Mallory

Iran-linked MuddyWater intrusions and heightened retaliation risk after U.S.-Israeli strikes

Tags: state-sponsored-espionage, remote-access-implant, critical-infrastructure-threat, financial-sector-threat, phishing-campaign-intelligence
Updated March 21, 2026 at 12:04 AM · 2 sources

Following the Feb. 28, 2026 U.S.-Israeli strikes on Iran, reporting indicates a heightened risk of Iranian retaliatory cyber activity against U.S. and allied organizations, with expected operations spanning ransomware, DDoS (including as cover for deeper intrusions), data leaks from prior exfiltration, and aggressive social engineering (e.g., fake job offers and malicious attachments). Likely target sets highlighted include critical infrastructure, banking, and environments involving industrial control systems/PLCs, with emphasis on disciplined execution of security fundamentals (patching, log review, and tighter email/attachment handling) rather than overreliance on automation.

Separately, MuddyWater (Seedworm), an Iran-linked APT, was reported active in multiple U.S. organizations since early Feb. 2026, with activity increasing after the strikes. Symantec and Carbon Black researchers described targeting that included a U.S. bank, an airport, a non-profit, and the Israeli operation of a U.S. software company supplying the defense/aerospace sector, and identified a previously unknown backdoor, Dindoor, observed in several victims; Dindoor executes via Deno (a JavaScript/TypeScript runtime). Commentary in the reporting also warned to assume potential pre-positioning in high-value targets and recommended proactive hunting for signs of persistent access before activation.
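The reporting above only states that Dindoor runs on the Deno runtime and recommends hunting for persistent access. As an added defensive illustration, not code from the page or from the Symantec/Carbon Black reporting, the following hunt helper scans process-creation events for Deno launches that merit analyst review: a Deno binary or script living in a user-writable directory, broad permission flags such as `-A`/`--allow-all`, a script pulled from a remote URL, or a launch by a service or script host. The event format, the sample events, the paths and the heuristics themselves are assumptions constructed for this example; they are not published Dindoor indicators.

```python
"""
Hunt helper for Deno runtime executions worth reviewing.

The event records below mimic simplified Sysmon-style process-creation
fields (Image, CommandLine, ParentImage, User). They are constructed for
this example; none of the paths or URLs are real indicators.
"""
import re

# Constructed sample telemetry: one benign developer run, two suspicious
# launches, and one unrelated process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\dev\.deno\bin\deno.exe",
     "CommandLine": r"deno run --allow-net .\tools\lint.ts",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "User": r"CORP\dev"},
    {"Image": r"C:\Users\jsmith\AppData\Local\Temp\deno.exe",
     "CommandLine": r"deno run -A https://example.invalid/u/loader.ts",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\jsmith"},
    {"Image": r"C:\ProgramData\svc\deno.exe",
     "CommandLine": r"deno run --allow-all C:\ProgramData\svc\main.js",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\jsmith"},
]

# Heuristics are assumptions for this example, tuned for triage rather than alerting.
USER_WRITABLE = re.compile(r"[\\/](AppData|Temp|ProgramData|Public|Downloads)[\\/]", re.IGNORECASE)
BROAD_PERMS = re.compile(r"(^|\s)(-A|--allow-all|--allow-run)(\s|$)")
REMOTE_MODULE = re.compile(r"\s(https?://\S+)")
# Parents that rarely start a developer's Deno session but often start implants.
SUSPICIOUS_PARENTS = {"services.exe", "wscript.exe", "cscript.exe",
                      "powershell.exe", "cmd.exe", "mshta.exe"}


def _basename(path: str) -> str:
    """Last path component for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def deno_findings(event: dict) -> list:
    """Return the list of review reasons for one event (empty if not Deno or clean)."""
    if _basename(event.get("Image", "")) not in ("deno", "deno.exe"):
        return []
    cmd = event.get("CommandLine", "")
    parent = _basename(event.get("ParentImage", ""))
    reasons = []
    if USER_WRITABLE.search(event["Image"]) or USER_WRITABLE.search(cmd):
        reasons.append("deno binary or script in user-writable path")
    if BROAD_PERMS.search(cmd):
        reasons.append("broad Deno permission flag")
    remote = REMOTE_MODULE.search(cmd)
    if remote:
        reasons.append(f"remote module: {remote.group(1)}")
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {parent}")
    return reasons


def hunt(events) -> list:
    """Return only the events that produced at least one reason, with those reasons attached."""
    flagged = []
    for event in events:
        reasons = deno_findings(event)
        if reasons:
            flagged.append({"Image": event["Image"], "User": event.get("User", ""),
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['User']:<22} {hit['Image']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The developer's `deno run --allow-net` from an editor is deliberately left unflagged so the output stays reviewable; the two constructed suspicious launches surface with several reasons each. In practice the same logic would be applied to exported EDR or Sysmon events rather than the inline sample, and the path and parent lists would be tuned to the environment's own Deno usage.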

Timeline

  1. Mar 20, 2026

    Augur reports broader Iranian threat activity and hacktivist activation

    Augur Security reported elevated activity from multiple Iranian threat groups, including APT33, APT34, APT35, CyberAv3ngers, and Cotton Sandstorm, in the period surrounding the strikes. It also said at least 60 hacktivist groups, including Handala and Cyber Fattah, were activated by Iran after the U.S.-Israel attacks.

  2. Mar 6, 2026

    Expel reports no confirmed Iran-linked incidents in customer environments

    As of early March 2026, Expel said it had not confirmed any Iran-related incidents in its customer environments despite warning of elevated retaliatory cyber risk. The company advised organizations to harden defenses and monitor for Iranian tradecraft and infrastructure shifts.

  3. Mar 6, 2026

    Researchers identify Dindoor backdoor on victim networks

    Broadcom researchers discovered a previously unknown backdoor called Dindoor on several victim networks. The malware was noted for executing via Deno, adding new technical detail to the campaign.

  4. Mar 1, 2026

    Ayatollah Ali Khamenei dies

    Reporting on the campaign linked the apparent retaliatory Iranian cyber activity to the death of Ayatollah Ali Khamenei. The death was cited as occurring on March 1, 2026.

  5. Feb 28, 2026

    MuddyWater activity intensifies after the strikes on Iran

    Researchers said MuddyWater's operations escalated after the February 28 U.S.-Israeli attack on Iran and assessed the campaign as likely retaliatory. The activity was also linked in reporting to the death of Ayatollah Ali Khamenei on March 1.

  6. Feb 28, 2026

    U.S. and Israeli forces strike Iran

    Coordinated U.S. and Israeli strikes against Iran took place on February 28, 2026. Multiple security reports cited the operation as the trigger for heightened concern over Iranian retaliatory cyber activity.

  7. Feb 1, 2026

    MuddyWater begins activity inside multiple U.S. networks

    Broadcom's Symantec and Carbon Black reported that MuddyWater had been active inside multiple U.S. company networks since early February 2026. Identified victims included a U.S. bank, an airport, a non-profit, and the Israeli operation of a U.S. software company serving the defense and aerospace sector.

  8. Sep 1, 2025

    MuddyWater stages attack infrastructure in September 2025

    Augur Security observed more than half a dozen CIDR blocks linked to MuddyWater during a 72-hour period in September 2025, most associated with an Estonian ASN provider. Researchers later assessed with medium confidence that this buildup was preparation for cyber operations following the later U.S.-Israel strikes on Iran.

Related Stories

MuddyWater (Seedworm) Espionage Campaign Using Dindoor Backdoor Against U.S. Organizations

Security researchers reported a cyber-espionage campaign attributed to Iran-linked **MuddyWater** (aka **Seedworm**), assessed as operating under Iran’s **Ministry of Intelligence and Security (MOIS)**, targeting multiple U.S.-based organizations and related operations. Victims cited across reporting include a **U.S. airport**, a **U.S. bank**, **non-governmental/non-profit organizations** in North America, and the **Israeli operations of a U.S. software supplier** connected to the defense and aerospace sector—indicating interest in both critical infrastructure-adjacent environments and the defense supply chain. The intrusions were described as beginning in **early 2026** (with Symantec/Carbon Black tracking activity starting in early February) and focused on establishing and maintaining access consistent with long-term intelligence collection. One report highlighted deployment of a newly observed backdoor, **Dindoor**, alongside additional tooling to sustain persistence in victim networks, while broader analysis framed the activity as potentially aligned with heightened regional tensions and warned that Iranian-aligned actors may continue reconnaissance and access operations; organizations were advised to increase monitoring and defensive readiness, particularly where exposed services could enable initial access.

1 month ago
Iran Retaliation Cyber Risk After U.S. and Israeli Strikes

Coordinated U.S. and Israeli strikes on Iranian targets have raised expectations of **Iranian state-aligned cyber retaliation** against U.S., Israeli, and allied interests. Reporting and vendor intelligence assessments warn that Iran has historically paired kinetic escalation with cyber operations ranging from *low-level disruption* (website defacements and DDoS) to *higher-impact activity* (ransomware-style disruption, hack-and-leak operations, espionage, and destructive/wiper malware), with likely targeting pressure on government, critical infrastructure, defense, financial services, academia, and media. The situation is described as fast-moving, with no definitive public attribution yet tying major new cyber campaigns directly to the latest strikes. Separately, multiple reports highlight **unrelated** security issues: GreyNoise observed large-scale reconnaissance and SSL VPN enumeration against **SonicWall SonicOS** devices via commercial proxy infrastructure—activity consistent with precursor targeting that often precedes credential attacks and ransomware intrusions. CISA also issued updated technical details on **RESURGE**, a stealthy implant used in zero-day exploitation of **Ivanti Connect Secure** via `CVE-2025-0282`, including passive C2 behavior and TLS-fingerprint-based authentication/evasion; Mandiant linked the exploitation to China-nexus activity (UNC5221). Other items in the set include a generic IoT security pitfalls article, a weekly security roundup, and a conference write-up, none of which materially advance the Iran-retaliation storyline.

2 weeks ago
Iranian Cyber Operations Shift Toward Identity Abuse and Broader Hybrid Targeting

Iranian state-aligned and affiliated cyber activity has expanded beyond traditional disruptive malware into a broader campaign of **hybrid operations** that combines espionage, reconnaissance, credential abuse, and destructive effects. Reporting describes a tactical shift from bespoke wipers toward **living-off-the-land** methods, including the compromise of highly privileged identities and the use of legitimate enterprise administration capabilities to issue remote-wipe actions at scale. At the same time, Iranian operators and aligned personas have been linked to sustained access into US organizations in sectors including banking, aviation, defense-adjacent industries, and healthcare, while also targeting internet-connected surveillance infrastructure in the Middle East for intelligence collection and battlefield awareness. The activity is unfolding alongside a wider surge in hostile traffic associated with the regional conflict, with major increases in infrastructure scanning, automated reconnaissance, credential harvesting, and DDoS preparation against critical businesses, especially **banking and fintech**. One report highlights **Handala/Void Manticore** as emblematic of the disruptive trend, while another ties **MuddyWater** to persistent footholds in US networks and notes exploitation of camera vulnerabilities such as `CVE-2017-7921` and `CVE-2021-33044`. Together, the reporting indicates that Iranian cyber operations remain active and adaptive, using proxy infrastructure, compromised identities, and exposed edge devices to sustain pressure on commercial and strategic targets without relying solely on custom malware.

4 days ago
