Iran-Backed Hackers Target US Infrastructure with New Malware

Summary
– The Iran-linked hacking group Seedworm (MuddyWater) has been active inside several US organizations since early February 2026, raising concerns about potential future cyber operations.
– The group has targeted a US bank, a US airport, non-profits, and the Israeli operations of a US defense software company, primarily for espionage and data exfiltration.
– Researchers identified the group using new, previously unknown malware backdoors called Dindoor and Fakeset, which were digitally signed with fraudulent certificates.
– Exposed infrastructure revealed the group’s broad targeting, which includes organizations in Israel, Egypt, Jordan, the UAE, and the US, using a mix of public exploits and custom tools.
– The group’s established presence on US and Israeli networks prior to current Middle East hostilities positions it to potentially launch disruptive attacks.
A sophisticated cyber espionage campaign linked to a known Iranian state-sponsored group has infiltrated networks across critical U.S. sectors, including finance and transportation. Security researchers have traced this ongoing activity to the group known as Seedworm, or MuddyWater, which operates on behalf of Iran’s Ministry of Intelligence and Security. The campaign, active since early February, represents a significant threat to national infrastructure and highlights the persistent digital risks emanating from geopolitical tensions.
The hackers have compromised systems at a major U.S. bank, a domestic airport, several non-profit groups, and the Israeli division of an American software firm that serves defense and aerospace clients. Their primary objective appears to be intelligence gathering, with evidence showing attempts to steal sensitive data from the software company and transfer it to a cloud storage service.
A key development in this campaign is the deployment of two previously unseen backdoor tools. The first, named Dindoor, is notable for its use of the Deno runtime environment to execute commands on compromised machines. The second, called Fakeset, is a Python-based backdoor. In a deliberate attempt to appear legitimate, both pieces of malware were digitally signed with fraudulent certificates issued to fictitious individuals, a tactic this group has employed in past operations.
Security analysts warn that by establishing a foothold in these networks before recent hostilities, the threat group is now in a strategically dangerous position. They could potentially launch disruptive or destructive attacks if directed, though their observed actions so far focus on stealthy data theft. The exact methods used for initial network penetration remain unclear, underscoring the challenge of defending against such determined adversaries.
In a separate but related development, an independent research collective gained access to a Seedworm command server hosted in the Netherlands. This breach provided an unprecedented look into the group’s operations, revealing a vast list of global targets. Beyond the U.S. entities, victims include Israeli organizations in healthcare, intelligence, and immigration, along with EgyptAir, the Jordanian government, various companies in the United Arab Emirates, and Jewish-linked non-governmental groups.
Analysis of the exposed server data paints a picture of a highly active and adaptable operation. The group’s strength lies not in ultra-sophisticated tools, but in the sheer scale and breadth of its campaigns. They employ multiple custom-built frameworks for command and control, exploit numerous known software vulnerabilities, and run extensive password-spraying attacks. The hackers also demonstrate a clear pattern of rapidly weaponizing public exploit code for their own use while maintaining parallel development of unique malware.
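The password-spraying activity described above has a recognizable footprint in authentication logs: one source touching many distinct accounts with only a failure or two each, unlike brute force against a single account. The following detector is an added example, not code from the article or from the researchers it cites; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Detect password-spraying bursts in authentication logs (added example, not
code from the article). Log format is constructed: timestamp, src IP, user,
result. Spraying = MANY accounts, FEW attempts each; brute force = one account."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry): one sprayer, one brute-forcer.
SAMPLE_LOG = """\
2026-02-03T09:00:01Z 203.0.113.7 alice FAIL
2026-02-03T09:00:04Z 203.0.113.7 bob FAIL
2026-02-03T09:00:07Z 203.0.113.7 carol FAIL
2026-02-03T09:00:10Z 203.0.113.7 dave FAIL
2026-02-03T09:00:13Z 203.0.113.7 erin FAIL
2026-02-03T09:00:16Z 203.0.113.7 frank SUCCESS
2026-02-03T09:01:00Z 198.51.100.9 alice FAIL
2026-02-03T09:01:05Z 198.51.100.9 alice FAIL
2026-02-03T09:01:10Z 198.51.100.9 alice FAIL
2026-02-03T09:01:15Z 198.51.100.9 alice FAIL
2026-02-03T09:01:20Z 198.51.100.9 alice FAIL
"""

def parse(lines):
    """Yield (timestamp, src_ip, user, result) from the constructed format."""
    for line in lines.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def detect_spray(lines, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources whose FAILs within one sliding window touch >= min_accounts
    distinct users while averaging <= max_per_account attempts per user."""
    events = defaultdict(list)
    for ts, ip, user, result in parse(lines):
        events[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(ts, u) for ts, u, res in evs if res == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            if len(users) >= min_accounts and len(span) / len(users) <= max_per_account:
                # A SUCCESS from the same source after the spray began is a likely hit.
                hits = sorted({u for ts, u, res in evs if res == "SUCCESS" and ts >= span[0][0]})
                alerts[ip] = {"accounts": len(users), "compromised": hits}
                break
    return alerts
```

The brute-force source (one account, five failures) is deliberately not flagged, so the rule complements rather than duplicates a per-account lockout policy.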
This incident serves as a stark reminder of the continuous cyber threat posed by state-aligned actors. The blending of opportunistic attacks using public tools with custom-developed malware allows groups like Seedworm to cast a wide net while maintaining persistent access to high-value targets. Protecting critical infrastructure requires constant vigilance, proactive threat hunting, and the assumption that sophisticated adversaries are already inside the network.
(Source: HelpNet Security)