Iran-Linked Hackers Target U.S. Critical Infrastructure Amid Rising Cyber Threat Activity
Iran-linked cyber threat actors have intensified operations against U.S. organizations, raising concerns across the cybersecurity community. Security researchers say the advanced persistent threat group known as Seedworm has been active inside several networks since early February 2026.
Seedworm, also tracked as MuddyWater, Temp.Zagros, and Static Kitten, has historically targeted telecommunications firms, government agencies, and energy organizations. Recent investigations suggest the group expanded its activity toward sectors connected to finance, transportation, and defense supply chains.
Researchers believe the latest wave of cyber activity follows growing geopolitical tensions in the Middle East. Cybersecurity analysts note that state-backed hacking operations often increase during periods of military conflict or diplomatic escalation.
Seedworm has been active since at least 2017 and is widely believed to operate on behalf of Iran’s Ministry of Intelligence and Security. Over time, the group shifted from regional espionage operations to broader campaigns targeting organizations in North America, Europe, Asia, and Africa.
Cybersecurity researchers recently observed intrusion attempts affecting multiple organizations in the United States and Canada. Investigators identified activity inside the networks of a U.S. bank, an airport operator, a software company connected to defense and aerospace industries, and several non-governmental organizations.
The Israeli branch of the targeted software company appears to have been a major focus of the intrusion. Analysts believe attackers may have used the company’s international network infrastructure as a potential bridge to reach additional targets.
Security experts also observed that some of these intrusions began before recent geopolitical tensions escalated. This suggests attackers had already established footholds in critical systems before global attention shifted to the region.
The United Kingdom’s National Cyber Security Centre warned that Iranian state-aligned threat actors likely retain the ability to conduct cyber operations even during periods of domestic disruption inside Iran. Many such groups operate infrastructure outside their home country, allowing campaigns to continue even if national internet connectivity is restricted.
At the same time, several pro-Iran hacktivist groups have increased their online activity. One group known as DieNet has claimed responsibility for distributed denial-of-service attacks targeting infrastructure organizations in sectors such as energy, finance, healthcare, and transportation.
These attacks typically rely on large-scale traffic floods designed to overwhelm servers. Researchers say techniques observed include TCP SYN floods, DNS amplification attacks, and NTP amplification attacks.
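The three flood types named above each leave a recognisable shape in flow telemetry: amplification traffic arrives as large UDP packets from the source port of the abused service (53 for DNS, 123 for NTP) across many reflector addresses, while a SYN flood shows up as many sources sending SYN-only segments that never complete a handshake. The following detection routine, added here as an example and not taken from the article or any vendor, classifies constructed NetFlow-style records into those patterns. The record format, the thresholds (MIN_SOURCES, MIN_AVG_BYTES, MIN_SYN_PACKETS) and the sample addresses are assumptions to tune against real exports.

```python
"""Classify constructed flow records into the flood patterns described above
(TCP SYN flood, DNS amplification, NTP amplification).
Editor-added example; the flow format and thresholds are assumptions."""
from collections import defaultdict

# Source ports of commonly abused reflector services (assumed watch-list).
AMPLIFIER_PORTS = {53: "dns-amplification", 123: "ntp-amplification"}
MIN_SOURCES = 20       # distinct sources before a pattern counts as a flood
MIN_AVG_BYTES = 400    # amplified UDP responses are large per packet
MIN_SYN_PACKETS = 500  # SYN-only volume before calling it a SYN flood


def make_sample_flows():
    """Constructed flow records mirroring a NetFlow-style export (sample data)."""
    flows = []
    # 50 DNS "responses" from distinct resolvers hitting one server, ~1.3 KB each
    for i in range(50):
        flows.append(dict(proto="udp", src=f"198.51.100.{i + 1}", sport=53,
                          dst="203.0.113.10", dport=40000 + i,
                          packets=200, bytes=260000, flags=""))
    # 30 NTP responses from distinct hosts to the same server, ~440 B each
    for i in range(30):
        flows.append(dict(proto="udp", src=f"192.0.2.{i + 1}", sport=123,
                          dst="203.0.113.10", dport=50000 + i,
                          packets=100, bytes=44000, flags=""))
    # SYN-only segments from 60 sources to a second server, no handshake completes
    for i in range(60):
        flows.append(dict(proto="tcp", src=f"192.0.2.{100 + i}", sport=10000 + i,
                          dst="203.0.113.20", dport=443,
                          packets=25, bytes=1500, flags="S"))
    # Benign: one ordinary DNS answer and a few complete HTTPS sessions
    flows.append(dict(proto="udp", src="198.51.100.200", sport=53,
                      dst="203.0.113.30", dport=41234, packets=1, bytes=120, flags=""))
    for i in range(5):
        flows.append(dict(proto="tcp", src=f"198.51.100.{50 + i}", sport=20000 + i,
                          dst="203.0.113.30", dport=443,
                          packets=40, bytes=30000, flags="SAPF"))
    return flows


def detect_floods(flows):
    """Return {dst_ip: [pattern, ...]} for destinations that look flooded."""
    amp = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    syn = defaultdict(lambda: {"sources": set(), "syn_packets": 0, "total_packets": 0})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] in AMPLIFIER_PORTS:
            key = (f["dst"], f["sport"])
            amp[key]["sources"].add(f["src"])
            amp[key]["packets"] += f["packets"]
            amp[key]["bytes"] += f["bytes"]
        elif f["proto"] == "tcp":
            syn[f["dst"]]["total_packets"] += f["packets"]
            if f["flags"] == "S":  # SYN seen, nothing else: handshake never completed
                syn[f["dst"]]["sources"].add(f["src"])
                syn[f["dst"]]["syn_packets"] += f["packets"]

    findings = defaultdict(list)
    # Amplification: many reflector sources plus a high bytes-per-packet ratio
    for (dst, port), s in amp.items():
        avg = s["bytes"] / s["packets"]
        if len(s["sources"]) >= MIN_SOURCES and avg >= MIN_AVG_BYTES:
            findings[dst].append(AMPLIFIER_PORTS[port])
    # SYN flood: many sources, high SYN volume, SYN-only share dominates TCP traffic
    for dst, s in syn.items():
        syn_share = s["syn_packets"] / s["total_packets"] if s["total_packets"] else 0
        if (len(s["sources"]) >= MIN_SOURCES
                and s["syn_packets"] >= MIN_SYN_PACKETS and syn_share > 0.9):
            findings[dst].append("tcp-syn-flood")
    return dict(findings)


if __name__ == "__main__":
    for dst, patterns in detect_floods(make_sample_flows()).items():
        print(dst, "->", ", ".join(patterns))
```

The bytes-per-packet test is what separates reflected responses from ordinary DNS or NTP answers: a legitimate resolver reply to a single query is small and comes from one source, so the benign record for 203.0.113.30 is left alone. In production the same grouping would run over a sliding time window rather than a single batch.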
The presence of both state-backed espionage groups and hacktivist collectives creates a layered threat environment. While espionage groups focus on long-term intelligence gathering, hacktivists often aim to disrupt services or attract public attention.
Newly identified backdoors used in the campaign
Security researchers identified two previously undocumented backdoors, Dindoor and Fakeset, associated with the latest Seedworm activity, alongside a downloader and a backdoor already linked to the group. These tools are designed to maintain long-term access to compromised systems while avoiding detection.
| Backdoor | Description | Observed targets |
|---|---|---|
| Dindoor | A backdoor designed to run through the Deno runtime for JavaScript and TypeScript | Software company networks, bank infrastructure |
| Fakeset | Python-based backdoor used to maintain persistent access and execute commands remotely | Airport networks and nonprofit organizations |
| Stagecomp | Downloader used to deliver additional malware payloads | Multiple compromised systems |
| Darkcomp | Known Seedworm backdoor previously linked to Iranian cyber operations | Enterprise environments |
The Dindoor backdoor runs through Deno, an emerging runtime environment for JavaScript and TypeScript applications. Because many security tools focus primarily on traditional executables, using a modern runtime platform can help malware blend into legitimate activity.
Fakeset uses Python to execute commands remotely and maintain persistence inside compromised systems. Researchers identified digital certificates used to sign these tools, including certificates issued under the names Amy Cherne and Donald Gay.
The certificate associated with Donald Gay had previously appeared in malware connected to earlier Seedworm campaigns. This reuse of a signing certificate allowed researchers to connect the new activity with past operations attributed to the group.
Data exfiltration techniques observed
During one intrusion involving the targeted software company, attackers attempted to move data using Rclone. Rclone is a legitimate file synchronization tool commonly used for cloud storage management.
Threat actors frequently abuse legitimate software to move stolen data because it appears similar to normal administrative activity. In this case, investigators observed attempts to transfer files to a Wasabi cloud storage bucket.
Security analysts have not confirmed whether the data transfer succeeded. However, the use of cloud storage services for exfiltration is becoming increasingly common in advanced cyber espionage operations.
Indicators organizations should monitor
Security teams can look for several warning signs associated with this campaign.
• Unusual outbound connections to cloud storage services
• Unexpected execution of JavaScript or Python processes in enterprise environments
• Suspicious file transfers using tools such as Rclone
• Authentication attempts from unusual geographic locations
• Network connections to previously unknown command-and-control servers
Organizations should investigate these indicators quickly because advanced threat groups often move laterally through networks once access is obtained.
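Several of the warning signs listed above can be checked mechanically against endpoint and network telemetry, and they are far more meaningful when correlated on the same host: Rclone running on a server that is also pushing gigabytes to a cloud storage endpoint is a much stronger signal than either event alone. The triage routine below is an added example written for this article, not code from the article or from any named vendor. Its log format, the domain suffixes, the list of user-writable paths and the 1 GiB egress threshold are all assumptions; the events are constructed sample data.

```python
"""Triage constructed endpoint telemetry against the indicators listed above:
cloud-storage egress, scripting runtimes launched from unusual paths, Rclone use,
and direct-to-IP connections on uncommon ports.
Editor-added example; log format, watch-lists and thresholds are assumptions."""
import re
from collections import defaultdict

# Assumed watch-lists (tune to your environment).
CLOUD_STORAGE_SUFFIXES = ("wasabisys.com", "amazonaws.com",
                          "blob.core.windows.net", "storage.googleapis.com")
SCRIPT_RUNTIMES = {"deno", "python", "python3", "pythonw", "node"}
TRANSFER_TOOLS = {"rclone"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "/tmp/", "/dev/shm/")
LARGE_EGRESS_BYTES = 1 << 30  # one flow moving >= 1 GiB outbound is worth a look

# Constructed sample events in a simple "kind key=value ..." line format.
SAMPLE_EVENTS = """\
process host=ws-17 user=jdoe exe="C:\\Users\\jdoe\\AppData\\Local\\Temp\\deno.exe" cmd="deno run -A agent.ts"
process host=srv-db2 user=svc_backup exe="/opt/tools/rclone" cmd="rclone copy /var/lib/pg remote:bucket --transfers 32"
process host=ws-03 user=mlee exe="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" cmd="WINWORD.EXE report.docx"
process host=ws-03 user=mlee exe="C:\\Python311\\python.exe" cmd="python build.py"
network host=srv-db2 user=svc_backup dst=s3.us-east-1.wasabisys.com dport=443 bytes_out=4831838208
network host=ws-17 user=jdoe dst=updates.example-vendor.com dport=443 bytes_out=12000
network host=ws-17 user=jdoe dst=203.0.113.45 dport=8443 bytes_out=55000
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_events(text):
    """Turn each non-empty line into a dict; the first token is the event kind."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, _, rest = line.partition(" ")
        ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ev["kind"] = kind
        events.append(ev)
    return events


def basename(path):
    """Lower-cased file name without a trailing .exe, for Windows or POSIX paths."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def triage(text):
    """Return {host: [(indicator, detail), ...]} for hosts with at least one hit."""
    findings = defaultdict(list)
    for ev in parse_events(text):
        host = ev.get("host", "unknown")
        if ev["kind"] == "process":
            exe = ev.get("exe", "")
            name = basename(exe)
            if name in TRANSFER_TOOLS:
                findings[host].append(("transfer-tool", ev.get("cmd", exe)))
            elif name in SCRIPT_RUNTIMES and any(p in exe.lower() for p in USER_WRITABLE):
                # A runtime in a normal install location is expected; one dropped
                # into a temp or profile directory is the unexpected case.
                findings[host].append(("runtime-from-user-path", exe))
        elif ev["kind"] == "network":
            dst = ev.get("dst", "").lower()
            out = int(ev.get("bytes_out", "0"))
            if dst.endswith(CLOUD_STORAGE_SUFFIXES):
                tag = "large-cloud-egress" if out >= LARGE_EGRESS_BYTES else "cloud-storage-egress"
                findings[host].append((tag, f"{dst} {out} bytes"))
            elif IPV4_RE.fullmatch(dst) and ev.get("dport") not in ("80", "443"):
                # Direct-to-IP on an uncommon port is not proof of a C2 server,
                # only a prompt to check the destination against vetted intel.
                findings[host].append(("direct-ip-uncommon-port", f"{dst}:{ev.get('dport')}"))
    # Correlation: a transfer tool plus cloud egress on one host escalates the case.
    for host, items in findings.items():
        tags = {t for t, _ in items}
        if "transfer-tool" in tags and tags & {"cloud-storage-egress", "large-cloud-egress"}:
            items.append(("possible-exfiltration", "transfer tool and cloud egress on same host"))
    return dict(findings)


if __name__ == "__main__":
    for host, items in triage(SAMPLE_EVENTS).items():
        for indicator, detail in items:
            print(f"{host:8} {indicator:26} {detail}")
```

Note what the sample deliberately does not flag: python.exe launched from its normal install path on ws-03, and an HTTPS connection to a vendor update host. Suppressing those is as important as catching the Rclone-plus-Wasabi pair on srv-db2, otherwise the indicator list above turns into alert noise that nobody investigates.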
Recommended defensive measures
Cybersecurity agencies recommend several security practices that can reduce the risk of compromise.
• Enforce multi-factor authentication for all remote access services
• Monitor network traffic for abnormal data transfers
• Restrict access to external cloud storage platforms where possible
• Deploy web application firewalls with updated rules
• Maintain offline, immutable backups of critical data
• Conduct regular threat hunting to identify hidden intrusions
Security teams should also ensure systems and security tools remain fully updated. Many advanced threats rely on exploiting unpatched vulnerabilities or weak access controls.
FAQ
Seedworm is an advanced persistent threat group widely believed to operate on behalf of Iran’s Ministry of Intelligence and Security. The group conducts cyber espionage and network intrusions against organizations worldwide.
Recent investigations show activity affecting banking institutions, airport operators, defense-linked software companies, and nonprofit organizations.
Researchers observed several tools including the Dindoor and Fakeset backdoors, as well as legitimate utilities such as Rclone used for data exfiltration.
Threat actors deploy backdoors and use stolen credentials to maintain long-term access while blending into normal network activity.