MuddyWater Hackers Target US Firms with New Dindoor Backdoor
Iranian Hackers Launch New Campaign Against US Targets
American companies are facing a fresh wave of cyberattacks from a familiar adversary. The Iranian hacking group MuddyWater has been actively targeting US organizations since early February, continuing its operations even after recent military strikes against Iran. Security researchers at Broadcom’s Symantec and Carbon Black Threat Hunter Team uncovered the campaign, which shows no signs of slowing down.
Who’s in the crosshairs? The list includes a major US bank, a US airport, and several non-governmental organizations operating in both the US and Canada. Even the Israeli branch of a US software company that supplies the defense and aerospace industry was targeted. Each of these entities saw suspicious network activity in recent weeks, signaling a broad and persistent threat.
Unmasking the Dindoor Backdoor
At the heart of this campaign is a newly discovered piece of malware researchers have named ‘Dindoor.’ This backdoor is a new tool in MuddyWater’s arsenal. It was discovered on the networks of the software company’s Israeli outpost, the targeted US bank, and a Canadian non-profit.
Dindoor operates with a clever disguise. It is signed with a digital certificate issued to “Amy Cherne” and runs its commands through Deno, a legitimate runtime for JavaScript and TypeScript. Because both the certificate and the runtime look like ordinary software, the malware blends in with legitimate activity. In one attempted breach, the hackers tried to steal data from the software company using Rclone, a common command-line file synchronization tool, directing it to a Wasabi cloud storage bucket. Whether that data theft succeeded remains unclear.
The Telltale Sign: Reused Hacker Certificates
How do researchers know MuddyWater is behind this? The evidence lies in the digital fingerprints left behind. On the US airport’s network, a different backdoor called ‘Fakeset’ was found. This Python-based malware was signed with two certificates: one for “Amy Cherne” and another for “Donald Gay.”
That second name is a major clue. The “Donald Gay” certificate has a history: it has been used repeatedly to sign malware definitively linked to MuddyWater, a group active since 2017 and associated with Iran’s Ministry of Intelligence and Security. Security experts also track this group under names such as Seedworm, TEMP.Zagros, and Static Kitten. The Fakeset backdoor itself was downloaded from servers belonging to the cloud storage company Backblaze.
The connection deepens. The same Donald Gay certificate was used to sign a sample of ‘Stagecomp’ malware, which is designed to download the ‘Darkcomp’ backdoor. Both Stagecomp and Darkcomp have been publicly attributed to MuddyWater by giants in the security industry, including Google, Microsoft, and Kaspersky. While these specific malware families weren’t found on the newly targeted networks, the reuse of these distinctive certificates strongly points to the same actor.
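The two indicators this section and the previous one describe, a reused signer name on a code-signing certificate and Rclone pointed at a Wasabi bucket, are the kind of thing a defender can hunt for in endpoint telemetry. The following script is an added example written for this article, not code from the Symantec or Carbon Black researchers: it runs two simple checks over constructed process-creation records. The event layout, host names, file paths and the "Example Vendor LLC" signer are assumptions; only the signer names "Amy Cherne" and "Donald Gay", the Deno runtime, Rclone and the Wasabi provider come from the report. Matching on the certificate subject name is a stand-in for matching on the certificate thumbprint, which the report does not publish; subject names are cheap for an attacker to change, so treat a hit as a lead for triage rather than a conviction.

```python
"""Triage constructed endpoint telemetry for the indicators in the report.

Checks implemented (added example, not the researchers' tooling):
  1. Binaries whose signing certificate subject matches a signer name that has
     been reused across MuddyWater-linked tooling ("Amy Cherne", "Donald Gay").
  2. Rclone invocations whose command line references Wasabi storage, the
     exfiltration path attempted against the software company.

The ProcessEvent layout is an assumption loosely modelled on EDR process-
creation records; all sample data below is constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional
import shlex

# Signer names the report says were reused on MuddyWater-linked binaries.
WATCHLIST_SIGNERS = frozenset({"amy cherne", "donald gay"})

# Provider named in the report. The exact endpoint or remote name used by the
# attackers is not given, so match the provider name anywhere on the command line.
EXFIL_PROVIDER_KEYWORDS = ("wasabi",)


@dataclass
class ProcessEvent:
    host: str
    image: str          # full path of the executable that started
    signer: str         # subject CN of the signing certificate, "" if unsigned
    command_line: str


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def check_signer(ev: ProcessEvent) -> Optional[Finding]:
    """Flag a binary whose certificate subject is a known reused signer name."""
    if ev.signer.strip().lower() in WATCHLIST_SIGNERS:
        return Finding(ev.host, "reused_signer_certificate",
                       f"{ev.image} signed by '{ev.signer}'")
    return None


def check_rclone_exfil(ev: ProcessEvent) -> Optional[Finding]:
    """Flag an Rclone run whose arguments reference the storage provider in the report."""
    exe = PureWindowsPath(ev.image).name.lower()
    if exe not in ("rclone.exe", "rclone"):
        return None
    # posix=False keeps Windows backslash paths intact while splitting on whitespace.
    for tok in shlex.split(ev.command_line, posix=False)[1:]:
        if any(k in tok.lower() for k in EXFIL_PROVIDER_KEYWORDS):
            return Finding(ev.host, "rclone_cloud_exfil", f"rclone target '{tok}'")
    return None


def triage(events: Iterable[ProcessEvent]) -> List[Finding]:
    """Run every check over every event and collect the findings in order."""
    findings: List[Finding] = []
    for ev in events:
        for check in (check_signer, check_rclone_exfil):
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample telemetry. Hosts, paths and "Example Vendor LLC" are made up.
SAMPLE_EVENTS = [
    # Deno runtime dropped to a user-writable path and signed with a watchlisted name.
    ProcessEvent("ws-finance-02", r"C:\Users\Public\deno.exe", "Amy Cherne",
                 r"deno.exe run --allow-all C:\Users\Public\update.ts"),
    # Python-based implant signed with the second reused certificate.
    ProcessEvent("ws-airport-07", r"C:\ProgramData\svc\svc.exe", "Donald Gay",
                 r"svc.exe --daemon"),
    # Rclone copying a project share to a Wasabi remote.
    ProcessEvent("ws-eng-11", r"C:\Windows\Temp\rclone.exe", "",
                 r"rclone.exe copy D:\Projects wasabi:constructed-bucket --transfers 8"),
    # Benign: a properly installed Deno with an unrelated (constructed) signer.
    ProcessEvent("ws-eng-12", r"C:\Program Files\Deno\deno.exe", "Example Vendor LLC",
                 r"deno.exe test"),
    # Benign: Rclone used for an internal backup, no Wasabi reference.
    ProcessEvent("bk-01", r"C:\Tools\rclone.exe", "",
                 r"rclone.exe sync C:\Backups internal-backup:nightly"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}\t{f.rule}\t{f.detail}")
```

Run as a script, the block prints one line per finding: the two signer hits and the Rclone-to-Wasabi hit, with the two benign events left silent. In a real deployment the `signer` field would come from the endpoint agent's Authenticode metadata and the watchlist would hold certificate thumbprints rather than names.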
A Persistent and Evolving Threat
What does this mean for other organizations? The Threat Hunter Team issued a stark warning. “While we have disrupted these breaches, other organizations could still be vulnerable to attack,” they stated. The campaign demonstrates MuddyWater’s adaptability—shifting tools, reusing trusted infrastructure, and persistently targeting critical sectors.
The group’s focus on a defense supplier, financial institution, and transportation hub highlights its strategic interests. This isn’t random digital vandalism; it’s a coordinated intelligence-gathering operation. The continued activity after geopolitical events shows these hackers operate on their own timeline, driven by long-term objectives rather than short-term political reactions. For security teams, the message is clear: vigilance and awareness of these evolving tactics are non-negotiable.