Washington | As geopolitical tensions between Iran and Western allies intensify, cybersecurity researchers say a long-running Iranian hacking group has increased its activity inside the digital networks of organizations linked to critical infrastructure in the United States and Canada.
The group, widely known by the name Seedworm, has been detected operating within multiple systems since early February 2026, according to threat intelligence researchers. The campaign appears to have begun weeks before the escalation of military conflict that followed coordinated strikes by the United States and Israel on February 28, an operation that dramatically altered the region’s strategic landscape.
Analysts say the timing suggests the intrusions were not spontaneous responses but part of a longer preparation period in which attackers quietly established footholds inside high-value networks.
Security experts describe Seedworm as an advanced persistent threat group linked to Iran’s Ministry of Intelligence and Security. Over nearly a decade of operations, the group has built a reputation for conducting espionage campaigns across government, telecommunications, defense and energy sectors.
Recent findings indicate that its latest wave of activity may now be reaching into organizations tied to financial services, transportation infrastructure and the aerospace industry.
Long-Running Cyber Campaign Expands Its Reach
Seedworm has been active since at least 2017 and is known by several other aliases, including MuddyWater, TEMP.Zagros and Static Kitten. Over time, the group has gradually expanded its targeting beyond the Middle East.
Investigators now say the group has compromised or attempted to infiltrate the networks of a U.S. bank, a major airport, a software firm with ties to the defense and aerospace sectors, and several non-governmental organizations operating in North America.
In one of the incidents examined by researchers, the attackers appeared particularly interested in the Israeli operations of a multinational software company. Security analysts believe the group may have used that company’s international infrastructure as a bridge to move laterally through interconnected networks.
The intrusions themselves were already underway before the outbreak of the latest military conflict, suggesting that the hackers had quietly embedded themselves within targeted systems in advance.
Such positioning, cybersecurity specialists say, is typical of state-aligned espionage operations that seek long-term access rather than immediate disruption.
A Digital Battlefield Beyond Iran’s Borders
Even as internet connectivity inside Iran has faced disruption during the ongoing conflict, Western cybersecurity agencies warn that Iranian-linked cyber operations remain active.
The United Kingdom’s National Cyber Security Centre recently cautioned that Iranian state-aligned actors still retain the capability to conduct cyber activities despite domestic infrastructure limitations.
Experts say this resilience stems from the decentralized nature of modern cyber operations. Many groups maintain infrastructure or personnel outside their home countries, allowing campaigns to continue even if domestic networks face outages.
Alongside Seedworm, other actors aligned with Iran’s geopolitical interests have intensified their activity online. One such group, known as DieNet, emerged in 2025 and has claimed responsibility for distributed denial-of-service attacks against sectors including energy, healthcare, finance and transportation.
These attacks have reportedly used common disruption techniques such as TCP SYN floods, DNS amplification and NTP amplification, creating waves of traffic designed to overwhelm digital systems.
Security analysts say the combination of espionage campaigns by state-linked groups and disruptive attacks by ideologically aligned hackers has created a layered threat environment.
New Backdoors and Stealth Techniques
Investigators say the most recent Seedworm campaign introduced several new tools designed to maintain persistent access inside compromised networks.
Among them are two previously identified backdoors known as Dindoor and Fakeset.
Dindoor, researchers say, operates through Deno — a runtime environment for JavaScript and TypeScript. The unusual platform may allow the malware to evade traditional security monitoring systems that are tuned to detect more conventional tools.
The second backdoor, Fakeset, is written in Python and was deployed on networks linked to an airport and a non-profit organization.
Both tools were digitally signed with certificates tied to identities previously associated with Seedworm malware, providing investigators with additional evidence linking the activity to the group’s established infrastructure.
Other components of the intrusion included a downloader known as Stagecomp, which was used to deploy a separate malware tool previously attributed to the same hacking operation by major cybersecurity firms.
In at least one instance, the attackers attempted to move data from a compromised network using Rclone, a legitimate file-transfer program commonly used for cloud storage synchronization. Researchers believe the files were destined for a cloud storage service, though it remains unclear whether the transfer was successful.
Critical Infrastructure Under Pressure
Cybersecurity experts warn that the latest wave of activity underscores the vulnerability of interconnected infrastructure systems.
Banks, airports, healthcare providers and energy companies increasingly rely on complex digital environments that are linked through global supply chains and shared software platforms.
A compromise in one organization, analysts say, can potentially create access points into several others.
To counter such threats, security specialists recommend a range of protective measures, including multi-factor authentication for remote access, monitoring of unusual outbound data transfers and restrictions on external cloud storage connections.
They also emphasize the importance of maintaining secure offline backups that can allow organizations to recover quickly in the event of destructive cyberattacks.
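The outbound-transfer monitoring recommended above, as an added example that is not code from the article or from any of the researchers it cites: a small Python triage pass over a constructed egress log that flags unusually large transfers to cloud-storage domains and any transfer driven by Rclone, the tool the article says was used to move data out. The domain list, byte threshold and log format are assumptions.

```python
from collections import defaultdict

# Added example: flags cloud-storage egress worth review. The domain list and the
# byte threshold are assumptions, not values from the article or any vendor tool.
CLOUD_STORAGE_DOMAINS = {"drive.google.com", "dropbox.com", "mega.nz", "onedrive.live.com"}
BYTES_OUT_THRESHOLD = 500 * 1024 * 1024  # 500 MiB per host per cloud domain (assumed)

# Constructed sample egress log, one connection per line: host,dst_domain,bytes_out,process
SAMPLE_LOG = """\
ws-017,drive.google.com,2048,chrome.exe
ws-017,dropbox.com,734003200,rclone.exe
srv-db01,mega.nz,120000000,rclone.exe
srv-db01,mega.nz,430000000,rclone.exe
ws-042,onedrive.live.com,50000,OneDrive.exe
ws-042,cdn.example.net,900000000,backupagent.exe
ws-099,drive.google.com,1000,rclone.exe
"""

def parse_log(text):
    """Parse the CSV-style records into (host, domain, bytes_out, process) tuples."""
    records = []
    for line in text.strip().splitlines():
        host, domain, bytes_out, process = line.split(",")
        records.append((host, domain.lower(), int(bytes_out), process.lower()))
    return records

def is_cloud_storage(domain):
    """True for a listed cloud-storage domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)

def find_suspicious_transfers(records):
    """Return {(host, domain): [reasons]}: volume over threshold and/or rclone as the client."""
    totals = defaultdict(int)
    rclone_seen = set()
    for host, domain, bytes_out, process in records:
        if not is_cloud_storage(domain):
            continue  # egress to non-storage destinations is out of scope here
        totals[(host, domain)] += bytes_out  # aggregate per host and destination
        if process.startswith("rclone"):
            rclone_seen.add((host, domain))
    findings = {}
    for key, total in totals.items():
        reasons = []
        if total >= BYTES_OUT_THRESHOLD:
            reasons.append(f"{total} bytes to cloud storage exceeds threshold")
        if key in rclone_seen:
            reasons.append("transfer performed by rclone, not an expected sync client")
        if reasons:
            findings[key] = reasons
    return findings
```

The two signals are deliberately independent: a small Rclone transfer (ws-099) is still surfaced, while a large transfer to a destination not in the cloud-storage list (ws-042) is not, which is why the domain list must reflect what the organization actually restricts.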
As geopolitical tensions increasingly spill into cyberspace, analysts say the boundary between traditional conflict and digital warfare is becoming harder to distinguish — with critical infrastructure systems often caught in the middle.
