Iranian Hackers Exploit Compromised Cameras for Regional Surveillance

Iranian Cyber Operations on the Rise: Targeting the U.S. and Exploiting Connected Devices

Iranian cyber actors are reportedly amplifying their operations aimed at U.S. institutions while leveraging internet-connected cameras throughout the Middle East for intelligence gathering and battlefield awareness. This shift indicates a strategic focus on maintaining a persistent, albeit discreet, operational presence rather than conducting grand-scale coordinated cyber campaigns.

Recent investigations reveal that the APT group known as MuddyWater, alongside Iran-linked operators targeting camera infrastructure and the hacktivist collective Handala, are emphasizing endurance, visibility, and targeted disruption. These tactics are designed to position the actors for long-term operations with less chance of immediate detection.

As of early February 2026, reports indicate that the Iranian APT MuddyWater—also known by various aliases such as Seedworm and Static Kitten—has managed to infiltrate several organizations across the United States and Canada. Targets include a U.S. bank, an airport, non-profit organizations, and a software provider catering to defense and aerospace sectors. Researchers at Symantec and Carbon Black have documented a previously unreported backdoor named Dindoor, built on the Deno JavaScript and TypeScript runtime. This backdoor enables attackers to execute commands and maintain unauthorized access within the victim’s network.

Additionally, a separate Python-based backdoor dubbed Fakeset was detected within the systems of both the airport and a non-profit, further expanding the tools available to MuddyWater. Investigations have confirmed the reuse of signing certificates associated with their previous operations. Moreover, attempts were made to exfiltrate sensitive data via the Rclone synchronization utility directed toward a Wasabi cloud storage bucket. These actions suggest that the campaign prioritizes intelligence collection over immediate disruption, indicating a calculated approach to cyber espionage.

Cameras as Regional ISR Sensors

Parallel to the activities of MuddyWater, researchers noted a significant uptick in exploitation attempts targeting internet-connected Hikvision and Dahua cameras primarily in Israel and Gulf states, which began around February 28, 2026, amidst escalating regional tensions. The focus of these operations was on exploiting known vulnerabilities—including Hikvision’s CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, and CVE-2025-34067, as well as Dahua’s CVE-2021-33044 for authentication bypass. While patches exist for these vulnerabilities, many deployments remain exposed, thereby presenting significant security risks.
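Because the exploited camera flaws are all patched vulnerabilities in internet-reachable devices, the first defensive question is simply which cameras in an estate are reachable from outside and which vendor advisories apply to them. The following is an added example, not code from the article: it walks a constructed asset inventory, decides reachability from the organisation's own internal address ranges plus any edge port-forwards, and attaches the CVE identifiers the report names for that vendor. The article gives no affected-firmware ranges, so the output marks devices for patch-status verification rather than declaring them vulnerable; the device names, addresses and port-forward entries are made up.

```python
"""Triage sketch: which Hikvision/Dahua cameras in an inventory are reachable
from the internet, and which CVEs named in the report apply to their vendor.

Added example, not from the article. Inventory rows are constructed; the CVE
identifiers are the ones the article quotes. Affected firmware ranges are not
given there, so exposed devices are marked for verification, not as vulnerable.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

CVES_BY_VENDOR: Dict[str, List[str]] = {
    "hikvision": ["CVE-2017-7921", "CVE-2021-36260", "CVE-2023-6895", "CVE-2025-34067"],
    "dahua": ["CVE-2021-33044"],
}

# The organisation's own address space (assumption: plain RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Device:
    name: str
    vendor: str
    ip: str
    forwarded_ports: List[int] = field(default_factory=list)  # edge port-forwards to this host


@dataclass
class Exposure:
    device: str
    vendor: str
    reason: str
    cves_to_verify: List[str]


def outside_internal_ranges(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_internet_reachable(dev: Device) -> bool:
    """Externally addressed, or internal but published through a port-forward."""
    return outside_internal_ranges(dev.ip) or bool(dev.forwarded_ports)


def triage(inventory: List[Device]) -> List[Exposure]:
    out = []
    for dev in inventory:
        vendor = dev.vendor.lower()
        if vendor not in CVES_BY_VENDOR or not is_internet_reachable(dev):
            continue
        reason = ("external address" if outside_internal_ranges(dev.ip)
                  else f"port-forward {dev.forwarded_ports}")
        out.append(Exposure(dev.name, vendor, reason, list(CVES_BY_VENDOR[vendor])))
    # Devices with the most named CVEs float to the top of the work list.
    out.sort(key=lambda e: len(e.cves_to_verify), reverse=True)
    return out


# Constructed inventory (203.0.113.0/24 is documentation address space).
INVENTORY = [
    Device("lobby-cam-01", "Hikvision", "203.0.113.10"),
    Device("gate-cam-02", "Dahua", "192.168.10.22", forwarded_ports=[80]),
    Device("yard-cam-03", "Hikvision", "192.168.10.23"),
    Device("printer-01", "Brother", "203.0.113.11"),
]


if __name__ == "__main__":
    for e in triage(INVENTORY):
        print(f"{e.device} ({e.vendor}, {e.reason}): verify patch status for {', '.join(e.cves_to_verify)}")
```

Run against the constructed inventory, the externally addressed Hikvision unit lands first with four advisories to check, the port-forwarded Dahua unit second with one, and the purely internal camera and the non-camera device are left out. Swapping INVENTORY for an export from a real asset system is the only change needed to use it.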

Compromised cameras in nations such as Israel, Qatar, Bahrain, Kuwait, the UAE, Lebanon, and Cyprus could provide adversaries with real-time visibility of sensitive locations, offering crucial intelligence, surveillance, and reconnaissance (ISR) capabilities. This level of monitoring is vital for assessing emergency responses and evaluating damage in the wake of missile or drone assaults. This modus operandi aligns with previous tactics employed during heightened Iran-Israel conflicts, underscoring Tehran’s view of commercial IP cameras as a cost-effective extension of traditional reconnaissance methods.

On the disruption front, the hacktivist group Handala has taken credit for a substantial cyberattack against Stryker, a prominent global medical technology company known for its surgical and neurotechnology equipment. Reports from KrebsOnSecurity and other sources indicate that the attackers exploited Microsoft Intune device management capabilities to execute large-scale remote wipes, impacting hundreds of thousands of devices and compelling various facilities to revert to manual processes. Handala claimed to have stolen approximately 50 TB of corporate data, coupling this destructive activity with data-driven tactics reminiscent of previous Iran-linked hacktivist campaigns that focused on Israeli-associated institutions.

Cybersecurity firms have previously established connections between Handala and Iran’s Ministry of Intelligence and Security (MOIS), depicting the group as a flexible proxy for conducting deniable and strategically calibrated disruptions.

A Cyber Ecosystem Under Strain

Recent analyses and reports suggest that Iran’s cyber capabilities remain functional but have sustained noticeable disruption to their infrastructure and command structures, largely due to military actions and sanctions. As detailed in assessments of Iranian hybrid warfare, Tehran is increasingly relying on pre-established access routes in Western networks, commodity infrastructure, and proxy groups like Handala to sustain persistent pressure despite a decline in centralized coordination.

The outcome is a cyber ecosystem that is “surviving but not thriving.” MuddyWater maintains access within sectors such as banking, aviation, and defense; Iran-linked operators are turning exposed cameras into ISR resources; and hacktivist proxies are executing opportunistic yet impactful disruptive operations.

For cybersecurity defenders, this combination of espionage footholds, surveillance-driven targeting, and proxy-enabled disruptions underscores the need to treat Iranian cyber activity as a persistent and adaptive threat, even against a backdrop of diminished overall cohesion and reduced operational tempo. As global tensions continue to unfold, vigilance remains crucial in countering this multifaceted threat landscape.
