Iranian cyber group MuddyWater, linked to Iran's Ministry of Intelligence and Security (MOIS), has been found embedded in multiple US and Canadian networks since early February 2026, including a bank, airport, software firm, and NGOs. Symantec and Carbon Black's Threat Hunter Team discovered two previously unknown backdoors: Dindoor (using the Deno JavaScript/TypeScript runtime) and a Python-based Fakeset, both signed with certificates tied to known MuddyWater infrastructure. The compromised software company supplies technology to defense and aerospace sectors and has an Israeli presence, which researchers believe is the primary target. Data exfiltration attempts using Rclone to a Wasabi cloud bucket were also observed. Analysts warn that MuddyWater's pre-positioned access to US and Israeli networks creates significant risk for future disruptive attacks, especially amid ongoing military hostilities.

Source: go.theregister.com