Since early February 2026, a lot of noise has been made about geopolitical tensions between the U.S., Israel, and Iran. But while diplomats talk and headlines roll, something quieter and arguably more dangerous has been happening in the background. Iran’s state-sponsored hacking group, MuddyWater, has been actively breaking into organizations across North America, and they came prepared.
Who Is MuddyWater?
MuddyWater, also tracked as Seedworm and Mango Sandstorm, is a cyber espionage group affiliated with Iran’s Ministry of Intelligence and Security (MOIS). They have been active since at least 2017 and have historically targeted government agencies, telecom companies, defense contractors, and critical infrastructure across the Middle East, Europe, and North America.
They are not opportunistic script kiddies. They are a well-resourced, patient, and methodical threat actor with a clear mission: steal data, maintain persistent access, and position themselves for disruption when the time is right.
What’s Happening Right Now
Starting in early February 2026, MuddyWater launched a targeted campaign hitting organizations in the United States and Canada. The targets were not random. They included:
- A U.S. bank
- A major airport
- Multiple nonprofits
- A software supplier serving the defense and aerospace sectors, with ties to Israel
The timing is not a coincidence. Activity escalated following the February 28 U.S.-Israeli strike on Iran. But here is the part that should concern every security professional: the tools were already deployed and operational before that strike happened. This was not a reactive attack. It was a pre-planned operation that was simply waiting to be activated.
The New Weapon: Dindoor Backdoor
MuddyWater introduced a previously unknown piece of malware in this campaign called Dindoor. Here is what makes it notable:
- It is built on the Deno JavaScript runtime, an unconventional choice that makes it harder to detect with traditional endpoint tools tuned for more common malware runtimes.
- It uses stolen digital certificates to appear legitimate and blend into normal system activity.
- Alongside Dindoor, attackers used Rclone to quietly siphon data to a Wasabi cloud storage bucket, a tactic that is increasingly common because outbound traffic to commercial cloud providers rarely raises alarms.
Certificate reuse across known MuddyWater malware families helped researchers confirm attribution, but the operational security on this campaign was noticeably tighter than previous efforts.
The Bigger Picture: 100+ Governments Hit in 2025
This is not an isolated surge. In late 2025, MuddyWater ran a large-scale phishing campaign distributing the Phoenix v4 backdoor to over 100 governmental targets worldwide, with a heavy concentration across the Middle East and North Africa.
Taken together, the pattern is clear. MuddyWater has been systematically expanding its footprint, testing new tooling, and building access across a wide range of sectors. The 2026 campaign targeting North American critical infrastructure looks like the next phase of that broader strategy.
Are You in Scope?
If your organization operates in any of the following sectors, you should treat this as a direct warning:
- Financial services
- Defense and aerospace
- Transportation and aviation
- Government and public sector
- Healthcare
- Any organization with ties to Israel-related contracts or operations
What You Should Do Right Now
The good news is that MuddyWater’s tactics, while sophisticated, leave detectable traces. Here is where to focus your defensive energy:
- Hunt for anomalous RMM tool usage. MuddyWater frequently abuses legitimate remote management tools. Flag any RMM activity that does not match expected behavior or authorized change windows.
- Audit outbound connections to cloud storage providers. Rclone syncing to Wasabi, Backblaze, or similar services from endpoints that have no business doing so is a major red flag.
- Monitor for unexpected or stolen certificate usage. Certificate-signed binaries from unusual directories or processes are worth investigating immediately.
- Restrict privileges aggressively. Lateral movement is how a foothold becomes a catastrophe. Limit what compromised credentials can actually reach.
- Review your threat intel feeds for Dindoor and Deno-based indicators of compromise (IOCs). Vendors including Broadcom/Symantec have published detection signatures. Make sure yours are updated.
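As an added illustration of the hunting checklist above (not code from the post or from any vendor), the following Python walks constructed process-creation events and flags the patterns the list calls out: Rclone transfers toward Wasabi or Backblaze, Rclone or a Deno runtime launched from user-writable directories, and signed binaries running from such directories. The event field names, the regexes, the remote names and the sample events are assumptions.

```python
import re
# Endpoints of the commercial storage services named in the post (extend as needed).
CLOUD_STORAGE_HOSTS = ("wasabisys.com", "backblazeb2.com")
CLOUD_REMOTE_NAMES = ("wasabi", "b2", "backblaze")  # typical rclone remote names (assumed)
# Directories any user can write to; vetted signed tooling rarely runs from here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
RCLONE_XFER = re.compile(r"\brclone(?:\.exe)?\b.*\b(copy|sync|move)\b", re.I)

# Constructed process-creation events for the walkthrough (not real telemetry).
EVENTS = [
    {"host": "WS01", "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe sync C:\Finance wasabi:backup-2026 --s3-endpoint s3.wasabisys.com",
     "signer": ""},
    {"host": "WS02", "image": r"C:\ProgramData\deno\deno.exe",
     "cmdline": r"deno.exe run -A C:\ProgramData\deno\svc.js", "signer": "Example Corp Ltd"},
    {"host": "SRV01", "image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": r"rclone.exe copy D:\backups nas:share", "signer": ""},
    {"host": "WS03", "image": r"C:\Program Files\Deno\deno.exe",
     "cmdline": "deno.exe run app.ts", "signer": ""},
]

def _names_cloud_remote(cmdline):
    """True if any 'remote:path' argument names a known cloud remote (drive letters skip)."""
    return any(tok.split(":", 1)[0].lower() in CLOUD_REMOTE_NAMES
               for tok in cmdline.split() if ":" in tok)

def hunt(event):
    """Return the names of the rules that fire for one event (empty list = clean)."""
    hits, cmd, image = [], event["cmdline"], event["image"]
    from_user_writable = bool(USER_WRITABLE.search(image))
    basename = image.rsplit("\\", 1)[-1].lower()
    if RCLONE_XFER.search(cmd):
        if any(h in cmd.lower() for h in CLOUD_STORAGE_HOSTS) or _names_cloud_remote(cmd):
            hits.append("rclone-to-cloud-storage")
        if from_user_writable:
            hits.append("rclone-from-user-writable")
    if basename in ("deno", "deno.exe") and from_user_writable:
        hits.append("deno-from-user-writable")
    if event["signer"] and from_user_writable:
        hits.append("signed-binary-user-writable")
    return hits

def run_hunt(events):
    """Map each host with at least one hit to its findings."""
    findings = {}
    for ev in events:
        if hits := hunt(ev):
            findings.setdefault(ev["host"], []).extend(hits)
    return findings
```

Feed real process-creation telemetry into `run_hunt` after mapping your EDR's field names onto `host`, `image`, `cmdline` and `signer`; the server-side Rclone job to an internal NAS is deliberately left clean to show the rules key on destination and launch path rather than on Rclone itself.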
The Bottom Line
The pre-positioning phase is over. MuddyWater is not casing the building anymore. They are inside it.
Cyber defense has always required thinking ahead of adversaries, but that window gets smaller when a nation-state actor is doing the planning. The organizations that will weather this wave are the ones that already have visibility into their environments, not the ones that start building it after the breach notification arrives.
If you have questions about how to assess your exposure or want help reviewing your detection coverage for MuddyWater-specific tactics, feel free to reach out.
Sources: Broadcom Threat Intelligence, Symantec Security Research, published IOC reports, March 2026.
Thanmay Sarath is a Mensa member, ethical hacker, entrepreneur, and technologist passionate about cybersecurity and innovation. A researcher, international speaker, and published author, he works at the intersection of technology, security, and social impact, helping organizations and communities stay safe in an increasingly digital world.
