaliatory cyber operations.
- Pro-Russian and pro-Iranian hacktivist campaigns (#OpIsrael) have targeted ICS and government portals across Kuwait, Jordan, and Bahrain.
- Between February 28 and March 2, 2026, Z-Pentest claimed compromises of U.S. ICS, SCADA, and CCTV networks, coinciding with Operation Epic Fury.
UltraViolet Cyber emphasized that Iran’s cyber doctrine focuses on identity and cloud systems, preferring repeatable access methods like credential theft, password spraying, and social engineering, rather than zero-day exploitation.
Organizations are advised to enhance cybersecurity measures by strengthening monitoring, limiting internet exposure, disabling remote OT access, enforcing phishing-resistant MFA, segmenting networks, maintaining offline backups, and keeping internet-facing applications, VPNs, and edge devices updated.
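Since the doctrine described above leans on password spraying and credential theft, the monitoring the advisory calls for should distinguish a spray (many accounts, one or two attempts each, from one source) from a brute-force attempt against a single account, and should surface any account that the spraying source later signed into. The following is an added example written for this article, not code from UltraViolet Cyber or any of the vendors quoted; the log format (`src=`, `user=`, `result=`), the 30-minute window, the five-account threshold and the log lines themselves are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real telemetry).
SAMPLE_LOG = """\
2026-03-01T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2026-03-01T08:00:04Z src=203.0.113.7 user=bob result=FAIL
2026-03-01T08:00:07Z src=203.0.113.7 user=carol result=FAIL
2026-03-01T08:00:10Z src=203.0.113.7 user=dave result=FAIL
2026-03-01T08:00:13Z src=203.0.113.7 user=erin result=FAIL
2026-03-01T08:00:16Z src=203.0.113.7 user=frank result=FAIL
2026-03-01T08:02:30Z src=203.0.113.7 user=erin result=SUCCESS
2026-03-01T08:01:00Z src=198.51.100.9 user=alice result=FAIL
2026-03-01T08:01:05Z src=198.51.100.9 user=alice result=FAIL
2026-03-01T08:01:10Z src=198.51.100.9 user=alice result=FAIL
2026-03-01T08:01:15Z src=198.51.100.9 user=alice result=FAIL
2026-03-01T08:01:20Z src=198.51.100.9 user=alice result=FAIL
2026-03-01T08:01:25Z src=198.51.100.9 user=alice result=FAIL
2026-03-01T09:15:00Z src=192.0.2.5 user=alice result=FAIL
2026-03-01T09:15:20Z src=192.0.2.5 user=alice result=SUCCESS
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into (ts, src, user, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return (datetime.fromisoformat(ts.replace("Z", "+00:00")),
            fields["src"], fields["user"], fields["result"])


def detect_spray(log_text, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {src: {"distinct_users": n, "compromised": [users]}} for spraying sources.

    A source is a sprayer if, inside any sliding window, it failed against at least
    min_users distinct accounts with no single account tried more than max_per_user
    times (that second condition separates a spray from a brute-force on one account).
    'compromised' lists accounts the same source later authenticated to successfully.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, src, user, result in events:
        (fails if result == "FAIL" else successes)[src].append((ts, user))

    alerts = {}
    for src, f in fails.items():
        best, start = 0, 0
        for end in range(len(f)):
            while f[end][0] - f[start][0] > window:  # slide window start forward
                start += 1
            counts = defaultdict(int)
            for _, user in f[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                best = max(best, len(counts))
        if best:
            first_fail = f[0][0]
            hits = sorted({u for ts, u in successes.get(src, []) if ts >= first_fail})
            alerts[src] = {"distinct_users": best, "compromised": hits}
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: sprayed {info['distinct_users']} accounts; "
              f"later signed in as {info['compromised'] or 'none'}")
```

In the sample, 203.0.113.7 is flagged and erin is reported as the account that later authenticated from that source, which is the credential a responder should reset first and the one phishing-resistant MFA would have protected; 198.51.100.9 hammers a single account and is left to a separate brute-force rule rather than being mislabelled as a spray.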
“Western organizations should remain vigilant as cyber activity may escalate beyond hacktivism into destructive operations,” said Adam Meyers, CrowdStrike.