Canadian Non-Profit Organization: Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company

Iranian APT Group Seedworm Targets U.S. and Israeli Networks Amid Escalating Conflict

Since February 2026, the Iranian advanced persistent threat (APT) group Seedworm (also known as MuddyWater, Temp Zagros, or Static Kitten) has been detected on the networks of multiple U.S. organizations, with activity persisting in recent days. The campaign follows U.S. and Israeli military strikes on Iran, including the killing of Iran’s Supreme Leader Ayatollah Ali Khamenei on March 1, which have heightened regional tensions and increased the likelihood of retaliatory cyber operations.

Targets and Tactics

Seedworm has compromised networks across critical sectors, including:

  • A U.S. bank
  • A U.S. airport
  • A U.S. software company with Israeli operations (a supplier to defense and aerospace industries)
  • A Canadian non-profit organization

The group deployed two previously unknown backdoors:

  1. Dindoor – A Deno-based backdoor signed with a certificate issued to "Amy Cherne," found on the Israeli branch of the targeted software company, a U.S. bank, and the Canadian non-profit. Attackers attempted to exfiltrate data using Rclone to a Wasabi cloud storage bucket, though success remains unconfirmed.
  2. Fakeset – A Python-based backdoor signed with certificates for "Amy Cherne" and "Donald Gay" (a certificate previously linked to Seedworm). It was downloaded from Backblaze cloud storage servers and deployed against a U.S. airport and non-profit.

Seedworm has also used the Stagecomp and Darkcomp malware families in the past, though neither was directly observed in the latest intrusions. The reuse of the same signing certificates across Dindoor and Fakeset suggests a single coordinated campaign.
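As an added illustration (not code from the Symantec or Rankiteo write-up), the following Python hunt runs over constructed process telemetry and flags the three tradecraft signals the section describes: binaries signed with the "Amy Cherne" or "Donald Gay" certificates, Rclone pushing data to Wasabi or Backblaze storage, and a Deno or Python runtime launched from a user-writable path (that last heuristic, the event field names, and all hostnames and paths are assumptions, not the vendor's schema).

```python
from __future__ import annotations
import re
from dataclasses import dataclass

SUSPECT_SIGNERS = {"amy cherne", "donald gay"}     # signer CNs named in the report
CLOUD_STORAGE_HINTS = ("wasabi", "backblaze")      # storage providers named in the report
SCRIPT_RUNTIMES = {"deno", "deno.exe", "python", "python.exe", "pythonw.exe"}
# Assumed heuristic: interpreters run from these locations merit a closer look.
USER_WRITABLE = re.compile(r"(appdata|programdata|temp|tmp|downloads|/home/)", re.I)


@dataclass
class ProcessEvent:
    host: str
    image: str            # full path of the executable (assumed field layout)
    cmdline: str
    signer: str | None    # Authenticode subject CN, or None if unsigned


def classify(ev: ProcessEvent) -> list[str]:
    """Return every reason this event matches the report's Seedworm indicators."""
    reasons: list[str] = []
    exe = re.split(r"[\\/]", ev.image)[-1].lower()
    cmd = ev.cmdline.lower()
    if ev.signer and ev.signer.strip().lower() in SUSPECT_SIGNERS:
        reasons.append(f"signed by suspect certificate '{ev.signer}'")
    if exe.startswith("rclone") and any(h in cmd for h in CLOUD_STORAGE_HINTS):
        reasons.append("rclone transfer to cloud object storage")
    if exe in SCRIPT_RUNTIMES and USER_WRITABLE.search(ev.image):
        reasons.append(f"script runtime {exe} launched from user-writable path")
    return reasons


def hunt(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map host -> matched reasons; hosts with no matches are omitted."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        for reason in classify(ev):
            hits.setdefault(ev.host, []).append(reason)
    return hits


# Constructed sample telemetry; hostnames, paths and command lines are invented.
SAMPLE_EVENTS = [
    ProcessEvent("ws-042", r"C:\Users\jdoe\AppData\Local\Temp\deno.exe",
                 "deno.exe run --allow-all update.ts", "Amy Cherne"),
    ProcessEvent("ws-042", r"C:\Tools\rclone.exe",
                 "rclone.exe copy C:\\Share wasabi-bucket:/backup", None),
    ProcessEvent("ws-017", r"C:\Python311\python.exe", "python.exe -m pip list", None),
    ProcessEvent("ws-017", r"C:\Program Files\Git\bin\git.exe", "git.exe status", "Git for Windows"),
]

if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Only ws-042 is reported: the Deno launch from Temp with a suspect signer yields two reasons and the Rclone copy to a Wasabi remote a third, while the legitimately installed Python and Git on ws-017 produce none.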

Broader Iranian Cyber Threat Landscape

Seedworm, a subordinate element of Iran’s Ministry of Intelligence and Security (MOIS), has been active since 2017, initially focusing on Middle Eastern targets before expanding to telecommunications, defense, government, and energy sectors globally. The group employs custom malware, dual-use tools, and social engineering, including spear-phishing and "honeytrap" operations, to gain access.

Recent Activity by Iranian-Aligned Groups

  • Handala (Iranian-aligned hacktivist group):

    • December 2025: Claimed to have compromised the phones of former Israeli PM Naftali Bennett and Benjamin Netanyahu’s Chief of Staff, leaking contacts and media (though researchers disputed that full device access was obtained).
    • February–March 2026: Alleged breaches of Israel’s largest healthcare network and Sharjah National Oil Corporation, exfiltrating 1.3TB of sensitive data (including financial records and oil contracts). Some claims may be exaggerated for psychological impact.
    • Ongoing: Threatened to target Netanyahu and other high-profile figures.
  • Marshtreader (Pink Sandstorm/Agrius):

    • June 2025: Scanned vulnerable Israeli cameras (CVE-2023-6895, CVE-2017-7921) for bombing damage assessment (BDA) and reconnaissance.
    • Conducted password-spraying attacks on Israeli municipal governments, followed by spear-phishing to deliver remote access tools (RATs).
  • DieNet (Pro-Palestinian hacktivist group):

    • Emerged in March 2025, intensifying DDoS attacks on U.S. critical infrastructure (energy, finance, healthcare, government) after the arrest of activist Mahmoud Khalil.

Geopolitical Context and Cyber Escalation Risks

The February 28, 2026, U.S.-Israeli airstrikes, which killed Khamenei and other Iranian officials, triggered retaliatory missile strikes by Iran against U.S. and Israeli targets. Cyber operations are a key component of Iran’s asymmetric response, and both nations have a history of destructive attacks (e.g., Iran’s Shamoon wiper, Israel’s Stuxnet).

The UK’s National Cyber Security Centre (NCSC) warned that Iranian state-linked actors retain cyber capabilities despite potential disruptions, while Check Point reported that Handala has used Starlink since January 2026 to maintain connectivity amid Iranian internet shutdowns.

Expected Threat Vectors

Given Iran’s past tactics, defenders should anticipate:

  • DDoS and defacements targeting government, energy, transportation, and financial sectors for psychological and economic pressure.
  • Credential harvesting (password spraying, mailbox compromises) against defense, NGOs, and logistics contractors.
  • Hack-and-leak operations (e.g., Handala’s partial data leaks) to intimidate and disrupt.
  • Destructive attacks (wipers, ransomware) on critical infrastructure, particularly in energy, telecoms, and defense supply chains.
  • Opportunistic targeting of exposed OT systems, logistics networks, and contractor VPNs.

Historical Precedents

  • Stuxnet (2010): A U.S.-Israeli cyberweapon that sabotaged Iran’s Natanz nuclear facility, demonstrating the potential for physical destruction via cyber means. The facility was hit again in U.S. strikes in June 2025 and March 2026.
  • Druidfly (Homeland Justice/Karma):
    • 2022: Wiped Albanian government systems after diplomatic fallout over MEK dissidents.
    • 2023–2025: Deployed BibiWiper against Israeli targets, encrypting files and destroying master boot records (MBRs).
    • June 2025: Targeted Albania again, disrupting Tirana’s public services.

Conclusion

Seedworm’s recent intrusions, pre-positioned before the latest escalation of the conflict, highlight Iran’s strategic cyber capabilities and its willingness to use espionage, disruption, and destruction against perceived adversaries. With hacktivist groups amplifying attacks and state-aligned actors refining their tooling, organizations in the U.S., Israel, and allied nations remain at heightened risk of targeted cyber operations as the conflict evolves.

Source: https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us

New Canadians Centre cybersecurity rating report: https://www.rankiteo.com/company/newcanadianscentre

Incident record:

{
  "id": "NEW1772742770",
  "linkid": "newcanadianscentre",
  "type": "Cyber Attack",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

Incident analysis:

{
  "affected_entities": [
    {"industry": "Banking", "location": "United States", "name": "U.S. Bank", "type": "Financial Institution"},
    {"industry": "Aviation", "location": "United States", "name": "U.S. Airport", "type": "Transportation"},
    {"industry": "Defense and Aerospace Software", "location": "Israel", "name": "U.S. Software Company (Israeli Branch)", "type": "Technology"},
    {"location": "Canada", "name": "Canadian Non-Profit Organization", "type": "Non-Profit"}
  ],
  "attack_vector": ["Spear-phishing", "Backdoors", "Malware Deployment", "Credential Harvesting"],
  "data_breach": {
    "data_encryption": true,
    "data_exfiltration": true,
    "number_of_records_exposed": "1.3TB (alleged)",
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Sensitive Data", "Financial Records", "Oil Contracts", "Personally Identifiable Information"]
  },
  "date_detected": "2026-02-01",
  "description": "Since February 2026, the Iranian advanced persistent threat (APT) group Seedworm (also known as MuddyWater, Temp Zagros, or Static Kitten) has been detected on the networks of multiple U.S. organizations, with activity persisting in recent days. The campaign follows U.S. and Israeli military strikes on Iran, including the killing of Iran’s Supreme Leader Ayatollah Ali Khamenei on March 1, which have heightened regional tensions and increased the likelihood of retaliatory cyber operations.",
  "impact": {
    "brand_reputation_impact": true,
    "data_compromised": true,
    "identity_theft_risk": true,
    "operational_impact": ["Data Exfiltration Attempts", "Network Intrusions"],
    "systems_affected": ["Networks", "Cloud Storage", "OT Systems"]
  },
  "initial_access_broker": {
    "backdoors_established": ["Dindoor", "Fakeset"],
    "entry_point": ["Spear-phishing", "Password Spraying", "Vulnerable Cameras"],
    "high_value_targets": ["Defense", "Aerospace", "Energy", "Telecommunications"]
  },
  "investigation_status": "Ongoing",
  "motivation": ["Retaliation", "Espionage", "Disruption", "Geopolitical Influence"],
  "post_incident_analysis": {
    "root_causes": ["Geopolitical escalation", "Pre-positioned backdoors", "Exploitation of known vulnerabilities"]
  },
  "ransomware": {"data_encryption": true, "data_exfiltration": true},
  "recommendations": [
    "Defenders should anticipate DDoS and defacements targeting government, energy, transportation, and financial sectors.",
    "Monitor for credential harvesting (password spraying, mailbox compromises) against defense, NGOs, and logistics contractors.",
    "Prepare for hack-and-leak operations to intimidate and disrupt.",
    "Secure exposed OT systems, logistics networks, and contractor VPNs.",
    "Enhance monitoring for destructive attacks (wipers, ransomware) on critical infrastructure."
  ],
  "references": [
    {"source": "UK’s National Cyber Security Centre (NCSC)"},
    {"source": "Check Point"}
  ],
  "threat_actor": "Seedworm (MuddyWater, Temp Zagros, Static Kitten)",
  "title": "Iranian APT Group Seedworm Targets U.S. and Israeli Networks Amid Escalating Conflict",
  "type": ["Espionage", "Cyber Attack", "Data Exfiltration"],
  "vulnerability_exploited": ["CVE-2023-6895", "CVE-2017-7921"]
}