Iran's Dindoor Backdoor Exploited on US Firms
2026-03-06 15:15 | CRITICAL | HIGH
Executive Summary (AI-generated)
* Use a secure runtime like Deno to prevent exploitation of the Dindoor backdoor.
* Implement a cloud storage policy that includes regular backups and monitoring for suspicious activity, such as Wasabi cloud storage bucket exfiltration attempts.
* Regularly update software and systems with the latest security patches and updates to reduce the attack surface against known vulnerabilities.
* Use multi-factor authentication (MFA) whenever possible to prevent unauthorized access to sensitive data or networks.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: MuddyWater, Carbon
Target & Sectors: NORTH_AMERICA; aerospace, defense
Incident Timeline
approximately 2018
Threat actors used MuddyWater to target US firms with a new 'Dindoor' backdoor.
Entities: target_region: Iran, Islamic Republic of; source_region: United States; source_region: United Kingdom; attribution: the Iranian Ministry of Intelligence and Security; attribution: FBI; attribution: National Cyber Security Centre; threat_actor: MuddyWater
Source context: The FBI, US Cybersecurity and Infrastructure Security Agency (CISA), and UK National Cyber Security Centre (NCSC) say MuddyWater is part of the Iranian Ministry of Intelligence and Security (MOIS), and has been carrying out cyber campaigns on behalf of the Iranian intel agency since approximately 2018.
May 2025
Threat actors used a new 'Dindoor' backdoor to target US firms with compromised servers containing live CCTV streams from Jerusalem.
Entities: target_region: Iran, Islamic Republic of; threat_actor: MuddyWater; organisation: CCTV
Source context: "In May 2025, MuddyWater compromised a server containing live CCTV streams from Jerusalem, allowing the crew to surveil the city for potential targets, and on June 23, Iran bombed the city."
February 28
Threat actors used Check Point's software to target internet-connected surveillance cameras in Israel and other Middle Eastern countries.
Entities: target_region: Israel; organisation: Check Point
Source context: On Wednesday, Check Point security researchers said they tracked "hundreds" of exploitation attempts targeting internet-connected surveillance cameras across Israel and other Middle Eastern countries since the war started on February 28.
March 5
Threat actors used a previously unknown backdoor to gain access into US firms' networks.
2026-03-06
MuddyWater, a hacking group associated with Iran's Ministry of Intelligence and Security (MOIS), used the Donald Gay certificate to sign malware linked to its operation.
Entities: threat_actor: MuddyWater; organisation: New 'Dindoor' Backdoor, Rclone, Fakeset, Gorman, Reused Certificates Tie New Backdoors, Dindoor, IP, The Register, Seedworm, Google, Microsoft, Kaspersky, Threat Hunter Team, the Threat Hunter Team, TypeScript
Source context:
Iran's MuddyWater Hackers Hit US Firms with New 'Dindoor' Backdoor.
Several US companies have been targeted by Iranian hacking group MuddyWater in a new campaign that started in early February and has continued after the US and Israeli military strikes on Iran.
The campaign was detected by the Threat Hunter Team at Broadcom's Symantec and Carbon Black.
Symantec and Carbon Black's threat hunting team told The Register that they uncovered the network activity, plus a previously unknown backdoor, after a third party shared indicators of compromise linked to MuddyWater (aka Seedworm, Static Kitten).
Reused Certificates Tie New Backdoors to Iran-Linked MuddyWater
The Dindoor backdoor was found by the threat researchers on the networks of the Israeli outpost of the software company, the US bank and the Canadian non-profit organization.
Dindoor uses Deno, the secure runtime for JavaScript and TypeScript, to execute.
Signed with a certificate issued to "Amy Cherne," this backdoor leverages Deno, the secure runtime for JavaScript and TypeScript, to execute.
It was signed by certificates issued to "Amy Cherne" and "Donald Gay," and the latter has previously been used to sign Stagecomp and Darkcomp malware, both linked to MuddyWater.
The Donald Gay certificate has been used previously to sign malware linked to MuddyWater, a hacking group active since 2017 and associated with the Iranian Ministry of Intelligence and Security (MOIS), also known as Seedworm, Temp Zagros and Static Kitten.
The Stagecomp and the Darkcomp malware have been linked to MuddyWater by security vendors, including Google, Microsoft and Kaspersky.
This malware wasn't seen on the targeted networks, but the use of the same certificates suggests MuddyWater was involved, said the Threat Hunter Team.
The reuse of these certificates indicates MuddyWater was behind the US network activity, the analysts said.
A separate Python-based backdoor called Fakeset was found on the airport and a US nonprofit's networks.
A different Python backdoor called Fakeset was found on the networks of the US airport.
The researchers also observed an attempt to exfiltrate data from the software company using Rclone, a command-line program to manage files on cloud storage, to a Wasabi cloud storage bucket.
"There was also an attempt to exfiltrate data from the software company using Rclone to a Wasabi cloud storage bucket," the security sleuths wrote.
Symantec and Carbon Black's Threat Hunter Team doesn't know how the intruders gained initial access to the victims' networks.
This particular crew typically uses phishing emails or vulnerabilities in public-facing applications as its initial infection vector, Gorman told us.
Already having a presence on US and Israeli networks prior to the current hostilities beginning places the threat group in a potentially dangerous position to launch attacks.
When asked about the intent of these intrusions, and if MuddyWater appeared to be searching for defense intel and other sensitive IP to steal, or prepositioning for future cyberattacks, Gorman said, "it's difficult to say for sure."
"Iranian cyber operations span a range of motives," she added.
June 23
Threat actors used a new 'Dindoor' backdoor to target US firms with compromised servers containing live CCTV streams from Jerusalem.
Entities: target_region: Iran, Islamic Republic of; threat_actor: MuddyWater; organisation: CCTV
Source context: "In May 2025, MuddyWater compromised a server containing live CCTV streams from Jerusalem, allowing the crew to surveil the city for potential targets, and on June 23, Iran bombed the city."
Intelligence Sources
* The Register - Cybercrime, 2026-03-05: Iran intelligence backdoored US bank, airport, software outfit networks
* Infosecurity-Magazine, 2026-03-06: Iran's MuddyWater Hackers Hit US Firms with New 'Dindoor' Backdoor
Incident Version History: current version, last updated 2026-04-27T07:47
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 17x organisation (Identified Entity): Rclone
* 6x timeline (Temporal Reference): approximately 2018
* 5x attribution (Attributing Entity): the Iranian Ministry of Intelligence and Security
* 4x target region (Target Country): Iran, Islamic Republic of
* 4x source region (Origin Country): United States
* 3x tactic (Cyber Operation Type): Phishing
* 2x industry (Targeted Sector): Defense
* 2x tactic (MITRE ATT&CK Technique): T1059.006 - Python
Contextual Telemetry (2 metrics)
* threat actor (APT Group): MuddyWater
* malware (Malware Payload): Carbon