Cybersecurity researchers have recently uncovered a new cyber campaign linked to the Iranian hacking group known as MuddyWater. The group is believed to have connections with Iran’s Ministry of Intelligence and Security. In this campaign, attackers managed to infiltrate several organizations and quietly place malicious tools inside their systems. Researchers say the hackers used a newly identified backdoor called “Dindoor” to maintain hidden access inside the networks.

MuddyWater is a well-known cyber-espionage group that has been active for several years. The group has previously targeted government agencies, infrastructure systems, and private companies in different countries. Over time, cybersecurity companies have tracked this group under different names. Some of the names linked to the group include Seedworm, Static Kitten, TEMP.Zagros, and Mango Sandstorm.
The recent campaign was discovered by researchers from Broadcom’s Symantec and Carbon Black Threat Hunter Team. During their investigation, they found that the attackers had already gained access to several networks. These networks belonged to organizations in the United States, Canada, and Israel. The malicious activity is believed to have started around February 2026.
Among the targeted organizations were a U.S. bank, a U.S. airport, and a software company connected to the defense and aerospace sector. Researchers also found that several nonprofit organizations in the United States and Canada were affected. This shows that the attackers were targeting different sectors at the same time. Such wide targeting is often seen in cyber-espionage campaigns.
One of the most important discoveries in this investigation was the malware called Dindoor. This malware works as a backdoor, allowing attackers to secretly access infected systems. The malware uses the Deno JavaScript runtime environment to run commands on compromised machines. With this access, attackers can control systems remotely and move further inside the network.
Researchers discovered the Dindoor malware in the networks of a U.S. bank and a Canadian nonprofit organization. It was also found in the Israeli branch of the targeted software company. The presence of this backdoor suggests that the attackers were trying to maintain long-term access. This technique allows hackers to stay inside networks without being noticed for long periods.
Another malware tool used in the campaign was a Python-based backdoor known as Fakeset. This malware was discovered inside the networks of a U.S. airport and a U.S. nonprofit organization. Investigators found that the malware was downloaded from servers hosted by the cloud storage service Backblaze. Using cloud platforms can help attackers hide their activities and avoid detection.
Researchers also noticed that attackers attempted to transfer data from the targeted software company. They used a tool called Rclone to move files to a cloud storage bucket hosted on Wasabi. However, investigators are still not sure whether the data transfer was successful. Experts believe such campaigns are often linked to geopolitical tensions and intelligence gathering activities.
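For defenders, the tradecraft above (a Deno runtime launching scripts from a user-writable path, a Python script run from Temp/AppData, and Rclone or other non-browser processes talking to commodity cloud storage) translates into a few simple hunting rules. The following is an added example written for this article, not code from the Symantec report or from the malware; the event schema and the sample events are constructed, and the provider domains (wasabisys.com, backblazeb2.com) are assumed vendor endpoints, not indicators taken from the campaign.

```python
import re

# Constructed sample process/network events (hypothetical EDR-style schema).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": "C:\\Users\\alice\\AppData\\Local\\deno\\deno.exe",
     "cmdline": "deno.exe run -A C:\\Users\\alice\\AppData\\Roaming\\update.js", "dest": ""},
    {"host": "srv-02", "image": "C:\\Tools\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Finance remote:bucket", "dest": "s3.wasabisys.com"},
    {"host": "ws-03", "image": "C:\\Python39\\python.exe",
     "cmdline": "python.exe C:\\Users\\bob\\AppData\\Local\\Temp\\set.py", "dest": "f001.backblazeb2.com"},
    {"host": "ws-04", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "cmdline": "chrome.exe", "dest": "www.example.com"},
]

# Paths an ordinary user can write to; scripts launched from here deserve a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads)\\", re.IGNORECASE)
# Assumed endpoints of the two cloud storage providers named in the article.
CLOUD_STORAGE = re.compile(r"(?:^|\.)(wasabisys\.com|backblazeb2\.com)$", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def classify(event):
    """Return the names of the hunting rules that match a single event."""
    hits = []
    exe = event.get("image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("cmdline", "")
    dest = event.get("dest", "")
    # Deno is rare on business endpoints; Deno running a script from a
    # user-writable location is the Dindoor-style pattern to review.
    if exe == "deno.exe" and USER_WRITABLE.search(cmd):
        hits.append("deno_script_from_user_path")
    # Python interpreter executing a script dropped in Temp/AppData.
    if exe.startswith("python") and USER_WRITABLE.search(cmd):
        hits.append("python_script_from_user_path")
    # rclone is a legitimate admin tool; rclone pushing data to an external
    # consumer bucket is the exfiltration pattern described above.
    if exe == "rclone.exe" and CLOUD_STORAGE.search(dest):
        hits.append("rclone_to_cloud_storage")
    # Any non-browser process reaching those providers is worth a ticket.
    if CLOUD_STORAGE.search(dest) and exe not in BROWSERS:
        hits.append("non_browser_cloud_storage_egress")
    return hits

def triage(events):
    """Flatten all events into (host, rule) pairs for review."""
    return [(e["host"], rule) for e in events for rule in classify(e)]

if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Tune the path and domain patterns to your own environment; in a network where Rclone backups to Wasabi are sanctioned, the rclone rule should be scoped to unapproved hosts or buckets.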
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news