Iran-linked Muddy Water hackers target US networks with new Dindoor backdoor

March 6, 2026
A new investigation by Broadcom’s Symantec and Carbon Black Threat Hunters team has uncovered evidence of an Iranian hacker group infiltrating the networks of multiple U.S. companies, including banks, airports, nonprofit organizations and the Israeli arm of a software company.

This activity is believed to be the work of a state-sponsored hacking group called MuddyWater (also known as Seedworm). It is affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The operation is assessed to have begun in early February, with recent activity detected following military attacks on Iran by the United States and Israel.

“The software company is a supplier to the defense and aerospace industries, and is also based in Israel, and its Israeli operations appear to be the target of this activity,” the security vendor said in a report shared with Hacker News.

The intrusions into the software company, the U.S. bank, and a Canadian non-profit organization deployed a previously unknown backdoor called Dindoor, which relies on the Deno JavaScript runtime for execution. Broadcom said it also identified attempts to use the Rclone utility to exfiltrate data from the software company to Wasabi cloud storage buckets, although it is currently unclear whether the exfiltration succeeded.

A separate Python backdoor called Fakeset was also discovered on the networks of the U.S. airport and nonprofit organization. It was downloaded from a server belonging to Backblaze, an American cloud storage and data backup company. The digital certificate used to sign Fakeset was also used to sign the Stagecomp and Darkcomp malware, both of which were previously linked to MuddyWater.

“Although this malware was not seen on the targeted network, the same certificates were used, suggesting that the same attacker, Seedworm, was behind the activity on the US company’s network,” Symantec and Carbon Black said.

“Iranian threat actors have become increasingly proficient in recent years. Not only have their tools and malware improved, but they have also demonstrated strong social engineering capabilities, including spear-phishing campaigns and ‘honey trap’ operations used to build relationships with targets of interest in order to access accounts and sensitive information.”

The findings were announced against the backdrop of the escalating military conflict in Iran, which has triggered a barrage of cyberattacks. A recent investigation by Check Point revealed that a pro-Palestinian hacktivist group known as Handala Hack (also known as Void Manticore) routes its activity through Starlink IP ranges and probes externally reachable applications for misconfigurations and weak credentials.

In recent months, we have also observed multiple Iranian-linked adversaries, including Agrius (also known as Agonizing Serpens, Marshtreader, and Pink Sandstorm), scanning vulnerable Hikvision cameras and video intercom solutions using known security flaws such as CVE-2017-7921 and CVE-2023-6895.

According to Check Point, this targeting has intensified in the wake of the current conflict in the Middle East. Exploitation attempts against IP cameras have proliferated in Lebanon and Cyprus, as well as in Israel and Gulf states including the UAE, Qatar, Bahrain, and Kuwait. This activity targeted Dahua and Hikvision cameras and weaponized the two vulnerabilities above along with CVE-2021-36260, CVE-2025-34067, and CVE-2021-33044.

“Taken together, these findings are consistent with the assessment that Iran uses camera compromise as part of its doctrine, and in some cases prior to missile launches, for operational support and continuous battle damage assessment (BDA) for missile operations,” the company said.

“As a result, tracking camera-targeted activity from infrastructure with specific attributes could serve as an early indicator of potential subsequent motor activity.”

The US-Israel war on Iran has also led the Canadian Centre for Cyber Security (CCCS) to issue an advisory warning that Iran is likely to use cyber means to launch retaliatory attacks against critical infrastructure and to conduct information operations to further the regime’s interests.

Below is a list of other important developments that have come to light in recent days.

  • Last week’s Financial Times reported that Israeli intelligence had been hacking Tehran’s extensive network of traffic cameras for years to monitor the movements of Khamenei’s bodyguards and other senior Iranian officials ahead of the supreme leader’s assassination.
  • State media Fars news agency reported on Telegram that Iran’s Islamic Revolutionary Guards Corps (IRGC) targeted Amazon’s data center in Bahrain, accusing Amazon of supporting “enemy military and intelligence activities.”
  • An active wiper campaign is said to be underway against Israel’s energy, financial, government and utility sectors. “Iran’s wiper arsenal includes more than 15 families (ZeroCleare, Meteor, Dustman, DEADWOOD, Apostle, BFG Agonizer, MultiLayer, PartialWasher, etc.),” Anomali said.
  • Iranian state-backed APT groups such as MuddyWater, Charming Kitten, OilRig, Elfin, and Fox Kitten “have shown clear signs of activation and rapid regime change, poised for retaliatory operations amidst the escalation of the conflict,” Level Blue said, adding that “cyber is one of Iran’s most accessible asymmetric tools for retaliating against Gulf states that blamed Iranian attacks and supported U.S. operations.”
  • According to Flashpoint, a large-scale #OpIsrael cyber campaign involving pro-Russian and pro-Iranian factions is targeting Israeli industrial control systems (ICS) and government portals across Kuwait, Jordan, and Bahrain. The campaign is promoted by NoName057(16), Handala Hack, Fatemiyoun Electronic Team, and Cyber Islamic Resistance (aka 313 Team).
  • From February 28, 2026 to March 2, 2026, the pro-Russian hacktivist group Z-Pentest claimed responsibility for compromising several US-based organizations, including ICS and SCADA systems, and multiple CCTV networks. “The timing of these unconfirmed claims coincides with Operation Epic Fury, suggesting that Z-Pentest may have begun prioritizing U.S. organizations as targets,” Adam Meyers, head of counter-adversary operations at CrowdStrike, told Hacker News.

UltraViolet Cyber stated that “Iran’s offensive cyber capabilities have matured into a durable instrument of state power used to support intelligence gathering, regional influence, and strategic signaling during times of geopolitical tension,” adding that “Iran’s current cyber doctrine is characterized by an emphasis on identity and the cloud control plane as the primary attack surface.”

“Rather than prioritizing large-scale zero-day exploits or highly novel malware, Iranian operators tend to focus on repeatable access techniques such as credential theft, password spraying, and social engineering, followed by persistence through widely deployed enterprise services.”

Organizations are encouraged to harden their security posture, improve monitoring, limit Internet exposure, disable remote access to operational technology (OT) systems, enforce phishing-resistant multi-factor authentication (MFA), implement network segmentation, maintain offline backups, and keep all Internet-facing applications, VPN gateways, and edge devices up to date.

“As conflict continues and activity may move beyond hacktivism to subversion, Western organizations must remain on high alert for potential cyber responses,” Meyers said.
