Broadcom’s Symantec Threat Hunter Team has uncovered a campaign by the Iran-linked MuddyWater group (also tracked as Seedworm, TEMP.Zagros, Mango Sandstorm, TA450 and Static Kitten) targeting several U.S. organisations, with activity beginning in February 2026 and continuing into recent days. The group deployed a previously unseen backdoor, Dindoor, on networks across several sectors, including banks, airports, nonprofits, and a software supplier to the defence and aerospace industries that has operations in Israel.
The Dindoor backdoor is built on the Deno runtime, which it uses to execute JavaScript and TypeScript, and the sample was signed with a code-signing certificate issued to “Amy Cherne”; a valid signature here indicates only that the attackers obtained a certificate, not that the binary is legitimate. At the targeted software company, researchers also observed an attempt to exfiltrate data with Rclone to a bucket hosted on Wasabi Technologies’ cloud storage, though it is unclear whether the transfer succeeded.
In addition, a separate Python backdoor, named Fakeset, was found on U.S. airport and nonprofit networks. It was hosted on Backblaze servers and signed with certificates that Symantec has linked to Seedworm, the same certificates seen on other malware families attributed to the group. The report notes that Iran’s operations periodically mount destructive attacks intended to send a message rather than to steal information, which potentially puts any targeted organisation in the firing line regardless of the data it holds.