Iran-Linked Seedworm Hackers Target U.S. Bank, Airport, and Defense Supply Chain in New Cyber Espionage Campaign

Recent threat intelligence reports indicate that an Iranian state-linked cyber espionage group known as Seedworm (also tracked as MuddyWater, Mango Sandstorm, Mercury, or Static Kitten) has conducted cyber operations targeting multiple organizations in the United States and allied regions. The campaign highlights the growing role of cyber operations in geopolitical conflict and intelligence gathering.

Researchers from Broadcom’s Symantec and Carbon Black Threat Hunter teams observed the activity beginning in early February 2026, with malicious operations continuing through early March. The attacks affected organizations across multiple sectors, including finance, transportation, and defense-related software supply chains.


Targets Identified in the Campaign

Threat intelligence analysis identified several compromised or targeted organizations:

  • A U.S. bank
  • A U.S. airport
  • A non-governmental organization (NGO) operating in the United States and Canada
  • The Israeli branch of a U.S. software company that supplies the defense and aerospace sectors

These intrusions suggest the attackers prioritized critical infrastructure and defense-adjacent networks, potentially aiming to gather intelligence, stage disruptive attacks, or prepare for future cyber operations.

The activity intensified shortly after U.S. and Israeli military strikes against Iran, suggesting that the campaign is connected to escalating geopolitical tensions.


Malware and Backdoors Used

Researchers identified multiple malicious tools deployed by the attackers inside victim networks.

1. Dindoor Backdoor

Seedworm deployed a new backdoor called “Dindoor.”

Key characteristics:

  • Installed on networks of:
    • U.S. bank
    • Israeli software company
    • Canadian NGO
  • Used to maintain persistent access
  • Signed with a certificate issued to “Amy Cherne”

The malware allowed attackers to maintain stealthy communication with compromised systems and potentially exfiltrate sensitive data.


2. Fakeset Python Backdoor

Researchers also discovered another malicious tool:

  • Python-based backdoor called “Fakeset”
  • Observed on:
    • U.S. airport networks
    • Non-profit organizations
  • Signed with certificates including “Amy Cherne” and “Donald Gay”, which were previously used in earlier MuddyWater campaigns.

These tools allowed attackers to:

  • Execute commands remotely
  • Maintain long-term persistence
  • Collect intelligence from compromised systems

Attribution: The Seedworm (MuddyWater) Threat Group

The attacks are attributed to Seedworm, a long-running Iranian advanced persistent threat (APT) group linked to the Iranian Ministry of Intelligence and Security (MOIS).

Known Characteristics of Seedworm

  • Active since at least 2017
  • Focuses primarily on cyber espionage
  • Frequently targets:
    • Government organizations
    • Telecommunications firms
    • Defense contractors
    • Critical infrastructure networks

Their campaigns typically involve spear-phishing, credential theft, and exploitation of vulnerable systems to gain initial access to networks.


Strategic Implications

Security researchers warn that the presence of Iranian attackers inside U.S. networks before the escalation of geopolitical conflict is particularly concerning.

Because these actors already have footholds in victim environments, they may be able to:

  • Launch disruptive attacks quickly
  • Conduct sabotage operations
  • Exfiltrate sensitive operational data
  • Target supply chains connected to defense industries

This strategic positioning could allow cyber activity to serve as a digital extension of geopolitical conflict, especially during periods of military escalation.


Broader Cyberwarfare Context

Cyber operations have increasingly become a critical component of modern conflicts. During the 2026 Iran war, cyber activities have supported military operations and information warfare campaigns across the region.

At the same time, Iranian-aligned groups and hacktivists have conducted activities such as:

  • Distributed denial-of-service (DDoS) attacks
  • Website defacements
  • Phishing campaigns
  • Data-leak operations targeting Western organizations

Security Recommendations

Organizations—especially those in critical sectors—should take steps to mitigate the risk of similar intrusions.

Recommended defensive measures include:

  • Patch known vulnerabilities promptly
  • Enforce multi-factor authentication (MFA)
  • Monitor network traffic for unusual command-and-control behavior
  • Conduct threat hunting for known MuddyWater indicators
  • Segment critical systems from external-facing infrastructure
  • Monitor certificate abuse and signed malware activity
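The last two recommendations can be combined into a simple hunt: the signer names reported above (“Amy Cherne”, “Donald Gay”) are indicators that survive across samples, so image-load telemetry can be checked for them. The script below is an added illustration, not code from the researchers or from the article; it assumes Sysmon Event ID 7 (ImageLoad) records exported as JSON with the standard `Signed`, `Signature` and `SignatureStatus` fields, and the sample events are constructed for the demonstration.

```python
import json

# Signer common names the article reports as abused in this and earlier MuddyWater
# campaigns. Matched case-insensitively; extend as threat intelligence evolves.
WATCHLIST_SIGNERS = {"amy cherne", "donald gay"}

# Constructed sample of Sysmon Event ID 7 (image load) records, one JSON object per line.
# Field names follow the Sysmon ImageLoad schema; hosts, paths and values are made up.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "Computer": "WS01", "ImageLoaded": r"C:\Windows\System32\shell32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Computer": "WS02", "ImageLoaded": r"C:\Users\a\AppData\Local\Temp\update.exe",
     "Signed": "true", "Signature": "Amy Cherne", "SignatureStatus": "Valid"},
    {"EventID": 7, "Computer": "WS03", "ImageLoaded": r"C:\Users\b\Downloads\svc.dll",
     "Signed": "true", "Signature": "DONALD GAY", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Computer": "WS04", "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned"},
    {"EventID": 1, "Computer": "WS05", "Image": r"C:\Windows\notepad.exe"},
])


def parse_jsonl(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed export line; do not abort the whole hunt
    return events


def find_watchlisted_signers(events, watchlist=WATCHLIST_SIGNERS):
    """Return one alert dict per signed image-load whose signer CN is on the watchlist."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7 or str(ev.get("Signed", "")).lower() != "true":
            continue
        signer = str(ev.get("Signature", "")).strip().lower()
        if signer in watchlist:
            alerts.append({
                "host": ev.get("Computer"),
                "image": ev.get("ImageLoaded"),
                "signer": ev.get("Signature"),
                # A "Valid" status is not reassuring here: the certificate itself is
                # the shared indicator, so a valid signature still warrants triage.
                "status": ev.get("SignatureStatus"),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_watchlisted_signers(parse_jsonl(SAMPLE_JSONL)):
        print(alert)
```

The same check works on a real Sysmon JSON export by replacing `SAMPLE_JSONL` with the file contents; certificate revocation or blocklisting of the signer thumbprint is the follow-up once a hit is confirmed.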

Conclusion

The recent Seedworm campaign highlights the persistent cyber threat posed by state-sponsored Iranian actors targeting U.S. and allied networks. With attackers already embedded in several organizations, cybersecurity teams must remain vigilant against potential follow-on attacks.

As geopolitical tensions increase, cyber operations are likely to play an even larger role in intelligence gathering, economic disruption, and strategic warfare.