
MuddyWater’s Dindoor Backdoor: Iranian APT Targets U.S. Organizations via Deno Runtime and Cloud Storage


Executive Summary

A newly identified campaign orchestrated by the Iranian state-sponsored advanced persistent threat group MuddyWater (also known as Seedworm and attributed to Iran’s Ministry of Intelligence and Security, MOIS) is actively targeting U.S. organizations with a sophisticated malware arsenal. The centerpiece of this campaign is a novel backdoor dubbed Dindoor, which leverages the Deno JavaScript runtime for execution, marking a significant evolution in the group’s tradecraft. This campaign, first observed in early 2026, has impacted sectors including banking, aviation, non-profits, and technology, with confirmed incidents at U.S. banks, airports, and the Israeli branch of a major software company. The attackers employ a multi-stage infection chain, combining social engineering, credential theft, and cloud-based command-and-control (C2) infrastructure, and have also deployed the Python-based Fakeset backdoor. The use of legitimate cloud storage services for malware delivery and data exfiltration, along with advanced obfuscation and certificate reuse, underscores the critical need for enhanced detection and response capabilities across all organizations.

Threat Actor Profile

MuddyWater is a well-documented Iranian APT group, operational since at least 2017 and linked to Iran’s MOIS. The group is known for targeting government, defense, telecommunications, and critical infrastructure sectors across the Middle East, North America, and Europe. MuddyWater is characterized by its rapid adoption of new tools, use of multi-language malware (including PowerShell, Python, and JavaScript), and reliance on social engineering for initial access. The group’s campaigns often overlap with other Iranian threat actors such as OilRig, Charming Kitten, and Agrius, and are frequently coordinated with hacktivist fronts like Handala Hack and Void Manticore. Recent activity demonstrates a strategic focus on Western financial, aviation, and technology sectors, with a marked increase in operational tempo following regional geopolitical escalations.

Technical Analysis of Malware/TTPs

The Dindoor backdoor represents a significant technical leap for MuddyWater. Written in JavaScript and executed via the Deno runtime, Dindoor enables remote command execution, persistent access, and data exfiltration. The malware is typically delivered through spear-phishing emails or honeytrap operations, which lure victims into executing malicious payloads. Once initial access is achieved, Dindoor is deployed and executed using Deno, a modern JavaScript/TypeScript runtime that is less commonly monitored than Node.js, thereby evading many traditional endpoint detection solutions.

Dindoor communicates with its C2 infrastructure over HTTPS, using cloud storage providers such as Backblaze and Wasabi for both payload delivery and exfiltration. The malware is capable of downloading additional modules, executing arbitrary commands, and maintaining persistence through scheduled tasks or registry modifications. Notably, the campaign also utilizes the Fakeset backdoor, a Python-based implant distributed via cloud storage, which shares digital certificates with previously identified MuddyWater malware families such as Stagecomp and Darkcomp. This certificate reuse is a hallmark of the group’s operational security lapses but also provides a valuable detection vector.

For data exfiltration, the attackers employ the Rclone utility, which facilitates the transfer of large volumes of data to attacker-controlled cloud storage buckets. The use of legitimate cloud services for both C2 and exfiltration complicates detection and response, as traffic to these providers is often permitted by default in enterprise environments.

The campaign’s tactics, techniques, and procedures (TTPs) map to several MITRE ATT&CK techniques, including T1566 (Phishing), T1071.001 (Application Layer Protocol: Web Protocols), T1059.007 (Command and Scripting Interpreter: JavaScript), T1027 (Obfuscated Files or Information), T1041 (Exfiltration Over C2 Channel), and T1105 (Ingress Tool Transfer).

Exploitation in the Wild

The current MuddyWater campaign has resulted in confirmed compromises at U.S. banks, airports, and non-profit organizations, as well as the Israeli branch of a major software company with defense and aerospace ties. Attackers have demonstrated the ability to move laterally within victim networks, escalate privileges, and exfiltrate sensitive data to cloud storage. In several incidents, the attackers leveraged stolen credentials obtained via spear-phishing and honeytrap operations to gain initial access, followed by the deployment of Dindoor and Fakeset. The use of Rclone for data exfiltration has been observed in multiple cases, with data transferred to Wasabi cloud storage buckets under attacker control.

Simultaneous campaigns by other Iranian APTs, including Agrius, Charming Kitten, OilRig, Elfin, and Fox Kitten, have been reported, often targeting similar sectors and leveraging overlapping infrastructure. Hacktivist groups such as Handala Hack and Void Manticore have also been active, conducting disruptive operations in parallel with espionage-focused campaigns.

Victimology and Targeting

The primary targets of this campaign are U.S. financial institutions, airports, and non-profit organizations, as well as technology and defense companies with operations in Israel and North America. Secondary targeting includes organizations in Canada and the Gulf States, particularly those involved in critical infrastructure, government, and industrial control systems. The attackers exhibit a preference for organizations with high-value intellectual property, sensitive personal data, or strategic geopolitical significance. The use of social engineering and honeytrap tactics indicates a focus on compromising privileged users and administrators, enabling deeper access and broader impact within victim environments.

Mitigation and Countermeasures

Organizations are strongly advised to implement the following countermeasures to mitigate the risk posed by the MuddyWater campaign and the Dindoor backdoor:

  • Monitor for unexpected installations or executions of the Deno runtime on endpoints, particularly in environments where JavaScript/TypeScript development is not standard practice.
  • Audit access to cloud storage services such as Backblaze and Wasabi for anomalous uploads or downloads, and review firewall and proxy logs for connections to these providers.
  • Search for evidence of Rclone usage in system and network logs, focusing on connections to unknown or unauthorized cloud storage buckets.
  • Investigate the presence of digital certificates reused across Fakeset, Stagecomp, and Darkcomp malware, including those issued to “Amy Cherne” and “Donald Gay”.
  • Review endpoint and server logs for unauthorized execution of Python or JavaScript scripts, especially in sensitive or high-value environments.
  • Enhance phishing defenses by deploying phishing-resistant multi-factor authentication (MFA), conducting regular user awareness training, and simulating spear-phishing attacks targeting privileged users.
  • Enforce network segmentation and least-privilege access controls to limit lateral movement opportunities.
  • Ensure all internet-facing assets are fully patched, with particular attention to vulnerabilities previously exploited by Iranian APTs, such as CVE-2017-7921, CVE-2023-6895, CVE-2021-36260, CVE-2025-34067, and CVE-2021-33044.
  • Integrate threat intelligence feeds and YARA rules for Dindoor, Fakeset, and related malware into security monitoring platforms.
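The first three hunts above (Deno executions outside development hosts, Rclone runs pointed at cloud storage remotes, and connections to Backblaze or Wasabi from scripting or transfer tools) can be expressed as a small hunting script over endpoint telemetry. The following is an added example written for this advisory; it is not Rescana's tooling or anything recovered from the campaign. It assumes a simplified JSON-lines event schema (`process` events with `image` and `cmdline`, `network` events with `process` and `dest_host`), a naming convention in which developer hosts start with `dev-`, and an approved backup server `bkp-srv-01`; the sample events are constructed, and the provider domains are listed only as the providers this report names.

```python
"""Hunt for the Dindoor / MuddyWater tradecraft described above in endpoint telemetry.

Added example, not Rescana's or any vendor's tooling. It assumes a simplified
JSON-lines event schema (one 'process' or 'network' event per line); the sample
events in SAMPLE_LOG are constructed for illustration.
"""
import json
import re

# Cloud storage providers the report names for delivery, C2 and exfiltration.
CLOUD_STORAGE_DOMAINS = ("backblazeb2.com", "backblaze.com", "wasabisys.com")

# Assumption: hostnames prefixed "dev-" are developer machines where Deno is expected.
DEV_HOST = re.compile(r"^dev-", re.IGNORECASE)

# Assumption: the backup server is the only host approved to run Rclone.
ALLOWED_RCLONE_HOSTS = {"bkp-srv-01"}

# Interpreters and transfer tools that should not normally talk to cloud storage directly.
SCRIPT_AND_TRANSFER_TOOLS = {"deno.exe", "deno", "python.exe", "python3", "rclone.exe", "rclone"}

# An rclone remote looks like "name:path". Requiring two or more characters keeps
# drive letters ("C:\") out, and the lookahead keeps URL schemes ("https://") out.
RCLONE_REMOTE = re.compile(r"(?<![\w\\/:.-])([A-Za-z][\w-]+):(?!//)")

# Constructed sample telemetry: one event per line, one deliberately malformed line.
SAMPLE_LOG = r"""
{"ts": "2026-02-03T09:12:04Z", "type": "process", "host": "fin-ws-117", "user": "acme\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\deno\\deno.exe", "cmdline": "deno.exe run --allow-all C:\\Users\\jdoe\\AppData\\Roaming\\svc\\update.js"}
{"ts": "2026-02-03T09:15:30Z", "type": "process", "host": "dev-build-02", "user": "acme\\ci", "image": "C:\\tools\\deno\\deno.exe", "cmdline": "deno.exe test --allow-read src\\main_test.ts"}
{"ts": "2026-02-03T09:41:52Z", "type": "process", "host": "fin-ws-117", "user": "acme\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe", "cmdline": "rclone.exe copy C:\\Finance\\Exports wasabi:q1-archive/exports --transfers 8"}
{"ts": "2026-02-03T09:42:01Z", "type": "network", "host": "fin-ws-117", "process": "C:\\Users\\jdoe\\AppData\\Local\\deno\\deno.exe", "dest_host": "s3.us-west-1.wasabisys.com", "dest_port": 443}
{"ts": "2026-02-03T09:43:10Z", "type": "network", "host": "fin-ws-117", "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "www.example.com", "dest_port": 443}
this line is not JSON and is skipped by the parser
{"ts": "2026-02-03T22:00:00Z", "type": "process", "host": "bkp-srv-01", "user": "acme\\svc-backup", "image": "C:\\Program Files\\rclone\\rclone.exe", "cmdline": "rclone.exe sync D:\\Backups b2:corp-backups"}
"""


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_cloud_storage_host(hostname):
    """True if hostname is one of the listed providers or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def rclone_remotes(cmdline):
    """Extract rclone remote names, e.g. 'wasabi' from 'wasabi:bucket/path'."""
    return RCLONE_REMOTE.findall(cmdline)


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def hunt(events):
    """Apply the three hunts and return findings in log order."""
    findings = []
    for ev in events:
        host = ev.get("host", "")
        if ev.get("type") == "process":
            image = basename(ev.get("image", ""))
            cmdline = ev.get("cmdline", "")
            if image in ("deno.exe", "deno") and not DEV_HOST.match(host):
                findings.append({"rule": "deno-exec-outside-dev", "host": host, "detail": cmdline})
            elif image in ("rclone.exe", "rclone") and host not in ALLOWED_RCLONE_HOSTS:
                remotes = rclone_remotes(cmdline)
                if remotes:
                    findings.append({"rule": "rclone-cloud-remote", "host": host,
                                     "detail": "remotes=%s cmd=%s" % (",".join(remotes), cmdline)})
        elif ev.get("type") == "network":
            proc = basename(ev.get("process", ""))
            dest = ev.get("dest_host", "")
            if proc in SCRIPT_AND_TRANSFER_TOOLS and is_cloud_storage_host(dest):
                findings.append({"rule": "cloud-storage-from-script-tool", "host": host,
                                 "detail": "%s -> %s:%s" % (proc, dest, ev.get("dest_port"))})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        print("[%s] %s: %s" % (f["rule"], f["host"], f["detail"]))
```

On the constructed log the script flags only the three events on `fin-ws-117` (the Deno launch of a script from `AppData\Roaming`, the Rclone copy to a `wasabi:` remote, and the Deno process connecting to `wasabisys.com`) while the developer build host and the approved backup server stay quiet. In production the allowlists would come from asset inventory, and the three findings on one host within half an hour are the pattern worth correlating rather than any single rule.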

About Rescana

Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber risks across their extended supply chain. Our platform leverages real-time threat intelligence, automated risk scoring, and continuous monitoring to provide actionable insights and enhance organizational resilience. For further information or to discuss how Rescana can support your cybersecurity strategy, we are happy to answer questions at ops@rescana.com.
