An Iranian cyber group, associated with the Ministry of Intelligence and Security (MOIS), has reportedly compromised several US organizations, including a bank, a software company, and an airport. This infiltration has been ongoing since early February 2026, coinciding with increased military tensions in the region.
Discovery of the Backdoor
Security researchers from Symantec and Carbon Black identified this activity after receiving indicators of compromise related to the MuddyWater group, also known as Seedworm or Static Kitten. The FBI, US Cybersecurity and Infrastructure Security Agency (CISA), and the UK National Cyber Security Centre (NCSC) have confirmed the group’s affiliation with Iranian intelligence operations since around 2018.
Targeted Organizations and Malware
The affected entities include not only the bank and airport but also non-governmental organizations in the US and Canada. Notably, the compromised software firm provides technology to the defense and aerospace sectors and has operations in Israel. The primary target appears to be Israeli networks, where a new backdoor called Dindoor was discovered, alongside attempts to exfiltrate data using Rclone to a Wasabi cloud storage bucket. The success of this data exfiltration attempt remains unconfirmed.
Technical Details of the Intrusion
The Dindoor backdoor utilizes Deno, a secure runtime for JavaScript and TypeScript, and was signed with a certificate linked to an individual named Amy Cherne. Additionally, another backdoor, Fakeset, was found on the airport and a US nonprofit’s networks, signed by certificates associated with both Cherne and Donald Gay, who has previously signed other malware linked to MuddyWater.
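As an added illustration (not code from the article or from the researchers it cites), the script below triages process-creation events for the two hunting leads the reporting gives a defender: Rclone transfers to a remote, rated higher when a Wasabi endpoint is visible on the command line, and executables whose code-signing subject matches the reported signer names. The event format, the sample lines, and the Wasabi endpoint domain wasabisys.com are assumptions; a production rule would pin certificate thumbprints rather than match on names.

```python
"""Triage constructed process-creation events for the TTPs described above:
Rclone exfiltration toward Wasabi and binaries signed under the reported
signer names. Example code added to the article, not vendor or researcher code."""
import re
from dataclasses import dataclass

# Signer names quoted in the article. Name matching is a hunting heuristic;
# a real detection should pin the certificate thumbprints instead.
WATCHLIST_SIGNERS = ("amy cherne", "donald gay")

# Assumption: Wasabi's S3 API lives under wasabisys.com; also catch remotes
# an operator simply named "wasabi".
WASABI_MARKERS = ("wasabisys.com", "wasabi")

# rclone sub-commands that move data out; listing commands are ignored.
RCLONE_XFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}

# rclone remote syntax is name:path; require 2+ chars so C:\ drive letters
# are not mistaken for remotes.
REMOTE_TOKEN = re.compile(r"^(?P<name>[\w.-]{2,}):")

# Constructed sample events in a simple key=value;key=value layout.
SAMPLE_EVENTS = [
    r"Id=1;Image=C:\Tools\rclone.exe;CommandLine=rclone.exe copy C:\Finance\exports wasabi:exfil-bucket --s3-endpoint s3.wasabisys.com;Signer=(unsigned)",
    r"Id=2;Image=C:\Users\alice\AppData\Local\Temp\update.exe;CommandLine=update.exe --silent;Signer=Amy Cherne",
    r"Id=3;Image=C:\Program Files\rclone\rclone.exe;CommandLine=rclone.exe lsd backup:;Signer=(unsigned)",
    r"Id=4;Image=C:\Windows\System32\notepad.exe;CommandLine=notepad.exe C:\notes.txt;Signer=Microsoft Windows",
    r"Id=5;Image=/usr/bin/rclone;CommandLine=rclone sync /srv/share backup:nightly;Signer=(unsigned)",
    r"Id=6;Image=C:\ProgramData\svc\svchelper.exe;CommandLine=svchelper.exe;Signer=Donald Gay",
]


@dataclass
class Finding:
    event_id: int
    rule: str
    severity: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one 'key=value;key=value' line (command lines with ';' would need a real parser)."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def check_rclone(ev: dict):
    """Flag rclone data-transfer commands whose destination is a configured remote."""
    image = ev.get("image", "").lower()
    basename = image.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    if basename not in ("rclone", "rclone.exe"):
        return None
    cmd = ev.get("commandline", "")
    tokens = cmd.split()
    if not (RCLONE_XFER_VERBS & {t.lower() for t in tokens}):
        return None
    remotes = [m.group("name") for t in tokens if (m := REMOTE_TOKEN.match(t))]
    if not remotes:
        return None
    # Wasabi visible on the command line is the strongest signal; a transfer to
    # a remote whose config is not visible is still worth a look.
    wasabi = any(marker in cmd.lower() for marker in WASABI_MARKERS)
    severity = "high" if wasabi else "medium"
    return Finding(int(ev["id"]), "rclone_transfer", severity,
                   f"rclone transfer to remote(s) {remotes}; wasabi={wasabi}")


def check_signer(ev: dict):
    """Flag executables whose signing subject matches a watch-listed name."""
    signer = ev.get("signer", "").lower()
    for name in WATCHLIST_SIGNERS:
        if name in signer:
            return Finding(int(ev["id"]), "watchlist_signer", "high",
                           f"signed by watch-listed subject '{ev['signer']}'")
    return None


def triage(lines) -> list:
    """Run every check over every event and collect the findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for check in (check_rclone, check_signer):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] event {f.event_id}: {f.rule}: {f.detail}")
```

Running the block prints four findings: the two watch-listed signers, the Rclone copy to a Wasabi remote as high, and the Rclone sync to an unidentified remote as medium, while the listing command and the benign process produce nothing.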
Uncertain Motives and Future Risks
While the exact method of initial access to these networks is unclear, the MuddyWater group typically employs phishing emails or exploits vulnerabilities in public-facing applications. Analysts have noted that the intent behind these intrusions could range from intelligence gathering to potential disruption. Given the current geopolitical climate, there is a heightened risk that previously compromised networks could be leveraged for more aggressive cyber operations in the future.
As the situation develops, the implications of these intrusions underscore the ongoing challenges faced by organizations in safeguarding their networks against sophisticated cyber threats.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.