Iranian cyber operations in early 2026 saw state-linked actors establish persistent footholds within US and Canadian networks, while simultaneously targeting surveillance cameras across the Middle East for battlefield intelligence. This dual-pronged approach highlights a sophisticated, multi-faceted cyber strategy aimed at both espionage and real-time operational awareness.
The Iranian APT group MuddyWater, reportedly tied to Iran’s Ministry of Intelligence and Security (MOIS), maintained unauthorized access to multiple American organizations since February 2026. The targeted sectors spanned banking, aviation, defense supply chains, and non-profit organizations, indicating a broad interest in critical infrastructure and sensitive information.
The intrusions were revealed through reports by cybersecurity firms Symantec and Carbon Black, which identified suspicious MuddyWater activity across US and Canadian networks. Investigators discovered the group deployed undocumented malware to establish persistent footholds within victim environments. This focus on long-term intelligence collection, rather than immediate disruption, is characteristic of state-sponsored espionage campaigns.
PolySwarm analysts identified several malware families associated with MuddyWater’s targeting of US entities, including Dindoor, Fakeset, Stagecomp, and Darkcomp. The Dindoor backdoor, for instance, was found within the network of a US software company serving defense and aerospace clients. It leveraged the Deno runtime for JavaScript and TypeScript to execute commands and maintain access. Meanwhile, Fakeset, a Python-based backdoor, was discovered on the networks of a US airport and a non-profit organization. Both tools were engineered for stealth, aiming to preserve long-term access.
Beyond network infiltration, Iranian-linked infrastructure initiated a significant wave of scanning activity targeting internet-connected surveillance cameras starting February 28, 2026. Check Point Research observed a surge in exploit attempts directed at Hikvision and Dahua cameras, which are deployed across commercial, governmental, and municipal environments throughout the region. This scanning activity affected Israel, Qatar, Bahrain, Kuwait, the United Arab Emirates, Lebanon, and Cyprus. The timing of these camera intrusions coincided with the commencement of major regional hostilities, suggesting a deliberate integration into Iran’s battlefield intelligence strategy.
Adding another layer to Iran’s cyber operations, the Iran-aligned hacktivist group Handala claimed responsibility for a destructive cyberattack against Stryker, a Fortune 500 medical technology firm. The attackers reportedly exfiltrated approximately 50 terabytes of data before deploying wiper malware across the company’s global network. Corporate laptops and mobile devices managed by enterprise systems were remotely wiped, forcing some locations to revert to manual operational processes. This incident underscores the increasing involvement of Iran-aligned proxy groups across various sectors of its broader cyber operations.
Surveillance Camera Exploitation: A Low-Cost Intelligence Platform
The exploitation of internet-connected surveillance cameras represents a calculated tactic rather than a purely opportunistic endeavor. It transforms common security infrastructure into a real-time battlefield observation platform. By compromising Hikvision and Dahua devices through known vulnerabilities, Iranian operators can observe specific locations, track emergency response movements, and assess damage following missile or drone strikes.
Specific vulnerabilities exploited in this campaign include CVE-2017-7921, an improper authentication flaw in Hikvision firmware, and CVE-2021-33044, an authentication bypass in Dahua devices. This same tactic was previously observed during the June 2025 Iran-Israel conflict, where compromised cameras were allegedly used to monitor the aftermath of strikes against Israeli targets. The repeated use of IP camera exploitation in early 2026 demonstrates that Iranian actors consider it a reliable and cost-effective intelligence tool.
These devices often operate with outdated firmware and typically fall outside standard enterprise security monitoring protocols, rendering them relatively easy targets with significant operational value. Organizations relying on Hikvision or Dahua cameras are strongly advised to apply all available firmware patches immediately. Particular attention should be paid to updates addressing vulnerabilities such as CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067, and CVE-2021-33044.
Further mitigation strategies include isolating camera systems from core enterprise networks through proper segmentation. This can help prevent lateral movement in the event of a compromise. Disabling unnecessary remote access features and enforcing strong authentication across all connected devices are also crucial steps. Security teams should maintain vigilance for unusual outbound traffic originating from camera systems, as this can be a strong indicator of active exploitation.
For organizations operating within sectors targeted by MuddyWater, such as banking, aviation, defense, and healthcare, detecting malware like Dindoor and Fakeset is paramount. This requires monitoring for atypical Deno runtime activity, unexpected Python processes, and outbound Rclone traffic that may signal data exfiltration. Malware samples have been observed being signed with digital certificates previously linked to MuddyWater, making certificate-based detection and traffic inspection essential components of any robust defense strategy.
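As an added illustration of the two monitoring recommendations above (unusual outbound traffic from camera segments, and atypical Deno, Python or Rclone processes on general-purpose hosts), the following hunting script is example code written for this article, not tooling from any of the firms cited. The camera subnet, NVR address, hostnames, image paths and log format are all constructed assumptions.

```python
# Added example: flag camera-VLAN egress and atypical process images over
# constructed sample logs. All addresses and paths are constructed, not IoCs.
import ipaddress
import re

# Assumed segmentation: cameras live in their own VLAN and should only talk to the NVR.
CAMERA_NET = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_CAMERA_DST = {"10.50.0.250"}

# Process names that are atypical on a general-purpose workstation or server.
SUSPECT_PROCS = {
    "deno": "Deno runtime (Dindoor-style backdoor)",
    "python": "unexpected Python process (Fakeset-style backdoor)",
    "rclone": "rclone (possible bulk exfiltration)",
}

FLOW_RE = re.compile(r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
PROC_RE = re.compile(r"^(?P<ts>\S+) proc host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+)$")

def is_camera_egress(src: str, dst: str) -> bool:
    """True when a camera-VLAN host talks to anything but the NVR or a peer camera."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return src_ip in CAMERA_NET and dst not in ALLOWED_CAMERA_DST and dst_ip not in CAMERA_NET

def base_name(image: str) -> str:
    """Reduce an image path to its bare name: '...\\deno.exe' -> 'deno', '/usr/bin/python3.11' -> 'python'."""
    leaf = re.split(r"[\\/]", image)[-1].lower()
    m = re.match(r"[a-z]+", leaf)
    return m.group() if m else leaf

def hunt(lines):
    """Return (timestamp, reason) alerts for the flow/process lines given."""
    alerts = []
    for line in lines:
        if (m := FLOW_RE.match(line)) and is_camera_egress(m["src"], m["dst"]):
            alerts.append((m["ts"], f"camera {m['src']} egress to {m['dst']}:{m['dport']}"))
        elif (m := PROC_RE.match(line)) and base_name(m["image"]) in SUSPECT_PROCS:
            alerts.append((m["ts"], f"{m['host']}: {SUSPECT_PROCS[base_name(m['image'])]} ({m['image']})"))
    return alerts

# Constructed sample log lines (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_LOGS = [
    "2026-03-01T02:14:07Z flow src=10.50.0.17 dst=10.50.0.250 dport=554",
    "2026-03-01T02:14:09Z flow src=10.50.0.17 dst=203.0.113.45 dport=443",
    "2026-03-01T09:30:00Z proc host=ws-fin-12 user=j.doe image=C:\\Users\\j.doe\\AppData\\Local\\deno.exe",
    "2026-03-01T09:31:00Z proc host=ws-fin-12 user=j.doe image=C:\\Windows\\System32\\notepad.exe",
    "2026-03-01T11:02:13Z proc host=srv-web-03 user=svc_web image=/opt/tools/rclone",
]
```

Running `hunt(SAMPLE_LOGS)` yields three alerts: the camera-to-internet flow, the Deno binary under a user profile, and the rclone process on a web server, while the camera-to-NVR flow and notepad.exe stay silent.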
Incident response teams should prioritize addressing these identified network footholds as high-risk concerns, particularly given the current geopolitical climate. The ongoing activities suggest a persistent threat landscape where cyber espionage and battlefield intelligence gathering are increasingly intertwined. Future monitoring will likely focus on the evolution of these tactics and the potential for further escalation.