An Iran-related hacking group (Seedworm) has infiltrated multiple US organizations since early February, heightening fears of potential larger cyber operations linked to rising geopolitical tensions in the Middle East.
New backdoors used by Seedworm
Researchers from Symantec and Carbon Black have connected the activity to Seedworm (also known as MuddyWater), an Iranian group linked to the Ministry of Intelligence and Security, known for targeting government and critical infrastructure.
According to researchers, suspicious activity linked to Seedworm has been identified on the networks of:
A US bank
A US airport
Non-profit organizations, and
The Israeli operations of a US software company that supplies the defense and aerospace industries.
The activity started in early February 2026 and is still ongoing, with the group using new malware:
- The Dindoor backdoor, named thus due to its use of Deno, a runtime environment for JavaScript and TypeScript, for executing commands on infected machines
- A Python-based backdoor called Fakeset.
According to the researchers, Dindoor was digitally signed with a certificate issued to an individual named “Amy Cherne”. Fakeset was also signed, using certificates attributed to both “Amy Cherne” and “Donald Gay,” the latter of which has previously been associated with the Stagecomp and Darkcomp malware used by the Seedworm APT.
The attackers appear to be spying; they aim to steal data from the software company and upload it to a Wasabi cloud storage bucket using the Rclone tool.
“While it’s not known if the operations of Seedworm are disrupted by the current conflict, already having a presence on US and Israeli networks prior to the current hostilities beginning means the threat group is in a potentially dangerous position to launch attacks,” the researchers noted.
It is unknown what tricks or exploits the APT used to gain initial access to these organizations’ networks.
Exposed VPS reveals Seedworm tooling
In related news, independent threat-intel research collective Ctrl-Alt-Intel recently claimed to have accessed infrastructure used by Seedworm / Muddy Water, which allowed them to harvest “C2 tooling, scripts, logs, victim data, and other operational artefacts from a VPS hosted in the Netherlands.”
Israeli healthcare and government organizations, EgyptAir, Jordan’s government, UAE businesses, US organizations, and Jewish/Israeli-linked NGOs.
The exposed infrastructure reveals details about a MuddyWater operation, from initial reconnaissance to data theft. The key takeaway is the scale of the operation rather than the complexity of individual tools. It involves numerous targeted organizations, several custom C2 frameworks, exploitation of various CVEs including new SQL injection vulnerabilities, password spraying, Ethereum-based C2 resolution, and multiple exfiltration methods including cloud storage and EC2 instances, Ctrl-Alt-Intel stated.
“MuddyWater continues to demonstrate a willingness to rapidly adopt public exploit code, modify it for operational use, and deploy it at scale – all while developing custom tooling in parallel.”