GBHackers

Iranian Hackers Use Compromised Cameras for Regional Surveillance

Iranian cyber actors are expanding operations targeting US organizations while also exploiting internet-connected cameras across the Middle East for intelligence collection and battlefield awareness.

Recent incidents tied to APT group MuddyWater, camera‑focused infrastructure, and hacktivist collective Handala point to an ecosystem that is operational but constrained, prioritizing persistence, visibility, and selective disruption over large‑scale, coordinated cyber campaigns.

Since early February 2026, Iranian APT MuddyWater (aka Seedworm/Static Kitten) has maintained access to multiple organizations in the United States and Canada, including a US bank, a US airport, non‑profits, and a software supplier serving defense and aerospace customers.

Reporting from Symantec and Carbon Black highlights a previously undocumented backdoor dubbed Dindoor, which uses the Deno JavaScript and TypeScript runtime to execute commands and maintain persistence within victim environments.

A separate Python‑based backdoor, Fakeset, was identified on networks at the airport and a non‑profit, further expanding the group’s toolset and reinforcing attribution through reused signing certificates tied to earlier MuddyWater activity.

Investigators also observed attempted data theft via the Rclone synchronization utility to a Wasabi cloud storage bucket, indicating that intelligence collection rather than immediate disruption remains the primary objective of this campaign.

Cameras as regional ISR sensors

In parallel, researchers observed Iran‑linked infrastructure ramping up exploitation attempts against internet‑connected Hikvision and Dahua cameras across Israel and Gulf states starting on February 28, 2026, coinciding with an escalation in regional hostilities.

The activity focused on known flaws, including Hikvision vulnerabilities CVE‑2017‑7921, CVE‑2021‑36260, CVE‑2023‑6895, CVE‑2025‑34067, and Dahua authentication bypass CVE‑2021‑33044, all of which have patches available but remain exposed in many deployments.

Compromised cameras in countries such as Israel, Qatar, Bahrain, Kuwait, the UAE, Lebanon, and Cyprus can provide real‑time views of sensitive sites, enabling intelligence, surveillance, and reconnaissance (ISR), monitoring of emergency response, and rapid battle damage assessment after missile or drone strikes.

Similar tactics were documented during earlier Iran–Israel flare‑ups, reinforcing the view that Tehran treats commercial IP cameras as an inexpensive extension of traditional reconnaissance capabilities.

On the disruptive side of the spectrum, Iranian‑aligned hacktivist group Handala has claimed responsibility for a major cyberattack against global medical technology company Stryker, a Fortune 500 manufacturer of surgical and neurotechnology equipment.

Sources cited by KrebsOnSecurity and other outlets indicate attackers abused Microsoft Intune device management to issue large‑scale remote wipes, rather than deploying a classic wiper binary, allegedly impacting hundreds of thousands of devices and forcing facilities to fall back to manual processes.

In manifestos and statements, Handala also claimed theft of roughly 50 TB of corporate data, pairing destructive activity with data‑driven pressure in line with past Iran‑linked hacktivist campaigns targeting Israeli‑associated organizations.

Multiple cybersecurity firms have previously tied Handala to Iran’s Ministry of Intelligence and Security (MOIS), positioning the group as a flexible proxy for deniable, politically calibrated disruption.

A cyber ecosystem under strain

Recent reporting and threat intelligence analysis suggest that Iran’s cyber apparatus remains capable but has absorbed significant disruption to infrastructure and command structures due to military strikes and sanctions pressure.

As outlined in recent PolySwarm‑referenced assessments of Iranian hybrid warfare, Tehran is increasingly relying on pre‑positioned access in Western networks, commodity infrastructure, and proxy actors such as the Handala hacker group to sustain pressure while centralized coordination appears degraded.

The result is a cyber ecosystem that is “surviving but not thriving”: MuddyWater quietly holds access inside banking, aviation, and defense‑adjacent environments; Iran‑linked operators turn exposed cameras into ISR nodes; and hacktivist proxies execute opportunistic but high‑impact disruptive operations.

For defenders, this mix of espionage footholds, surveillance‑driven targeting, and proxy‑delivered disruption underscores the need to treat Iranian activity as a persistent, adaptive threat even as its overall cohesion and tempo remain below their potential peak.
