Recent intrusions have been linked to Seedworm, also tracked as MuddyWater, TEMP.Zagros, and Static Kitten, a long-running Iranian threat group associated with espionage and covert network access.
The activity began in February 2026 and continued in recent weeks. Reported targets include a U.S. bank, a U.S. airport, a U.S. software company with operations in Israel, and non-profit organizations in the U.S. and Canada.
Researchers say the timing is significant, as it comes during a period of rising military tension involving Iran, the U.S., and Israel.
That raises concern that already-compromised networks could be used for future disruptive, destructive, or intelligence-driven operations.
One of the most important findings is a previously unknown backdoor now called Dindoor. It was found on the network of the Israeli branch of a U.S. software company.
It was also seen on the systems of a U.S. bank and a Canadian non-profit. Dindoor uses Deno, the JavaScript and TypeScript runtime, to execute. Researchers said the malware was signed using a certificate issued to “Amy Cherne.”
Another suspicious tool, a Python backdoor named Fakeset, was discovered on the networks of the U.S. airport and a non-profit organization.
This malware was signed with certificates issued to “Amy Cherne” and “Donald Gay.” The Donald Gay certificate has previously been linked to malware associated with the Seedworm threat. Fakeset was downloaded from infrastructure hosted on Backblaze cloud storage.
Researchers also observed an attempt to move data from the software company using Rclone to a Wasabi cloud storage bucket.
It is still unclear whether that exfiltration attempt succeeded. Even so, the presence of multiple backdoors, certificate overlaps, and cloud-based staging methods suggests a coordinated campaign designed for persistence and stealth.
Seedworm has a history of espionage-focused operations, but Iranian-linked groups have also used wipers, DDoS attacks, credential harvesting, mailbox compromise, and leak operations in past campaigns.
That means defenders should prepare for both quiet intrusions and louder disruptive actions.
Organizations in banking, transportation, energy, telecom, healthcare, defense, and logistics should watch for repeated login failures, password spraying, suspicious cloud transfers, unexpected use of tools like Rclone, mailbox abuse, and abnormal access to internet-facing systems. Given the findings above, binaries signed with certificates issued to "Amy Cherne" or "Donald Gay", an unexpected Deno runtime on endpoints, and outbound transfers to Wasabi or Backblaze object storage from hosts with no business reason for them deserve immediate review.
Monitoring contractor access, enforcing MFA, restricting legacy authentication (which typically bypasses MFA), segmenting operational networks, and maintaining offline backups are also critical.
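To make the detection guidance above concrete, here is an added example, not code from the article or from the researchers it cites, that runs two of the listed checks over constructed log records: a password-spray detector that counts distinct failed usernames per source address in a sliding window (and reports whether that source later logged in successfully), and a check for Rclone invocations pointing at cloud object storage, the kind of Wasabi and Backblaze staging seen in this campaign, from hosts that are not on an approved backup list. The log layout, thresholds, hostnames, IP addresses, path heuristics and the approved-host list are all assumptions to adapt to your own telemetry.

```python
"""Two detections for the activity described above.

Added example, not code from the article or from the researchers it cites.
All log records below are constructed; the field layout, thresholds,
hostnames, addresses and the approved-host list are assumptions to adapt
to your own log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: (timestamp, source_ip, username, result).
AUTH_EVENTS = [
    ("2026-02-10T09:00:01", "203.0.113.5", "alice", "FAIL"),
    ("2026-02-10T09:00:03", "203.0.113.5", "bob", "FAIL"),
    ("2026-02-10T09:00:05", "203.0.113.5", "carol", "FAIL"),
    ("2026-02-10T09:00:07", "203.0.113.5", "dave", "FAIL"),
    ("2026-02-10T09:00:09", "203.0.113.5", "erin", "FAIL"),
    ("2026-02-10T09:00:11", "203.0.113.5", "frank", "FAIL"),
    ("2026-02-10T09:00:13", "203.0.113.5", "grace", "SUCCESS"),  # spray found a valid password
    ("2026-02-10T09:01:00", "198.51.100.7", "alice", "FAIL"),   # one account, repeated
    ("2026-02-10T09:01:20", "198.51.100.7", "alice", "FAIL"),
    ("2026-02-10T09:01:40", "198.51.100.7", "alice", "FAIL"),
    ("2026-02-10T09:02:00", "198.51.100.7", "alice", "FAIL"),
    ("2026-02-10T09:05:00", "192.0.2.9", "bob", "FAIL"),        # ordinary typo, then success
    ("2026-02-10T09:05:30", "192.0.2.9", "bob", "SUCCESS"),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source addresses that fail against many distinct accounts in a window.

    Spraying tries one or two passwords across many users, so each account sees
    only a failure or two and per-account lockout never fires. Counting distinct
    usernames per source is what surfaces it. The result also records whether
    the same source later authenticated successfully, which is the case to page on.
    """
    fails = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((datetime.fromisoformat(ts), user))

    flagged = {}
    for src, attempts in fails.items():
        attempts.sort()
        best, start = 0, 0
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, len({u for _, u in attempts[start:end + 1]}))
        if best >= min_users:
            first_fail = attempts[0][0]
            later_success = any(
                s == src and r == "SUCCESS" and datetime.fromisoformat(ts) >= first_fail
                for ts, s, _, r in events
            )
            flagged[src] = {"users": best, "later_success": later_success}
    return flagged


# Constructed process-creation events: (host, user, command_line).
PROC_EVENTS = [
    ("fs01", "svc_backup", r"C:\Program Files\rclone\rclone.exe sync D:\backup nas:backup"),
    ("ws-dev17", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe copy C:\Projects remote: --s3-endpoint s3.wasabisys.com"),
    ("ws-dev17", "jdoe", r"C:\Windows\System32\cmd.exe /c whoami"),
    ("ws-hr02", "mrobin", r"C:\Tools\rclone.exe copy \\fs01\Shares\HR b2:staging"),
]

# Substrings that point at cloud object storage (Wasabi, Backblaze B2, generic S3 endpoints).
CLOUD_STORAGE_HINTS = ("wasabisys.com", "backblazeb2.com", "b2:", "s3.", "--s3-endpoint")
APPROVED_RCLONE_HOSTS = {"fs01"}  # assumption: hosts with a sanctioned Rclone backup job


def detect_rclone_cloud_transfers(events, approved_hosts=APPROVED_RCLONE_HOSTS):
    """Return (host, user, reasons) for Rclone runs outside the approved hosts.

    Reasons accumulate independent signals: a cloud-storage destination, a bulk
    transfer verb, and a binary living in a user-writable path, which is where
    a dropped copy (rather than an installed one) tends to sit.
    """
    hits = []
    for host, user, cmd in events:
        lower = cmd.lower()
        if "rclone" not in lower or host in approved_hosts:
            continue
        reasons = []
        if any(h in lower for h in CLOUD_STORAGE_HINTS):
            reasons.append("cloud storage endpoint")
        if any(verb in lower for verb in (" copy ", " sync ", " move ")):
            reasons.append("bulk transfer verb")
        if any(p in lower for p in ("\\temp\\", "\\appdata\\", "\\users\\")):
            reasons.append("binary in user-writable path")
        hits.append((host, user, reasons))
    return hits


if __name__ == "__main__":
    for src, info in detect_password_spray(AUTH_EVENTS).items():
        print(f"spray from {src}: {info['users']} accounts, later success={info['later_success']}")
    for host, user, reasons in detect_rclone_cloud_transfers(PROC_EVENTS):
        print(f"rclone on {host} as {user}: {', '.join(reasons)}")
```

Note that the single-account brute force from 198.51.100.7 is deliberately not flagged by the spray rule; a per-account lockout or failure-count rule covers that case, and keeping the two rules separate keeps the spray alert from drowning in noisy-but-benign accounts. The approved-host list is the part most likely to need care in practice: an attacker running Rclone on the backup server itself would be invisible to this check, so the allowlist should be paired with review of the destinations those jobs are permitted to write to.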
The broader lesson is clear: Iranian-linked actors may already be inside some networks. For defenders, the priority is to detect early access, contain it quickly, and strengthen resilience before espionage turns into disruption.
The post U.S. Critical Infrastructure Faces Growing Threat From Iran-Linked Hackers appeared first on Cyber Security News.