The Iranian advanced persistent threat (APT) group MuddyWater (aka Seedworm) has been active on the networks of multiple U.S. companies since early February 2026, with activity increasing following the Feb. 28 U.S.-Israeli attack on Iran.

In a March 5 blog post, researchers from Broadcom's Symantec and Carbon Black said MuddyWater's targets included a U.S. bank, an airport, a non-profit, and the Israeli operation of a U.S. software company that works as a supplier to the defense and aerospace industry.

The researchers explained that a previously unknown backdoor named Dindoor was found on the Israeli operation of the software company, as well as at the U.S. bank and the Canadian non-profit. Dindoor executes via Deno, the secure runtime for JavaScript and TypeScript.

Symantec and Carbon Black researchers believe that Iran launched the cyber operations in retaliation for the joint U.S.-Israeli attack and to avenge the death of Iran's Supreme Leader Ayatollah Ali Khamenei, who was killed on March 1.
Kevin E. Greene, chief cybersecurity technologist, public sector at BeyondTrust, said several intelligence reports from industry pointed to the potential for escalated Iranian cyber activity dating back to August 2025. Given the nature of Iranian cyber operations and activities, Greene said it's assumed there's already some pre-positioning within important U.S. targets.

"Organizations should hunt for signals associated with pre-positioning and persistent access," said Greene. "The goal is to hunt where adversaries silently lurk and disrupt their operations before activation occurs. We must reshape adversary behavior by preventing them from converting their initial access into any meaningful control within the environment. Privilege is the fuel that drives their pre-positioning and long-term access. We must cut off that fuel to elevate our cyber defenses."

Denis Calderone, principal and chief technology officer at Suzu Labs, added that last week his team warned the industry that Iran's cyber operators were pre-positioning, and that defenders in financial services and defense needed to start hunting.

"Well, here's the confirmation," said Calderone. "MuddyWater was already sitting on the networks of a U.S. bank, an airport, and a defense-aerospace software supplier weeks before the first airstrike. The cyber war didn't start when the bombs dropped. It was well underway in February."

Calderone noted that what really caught his team's attention here was the Dindoor backdoor: a custom malware nobody has seen before, which means signature-based detection isn't going to help defenders.

MuddyWater runs as an arm of Iran's Ministry of Intelligence, and Calderone said the fact that they had brand new tooling deployed and operational before the kinetic conflict even started says a lot about their level of preparation.
They were also using Rclone to exfiltrate data to cloud storage and signing their backdoors with stolen certificates, so everything looks legitimate until the teams dig deeper, said Calderone.

"If you're in financial services, defense, aerospace, or transportation, this is your confirmation that you're in scope," said Calderone. "Hunt for anomalous access, watch for unexpected cloud storage connections, and audit your certificates. The pre-positioning phase is over. We're in the execution phase now."
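A hunt of the kind described above, written as an added example (not code from the article, Symantec, Carbon Black or Suzu Labs): it scans process-creation events for Rclone transfers to a cloud remote and for Deno scripts run with broad permissions from user-writable paths or URLs. The pipe-separated event format and the sample events are constructed assumptions for this example.

```python
import re
import shlex
from typing import Iterable, Optional

# Constructed sample process-creation events (not taken from the article).
# Field layout, pipe-separated: host|user|image_path|command_line
SAMPLE_EVENTS = [
    "fs01|svc_backup|C:\\Tools\\rclone.exe|rclone.exe copy D:\\Finance gdrive:q1 --transfers 8",
    "ws17|jdoe|C:\\Users\\jdoe\\AppData\\Local\\deno.exe|deno.exe run -A C:\\Users\\jdoe\\AppData\\Roaming\\upd.ts",
    "ws02|asmith|C:\\Program Files\\Git\\bin\\git.exe|git.exe pull origin main",
    "dev05|builder|C:\\deno\\deno.exe|deno.exe test src",
]

RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# rclone addresses cloud storage as <remote>:<path>; a Windows drive is one letter plus ":\"
RCLONE_REMOTE = re.compile(r"^[A-Za-z0-9_-]{2,}:")
DENO_BROAD_PERMS = {"-A", "--allow-all", "--allow-net", "--allow-run"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


def _argv(cmd: str) -> list[str]:
    # posix=False keeps backslashes in Windows paths intact
    return shlex.split(cmd, posix=False)


def classify(event: str) -> Optional[str]:
    """Return a finding for one event, or None if it looks benign."""
    host, user, _image, cmd = event.split("|", 3)
    argv = _argv(cmd)
    exe = argv[0].lower() if argv else ""
    if exe.startswith("rclone"):
        verbs = {a.lower() for a in argv[1:]} & RCLONE_TRANSFER_VERBS
        remotes = [a for a in argv[1:] if RCLONE_REMOTE.match(a)]
        if verbs and remotes:
            return f"{host}: rclone {sorted(verbs)[0]} to cloud remote {remotes[0]} by {user}"
    elif exe.startswith("deno") and len(argv) > 1 and argv[1].lower() == "run":
        perms = set(argv[2:]) & DENO_BROAD_PERMS
        script = next((a for a in argv[2:] if not a.startswith("-")), "")
        if perms and (USER_WRITABLE.search(script) or script.startswith("http")):
            return f"{host}: deno run {' '.join(sorted(perms))} on {script} by {user}"
    return None


def hunt(events: Iterable[str]) -> list[str]:
    """Run classify() over every event and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Extend the remote and permission sets to match the tooling you expect in your own environment; the point is to baseline legitimate Rclone and Deno use so the exceptions stand out.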
Iranian APT group MuddyWater targets multiple US companies
