{
	"id": "eb6a388d-cd7d-4ff5-bb63-21783f6a44b2",
	"created_at": "2026-04-29T02:20:43.166839Z",
	"updated_at": "2026-04-29T08:21:56.78038Z",
	"deleted_at": null,
	"sha1_hash": "ed67f53dd3e7e8cd890929f2c8faeb25118318a2",
	"title": "Iranian APT MuddyWater Uses Dindoor Malware to Target U.S. Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50954,
	"plain_text": "Iranian APT MuddyWater Uses Dindoor Malware to Target U.S. Networks\r\nBy Ameer Owda\r\nPublished: 2026-03-09 · Archived: 2026-04-29 02:05:19 UTC\r\nA recently uncovered cyber espionage campaign attributed to the Iranian state-linked threat group MuddyWater has drawn attention from security researchers after several organizations in the United States were compromised using newly observed malware. The attacks reportedly targeted sectors including aviation, financial services, and software development, highlighting how geopolitical tensions can extend into cyberspace.\r\nResearchers discovered that the attackers deployed a previously undocumented backdoor known as Dindoor, along with additional malware tools, to maintain access within victim networks. The campaign appears to have started in early 2026 and involved organizations such as a U.S. airport, a bank, a non-profit organization, and a software supplier connected to the defense and aerospace industry.\r\nThe activity is attributed to MuddyWater (also tracked as Seedworm), a threat actor believed to operate under Iran’s Ministry of Intelligence and Security.\r\nWho Is the MuddyWater Threat Group?\r\nMuddyWater is a state-aligned Advanced Persistent Threat (APT) group that has been active for several years and is widely associated with Iranian intelligence operations. Security agencies, including the FBI, CISA, and the UK’s National Cyber Security Centre, have linked the group to the Iranian Ministry of Intelligence and Security.\r\nSOCRadar Threat Actor Intelligence profile showing MuddyWater’s activity\r\nThe group primarily conducts cyber espionage campaigns aimed at government entities, telecommunications providers, financial organizations, and critical infrastructure. Its operations typically involve long-term access to victim environments rather than quick disruption attacks.\r\nhttps://socradar.io/blog/iran-muddywater-dindoor-malware-us-networks/\r\nPage 1 of 4\r\nMuddyWater has previously used spear-phishing, malicious documents, and custom backdoors to gain footholds inside targeted networks.\r\nWhat Is the Dindoor Malware?\r\nOne of the key discoveries in the recent campaign is Dindoor, a previously unknown backdoor used to execute commands on compromised systems.\r\nDindoor is notable because it uses the Deno runtime environment, which allows JavaScript or TypeScript code to run outside a web browser. This design enables attackers to execute commands and maintain control over infected machines while blending into legitimate software processes.\r\nBecause the malware had not been publicly documented before, traditional signature-based security tools may struggle to detect it immediately.\r\nResearchers also identified another backdoor called Fakeset, which is written in Python and used for similar remote access purposes.\r\nWhich Organizations Were Targeted?\r\nThe campaign affected several organizations across different sectors, including:\r\nA U.S. airport\r\nA U.S. bank\r\nA Canadian non-profit organization\r\nA software company connected to the defense and aerospace industries\r\nSecurity researchers believe the Israeli operations of the software company may have been a primary target.\r\nThe targeting pattern suggests a focus on sectors with strategic or geopolitical importance, particularly organizations that handle sensitive operational or financial information.\r\nHow Did the Attackers Operate Inside the Networks?\r\nInvestigators found evidence that the attackers had already gained access to several networks before the campaign was publicly identified. In some cases, the threat actors had maintained access for weeks before the discovery of the malware.\r\nOnce inside the environment, the attackers deployed backdoors to establish persistent access and potentially collect sensitive data. Researchers also observed an attempt to exfiltrate data from one victim organization using Rclone, an open-source file synchronization tool, to transfer files to a cloud storage bucket hosted by Wasabi.\r\nThis type of tool abuse is common in advanced cyber espionage campaigns because legitimate utilities can help attackers avoid detection.\r\nWhy Is This Campaign Significant?\r\nOne important aspect of this campaign is its timing. Researchers noted that MuddyWater had already gained access to some networks before tensions in the region increased. Having this type of access allows attackers to gather intelligence or prepare for future operations.\r\nBecause MuddyWater is linked to Iranian state interests and some of the targets are connected to aviation, finance, and defense-related sectors, the activity may also be connected to the wider cyber activity surrounding the ongoing tensions between the U.S., Israel, and Iran.\r\nFor more context on how cyber operations have appeared alongside this conflict, see SOCRadar’s analysis: https://socradar.io/blog/cyber-reflections-us-israel-iran-war/\r\nWhat Indicators of Compromise Are Associated With the Campaign?\r\nSecurity researchers and threat intelligence analysts have also shared indicators of compromise (IoCs) linked to the MuddyWater activity. These indicators can support threat hunting and help organizations identify potential communication with attacker infrastructure.\r\nThe following domains have been observed in connection with the campaign:\r\ngitempire.s3.us-east-005.backblazeb2[.]com\r\nelvenforest.s3.us-east-005.backblazeb2[.]com\r\nuppdatefile[.]com\r\nserialmenot[.]com\r\nmoonzonet[.]com\r\nSecurity teams should investigate environments for connections to these domains and monitor for unusual outbound traffic to cloud storage services, especially when combined with tools such as Rclone or unexpected Deno runtime processes on enterprise systems.\r\nWhat Should Security Teams Watch For?\r\nSecurity teams can reduce risk by focusing on behaviors associated with the campaign rather than relying solely on malware signatures.\r\nKey defensive measures include:\r\nMonitoring unusual use of tools like Rclone for potential data exfiltration\r\nInvestigating unexpected execution of Deno runtime processes\r\nReviewing certificate usage associated with suspicious binaries\r\nStrengthening monitoring for persistence mechanisms and backdoor activity\r\nHunting for indicators of compromise associated with MuddyWater campaigns\r\nThreat actors associated with nation-state operations often maintain access for long periods before taking action. Early detection of unusual behavior can significantly reduce potential damage.\r\nTracking the Cyber Dimension of the Iran–Israel Conflict\r\nCyber activity linked to the Iran–Israel conflict continues to evolve alongside geopolitical developments. Campaigns involving groups like MuddyWater highlight how cyber operations can appear as part of broader regional tensions.\r\nTo help security teams monitor these developments, SOCRadar provides a live Iran–Israel Cyber Conflict Dashboard, which tracks cyber incidents, threat actor activity, and attack claims related to the conflict. The dashboard brings together intelligence on APT operations, hacktivist campaigns, DDoS attacks, data leaks, and regional targeting patterns in one place.\r\nSOCRadar Iran–Israel Cyber Conflict Dashboard mapping cyber operations, threat actors, and regional targets linked to the conflict\r\nBy combining verified intelligence with real-time updates, the dashboard helps analysts and organizations better understand how cyber operations are evolving during the conflict.\r\nSource: https://socradar.io/blog/iran-muddywater-dindoor-malware-us-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socradar.io/blog/iran-muddywater-dindoor-malware-us-networks/"
	],
	"report_names": [
		"iran-muddywater-dindoor-malware-us-networks"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-29T06:58:57.745497Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450",
				"MuddyKrill"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"MuddyViper",
				"STARWHALE",
				"LP-Notes",
				"POWERSTATS",
				"Rclone",
				"Out1",
				"Tsundere Botnet",
				"PowerSploit",
				"Small Sieve",
				"Fooder",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-29T06:58:56.310338Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK51",
				"Boggy Serpens",
				"Earth Vetala",
				"Static Kitten",
				"COBALT ULSTER",
				"Mango Sandstorm",
				"TA450",
				"TEMP.Zagros",
				"Seedworm",
				"G0069"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-29T06:58:58.009074Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-29T06:58:57.501827Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1777429243,
	"ts_updated_at": 1777450916,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed67f53dd3e7e8cd890929f2c8faeb25118318a2.pdf",
		"text": "https://archive.orkl.eu/ed67f53dd3e7e8cd890929f2c8faeb25118318a2.txt",
		"img": "https://archive.orkl.eu/ed67f53dd3e7e8cd890929f2c8faeb25118318a2.jpg"
	}
}