MuddyWater (Seedworm) Espionage Campaign Using Dindoor Backdoor Against U.S. Organizations
Security researchers reported a cyber-espionage campaign attributed to Iran-linked MuddyWater (aka Seedworm), assessed as operating under Iran’s Ministry of Intelligence and Security (MOIS), targeting multiple U.S.-based organizations and related operations. Victims cited across reporting include a U.S. airport, a U.S. bank, non-governmental/non-profit organizations in North America, and the Israeli operations of a U.S. software supplier connected to the defense and aerospace sector—indicating interest in both critical infrastructure-adjacent environments and the defense supply chain.
The intrusions were described as beginning in early 2026 (with Symantec/Carbon Black tracking activity starting in early February) and focused on establishing and maintaining access consistent with long-term intelligence collection. One report highlighted deployment of a newly observed backdoor, Dindoor, alongside additional tooling to sustain persistence in victim networks, while broader analysis framed the activity as potentially aligned with heightened regional tensions and warned that Iranian-aligned actors may continue reconnaissance and access operations; organizations were advised to increase monitoring and defensive readiness, particularly where exposed services could enable initial access.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Symantec discloses Seedworm intrusions and new malware findings
Symantec researchers publicly reported the campaign, describing the affected sectors, the newly identified Dindoor malware, the Fakeset backdoor, and the suspected exfiltration activity. The disclosure warned that the intrusions coincided with heightened U.S.-Iran-Israel tensions and could support future espionage or disruptive operations.
Rclone exfiltration attempt to Wasabi observed
Investigators observed an attempted data exfiltration using Rclone to a Wasabi cloud storage bucket during the intrusions, although successful theft was not confirmed. The activity reflected the group's use of living-off-the-land techniques and persistence in some environments for weeks before discovery.
Attackers deploy Dindoor and Fakeset backdoors in victim networks
During the campaign, the attackers used a newly observed Deno-based backdoor called Dindoor and a separate Python backdoor named Fakeset across multiple compromised environments. Researchers linked the tooling to Seedworm through code-signing certificate overlaps and historical infrastructure and malware connections.
Seedworm campaign begins targeting U.S. and Canadian organizations
Intrusions attributed to the Iranian state-linked group Seedworm/MuddyWater began in early February 2026, affecting a U.S. bank, a U.S. airport, U.S. and Canadian non-profits, and the Israeli operations of a U.S. defense and aerospace software supplier. Investigators assessed the activity as part of a broader espionage effort focused on strategically relevant networks.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Threat Intelligence Report: MANGO SANDSTORM Dindoor / Fakeset Campaign | Krypt3ia
krypt3ia.wordpress.com
Open sourceU.S. Critical Infrastructure Faces Growing Threat From Iran-Linked Hackers
cyberpress.org
Open sourceIranian APT MuddyWater Uses Dindoor Malware to Target U.S. Networks
socradar.io
Open sourceIranian APT group MuddyWater targets multiple US companies | news | SC Media
scworld.com
Open sourceSymantec reports Iranian Seedworm hackers infiltrate US infrastructure and defense supply chain networks - Industrial Cyber
industrialcyber.co
Open sourceSeedworm APT group activity following U.S. and Israeli military strikes on Iran
broadcom.com
Open sourceMANGO SANDSTORM Dindoor / Fakeset Campaign - Infosec.Pub
infosec.pub
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Iran-linked MuddyWater intrusions and heightened retaliation risk after U.S.-Israeli strikes
Following the Feb. 28, 2026 U.S.-Israeli strikes on Iran, reporting indicates a **heightened risk of Iranian retaliatory cyber activity** against U.S. and allied organizations, with expected operations spanning **ransomware, DDoS (including as cover for deeper intrusions), data leaks from prior exfiltration, and aggressive social engineering** (e.g., fake job offers and malicious attachments). Likely target sets highlighted include **critical infrastructure**, **banking**, and environments involving **industrial control systems/PLCs**, with emphasis on disciplined execution of security fundamentals (patching, log review, and tighter email/attachment handling) rather than overreliance on automation. Separately, **MuddyWater** (*Seedworm*), an Iran-linked APT, was reported active in multiple U.S. organizations since early Feb. 2026, with activity increasing after the strikes. Symantec and Carbon Black researchers described targeting that included a **U.S. bank**, an **airport**, a **non-profit**, and the **Israel operation of a U.S. software company** supplying the defense/aerospace sector, and identified a previously unknown backdoor, **Dindoor**, observed in several victims; **Dindoor executes via `Deno`** (a JavaScript/TypeScript runtime). Commentary in the reporting also warned to assume potential **pre-positioning** in high-value targets and recommended proactive hunting for signs of persistent access before activation.
Mar 21, 2026
MuddyWater Used DLL Side-Loading and PowerShell Tooling in Multi-Country Espionage Campaign
Iran-linked **MuddyWater** (also tracked as **Seedworm**) was tied to an espionage campaign that compromised at least nine organizations across nine countries and four continents, hitting sectors including manufacturing, education, government, financial services, professional services, telecommunications, and an international airport. Researchers said the group used **DLL side-loading** with legitimate signed binaries such as `fmapp.exe` from Fortemedia and `sentinelmemoryscanner.exe` from SentinelOne to launch malicious DLLs, including the open-source **ChromElevator** tool for browser-data theft. One confirmed victim was a major South Korean electronics manufacturer, where the attackers reportedly maintained access for about a week, while earlier activity also targeted telecom providers in Egypt, Sudan, and Tanzania. The operators combined stealthy execution with a broad post-compromise toolkit, using **Node.js** to launch PowerShell payloads for reconnaissance, screenshot capture, privilege escalation, credential theft, and SOCKS5 reverse-proxy tunneling. Symantec also linked MuddyWater to the **MuddyC2Go** PowerShell framework, use of legitimate remote-management software **SimpleHelp**, and the publicly available **Venom Proxy** to maintain access and move through victim networks. Persistence was established through registry modifications, credentials were harvested through fake login prompts and registry hive dumping, and stolen data was exfiltrated via the public file-transfer service `sendit[.]sh`, indicating a sustained intelligence-collection effort aligned with Iranian state interests.
May 27, 2026
MuddyWater Phishing Campaign Targets Middle East and North Africa Government Networks
Iranian state-sponsored threat actor MuddyWater has conducted a large-scale cyberespionage campaign breaching over 100 government entities and international organizations across the Middle East and North Africa. The attackers leveraged a compromised enterprise mailbox, accessed via NordVPN, to send convincing phishing emails from legitimate addresses to embassies, ministries, and telecom providers. These emails contained weaponized Microsoft Word attachments that, when opened and macros enabled, deployed the updated "Phoenix" backdoor, granting persistent remote access, credential theft, and file exfiltration capabilities. The campaign also utilized off-the-shelf remote management tools such as PDQ and Action1 to blend in with legitimate administrative traffic and pilfered browser passwords from Chrome, Edge, Opera, and Brave. Researchers at Group-IB highlighted that MuddyWater, also known as Seedworm, APT34, OilRig, and TA450, has demonstrated evolving tradecraft and operational maturity in this operation, mixing official government and personal email addresses to increase the likelihood of successful compromise. The campaign's scale and targeting suggest either a significant increase in capability or a broader intelligence collection mandate from Iranian authorities. MuddyWater, linked to Iran's Ministry of Intelligence and Security, has a history of targeting government, energy, telecom, and defense sectors, focusing on long-term espionage rather than destructive attacks. Analysts warn that further activity is likely amid ongoing regional tensions.
Mar 21, 2026