Dindoor Backdoor

Threat intelligence research has uncovered evidence of an Iranian state-aligned cyber operation that successfully embedded itself within the networks of several organizations across North America. The affected entities include banks, airports, non-profit organizations, and the Israeli branch of a software company serving the defense and aerospace sectors.

The campaign has been attributed to MuddyWater, also known as Seedworm, a threat group associated with Iran's Ministry of Intelligence and Security (MOIS). Investigators assess that the operation began in early February 2026. Network activity linked to the campaign surfaced shortly after military strikes conducted by the United States and Israel against Iran, suggesting a potential geopolitical trigger behind the cyber activity.

Particular attention appears to have been directed at the Israeli division of the targeted software provider. The company supplies solutions to multiple industries, including defense and aerospace, making it a strategically valuable target for intelligence collection and potential disruption.

Dindoor: A Newly Identified Backdoor Leveraging Deno

Security analysts examining the intrusions identified the deployment of a previously undocumented backdoor called Dindoor. The malware uses the Deno JavaScript runtime as part of its execution environment, a relatively uncommon technique that may help the malware evade detection in traditional security monitoring systems.

The attacks involving the software vendor, a U.S. banking institution, and a Canadian non-profit organization appear to have served as entry points for installing this backdoor.

Evidence of attempted data exfiltration was also identified. Investigators observed the use of the Rclone utility to transfer information from the compromised software company's environment to a cloud storage bucket hosted on Wasabi. At the time of analysis, it remained unclear whether the data exfiltration attempt was ultimately successful.

Fakeset Backdoor Appears in Additional Compromised Networks

A separate malware component known as Fakeset, written in Python, was detected within the networks of a U.S. airport and another non-profit organization. This backdoor was retrieved from infrastructure associated with Backblaze, a U.S.-based cloud storage and backup provider.

The malicious payload was digitally signed using a certificate that has previously been linked to two other malware families, Stagecomp and Darkcomp, both historically associated with MuddyWater operations.

Threat researchers have identified malware samples bearing the following signatures tied to the MuddyWater ecosystem:

  • Trojan:Python/MuddyWater.DB!MTB
  • Backdoor.Python.MuddyWater.a

Although Stagecomp and Darkcomp themselves were not discovered on the compromised networks examined in this investigation, the reuse of the same digital certificate strongly suggests involvement by the same threat actor, reinforcing the attribution to Seedworm.

Expanding Iranian Cyber Capabilities and Social Engineering Tactics

Iranian cyber threat actors have significantly improved their operational capabilities in recent years. Their malware development and tooling have grown more sophisticated, enabling stealthier persistence and more effective lateral movement inside victim networks.

Equally notable is the expansion of their human-focused attack strategies. Iranian operators have demonstrated increasingly advanced social engineering methods, including highly targeted spear-phishing campaigns and long-term 'honeytrap' operations designed to build trust with individuals of interest. These tactics are frequently used to gain account access or extract sensitive information.

Surveillance Through Vulnerable Cameras

Parallel investigations have revealed that other Iran-linked threat groups are actively probing internet-connected surveillance devices. One such actor, Agrius, also known by the aliases Agonizing Serpens, Marshtreader, and Pink Sandstorm, has been observed scanning for vulnerable video surveillance infrastructure.

Researchers documented exploitation attempts targeting Hikvision cameras and video intercom systems through known vulnerabilities. These activities have intensified amid the ongoing Middle East conflict, particularly in Israel and several Gulf states.

The campaign has focused on exploiting vulnerabilities affecting surveillance equipment from Dahua and Hikvision, including:

  • CVE-2017-7921
  • CVE-2023-6895
  • CVE-2021-36260
  • CVE-2025-34067
  • CVE-2021-33044

Security analysts believe such compromises may support military intelligence gathering, including operational surveillance and battle damage assessment (BDA) related to missile operations. In some cases, camera intrusions may occur prior to missile launches to assist with targeting or monitoring outcomes.

Cyber Activity as a Precursor to Kinetic Operations

The coordinated targeting of surveillance infrastructure aligns with long-standing assessments that Iranian cyber doctrine integrates digital reconnaissance into broader military planning. Compromised cameras can provide real-time visual intelligence and situational awareness.

Consequently, monitoring scanning activity and exploitation attempts against camera infrastructure tied to known Iranian cyber assets may serve as an early warning signal for potential follow-on kinetic operations.
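The early-warning idea above reduces to a concrete monitoring question: which sources are touching the camera estate, and is any one of them sweeping across many devices in a short period? The script below is an added example, not code from the report. It assumes a simple `key=value` access-log format in front of the cameras, a management subnet from which camera access is legitimate (`MANAGEMENT_NETS`), an inventory of camera addresses (`CAMERA_HOSTS`), and a sweep threshold of three distinct cameras within five minutes; all of these and the log lines themselves are constructed for illustration. It raises one alert for any non-management source reaching a camera at all, and a second for a source whose per-window fan-out across cameras looks like scanning, while ignoring requests to hosts that are not cameras and hits that fall outside the window.

```python
"""Added example: flag unmanaged access to, and sweeps across, surveillance
cameras from constructed access-log lines. Format, networks, thresholds and
data are assumptions for illustration, not values from the report."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Subnets from which camera administration is expected (assumed).
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Camera inventory (assumed).
CAMERA_HOSTS = {"10.30.1.11", "10.30.1.12", "10.30.1.13", "10.30.1.14"}
# A source touching this many distinct cameras within WINDOW is treated as a sweep.
SCAN_THRESHOLD = 3
WINDOW = timedelta(minutes=5)


def parse_line(line: str) -> dict:
    """Parse '2026-03-04T09:12:01Z src=... dst=... dport=... method=... uri=...'."""
    ts, *kvs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def _is_management(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in MANAGEMENT_NETS)


def analyze(lines) -> list:
    """Return sorted (rule, source) alerts for camera-directed traffic."""
    alerts = set()
    hits_by_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec.get("dst") not in CAMERA_HOSTS:
            continue  # not camera traffic; out of scope for this monitor
        src = rec["src"]
        if not _is_management(src):
            alerts.add(("camera-access-from-unmanaged-source", src))
        hits_by_src[src].append((rec["ts"], rec["dst"]))

    # Sliding window: at each hit, count distinct cameras reached in the preceding WINDOW.
    # Management sources are included on purpose; a compromised admin host sweeping
    # cameras is still worth an alert.
    for src, hits in hits_by_src.items():
        hits.sort()
        for i, (t, _) in enumerate(hits):
            recent = {dst for (t2, dst) in hits[: i + 1] if t - t2 <= WINDOW}
            if len(recent) >= SCAN_THRESHOLD:
                alerts.add(("camera-sweep", src))
                break
    return sorted(alerts)


# Constructed sample log (documentation address ranges, not real sources).
SAMPLE_LOG = """\
2026-03-04T07:00:10Z src=203.0.113.7 dst=10.30.1.14 dport=80 method=GET uri=/
2026-03-04T09:12:01Z src=203.0.113.7 dst=10.30.1.11 dport=80 method=GET uri=/
2026-03-04T09:12:09Z src=203.0.113.7 dst=10.30.1.12 dport=80 method=GET uri=/
2026-03-04T09:13:44Z src=203.0.113.7 dst=10.30.1.13 dport=80 method=GET uri=/
2026-03-04T09:15:02Z src=10.20.0.5 dst=10.30.1.11 dport=443 method=GET uri=/
2026-03-04T09:20:30Z src=198.51.100.9 dst=10.30.1.14 dport=80 method=GET uri=/
2026-03-04T09:21:00Z src=198.51.100.9 dst=10.30.1.50 dport=80 method=GET uri=/
"""


def analyze_sample() -> list:
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, src in analyze_sample():
        print(f"{rule}: {src}")
```

On the constructed log, `203.0.113.7` is reported both as an unmanaged source and as a sweep (its early-morning hit on `10.30.1.14` falls outside the window and does not count), `198.51.100.9` only as an unmanaged source, and the management host `10.20.0.5` not at all. Correlating the sweep alerts with threat-intelligence feeds on known Iranian infrastructure is the step that turns this from a generic camera-hygiene monitor into the early-warning signal the paragraph describes.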

Rising Cyber Retaliation Risks

The escalating conflict involving the United States, Israel, and Iran has heightened the risk of cyber retaliation. In response to the growing threat landscape, the Canadian Centre for Cyber Security (CCCS) has issued an advisory warning that Iran is likely to leverage its cyber capabilities against critical infrastructure and conduct influence or information operations to advance strategic interests.

These developments highlight the expanding role of cyberspace as a parallel battlefield during geopolitical conflicts, where espionage, disruption, and intelligence gathering increasingly accompany traditional military actions.
