Iran-linked threat actors are escalating cyber operations against U.S. and allied networks, with Seedworm recently deploying new backdoors against critical infrastructure and high-value organizations amid the current regional conflict.
Activity associated with the Iranian APT group Seedworm (aka MuddyWater, TEMP.Zagros, Static Kitten) has been observed on the networks of multiple U.S. organizations since early February 2026, continuing through the latest U.S.-Israeli strikes on Iran.
Targets include a U.S. bank, a U.S. airport, North American non-profits, and the Israeli operations of a U.S. software supplier to the defense and aerospace sectors.
Having this foothold in both U.S. and Israeli environments during a period of active hostilities places Seedworm in a potentially dangerous position to pivot to disruptive or destructive attacks if tasked.
Researchers identified a previously unknown backdoor dubbed Dindoor on systems belonging to the software company’s Israeli branch, as well as on a U.S. bank and a Canadian non-profit.
Dindoor is built on the Deno runtime for JavaScript and TypeScript rather than on more commonly monitored scripting frameworks, and samples were signed with a certificate issued to “Amy Cherne,” indicating an attempt to abuse or impersonate trusted code-signing infrastructure. A valid signature on an unfamiliar binary should therefore not be read as evidence of legitimacy; the signer name itself is the indicator here.
In at least one intrusion, the attackers attempted data exfiltration using Rclone to a Wasabi cloud storage bucket, though it remains unclear whether this transfer succeeded.
Seedworm infrastructure
On the networks of the U.S. airport and a non-profit, investigators uncovered a separate Python-based backdoor named Fakeset, which was signed by certificates attributed to “Amy Cherne” and “Donald Gay.”
The “Donald Gay” certificate has previously been associated with Seedworm-linked malware, strengthening analytic confidence that the same operator is behind this latest activity.
Fakeset was retrieved from Backblaze cloud storage infrastructure hosted at domains including gitempire.s3.us-east-005.backblazeb2.com and elvenforest.s3.us-east-005.backblazeb2.com, reflecting a broader Iranian trend of abusing legitimate cloud platforms for staging and command-and-control.
The “Donald Gay” certificate has also been used to sign Stagecomp, a loader that pulls down the Darkcomp backdoor, a toolset previously tied to Seedworm by multiple major vendors.
While Stagecomp and Darkcomp have not been directly observed on the compromised networks in this campaign, certificate reuse and overlapping tooling form a strong forensic bridge between historic Seedworm operations and current intrusions.
Seedworm, which CISA has described as operating under Iran’s Ministry of Intelligence and Security (MOIS), has historically focused on espionage against telecommunications, government, and energy entities across several regions, developing custom malware while also relying on dual-use and living-off-the-land tools.
The campaign unfolds against the backdrop of coordinated U.S. and Israeli airstrikes on Iran beginning on February 28, 2026, which killed Supreme Leader Ayatollah Ali Khamenei and other senior officials and triggered retaliatory missile and drone attacks across the Gulf region.
A U.S. intelligence assessment reviewed in early March warned that Iran and its proxies are likely to respond with cyber operations, emphasizing website defacements, DDoS, and other opportunistic activity by state-aligned “hacktivists” rather than large-scale kinetic attacks on U.S. soil.
Both Iran and Israel have a documented history of using destructive cyberattacks for signaling and coercion, meaning organizations in the U.S., Israel and partner countries could face spillover even if they are not directly tied to military targets.
Handala, an Iran-aligned group supporting Palestine, has claimed breaches of Israeli officials, healthcare entities and regional energy firms, and recent reporting indicates it has used Starlink satellite internet since mid-January 2026 to maintain operations during nationwide internet disruptions in Iran.
DieNet, a pro-Palestinian hacktivist collective that emerged in 2025, has claimed DDoS attacks against U.S. critical infrastructure sectors including energy, financial services, healthcare and transit, typically using DDoS-as-a-service platforms and classic volumetric techniques such as TCP SYN floods and amplification attacks.
What defenders should watch for now
Given Seedworm’s current access and Iran’s broader playbook, defenders should anticipate both noisy and low-and-slow activity aimed at U.S. and allied critical infrastructure.
In parallel, more capable state-aligned actors are expected to continue credential-harvesting, vulnerability exploitation, and persistence operations against critical infrastructure operators and their supply chains to position for espionage or future destructive attacks.
High-visibility campaigns are likely to include DDoS, defacements and leak claims targeting government portals, airports and ports, logistics providers, banks, telecoms and media, designed to send political messages and generate psychological pressure.
Strengthening monitoring of internet-facing assets for DDoS patterns, web exploitation attempts and password-spraying is the first step. Enforcing multi-factor authentication, hardening identity systems and maintaining offline, immutable backups limit what an actor can do with the access it gains, and together these measures are crucial in mitigating the risk from this evolving Iranian-linked threat activity.
Security teams should pay particular attention to indicators such as unusual use of tools like Rclone, anomalous data transfers to cloud storage providers, unexpected use of runtimes like Deno, and code-signed binaries associated with previously abused certificates.
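The indicators above (Rclone pushing data to a cloud remote, lookups of the Backblaze staging hosts, Deno executions, and binaries signed by the “Amy Cherne” or “Donald Gay” certificates) translate directly into hunt logic. The following Python is an added example written for this article, not code from Symantec, the researchers, or the malware itself. It assumes a simplified JSON-lines telemetry shape (process events with image, cmdline and signer; DNS events with query), which is a constructed stand-in for a real EDR or DNS log schema, and the sample events are constructed. The signer names and Backblaze hostnames come from the article; the wasabisys.com suffix is Wasabi's service domain and is added here as an assumption about what an exfiltration destination would resolve to.

```python
"""Hunt for the Seedworm tradecraft described in the article across process and DNS telemetry.

Added example; not the researchers' or the attackers' code. Telemetry format is a
constructed JSON-lines shape (assumption), not a real EDR schema.
"""
import json
import re

# Indicators taken from the article.
SUSPICIOUS_SIGNERS = {"amy cherne", "donald gay"}
STAGING_DOMAINS = {
    "gitempire.s3.us-east-005.backblazeb2.com",
    "elvenforest.s3.us-east-005.backblazeb2.com",
}
# Cloud storage services tied to staging (Backblaze) and exfiltration (Wasabi).
# wasabisys.com is Wasabi's service domain; assumed here, not named in the article.
CLOUD_STORAGE_SUFFIXES = (".backblazeb2.com", ".wasabisys.com")
EXFIL_TOOLS = {"rclone", "rclone.exe"}
RUNTIMES = {"deno", "deno.exe"}

# rclone <subcommand> <source> <dest>: a dest like "wasabi:bucket/path" names a
# configured remote, while "E:\Backup" is a local drive and far less interesting.
RCLONE_XFER = re.compile(r"\b(copy|copyto|sync|move)\b\s+(\S+)\s+(\S+)", re.I)
LOCAL_DRIVE = re.compile(r"^[a-z]:[\\/]", re.I)


def basename(path):
    """Lower-cased final path component, tolerant of Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event):
    """Return a list of (severity, description) findings for one telemetry event."""
    findings = []
    if event.get("type") == "process":
        image = basename(event.get("image", ""))
        cmdline = event.get("cmdline", "")
        signer = event.get("signer", "").strip().lower()
        if signer in SUSPICIOUS_SIGNERS:
            findings.append(("high", f"binary signed by known-abused certificate '{event['signer']}'"))
        if image in EXFIL_TOOLS:
            m = RCLONE_XFER.search(cmdline)
            dest = m.group(3) if m else ""
            if ":" in dest and not LOCAL_DRIVE.match(dest):
                findings.append(("high", f"rclone {m.group(1).lower()} to remote '{dest}'"))
            else:
                findings.append(("medium", "rclone execution"))
        if image in RUNTIMES:
            findings.append(("medium", f"Deno runtime executed: {cmdline}"))
    elif event.get("type") == "dns":
        q = event.get("query", "").lower().rstrip(".")
        if q in STAGING_DOMAINS:
            findings.append(("high", f"lookup of known staging host {q}"))
        elif q.endswith(CLOUD_STORAGE_SUFFIXES):
            findings.append(("low", f"lookup of cloud storage host {q}"))
    return findings


def hunt(jsonl):
    """Run classify() over JSON-lines telemetry; return (host, severity, description) tuples."""
    results = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for sev, desc in classify(ev):
            results.append((ev.get("host", "?"), sev, desc))
    return results


# Constructed sample telemetry: one benign service, one exfil attempt, one signed
# Deno payload, one legitimate local rclone backup, one staging lookup, one benign DNS.
SAMPLE_TELEMETRY = r"""
{"type":"process","host":"fs01","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs","signer":"Microsoft Windows"}
{"type":"process","host":"ws17","image":"C:\\Users\\Public\\rclone.exe","cmdline":"rclone.exe copy D:\\Finance wasabi:qtr-reports --transfers 8","signer":""}
{"type":"process","host":"ws17","image":"C:\\ProgramData\\update\\deno.exe","cmdline":"deno.exe run -A main.ts","signer":"Amy Cherne"}
{"type":"process","host":"ws22","image":"C:\\Program Files\\rclone\\rclone.exe","cmdline":"rclone.exe sync D:\\Finance E:\\Backup","signer":""}
{"type":"dns","host":"ws22","query":"gitempire.s3.us-east-005.backblazeb2.com"}
{"type":"dns","host":"ws22","query":"www.example.com"}
"""

if __name__ == "__main__":
    for host, sev, desc in hunt(SAMPLE_TELEMETRY):
        print(f"{sev:6} {host:5} {desc}")
```

The rclone check deliberately distinguishes a copy to a named remote from a local-to-local sync so that legitimate backup jobs do not drown the exfiltration signal; the signer check fires on the certificate name alone, because in this campaign the certificates were valid and the name is the only thing that sets the binaries apart.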