Iranian APT MuddyWater Uses New Dindoor and Fakeset Backdoors in Geopolitically Driven Cyber Operations

CyberSecureFox 🦊

Recent research by Broadcom (Symantec) and the Carbon Black Threat Hunter Team has exposed a large‑scale cyber espionage campaign conducted by the Iranian state‑linked APT group MuddyWater (also known as Seedworm). The group, associated with Iran’s Ministry of Intelligence and Security (MOIS), has established long‑term access in networks belonging to organizations in the United States, Israel and Canada, including a US bank, a US airport, multiple non‑profits and the Israeli office of a major software vendor supporting the defense and aerospace sectors.

Iranian APT MuddyWater: geopolitical backdrop and objectives

According to the researchers, the most active phase of the operation began in early February and intensified following US and Israeli military strikes on Iranian targets. This timing is consistent with Iran’s established doctrine, which treats offensive cyber operations as a tool for political signaling, coercion and retaliation alongside conventional military power.

MuddyWater has long been classified as a state‑sponsored advanced persistent threat (APT) focused on espionage and maintaining stealthy, persistent access. Previous public advisories by US and allied cybersecurity agencies have attributed operations against government, telecommunications, energy and technology sectors to this actor, underscoring its strategic role in Iran’s cyber apparatus.

Dindoor backdoor: Deno-based malware and cloud data exfiltration

In the networks of a US financial institution, a Canadian non‑profit and the Israeli branch of a software company, analysts identified a previously undocumented backdoor named Dindoor. The malware is notable for leveraging the Deno JavaScript runtime, which is far less common than Node.js and traditional Windows scripting environments.

By building on Deno, Dindoor can blend more easily into developer and server environments that permit modern scripting tools, while evading defensive controls tuned primarily for more prevalent runtimes. Once deployed, Dindoor provides attackers with remote command execution, system control and staging capabilities for follow‑on theft of sensitive data.

For data exfiltration, the operators rely on the popular command‑line synchronization utility Rclone, redirecting stolen information to Wasabi cloud storage. Because Rclone and S3‑compatible services are widely used in legitimate backup and data‑migration workflows, this technique makes malicious network traffic appear routine, complicating detection by perimeter monitoring and traditional data loss prevention tools.

Fakeset Python implant and links to earlier MuddyWater toolsets

In a US airport and an additional non‑profit organization, investigators uncovered a separate Python‑based backdoor dubbed Fakeset, which was downloaded from infrastructure hosted by US cloud provider Backblaze. Fakeset’s code‑signing certificate had previously been used for the Stagecomp and Darkcomp malware families, both of which have been linked to MuddyWater in earlier reporting.

Although Stagecomp and Darkcomp were not directly observed in this campaign, the reuse of the same digital certificate is a strong indicator of a single operational owner and demonstrates limited operational security on the attacker side. At the same time, the use of legitimate cloud platforms and signed binaries lowers the risk of automated blocking and reflects the group’s increasing operational maturity.

Targeting Hikvision and Dahua cameras for reconnaissance

Parallel research from Check Point highlights an uptick in activity by pro‑Iranian and pro‑Palestinian groups, including Handala Hack (also tracked as Void Manticore). This activity uses Starlink IP address ranges to scan exposed web applications for weak passwords and misconfigurations, expanding the attackers’ foothold across the internet perimeter.

Other Iranian‑aligned operators, such as Agrius (also known as Agonizing Serpens, Marshtreader or Pink Sandstorm), have focused on mass exploitation of vulnerable IP cameras and intercom systems from vendors including Hikvision and Dahua. Exploited vulnerabilities reportedly include CVE‑2017‑7921, CVE‑2023‑6895, CVE‑2021‑36260, CVE‑2025‑34067 and CVE‑2021‑33044.

Check Point data indicates a sharp increase in attacks on cameras in Israel, Gulf states (UAE, Qatar, Bahrain, Kuwait), Lebanon and Cyprus. Compromised video devices provide real‑time visual intelligence that can be used for operational reconnaissance and battle damage assessment (BDA), including support to missile or drone campaigns. Monitoring for systematic attempts to compromise cameras from specific infrastructures can therefore serve as an early warning signal of potential follow‑on kinetic operations.

Preferred tactics of Iranian APT groups: credentials, cloud and identity

The Canadian Centre for Cyber Security (CCCS) assesses that, given the current regional tensions, Iran is highly likely to use its cyber capabilities against critical infrastructure and to conduct information operations targeting Western countries. Analysis by private sector firms such as UltraViolet Cyber similarly concludes that Iranian offensive cyber power has evolved into a durable, normalized instrument of state power.

Instead of relying heavily on expensive and scarce zero‑day exploits, Iranian APTs increasingly favor highly repeatable and scalable access techniques: credential theft, password spraying, targeted phishing and long‑term social‑engineering operations (including “honeytrap” scenarios in which trust is slowly built with victims). This aligns with broader industry findings that a majority of breaches globally still involve the human element and credential misuse.

Particular emphasis is placed on compromising cloud and identity platforms—such as Active Directory, identity providers (IdPs) and SaaS control planes. Once these are under attacker control, adversaries can maintain durable access, impersonate legitimate users and move laterally across hybrid cloud and on‑premises environments with relatively low risk of exposure.

Practical defense measures against MuddyWater and allied actors

Organizations in the financial, transportation, defense, technology and non‑profit sectors should reassess their threat models for Iranian APT activity and associated hacktivist groups. A pragmatic defense strategy should include the following measures:

1. Enhanced monitoring and logging. Implement centralized log collection, behavioral analytics and SIEM/SOC correlation. Pay specific attention to outbound connections to cloud storage, including Rclone usage and S3‑compatible services such as Wasabi and Backblaze.

2. Reduce internet‑exposed attack surface. Restrict direct exposure of admin consoles, VPN gateways, IP cameras and OT systems. Where remote access is required, enforce VPN usage and IP allowlisting, and disable unnecessary protocols and services.

3. Strong authentication and account governance. Deploy phishing‑resistant multi‑factor authentication (MFA) such as FIDO2 security keys or hardware tokens. Conduct regular access reviews, tightly control service accounts and ban password reuse across systems and cloud services.

4. Network segmentation and OT security. Separate corporate IT and operational technology (OT) networks, and limit or fully disable remote access to critical control systems. Apply dedicated firewall rules and monitoring for CCTV, IP cameras and other IoT devices, which are frequently overlooked but highly attractive to attackers.

5. Backup and vulnerability management. Maintain offline or immutable backups and test recovery procedures regularly. Prioritize patching of Hikvision, Dahua and other edge devices, closing the known CVEs exploited in current campaigns to deny attackers an easy entry point or surveillance channel.
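As an added illustration of the monitoring measure above (this is example code, not from the report or from Symantec/Carbon Black), the script below correlates constructed process and network events to flag hosts that both ran an rclone-like process and sent data to a Wasabi or Backblaze S3 endpoint. The endpoint domain suffixes are assumed from the vendors' public S3 hostnames, and every log line is a constructed sample, not an indicator from the campaign.

```python
import json
import re
from typing import Dict, List

# Hostname suffixes of the S3-compatible services named in the report
# (assumed from the vendors' published S3 endpoints, not from the article).
CLOUD_STORAGE_SUFFIXES = ("wasabisys.com", "backblazeb2.com")

# rclone data-moving subcommands; each is followed by a "remote:path" argument.
# Remote names of 2+ chars avoid matching Windows drive letters such as "C:".
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_-]{2,}:")

# Constructed sample telemetry, one JSON event per line (hosts, paths and
# bucket names are invented; they are not IoCs from the campaign).
SAMPLE_LOGS = r"""
{"type":"process","host":"fin-ws-07","image":"C:\\Users\\Public\\rclone.exe","cmdline":"rclone.exe copy C:\\Finance\\Q1 wasabi:reports/q1 --transfers 8"}
{"type":"process","host":"fin-ws-07","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"type":"process","host":"np-srv-02","image":"C:\\ProgramData\\sync\\svc.exe","cmdline":"svc.exe sync D:\\Shares b2:backup"}
{"type":"network","host":"fin-ws-07","dst":"s3.us-east-2.wasabisys.com","dport":443,"bytes_out":734003200}
{"type":"network","host":"np-srv-02","dst":"s3.us-west-002.backblazeb2.com","dport":443,"bytes_out":52428800}
{"type":"network","host":"ap-ws-11","dst":"login.microsoftonline.com","dport":443,"bytes_out":4096}
"""

def looks_like_rclone(event: Dict) -> bool:
    """Match rclone by binary name, or by command-line shape when the binary
    was renamed: <verb> ... <remote:path>."""
    basename = re.split(r"[\\/]", event.get("image", ""))[-1].lower()
    if basename in ("rclone", "rclone.exe"):
        return True
    argv = event.get("cmdline", "").split()
    for i, tok in enumerate(argv[1:-1], start=1):
        if tok.lower() in RCLONE_VERBS and any(REMOTE_ARG.match(a) for a in argv[i + 1:]):
            return True
    return False

def is_cloud_storage_dst(event: Dict) -> bool:
    """True when the destination host is (a subdomain of) a listed S3 service."""
    dst = event.get("dst", "").lower()
    return any(dst == s or dst.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)

def find_exfil_candidates(log_text: str) -> List[str]:
    """Hosts with both signals; either one alone is only a weak indicator,
    because rclone and these services are common in legitimate backups."""
    rclone_hosts, storage_hosts = set(), set()
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["type"] == "process" and looks_like_rclone(ev):
            rclone_hosts.add(ev["host"])
        elif ev["type"] == "network" and is_cloud_storage_dst(ev):
            storage_hosts.add(ev["host"])
    return sorted(rclone_hosts & storage_hosts)

if __name__ == "__main__":
    print(find_exfil_candidates(SAMPLE_LOGS))
```

In production, exclude hosts that are authorized to run backup jobs to these providers so the rule surfaces only unexpected cloud uploads.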

As regional conflicts increasingly spill over into cyberspace, Western and Middle Eastern organizations should assume that Iranian APT operations can quickly shift from espionage to disruptive or destructive attacks on critical systems. Continuous monitoring, disciplined identity and cloud security, rapid patching of exposed devices and regular staff awareness training are no longer optional controls—they are core requirements for maintaining resilience in an era where geopolitics and cyber operations are tightly intertwined.
