Iran intelligence backdoored US bank, airport, software outfit networks
An Iranian cyber crew believed to be part of the Iranian Ministry of Intelligence and Security (MOIS) has been embedded in multiple US companies' networks - including a bank, software firm, and airport, among others - since the beginning of February, with more activity in the days following the US and Israeli military strikes, according to security researchers.
Symantec and Carbon Black's threat hunting team told The Register that they uncovered the network activity, plus a previously unknown backdoor, after a third party shared indicators of compromise linked to MuddyWater (aka Seedworm, Static Kitten).
The FBI, US Cybersecurity and Infrastructure Security Agency (CISA), and UK National Cyber Security Centre (NCSC) say MuddyWater is part of the Iranian Ministry of Intelligence and Security (MOIS), and has been carrying out cyber campaigns on behalf of the Iranian intel agency since approximately 2018.
One of those indicators "led to this cluster of attacks and allowed us to discover additional malware," Brigid O Gorman, senior intelligence analyst with the Symantec and Carbon Black Threat Hunter Team, told The Register.
In addition to the bank, airport, and software firm, the affected organizations include non-governmental organizations in both the US and Canada, the security researchers said in a Thursday intelligence report. Plus, the compromised software company supplies its tech to defense and aerospace industries among others, and has a presence in Israel.
According to the researchers, the Israeli operation appears to be the primary target, and a new backdoor they named Dindoor was found on the Israeli location’s networks, plus those belonging to the US bank and a Canadian nonprofit.
"There was also an attempt to exfiltrate data from the software company using Rclone to a Wasabi cloud storage bucket," the security sleuths wrote. "It's not clear if this was successful."
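The Rclone-to-Wasabi detail is the part of this report a defender can turn into a hunt. The following is an added Python example, not code from the researchers or The Register: it scores constructed process-creation events for rclone transfer commands whose destination is Wasabi, catching a renamed binary through rclone's own argument grammar. The event field names, sample paths and bucket names are assumptions.

```python
import re

# Constructed sample process-creation events, not real telemetry
SAMPLE_EVENTS = [
    {"host": "ws-eng-07", "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Projects\designs wb:bucket-7731 --s3-endpoint s3.wasabisys.com"},
    {"host": "srv-build-02", "image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": r"rclone.exe sync D:\artifacts corp-nas:builds --transfers 4"},
    {"host": "ws-fin-03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "ws-eng-11", "image": r"C:\ProgramData\svchost.exe",
     "cmdline": r"svchost.exe copy \\fs01\contracts out:bkp --config C:\ProgramData\rc.conf --s3-provider Wasabi"},
]

# rclone transfer subcommand followed by a source and a "remote:path" destination
RCLONE_XFER = re.compile(r"\b(copy|sync|move|copyto|moveto)\s+\S+\s+(\S+):", re.I)
# Wasabi's S3-compatible endpoint hostname or the provider flag value
WASABI = re.compile(r"wasabisys\.com|--s3-provider[ =]wasabi", re.I)
# Paths a legitimately deployed admin tool normally does not run from
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|ProgramData|Public)\\", re.I)

def analyze(event):
    """Return an alert dict for rclone-like activity in one event, or None."""
    image, cmd = event["image"], event["cmdline"]
    reasons = []
    xfer = RCLONE_XFER.search(cmd)
    if image.lower().endswith("rclone.exe"):
        reasons.append("rclone binary")
    elif xfer and re.search(r"--(s3-|config\b)", cmd):
        # A renamed binary still betrays itself through rclone-specific flags
        reasons.append("rclone argument pattern under non-rclone image name")
    else:
        return None
    level = "info"
    if WASABI.search(cmd):
        reasons.append("destination is Wasabi cloud storage"); level = "high"
    if USER_WRITABLE.search(image):
        reasons.append("runs from user-writable path"); level = "high"
    return {"host": event["host"], "level": level,
            "remote": xfer.group(2) if xfer else None, "reasons": reasons}

def scan(events):
    """Run analyze() over a batch of events and keep only the hits."""
    return [a for a in (analyze(e) for e in events) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The "info" alert for the build server shows why the remote name matters: rclone to an internal NAS from its install path is routine, while the same tool under a Temp path pushing to a Wasabi endpoint is what this report describes.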
Dindoor uses Deno, the secure runtime for JavaScript and TypeScript, to execute. The backdoor was signed with a certificate issued to "Amy Cherne."
A separate Python-based backdoor called Fakeset was found on the airport and a US nonprofit's networks. It was signed by certificates issued to "Amy Cherne" and "Donald Gay," and the latter has previously been used to sign Stagecomp and Darkcomp malware, both linked to MuddyWater.
The reuse of these certificates indicates MuddyWater was behind the US network activity, the analysts said.
Symantec and Carbon Black's Threat Hunter Team doesn't know how the intruders gained initial access to the victims' networks. This particular crew typically uses phishing emails or vulnerabilities in public-facing applications as its initial infection vector, Gorman told us.
When asked about the intent of these intrusions, and if MuddyWater appeared to be searching for defense intel and other sensitive IP to steal, or prepositioning for future cyberattacks, Gorman said, "it's difficult to say for sure."
"Iranian cyber operations span a range of motives," she added. "In some cases there's intelligence gathering involved. In others, it's disruption."
In May 2025, MuddyWater compromised a server containing live CCTV streams from Jerusalem, allowing the crew to surveil the city for potential targets, and on June 23, Iran bombed the city. On the same day, Israeli authorities reported that Iranian forces were exploiting compromised security cameras to collect real-time intelligence and adjust missile targeting.
While the data exfiltration attempts in this latest campaign point to intelligence gathering, "even if the motive wasn't disruption originally, it's possible that groups such as Seedworm could pivot in response to the war and launch disruptive attacks on organizations they've already compromised," Gorman said.
"Already having a presence on US and Israeli networks prior to the current hostilities beginning places the threat group in a potentially dangerous position to launch attacks," she added.
On Wednesday, Check Point security researchers said they tracked "hundreds" of exploitation attempts targeting internet-connected surveillance cameras across Israel and other Middle Eastern countries since the war started on February 28.
Other analysts have noted an increase in spying expeditions, digital probes, and distributed denial of service (DDoS) attacks in the past week - but no disruptive cyberattacks as of yet.