The Iranian advanced persistent threat group known as Seedworm — also tracked as MuddyWater, Temp Zagros, and Static Kitten — has been found actively operating inside the networks of multiple U.S. organizations since early February 2026, raising serious alarms across the cybersecurity community.
The group’s intensified activity follows the coordinated U.S. and Israeli military strikes on Iran on February 28, 2026, which led to the death of Iran’s Supreme Leader and dramatically escalated regional tensions.
Iran’s response has not been limited to conventional military retaliation; its cyber operatives appear to have used the rising conflict as a direct trigger to accelerate intrusions against American and allied targets.
Seedworm has been active since at least 2017 and is formally classified by CISA as a subordinate element of Iran’s Ministry of Intelligence and Security (MOIS).
Over the years, the group has shifted its targeting focus from the Middle East to include telecommunications companies, defense contractors, local governments, and oil and natural gas organizations across Asia, Africa, Europe, and North America.
The group develops its own custom malware while also leveraging legitimate dual-use tools, allowing it to blend quietly into normal network environments.
Symantec researchers identified intrusion activity on the networks of a U.S. bank, a U.S. airport, a software company with defense and aerospace industry ties, and non-governmental organizations in both the U.S. and Canada.
The software company’s Israeli operations appeared to be the primary focus of that intrusion, with Seedworm apparently using its access to the company’s wider global network as a route into the Israeli branch.
Notably, these breaches were already underway before the military conflict formally began, suggesting the group had been quietly positioning itself inside high-value networks well in advance of the escalation.
The UK’s National Cyber Security Centre issued a formal alert warning that Iranian state-aligned actors “almost certainly currently maintain at least some capability to conduct cyber activity,” even with the ongoing disruption to internet infrastructure inside Iran itself.
This underlines a key reality: Seedworm and other affiliated actors operate out of multiple countries, meaning domestic disruption inside Iran does not halt their overall operations.
The hacktivist group Handala, which operates in alignment with Iran’s geopolitical interests, has reportedly been leveraging the Starlink satellite network to maintain connectivity since mid-January 2026, well before Iran’s government announced a nationwide internet shutdown.
Beyond Seedworm, other Iran-linked actors have intensified their activity. The pro-Palestinian hacktivist group DieNet emerged in early 2025 and has since claimed responsibility for DDoS attacks targeting U.S. critical infrastructure across energy, financial, healthcare, and transportation sectors, using TCP SYN floods, DNS amplification, and NTP amplification techniques. This combination of state-sponsored espionage and hacktivist disruption creates a layered threat environment that no single defensive measure can fully contain.
Backdoor Deployment and Stealth Persistence
Seedworm’s most recent toolkit includes two newly identified backdoors: Dindoor and Fakeset.
Dindoor is a previously unknown backdoor built to execute through Deno, a JavaScript and TypeScript runtime, giving it an unconventional footprint that signature-based security tools may not immediately flag.
It was found on networks belonging to the software company’s Israeli branch, a U.S. bank, and a Canadian non-profit, signed with a certificate issued to “Amy Cherne.”
Fakeset, a Python-based backdoor, was deployed on the airport and non-profit networks, signed using certificates in the names of “Amy Cherne” and “Donald Gay.”
The “Donald Gay” certificate had been previously used to sign other Seedworm-linked malware, directly connecting this new activity to an established threat infrastructure chain.
The Stagecomp downloader, also signed with the “Donald Gay” certificate, was used to deliver the Darkcomp backdoor — formally linked to Seedworm by Google, Microsoft, and Kaspersky.
During the software company intrusion, attackers also attempted to exfiltrate data using Rclone, a legitimate file-transfer utility repurposed to move files to a Wasabi cloud storage bucket, though whether the attempt succeeded remains unclear.
Organizations should enforce multi-factor authentication across all remote access entry points, monitor closely for abnormal outbound data transfers (including legitimate utilities such as Rclone syncing to external cloud buckets), deploy web application firewalls with updated rule sets, restrict access to external cloud storage services that the business does not use, and maintain offline immutable backups to ensure rapid recovery following any potential destructive attack.
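The indicators described in the backdoor section (Deno launched from a user-writable path, binaries signed in the names "Amy Cherne" or "Donald Gay", and Rclone pointed at Wasabi storage) can be turned into a simple triage pass over endpoint process telemetry, which is one concrete way to act on the "monitor for abnormal outbound data transfers" recommendation above. The following Python is an added example written for this article; it is not code from Symantec, the affected organizations, or any vendor. The normalized record layout (image path, command line, signer common name), the host names, the sample events, and the user-writable-path heuristic are all constructed assumptions, and a match is a lead for investigation, not proof of compromise.

```python
"""Triage helper for the Seedworm tradecraft described in this article.

Added example, not code from the article or from Symantec. It scans a list
of normalized process-creation records (constructed here; the shape is an
assumption about what an EDR or Sysmon pipeline would surface) and flags
three things the article reports: binaries signed as "Amy Cherne" or
"Donald Gay", Deno launched from a user-writable path (Dindoor), and
Rclone transfers aimed at Wasabi storage (the attempted exfiltration).
"""
import re
from pathlib import PureWindowsPath

# Signer common names reported in the article. Indicators, not proof.
SUSPICIOUS_SIGNERS = {"amy cherne", "donald gay"}

# Assumption: a managed workstation does not normally run Deno from these
# user-writable locations; a developer install lives under Program Files.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Wasabi's S3 endpoint domain, plus any rclone remote or flag naming Wasabi.
WASABI_RE = re.compile(r"wasabisys\.com|wasabi", re.IGNORECASE)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def check_signer(rec):
    signer = (rec.get("signer") or "").strip().lower()
    if signer in SUSPICIOUS_SIGNERS:
        return ("suspicious_signer", f"binary signed by '{rec['signer']}'")
    return None


def check_deno(rec):
    if basename(rec["image"]) not in ("deno", "deno.exe"):
        return None
    if any(hint in rec["image"].lower() for hint in USER_WRITABLE_HINTS):
        return ("deno_from_user_path", f"deno launched from {rec['image']}")
    return None


def check_rclone(rec):
    cmd = rec.get("cmdline", "")
    if basename(rec["image"]) not in ("rclone", "rclone.exe") and "rclone" not in cmd.lower():
        return None
    if WASABI_RE.search(cmd):
        return ("rclone_to_wasabi", "rclone transfer targeting Wasabi storage")
    # Rclone is dual-use; surface it at lower priority so the destination gets reviewed.
    return ("rclone_usage", "rclone executed (dual-use; review destination)")


CHECKS = (check_signer, check_deno, check_rclone)


def triage(records):
    """Run every check over every record; return one finding per rule hit."""
    findings = []
    for rec in records:
        for check in CHECKS:
            hit = check(rec)
            if hit:
                findings.append({"host": rec.get("host"), "rule": hit[0], "detail": hit[1]})
    return findings


# Constructed sample telemetry (hosts, paths and command lines are invented).
SAMPLE_RECORDS = [
    {"host": "ws-fin-07", "image": r"C:\Users\jdoe\AppData\Local\Temp\deno.exe",
     "cmdline": r"deno.exe run -A --no-prompt C:\Users\jdoe\AppData\Local\Temp\upd.ts",
     "signer": "Amy Cherne"},
    {"host": "dev-build-02", "image": r"C:\Program Files\deno\deno.exe",
     "cmdline": "deno.exe run --allow-net build.ts", "signer": ""},
    {"host": "srv-files-01", "image": r"C:\ProgramData\rc\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Exports :s3:rcv-1 --s3-provider Wasabi --s3-endpoint s3.wasabisys.com",
     "signer": ""},
    {"host": "ws-ops-12", "image": r"C:\ProgramData\svc\svc.exe",
     "cmdline": "svc.exe --run", "signer": "Donald Gay"},
    {"host": "it-admin-03", "image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe sync \\nas\backups onedrive:backups", "signer": ""},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['host']:<14} {f['rule']:<22} {f['detail']}")
```

On the constructed sample the first host yields two findings (suspicious signer and Deno from a temp directory), the developer build box yields none, the file server trips the Wasabi rule, the `svc.exe` host trips only the signer rule, and the admin workstation's Rclone sync to OneDrive is reported at the lower "review" priority. In production, feed the signer field from your EDR's Authenticode data rather than trusting the file name, and treat the signer names as a starting point that will age as the actor rotates certificates.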