New research from Broadcom’s Symantec and Carbon Black Threat Hunter Team has uncovered evidence of Iranian hackers, identified as the state-sponsored group MuddyWater, infiltrating the networks of several U.S. companies. The targets include financial institutions, airports, non-profit organizations, and the Israeli branch of a software company, signaling a potential escalation in cyber warfare tactics amid ongoing geopolitical tensions.
MuddyWater’s Espionage Campaign Uncovered
The advanced persistent threat (APT) group MuddyWater, also known as Seedworm and affiliated with Iran’s Ministry of Intelligence and Security (MOIS), is believed to have initiated this campaign in early February. Recent activity has been observed following U.S. and Israeli military actions against Iran. The software company, a supplier to defense and aerospace sectors, appears to have been a specific target, with its Israeli operations being a focal point of the intrusions.
The attacks have reportedly led to the deployment of a previously unknown backdoor named Dindoor, which utilizes the Deno JavaScript runtime for execution. Broadcom’s analysis further revealed attempts to exfiltrate data from the software company using the Rclone utility to a Wasabi cloud storage bucket. It remains unconfirmed whether these data theft attempts were successful.
Separately, in the networks of a U.S. airport and a non-profit, a distinct Python backdoor known as Fakeset was discovered. This malware was downloaded from servers operated by Backblaze, an American cloud storage provider. Crucially, the digital certificate used to sign Fakeset has also been employed to sign Stagecomp and Darkcomp malware, both previously associated with MuddyWater’s activities. This shared digital signature strongly suggests the same actor was behind the intrusions into the U.S. companies’ networks, even though these specific malware strains were not found on those compromised systems.
Broader Iranian Cyber Offensive Trends
The findings by Symantec and Carbon Black align with a broader trend of increasing sophistication among Iranian threat actors. In recent years, these groups have demonstrated significant improvements in their tooling and malware capabilities. Furthermore, they have exhibited strong social engineering skills, employing spear-phishing campaigns and “honeytrap” operations to build rapport with targets and gain access to sensitive information or accounts.
This wave of cyber activity is occurring against a backdrop of escalating conflict in the Middle East. Research from Check Point has identified the pro-Palestinian hacktivist group Handala Hack, also known as Void Manticore, routing its operations through Starlink IP ranges. The group has been observed probing external-facing applications for misconfigurations and weak credentials, potentially in pursuit of intelligence or disruption.
In recent months, multiple Iran-nexus adversaries, including Agrius (also known as Agonizing Serpens, Marshtreader, and Pink Sandstorm), have been detected scanning for vulnerable Hikvision cameras and video intercom solutions. Exploitation attempts have targeted well-known security flaws such as CVE-2017-7921 and CVE-2023-6895. According to Check Point, this targeting has intensified since the current Middle East conflict began, with a surge in exploitation attempts against IP cameras in Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus. Dahua and Hikvision cameras have been specifically targeted, leveraging the aforementioned vulnerabilities along with CVE-2021-36260, CVE-2025-34067, and CVE-2021-33044.
The exploitation of these camera systems is consistent with assessments that Iran leverages camera compromise for operational support and battle damage assessment for missile operations, potentially preceding missile launches. Tracking such camera-targeting activity could therefore serve as an early indicator of potential kinetic actions.
Government Advisories and Diversified Tactics
The escalating conflict has prompted advisories from various government entities. The Canadian Centre for Cyber Security (CCCS) has cautioned that Iran is likely to use its cyber apparatus for retaliatory attacks against critical infrastructure and for information operations to advance regime interests. Western organizations are likewise advised to remain on high alert for potential cyber responses extending beyond hacktivism into destructive operations.
Recent developments highlight the diverse nature of Iranian cyber operations. Israeli intelligence agencies are reported to have compromised Tehran’s extensive traffic camera network for years to monitor key officials, a capability that potentially preceded the assassination of a top Iranian figure. In a separate incident, Iran’s Islamic Revolutionary Guard Corps (IRGC) targeted Amazon’s data center in Bahrain, citing the company’s support for “enemy’s military and intelligence activities.”
Furthermore, active wiper campaigns are reportedly underway against Israeli energy, financial, government, and utility sectors. Iran’s arsenal of wipers includes numerous families, such as ZeroCleare, Meteor, Dustman, and DEADWOOD. Iranian APT groups like MuddyWater, Charming Kitten, OilRig, Elfin, and Fox Kitten have shown clear signs of activation and adaptation, positioning themselves for retaliatory operations amid the escalating conflict. Cyber operations represent one of Iran’s most accessible asymmetric tools for retaliation against Gulf states and those supporting U.S. operations.
A significant #OpIsrael cyber campaign, involving pro-Russian and pro-Iranian actors, has targeted Israeli industrial control systems (ICS) and government portals across several countries. This campaign is reportedly driven by groups including NoName057(16) and Handala Hack. Additionally, the pro-Russia hacktivist group Z-Pentest has claimed responsibility for compromising U.S.-based entities, including ICS/SCADA systems and CCTV networks, suggesting a potential prioritization of U.S. targets in conjunction with ongoing geopolitical events.
Iran’s Cyber Doctrine and Recommended Defenses
Iran’s offensive cyber capability has matured into a persistent instrument of state power, used for intelligence collection, regional influence, and strategic signaling during geopolitical tensions. A defining feature of Iran’s current cyber doctrine is its focus on identity and cloud control planes as the primary attack surfaces. Rather than relying solely on zero-day exploits or novel malware, Iranian operators often prioritize repeatable access techniques such as credential theft, password spraying, and social engineering, followed by establishing persistence through widely deployed enterprise services.
In response to these evolving threats, organizations are strongly advised to bolster their cybersecurity posture. This includes strengthening monitoring capabilities, limiting exposure to the internet, disabling remote access to operational technology (OT) systems, enforcing phishing-resistant multi-factor authentication (MFA), implementing network segmentation, and ensuring offline backups are maintained. It is also crucial to keep all internet-facing applications, VPN gateways, and edge devices updated with the latest security patches.
As the conflict continues, organizations, particularly Western entities, should maintain a heightened state of alert for potential cyber responses that may transition from hacktivism to destructive operations. The ongoing geopolitical situation suggests a continued and potentially evolving cyber threat landscape emanating from Iran.