Iran’s MuddyWater Implants Custom Backdoor in US Bank, Airport, and Software Company Networks
An Iranian cyber-espionage group linked to the Ministry of Intelligence and Security has been embedded in American critical infrastructure since early February — with a previously unknown backdoor that security researchers are calling “Dindoor.”
The Discovery
Symantec and Carbon Black’s Threat Hunter Team has uncovered a deeply concerning campaign: MuddyWater — also tracked as Seedworm and Static Kitten — has compromised networks belonging to a US bank, a US airport, a software company serving the defense and aerospace industries, and multiple non-governmental organizations in the United States and Canada.
The intrusions began in early February 2026, with activity intensifying in the days following US and Israeli military strikes against Iran. The timing is not coincidental.
“Already having a presence on US and Israeli networks prior to the current hostilities beginning places the threat group in a potentially dangerous position to launch attacks,” said Brigid O’Gorman, senior intelligence analyst with the Symantec and Carbon Black Threat Hunter Team.
Dindoor: A New Custom Backdoor
At the center of this campaign is Dindoor, a previously unknown backdoor that uses Deno — the secure runtime for JavaScript and TypeScript — to execute its payload. This is a notable technical choice: Deno is a legitimate development tool, making the backdoor harder to detect through conventional security scanning.
Dindoor was found on networks belonging to:
- The Israeli location of the compromised software company (believed to be the primary target)
- A US bank
- A Canadian nonprofit organization
The backdoor was digitally signed with a certificate issued to “Amy Cherne,” lending it an appearance of legitimacy that could bypass cursory security checks.
A Second Backdoor: Fakeset
Researchers also discovered Fakeset, a Python-based backdoor deployed on separate networks:
- A US airport
- A US nonprofit organization
Fakeset was signed with certificates issued to both “Amy Cherne” and “Donald Gay.” The latter certificate has previously been used to sign Stagecomp and Darkcomp malware — both definitively linked to MuddyWater operations. This certificate reuse provided the forensic thread that tied all the intrusions together.
The Intelligence Connection
The FBI, CISA, and the UK’s National Cyber Security Centre have officially attributed MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS). The group has been conducting cyber campaigns on behalf of Iran’s intelligence apparatus since approximately 2018.
The current campaign’s targets reveal a strategic pattern:
| Target | Location | Significance |
|---|---|---|
| Software company | Israel & US | Serves defense/aerospace industries |
| Bank | United States | Financial infrastructure |
| Airport | United States | Transportation critical infrastructure |
| NGOs | US & Canada | Intelligence gathering on civil society |
Data Exfiltration Attempts
The attackers attempted to exfiltrate data from the compromised software company using Rclone — a legitimate command-line program for managing cloud storage — to transfer files to a Wasabi cloud storage bucket. Whether this exfiltration was successful remains unclear.
This technique of “living off the land” — using legitimate tools for malicious purposes — is a hallmark of sophisticated state-sponsored operations. Rclone is commonly used by IT administrators, making its presence on a network unremarkable to most monitoring systems.
From Espionage to Potential Disruption
The most alarming aspect of this campaign is its dual-use potential. While the initial indicators point toward intelligence gathering, O’Gorman warned that the calculus could change rapidly.
“Iranian cyber operations span a range of motives,” she explained. “In some cases there’s intelligence gathering involved. In others, it’s disruption.”
This isn’t hypothetical. In May 2025, MuddyWater compromised a server containing live CCTV streams from Jerusalem, enabling real-time surveillance of the city. On June 23, Iran bombed Jerusalem, and Israeli authorities reported that Iranian forces had exploited compromised security cameras to collect intelligence and adjust missile targeting in real-time.
The progression from digital surveillance to kinetic military action demonstrates that cyber intrusions by state actors are not merely espionage — they can be precursors to physical attacks.
The Broader Threat Landscape
This discovery comes amid a surge in Iranian cyber activity:
- Check Point researchers reported “hundreds” of exploitation attempts targeting internet-connected surveillance cameras across Israel and the Middle East since hostilities began on February 28
- Multiple security firms have noted increased spying expeditions, digital probes, and DDoS attacks in the past week
- No destructive cyberattacks have been confirmed yet — but the infrastructure for such attacks is already in place
What Organizations Should Do
The Symantec and Carbon Black Threat Hunter Team was unable to determine MuddyWater’s initial access vector in this campaign, but the group historically relies on:
- Phishing emails with malicious attachments or links
- Exploitation of vulnerabilities in public-facing applications
Organizations — particularly those in financial services, transportation, defense supply chains, and civil society — should:
- Audit for Deno runtime processes in unexpected locations
- Review certificates signed by “Amy Cherne” or “Donald Gay”
- Monitor for Rclone or similar data transfer tools connecting to external cloud storage
- Check for indicators of compromise shared by Symantec and Carbon Black
- Enhance phishing defenses and patch public-facing applications immediately
- Implement network segmentation to limit lateral movement
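The first three items above are concrete enough to turn into a hunt. The following script is an added example, not part of the Symantec and Carbon Black research or this article: it sweeps a handful of constructed process-creation events for the indicators named on this page (a Deno binary running outside the directories a developer install would use, an executable whose signing certificate subject is “Amy Cherne” or “Donald Gay”, and an Rclone transfer whose destination is a configured cloud remote rather than a local path). The event format, the list of “expected” Deno locations, and every sample path and remote name are assumptions chosen for illustration.

```python
"""Hunt over process-creation events for the three MuddyWater indicators
named in the article. All events below are constructed samples, not telemetry
from any real incident; the expected Deno install paths are an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Certificate subject names reported on the page (compared case-insensitively).
SUSPECT_SIGNERS = {"amy cherne", "donald gay"}

# Directories a developer-installed Deno normally lives in (assumption, not an
# authoritative list); paths are normalised to lowercase forward slashes first.
EXPECTED_DENO_DIRS = re.compile(
    r"^(c:/users/[^/]+/\.deno/bin/|c:/program files/deno/"
    r"|/usr/local/bin/|/home/[^/]+/\.deno/bin/)"
)

# rclone transfer verbs followed by a source and a destination argument.
RCLONE_XFER = re.compile(
    r"\brclone(?:\.exe)?\b.*?\b(copy|copyto|sync|move|moveto)\b\s+(\S+)\s+(\S+)",
    re.IGNORECASE,
)
# rclone addresses configured remotes as "name:path"; the negative lookahead
# keeps a Windows drive letter such as "D:\Backup" from being mistaken for one.
REMOTE_SPEC = re.compile(r"^(?![A-Za-z]:[\\/])[A-Za-z0-9_-]+:")


@dataclass
class ProcessEvent:
    event_id: int
    image: str         # full path of the launched executable
    command_line: str
    signer: str        # subject name from the Authenticode signature, "" if unsigned


def is_unexpected_deno(ev: ProcessEvent) -> bool:
    """True when the image is a Deno binary outside the expected install dirs."""
    image = ev.image.replace("\\", "/").lower()
    if not (image.endswith("/deno") or image.endswith("/deno.exe")):
        return False
    return EXPECTED_DENO_DIRS.match(image) is None


def has_suspect_signer(ev: ProcessEvent) -> bool:
    """True when the signing certificate subject matches one named on the page."""
    return ev.signer.strip().lower() in SUSPECT_SIGNERS


def rclone_external_transfer(ev: ProcessEvent) -> Optional[str]:
    """Return the destination remote name for an rclone transfer to a cloud
    remote, or None when the command is not rclone or copies to a local path."""
    m = RCLONE_XFER.search(ev.command_line)
    if not m:
        return None
    _verb, _src, dst = m.groups()
    if REMOTE_SPEC.match(dst) is None:
        return None
    return dst.split(":", 1)[0]


def sweep(events: List[ProcessEvent]) -> List[Tuple[int, str, str]]:
    """Run all three checks and return (event_id, rule, detail) findings."""
    findings: List[Tuple[int, str, str]] = []
    for ev in events:
        if is_unexpected_deno(ev):
            findings.append((ev.event_id, "deno-unexpected-path", ev.image))
        if has_suspect_signer(ev):
            findings.append((ev.event_id, "suspect-signer", ev.signer))
        remote = rclone_external_transfer(ev)
        if remote is not None:
            findings.append((ev.event_id, "rclone-external-transfer", remote))
    return findings


# Constructed sample events: one benign Deno, one Deno in an odd location signed
# by a suspect subject, one rclone push to a cloud remote, one local rclone copy.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Users\jdoe\.deno\bin\deno.exe", "deno run dev.ts", ""),
    ProcessEvent(2, r"C:\ProgramData\svc\deno.exe",
                 r"deno run -A C:\ProgramData\svc\task.js", "Amy Cherne"),
    ProcessEvent(3, r"C:\Tools\rclone\rclone.exe",
                 r"rclone.exe copy C:\Share\exports cloud01:share-exports --transfers 8", ""),
    ProcessEvent(4, r"C:\Tools\rclone\rclone.exe",
                 r"rclone.exe copy C:\Share D:\Backup", ""),
]

if __name__ == "__main__":
    for event_id, rule, detail in sweep(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule} ({detail})")
```

On real telemetry the three checks would be fed from an EDR or Sysmon process-creation stream and the signer field from the image’s certificate chain; the point of separating the rules is that a Deno binary in an odd path and a matching certificate subject on the same event reinforce each other, whereas an Rclone copy to a local drive is routine and should not page anyone.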
The Bottom Line
MuddyWater’s presence inside US critical infrastructure — including a bank and an airport — represents exactly the scenario that cybersecurity officials have warned about for years: state-sponsored actors pre-positioning themselves inside networks during peacetime, ready to pivot from intelligence gathering to disruption when geopolitical tensions escalate.
The question is no longer whether Iran has the capability to disrupt American infrastructure. It’s whether they’ll choose to use the access they already have.
This article is based on research published by Symantec and Carbon Black’s Threat Hunter Team on March 5, 2026, and reporting by The Register.