Dindoor Malware Targets U.S. Networks in New MuddyWater Campaign

  • Mar 6
  • 2 min read

Key Findings


  • The Iran-linked MuddyWater (aka SeedWorm) APT group targeted U.S. organizations, including banks, airports, nonprofits, and a software supplier to the defense and aerospace sectors

  • The group deployed a previously unknown backdoor called Dindoor, which leverages the Deno JavaScript runtime for execution

  • An attempt was made to exfiltrate data from the targeted software company to a Wasabi cloud storage bucket using the Rclone utility

  • A separate Python backdoor called Fakeset was also found on the networks of a U.S. airport and a nonprofit

  • The Fakeset malware shared digital certificates with other MuddyWater-linked malware, indicating the group's involvement


Background


  • The MuddyWater APT group, also known as TEMP.Zagros, Mango Sandstorm, TA450, and Static Kitten, has targeted entities in the Middle East since 2017

  • Over the years, the group has expanded its operations to target European and North American countries, primarily in the telecommunications, government, and oil sectors

  • In January 2022, US Cyber Command officially linked the MuddyWater APT group to Iran's Ministry of Intelligence and Security (MOIS)


Dindoor Backdoor


  • The Dindoor backdoor is a previously unknown malware used by MuddyWater in the recent campaign

  • It leverages the Deno JavaScript runtime for execution, allowing it to run on various platforms

  • The malware was signed with a certificate issued to "Amy Cherne"


Data Exfiltration Attempt


  • Researchers observed an attempt to exfiltrate data from the targeted software company using the Rclone utility

  • The data was being transferred to a Wasabi cloud storage bucket, but it's unclear if the transfer was successful
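Two of the behaviours summarised above (Rclone pushing data to an object-storage remote, and a backdoor executing under the Deno runtime) are visible in process-creation telemetry. The following detection logic is an added example written for this page; it is not code from the researchers or from either source article. The event field names and the sample events are constructed to look like a generic Sysmon/EDR JSON export, the bucket and host names are placeholders, and the endpoint domains are real service domains listed here as an assumption about which remotes are worth flagging, not as indicators from the report.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events. Field names are an assumption
# (loosely modelled on a Sysmon/EDR JSON export); nothing here comes from the report.
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Projects\Design wasabi:bucket-placeholder "
                r"--transfers 8 --config C:\Users\jdoe\AppData\Local\Temp\rc.conf"},
    {"host": "ws-042", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\deno.exe",
     "cmdline": r"deno.exe run -A C:\Users\jdoe\AppData\Local\Temp\update.js"},
    {"host": "srv-01", "user": "backup",
     "image": r"C:\Tools\rclone\rclone.exe",
     "cmdline": r"rclone.exe sync D:\Backups nas:backups --config C:\Tools\rclone\rclone.conf"},
    {"host": "ws-017", "user": "asmith",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# rclone sub-commands that move data off the host.
TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Object-storage endpoint domains (real domains; which ones matter is an assumption).
CLOUD_DOMAINS = ("wasabisys.com", "backblazeb2.com")
# rclone remote syntax is "<remote-name>:<path>"; a Windows drive letter ("D:\...") must not match.
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]{2,}:[^\\]*$")
# User-writable locations a backup job would not normally run from.
TEMP_RE = re.compile(r"\\(temp|appdata\\local\\temp|downloads|public)\\", re.IGNORECASE)
# Deno flags that grant the script network/process/file access.
DENO_BROAD_PERMS = {"-A", "--allow-all", "--allow-net", "--allow-run"}


@dataclass
class Finding:
    host: str
    user: str
    score: int
    severity: str
    reasons: list


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def severity_for(score):
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    if score >= 1:
        return "low"
    return "none"


def analyze(event):
    """Score one process-creation event; weights are a tuning assumption."""
    reasons = []
    score = 0
    cmd = event["cmdline"]
    tokens = cmd.split()
    image = _basename(event["image"])

    # Note: a renamed rclone binary would evade the filename check; in real telemetry
    # pair this with the PE OriginalFileName field or a file hash.
    if image.startswith("rclone"):
        verb = next((t.lower() for t in tokens[1:] if not t.startswith("-")), "")
        if verb in TRANSFER_VERBS:
            score += 1
            reasons.append(f"rclone transfer verb '{verb}'")
        remotes = [t for t in tokens if REMOTE_RE.match(t.strip('"'))]
        if remotes:
            score += 1
            reasons.append(f"rclone remote destination {remotes[0]}")
        if any(d in cmd.lower() for d in CLOUD_DOMAINS):
            score += 3
            reasons.append("object-storage endpoint domain on command line")
        if TEMP_RE.search(event["image"]):
            score += 3
            reasons.append("rclone binary executed from a user-writable/temp path")
        m = re.search(r"--config\s+(\S+)", cmd, re.IGNORECASE)
        if m and TEMP_RE.search(m.group(1)):
            score += 2
            reasons.append("rclone config file in a temp path")

    if image.startswith("deno"):
        scripts = [t for t in tokens if t.lower().endswith((".js", ".ts"))]
        if DENO_BROAD_PERMS & set(tokens) and any(TEMP_RE.search(s) for s in scripts):
            score += 3
            reasons.append("Deno script run with broad permissions from a temp path")

    return Finding(event["host"], event["user"], score, severity_for(score), reasons)


def analyze_all(events):
    """Return findings for every event that triggered at least one rule."""
    return [f for f in map(analyze, events) if f.score > 0]


if __name__ == "__main__":
    for f in analyze_all(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.host}/{f.user}: {'; '.join(f.reasons)}")
```

The scoring deliberately leaves a scheduled backup job (rclone from an installed tools directory to an internal remote) at "low", so it can be suppressed with an allowlist of known backup hosts, while rclone or Deno launched from a user temp directory is escalated. Treat the weights as a starting point to tune against your own baseline of legitimate rclone use.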


Fakeset Backdoor


  • A separate Python backdoor called Fakeset was found on the networks of a U.S. airport and a nonprofit

  • The malware was hosted on Backblaze servers and shared digital certificates with other MuddyWater-linked malware

  • This suggests the Iranian group was behind the intrusions on these networks


Escalating Cyber Threats


  • The recent activity by Iranian-linked cyber actors shows a mix of espionage, disruption, and influence operations

  • Researchers warn that Iranian-aligned actors may escalate with DDoS attacks, defacements, credential theft, leaks, and potentially destructive operations targeting critical infrastructure, energy, transport, telecoms, healthcare, and defense sectors


Sources


  • https://thehackernews.com/2026/03/iran-linked-muddywater-hackers-target.html

  • https://securityaffairs.com/189060/apt/iran-linked-muddywater-deploys-dindoor-malware-against-u-s-organizations.html

© 2025 by Explain IT Again