MuddyWater Deploys Dindoor Backdoor Against US Bank, Airport
Iranian APT group breaches US critical infrastructure using novel Dindoor malware built on Deno runtime. Symantec links campaign to MOIS.
Iranian state-sponsored hackers have compromised networks at a US bank, an airport, and a software company supplying the defense sector, deploying a previously unknown backdoor that abuses the Deno JavaScript runtime to evade detection. Symantec and Carbon Black researchers attribute the campaign to MuddyWater, an APT group linked to Iran's Ministry of Intelligence and Security.
TL;DR
- What happened: MuddyWater breached multiple US organizations using new Dindoor backdoor
- Who's affected: US banks, airports, defense contractors, non-profits in US and Canada
- Attribution: MOIS-affiliated Seedworm/MuddyWater APT
- Action required: Hunt for Deno runtime abuse; block Wasabi cloud exfiltration; review spear-phishing controls
The Dindoor Backdoor
Researchers discovered Dindoor on compromised networks belonging to a US-based software company with Israeli operations and ties to the defense and aerospace sectors. The malware was also found at a US bank and a Canadian non-profit organization.
What sets Dindoor apart is its execution environment. Rather than traditional compiled malware, it leverages Deno, a modern JavaScript and TypeScript runtime. This choice helps the backdoor blend with legitimate developer tooling and complicates signature-based detection.
Dindoor provides attackers with:
- Remote command execution
- File system access
- Persistent network presence
- Encrypted communications designed to merge with normal traffic
The use of Deno represents an evolution in Iranian threat actor tooling. MuddyWater has historically relied on PowerShell and Python for post-exploitation, but Dindoor suggests the group is experimenting with newer technologies to stay ahead of defenders.
Data Exfiltration via Cloud Storage
Beyond Dindoor, researchers observed attackers attempting to exfiltrate data using Rclone, a command-line tool for managing cloud storage. The stolen data was destined for Wasabi cloud storage buckets controlled by the threat actors.
Rclone abuse has become a common technique among ransomware groups and APTs alike. The tool's legitimate use for cloud backups makes it harder to detect when weaponized, and its support for multiple cloud providers gives attackers flexibility.
Supporting Malware: Fakeset
A second backdoor called Fakeset appeared on networks at the airport and non-profit targets. This Python-based implant was downloaded from Backblaze cloud storage servers.
The digital certificate used to sign Fakeset matches certificates previously used to sign MuddyWater tools Stagecomp and Darkcomp. Security vendors detect Fakeset as:
- Microsoft: Trojan:Python/MuddyWater.DB!MTB
- Kaspersky: Backdoor.Python.MuddyWater.a
This certificate overlap provided researchers with high-confidence attribution to the Seedworm cluster, which the security community tracks as MuddyWater.
Escalating Iran-US Cyber Conflict
The timing matters. This campaign launched in early February 2026, weeks before US and Israeli military strikes against Iranian targets on February 28. Since those strikes, Iranian cyber operations have intensified dramatically.
Unit 42's recent threat brief on Iranian cyber escalation documents dozens of active hacktivist groups conducting DDoS attacks, website defacements, and data destruction operations. MuddyWater's quiet intelligence gathering stands in contrast to the loud hacktivist campaigns, but both serve Iranian strategic interests.
We've seen similar patterns from other Iranian groups. The APT28 MSHTML zero-day campaign showed how state actors exploit geopolitical tensions to expand their operations. Iran's cyber apparatus operates under the same playbook.
Who is MuddyWater?
MuddyWater, also tracked as Seedworm, Earth Vetala, and Static Kitten, has operated since at least 2017. The group focuses on espionage campaigns targeting government agencies, telecommunications companies, and critical infrastructure across the Middle East, Europe, and North America.
US and UK intelligence agencies have publicly attributed MuddyWater to Iran's MOIS. The group is known for:
- Sophisticated spear-phishing campaigns
- "Honeytrap" social engineering operations
- Credential theft and password spraying
- Exploitation of identity and cloud control planes
Defensive Recommendations
Organizations in sectors of interest to Iranian intelligence should:
- Monitor for Deno runtime abuse - Unexpected Deno processes on servers warrant investigation
- Block unauthorized cloud storage access - Restrict Rclone and similar tools; monitor for connections to Wasabi and Backblaze
- Implement phishing-resistant MFA - MuddyWater excels at credential theft
- Audit third-party software providers - Supply chain compromise remains a priority for this group
- Segment critical networks - Limit lateral movement opportunities
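A hunt over endpoint telemetry for the first two recommendations, as an added example that is not part of the article or any vendor's detection content. It assumes a constructed one-JSON-object-per-line event format with process name, command line and destination host, and an assumed allowlist of hosts where a Deno runtime is expected; it flags unexpected Deno processes, Rclone execution and egress to the cloud storage providers the article names, then stacks findings per host so a machine showing all three surfaces first.

```python
import json
import re

# Constructed sample telemetry (not real data): one JSON event per line.
SAMPLE_EVENTS = """
{"host":"build-01","user":"dev","proc":"deno","cmd":"deno run --allow-net app.ts","dst":""}
{"host":"fileserver-02","user":"svc_backup","proc":"deno","cmd":"deno run -A /tmp/u.js","dst":""}
{"host":"fileserver-02","user":"svc_backup","proc":"rclone","cmd":"rclone copy /srv/share remote:bkt","dst":"s3.us-east-1.wasabisys.com"}
{"host":"ws-17","user":"jsmith","proc":"python","cmd":"python x.py","dst":"f001.backblazeb2.com"}
{"host":"ws-18","user":"jsmith","proc":"chrome","cmd":"chrome.exe","dst":"example.com"}
"""

# Assumption: hosts where a Deno runtime is legitimately expected (developer build hosts).
DENO_ALLOWED_HOSTS = {"build-01"}

# Cloud storage providers the article names as exfiltration/staging infrastructure.
CLOUD_DOMAIN_RE = re.compile(r"(wasabisys\.com|backblazeb2\.com|backblaze\.com)$", re.I)


def triage(events_text, deno_hosts=DENO_ALLOWED_HOSTS):
    """Return (host, finding) pairs for events matching the hunt rules."""
    findings = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        proc = ev["proc"].lower()
        # Deno is developer tooling; on a server outside the allowlist it is suspect.
        if proc == "deno" and ev["host"] not in deno_hosts:
            findings.append((ev["host"], "unexpected_deno_runtime"))
        # Rclone is a common exfiltration tool regardless of destination.
        if proc == "rclone":
            findings.append((ev["host"], "rclone_execution"))
        # Any process talking to the named cloud storage providers is worth a look.
        if CLOUD_DOMAIN_RE.search(ev.get("dst", "")):
            findings.append((ev["host"], "cloud_storage_egress"))
    return findings


def hosts_with_stacked_findings(findings, minimum=2):
    """Group findings by host and keep hosts with at least `minimum` distinct rule hits."""
    by_host = {}
    for host, name in findings:
        by_host.setdefault(host, set()).add(name)
    return {h: sorted(n) for h, n in by_host.items() if len(n) >= minimum}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for host, name in hits:
        print(f"{host}: {name}")
    print("prioritise:", hosts_with_stacked_findings(hits))
```

Feed real EDR process and network events in the same shape; a single Deno hit on a developer box is noise, but Deno plus Rclone plus cloud egress on a file server is the pattern described above.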
The current geopolitical climate makes Iranian intrusion attempts highly likely to continue. Organizations with any connection to defense, aerospace, financial services, or infrastructure should assume they're targets.