Iran-Linked MuddyWater Hackers Deploy New ‘Dindoor’ Backdoor In U.S. Cyber Espionage Campaign

Iran-Linked MuddyWater Hackers Target U.S. Networks With New ‘Dindoor’ Backdoor

The420.in Staff

Cybersecurity researchers have uncovered a new cyber-espionage campaign by the Iran-linked hacking group MuddyWater, which has infiltrated the networks of multiple organisations in the United States, including a bank, an airport, a software company, and a non-profit entity.

The campaign, discovered by researchers from Broadcom’s Symantec and Carbon Black Threat Hunter teams, involves the deployment of a newly identified malware backdoor called Dindoor, designed to maintain persistent access within compromised networks.

Security experts say the activity began in February 2026 and demonstrates the continued evolution of state-linked cyber-espionage operations targeting strategic organisations.

Attack Targets Banks, Airports, NGOs And Software Firms

According to researchers, the hackers successfully embedded themselves inside the networks of several organisations across different sectors. The compromised targets include a U.S. bank, an airport, a non-governmental organisation operating in the U.S. and Canada, and the Israeli branch of a software company.


The attackers reportedly used the Dindoor backdoor to establish persistent access and potentially exfiltrate sensitive information from the affected networks. In at least one instance, the group attempted to steal data from the Israeli branch of the targeted software firm.

Experts warn that such intrusions can allow attackers to conduct long-term espionage, monitor internal communications, and move laterally across systems.

Additional Malware And Signed Certificates Used

Researchers also discovered another malicious tool used in the campaign — a Python-based backdoor called “Fakeset.” The malware was detected in systems belonging to a U.S. airport and a non-profit organisation.

Both the Dindoor and Fakeset backdoors were reportedly digitally signed using certificates issued under the names “Amy Cherne” and “Donald Gay.” These certificates had also been observed in earlier MuddyWater cyber campaigns.

The use of legitimate-looking digital certificates allows attackers to make malicious software appear more trustworthy and bypass certain security checks.
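As an added defender-side example (not code from the report or from the Symantec and Carbon Black teams), the following PowerShell hunt flags Windows binaries whose Authenticode signer name matches the certificate names cited above, or whose signature no longer validates; the scan paths and output file are assumptions.

```powershell
# Hunt for executables signed under names previously abused by MuddyWater.
# Signer names come from the report above; scan paths and output are assumptions.
$KnownAbusedSigners = @('Amy Cherne', 'Donald Gay')
$ScanPaths = @("$env:ProgramData", "$env:TEMP", "$env:USERPROFILE\Downloads")

function Get-SignerCommonName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if ($null -eq $Cert) { return $null }
    return $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
}

$findings = foreach ($root in $ScanPaths) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $cn  = Get-SignerCommonName $sig.SignerCertificate
            $hit = $KnownAbusedSigners -contains $cn
            # Flag a known-abused signer name, and also signatures that no longer
            # validate: a revoked or untrusted chain surfaces as NotTrusted, and a
            # tampered file as HashMismatch.
            if ($hit -or $sig.Status -in @('NotTrusted', 'HashMismatch')) {
                [pscustomobject]@{
                    Path        = $_.FullName
                    SignerCN    = $cn
                    Thumbprint  = $sig.SignerCertificate.Thumbprint
                    Status      = $sig.Status
                    KnownAbused = $hit
                    SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

$findings | Sort-Object KnownAbused -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path "$env:TEMP\signer-hunt.csv" -NoTypeInformation
```

A subject name alone is a weak indicator, since unrelated parties can legitimately hold certificates under the same name; use the recorded thumbprint, not the name, when turning a hit into a block rule.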

MuddyWater Linked To Iranian Intelligence

Cybersecurity agencies have long tracked MuddyWater as an advanced persistent threat (APT) group believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The group has been active since at least 2017 and is known for targeting government agencies, critical infrastructure, and private organisations across multiple regions.

The group has used a variety of tactics in previous campaigns, including spear-phishing emails, malicious documents, and custom malware tools designed to maintain stealthy access inside victim networks.

Security Experts Warn Of Ongoing Threat

Although the observed activity has reportedly been disrupted, researchers caution that other organisations may still be vulnerable to similar intrusions.

The campaign highlights the persistent threat posed by state-sponsored cyber groups, particularly those targeting sensitive sectors such as financial institutions, transportation infrastructure, and technology firms.

About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
