Iranian cyber ops maintain US network footholds, target cameras for regional surveillance
Iran-linked cyber activity is showing two tracks at once. One is quiet, persistent access inside US and Canadian networks. The other is fast-moving surveillance activity aimed at internet-connected cameras across the Middle East. Recent reporting from Broadcom, Check Point Research, and other security firms suggests both efforts fit a broader intelligence and pre-positioning strategy rather than a single one-off campaign.
Broadcom’s Symantec and Carbon Black researchers said activity linked to Seedworm, also known as MuddyWater, was spotted on the networks of multiple US organizations beginning in February 2026 and continuing into recent days. The victims included a US bank, a US airport, US and Canadian non-profits, and the Israeli operations of a US software company that supplies the defense and aerospace industries. The US government has previously linked MuddyWater to Iran’s Ministry of Intelligence and Security.
At the same time, Check Point Research said it observed a sharp spike starting February 28 in attempts to target Hikvision and Dahua IP cameras in Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus. The researchers tied that activity to multiple Iran-nexus threat actors and said the timing aligned with the opening phase of the current regional conflict.
What Broadcom found inside US and Canadian networks
Broadcom said the intrusions involved previously undocumented malware, including a new backdoor called Dindoor and a separate Python backdoor called Fakeset. Dindoor was seen on the networks of a US bank, a Canadian non-profit, and the Israeli branch of a US software company serving defense and aerospace clients. Fakeset appeared on the networks of a US airport and a non-profit organization.
The technical details stand out. Broadcom said Dindoor uses the Deno runtime to execute JavaScript and TypeScript, while Fakeset is Python-based. Researchers also linked Fakeset to certificates previously used to sign Stagecomp and Darkcomp malware, which they said strengthens the case that the same actor, Seedworm, was behind the activity.
Broadcom also said there was an attempt to exfiltrate data from the targeted software company using Rclone to a Wasabi storage bucket, though it was not clear whether that transfer succeeded. That points to espionage and collection rather than immediate destructive action.
Why these footholds matter now
The concern is not only that MuddyWater got in. It is that the group already had a foothold before hostilities escalated. Broadcom warned that even if the current conflict disrupts some Iranian operations, existing access on US and Israeli-linked networks puts Seedworm in a dangerous position to launch follow-on actions.
That makes the campaign more serious than an ordinary isolated intrusion. A threat actor that already sits inside banking, aviation, nonprofit, and defense-adjacent environments does not need to rush. It can watch, collect, and choose its next step based on events around it.
Camera targeting has become part of the playbook
Check Point’s findings show a second track that is easier to overlook but strategically useful. The company said Iran-nexus actors were targeting internet-connected cameras, especially Hikvision and Dahua devices, across several Middle Eastern countries. The researchers said the activity likely aimed to identify exposed systems that could provide live visibility during wartime conditions.
According to Check Point, the scanning and exploitation attempts focused on known flaws including CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067, and CVE-2021-33044. The company said it saw no similar targeting of other camera brands from the same infrastructure.
This matters because compromised cameras can act as low-cost surveillance tools. They can show damage after strikes, movement near key facilities, emergency response patterns, and activity around military or civilian infrastructure. Wired, citing Check Point’s work, reported that the camera-hacking attempts were closely timed to the first days of the current conflict.
What the two campaigns have in common
These operations look different on the surface, but they share the same practical logic. One campaign preserves access inside high-value networks. The other tries to turn exposed physical security devices into battlefield sensors. Both give Iranian-linked actors more visibility without requiring immediate disruptive attacks.
That is why the combination is important. Persistent footholds support long-term espionage and contingency planning. Camera exploitation supports near-real-time awareness in a conflict zone. Together, they show a hybrid approach that mixes cyber espionage with tactical surveillance.
Where Handala fits into the picture
A separate but related signal came from the cyberattack on Stryker. Reuters reported that Stryker said a March 11 cyberattack caused widespread disruption to orders, manufacturing, and shipping, while an Iranian-linked group called Handala claimed responsibility. Reuters did not independently verify the broader claims around the incident, but the attack shows the wider role of Iran-linked proxy or aligned actors during the current period of tension.
It is important to separate what is confirmed from what is claimed. Stryker confirmed the disruption and said patient-related services and connected medical products were not affected. Public claims about the scale of exfiltration and device wiping came from attackers or secondary reporting, not from Reuters’ verification.
Key malware and infrastructure details
| Element | What researchers said | Why it matters |
|---|---|---|
| Dindoor | New backdoor using the Deno runtime | Suggests a tailored persistence tool for long-term access |
| Fakeset | Python backdoor found on airport and non-profit networks | Shows multiple implants across different victim types |
| Stagecomp / Darkcomp link | Shared signing certificates tied to earlier MuddyWater malware | Helps attribute the activity to Seedworm/MuddyWater |
| Rclone to Wasabi | Attempted exfiltration from software company | Points to espionage and data theft goals |
| Hikvision / Dahua targeting | Focused camera exploitation attempts | Suggests low-cost regional surveillance gathering |
Camera vulnerabilities highlighted by Check Point
| CVE | Affected area | Research note |
|---|---|---|
| CVE-2017-7921 | Hikvision IP camera firmware | Improper authentication flaw |
| CVE-2021-36260 | Hikvision web server component | Command injection vulnerability |
| CVE-2023-6895 | Hikvision Intercom Broadcasting System | OS command injection issue |
| CVE-2025-34067 | Hikvision Integrated Security Management Platform | Unauthenticated remote code execution flaw |
| CVE-2021-33044 | Multiple Dahua products | Authentication bypass vulnerability |
What organizations should do now
Organizations in banking, aviation, defense supply chains, healthcare, and nonprofit sectors should review for signs of Deno runtime abuse, unexpected Python execution, unusual code signing chains, and outbound transfers involving tools such as Rclone. Broadcom’s findings suggest that certificate reuse and uncommon runtime activity are useful detection leads.
Teams running Hikvision or Dahua devices should patch exposed systems quickly, disable unnecessary remote access, segment cameras from core networks, and monitor outbound traffic from those devices. Check Point’s report suggests these systems are being treated as intelligence collection targets, not just opportunistic internet scans.
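The hunting leads in the two paragraphs above (script runtimes such as Deno or Python launched from user-writable paths, unexpected or missing code signers on those runtimes, Rclone runs that name a remote, and camera devices talking to anything other than their video management server) can be turned into a simple log review. The script below is an added illustration written for this article; it is not code from Broadcom, Check Point or the campaigns described. Every log line in it is constructed, the signer allow-list and the network ranges are assumptions, and the `host|user|image|command line|signer` and `src|dst|port|bytes` formats are invented stand-ins for whatever EDR or flow export a team actually has.

```python
"""Hunt for the detection leads discussed above over constructed log lines.

Added example; the event formats, signer allow-list and address ranges are
assumptions, and none of the values are real indicators.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed process-execution events: host|user|image|command line|signer
PROCESS_EVENTS = [
    "ws01|alice|C:\\Program Files\\Python311\\python.exe|python.exe build.py|Python Software Foundation",
    "ws02|bob|C:\\Users\\bob\\AppData\\Roaming\\deno\\deno.exe|deno.exe run -A C:\\Users\\bob\\AppData\\Roaming\\svc.ts|",
    "srv03|svc|C:\\Windows\\Temp\\py\\python.exe|python.exe C:\\Windows\\Temp\\py\\up.py|Example Signer Ltd",
    "srv04|admin|C:\\Tools\\rclone\\rclone.exe|rclone.exe copy D:\\share remote:bucket --config C:\\Users\\admin\\r.conf|",
    "srv05|svc|C:\\Program Files\\Git\\cmd\\git.exe|git.exe pull|",
]

# Constructed flow records from the camera VLAN: src|dst|dst_port|bytes
CAMERA_FLOWS = [
    "10.50.1.21|10.10.0.5|554|48211",      # RTSP to the NVR: expected
    "10.50.1.21|10.10.0.9|123|76",         # NTP to the internal time server: expected
    "10.50.1.33|203.0.113.44|443|918442",  # HTTPS straight to the internet: not expected
    "10.50.1.33|10.20.3.7|445|2041",       # SMB toward the office LAN: not expected
]

SCRIPT_RUNTIMES = ("deno.exe", "python.exe", "pythonw.exe")
# Paths an ordinary user can write to; a script runtime living here is worth a look
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|windows\\temp|programdata)\\", re.I)
# Assumed allow-list: signers the organisation expects on its script runtimes
TRUSTED_SIGNERS = {"Python Software Foundation", "Deno Land Inc."}
# Rclone remotes appear as "name:" or ":backend:" tokens; a single letter before
# the colon is a Windows drive and is deliberately not matched
RCLONE_REMOTE = re.compile(r"(?:^|\s)(:?[A-Za-z][A-Za-z0-9_-]+:)")
# Assumed: the VMS/NVR and time server live in this range, on these ports only
VMS_NETWORK = ipaddress.ip_network("10.10.0.0/24")
CAMERA_ALLOWED_PORTS = {554, 123}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def hunt_processes(lines):
    """Flag script runtimes in odd places, odd signers, and Rclone remote transfers."""
    findings = []
    for line in lines:
        host, _user, image, cmdline, signer = line.split("|")
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_RUNTIMES:
            if USER_WRITABLE.search(image) or USER_WRITABLE.search(cmdline):
                findings.append(Finding(host, "script-runtime-user-writable", cmdline))
            if signer and signer not in TRUSTED_SIGNERS:
                findings.append(Finding(host, "script-runtime-unexpected-signer", signer))
            elif not signer:
                findings.append(Finding(host, "script-runtime-unsigned", image))
        if exe == "rclone.exe":
            remotes = RCLONE_REMOTE.findall(cmdline)
            if remotes:
                findings.append(Finding(host, "rclone-remote-transfer", ", ".join(remotes)))
    return findings


def hunt_camera_flows(lines):
    """Flag any camera traffic that is not video or time sync to the VMS range."""
    findings = []
    for line in lines:
        src, dst, port, nbytes = line.split("|")
        dst_ok = ipaddress.ip_address(dst) in VMS_NETWORK and int(port) in CAMERA_ALLOWED_PORTS
        if not dst_ok:
            findings.append(Finding(src, "camera-unexpected-egress", f"{dst}:{port} ({nbytes} bytes)"))
    return findings


if __name__ == "__main__":
    for f in hunt_processes(PROCESS_EVENTS) + hunt_camera_flows(CAMERA_FLOWS):
        print(f"{f.host:12} {f.rule:34} {f.detail}")
```

On the constructed input this reports the Deno binary and script under a user profile (and its missing signer), the Python interpreter under `Windows\Temp` with a signer outside the allow-list, the Rclone copy to a named remote, and the one camera that reaches the internet and the office LAN. The rules are deliberately coarse: a real deployment would tune the signer list and the VMS range to the environment, and treat each hit as a lead to pivot on rather than a verdict.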
Bottom line
The current picture is not just about noisy retaliation. It is about sustained access and practical surveillance. Broadcom’s reporting suggests MuddyWater already had footholds inside sensitive North American networks before the latest hostilities intensified, while Check Point’s findings show Iran-nexus actors also trying to turn ordinary security cameras into regional intelligence tools.
For defenders, the message is simple. Watch for quiet persistence as closely as headline-grabbing disruption. In this case, the most important threat may be the actor that is already inside and the camera that no one thought to treat as part of the battlefield.
FAQ
MuddyWater, also tracked as Seedworm among other names, is an Iranian state-linked threat group that the US government has tied to Iran’s Ministry of Intelligence and Security.
Broadcom said the activity affected a US bank, a US airport, US and Canadian non-profits, and the Israeli operations of a US software company serving the defense and aerospace industries.
Broadcom described Dindoor as a previously unknown backdoor that uses the Deno runtime to execute JavaScript and TypeScript code.
Check Point said Iran-nexus actors targeted Hikvision and Dahua systems across the Middle East, likely to support surveillance and battlefield awareness during the current conflict.
No. Reuters confirmed the operational disruption and Handala’s claim of responsibility, but it did not independently verify the broader public claims around the incident.