A recently uncovered cyber espionage campaign attributed to MuddyWater, an Iranian state-aligned threat group, has targeted United States networks and several sectors including aviation, financial services, and software development. Researchers say the attackers deployed a previously undocumented backdoor called Dindoor, which uses the Deno runtime environment to run JavaScript or TypeScript outside a browser, along with another backdoor named Fakeset written in Python.
The campaign appears to have started in early 2026 and affected organisations such as a U.S. airport, a U.S. bank, a Canadian non-profit, and a software supplier connected to defence and aerospace industries; the activity is attributed to MuddyWater (also tracked as Seedworm). According to the FBI, CISA and the UK’s National Cyber Security Centre, MuddyWater has long been linked to Iranian intelligence operations and typically conducts long-term access operations rather than quick disruption.
Indicators of compromise include several domains, and security teams are advised to monitor for Rclone usage and Deno runtime processes on enterprise systems. The findings are complemented by SOCRadar’s Iran–Israel Cyber Conflict Dashboard, which tracks related threat activity.
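One way to act on that monitoring advice, as an added example that is not from the article or from SOCRadar: a small Python triage routine that scans process-creation events for Deno runtime and Rclone executions, and escalates Deno runs whose script lives in a user-writable location. The JSON field names (host, image, cmdline), the sample events and the remote-name heuristic are assumptions constructed for this illustration.

```python
import json
import ntpath
import re
import shlex

# Constructed sample process-creation events (not from the article);
# the JSON field names are an assumption about the log format.
SAMPLE_EVENTS = [
    '{"host":"ws01","image":"C:\\\\Users\\\\u\\\\AppData\\\\Local\\\\deno\\\\deno.exe","cmdline":"deno.exe run -A C:\\\\Users\\\\u\\\\AppData\\\\Roaming\\\\svc\\\\main.ts"}',
    '{"host":"ws02","image":"C:\\\\Tools\\\\rclone\\\\rclone.exe","cmdline":"rclone.exe copy C:\\\\Data remote:share --transfers 8"}',
    '{"host":"ws03","image":"C:\\\\Windows\\\\System32\\\\notepad.exe","cmdline":"notepad.exe notes.txt"}',
    '{"host":"dev01","image":"/usr/local/bin/deno","cmdline":"deno test ./src"}',
]

DENO_NAMES = {"deno", "deno.exe"}
RCLONE_NAMES = {"rclone", "rclone.exe"}
# Locations where a dropped script is more suspicious than a checked-out repo.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "/tmp/", "/var/tmp/", "/dev/shm/")
RCLONE_REMOTE = re.compile(r"[A-Za-z0-9_-]{2,}:\S*")  # "remote:path", not "C:\path"

def triage_event(event):
    """Return a finding dict for one parsed event, or None if nothing matched."""
    # Normalise separators so Windows and POSIX paths work on any analysis host.
    image = ntpath.basename(event.get("image", "").replace("/", "\\")).lower()
    argv = shlex.split(event.get("cmdline", ""), posix=False)  # keep backslashes
    host = event.get("host", "?")
    if image in DENO_NAMES:
        script = next((a for a in argv[1:] if a.lower().endswith((".ts", ".js"))), None)
        if script and any(h in script.lower() for h in USER_WRITABLE_HINTS):
            return {"host": host, "rule": "deno_script_from_user_writable_path", "detail": script}
        return {"host": host, "rule": "deno_runtime", "detail": " ".join(argv)}
    if image in RCLONE_NAMES:
        remote = next((a for a in argv[1:] if RCLONE_REMOTE.fullmatch(a)), None)
        if remote:
            return {"host": host, "rule": "rclone_remote_transfer", "detail": remote}
        return {"host": host, "rule": "rclone_usage", "detail": " ".join(argv)}
    return None

def triage_log(lines):
    # Parse JSON event lines and collect findings, skipping malformed lines.
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = triage_event(event)
        if finding:
            findings.append(finding)
    return findings
```

In a real deployment the plain `deno_runtime` rule needs an allow-list for developer hosts where Deno is legitimately installed; the user-writable-path and remote-transfer rules are the ones worth alerting on by default.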