Severity
High
Analysis Summary
The Iranian advanced persistent threat (APT) group Seedworm, also tracked as MuddyWater, Temp Zagros, and Static Kitten, has been actively infiltrating multiple U.S. networks since early February 2026. This surge in activity closely follows the U.S. and Israeli military strikes on Iran on February 28, 2026, which killed Iran’s Supreme Leader and escalated regional tensions. Seedworm has a long history, active since at least 2017, and is formally linked to Iran’s Ministry of Intelligence and Security (MOIS). Over time, the group has expanded its focus beyond the Middle East to target telecommunications firms, defense contractors, local governments, and oil and gas organizations across North America, Europe, Asia, and Africa.
Recent intrusions identified by researchers affected a U.S. bank, a U.S. airport, a software company with defense and aerospace ties, and multiple non-governmental organizations in North America. The software company’s Israeli operations were a primary focus, serving as a lateral movement bridge across the organization’s global network. Notably, these breaches began before the military conflict, suggesting pre-positioning by Seedworm inside high-value networks. The UK National Cyber Security Centre confirmed that Iran-aligned actors retain active cyber capabilities despite domestic internet disruptions, highlighting their operational resilience across multiple countries.
Seedworm has deployed two newly identified backdoors, Dindoor and Fakeset, to maintain stealthy persistence. Dindoor, built to run through Deno (a secure JavaScript/TypeScript runtime), was observed on the software company, U.S. bank, and Canadian NGO networks, signed with a certificate issued to “Amy Cherne.” Fakeset, a Python-based backdoor, targeted the airport and non-profit networks, signed with both “Amy Cherne” and “Donald Gay” certificates, the latter linking this activity to previous Seedworm campaigns. Additional tools such as Stagecomp and Darkcomp were leveraged, alongside legitimate utilities like Rclone, to attempt data exfiltration to Wasabi cloud storage, though the success of these attempts remains uncertain.
The overall threat environment is compounded by hacktivist groups aligned with Iranian interests, such as Handala leveraging Starlink for connectivity, and DieNet conducting DDoS attacks against U.S. critical infrastructure using TCP SYN floods, DNS amplification, and NTP amplification. Organizations facing these threats are advised to implement robust defensive measures, including multi-factor authentication for all remote access, continuous monitoring for abnormal outbound traffic, deployment of web application firewalls with updated rules, restriction of external cloud storage access, and offline immutable backups to ensure rapid recovery in the event of destructive cyberattacks.
Impact
- Sensitive Data Theft
- Unauthorized Access
Indicators of Compromise
Domain Name
- gitempire.s3.us-east-005.backblazeb2.com
- elvenforest.s3.us-east-005.backblazeb2.com
- uppdatefile.com
- serialmenot.com
- moonzonet.com
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Apply multi-factor authentication (MFA) on all remote access points and VPNs to prevent unauthorized access.
- Continuously monitor network traffic for unusual data transfers or connections to external cloud storage.
- Use web application firewalls (WAFs) with the latest rule sets to block suspicious requests and prevent exploitation of web-facing applications.
- Limit or control the use of cloud storage services like Wasabi to prevent unauthorized exfiltration of sensitive data.
- Ensure regular backups are offline and immutable to allow rapid recovery in case of ransomware or destructive attacks.
- Actively search for indicators of compromise (IoCs) such as Dindoor, Fakeset, Darkcomp, or unusual certificate usage.
- Keep all software, operating systems, and applications up to date to reduce the risk of exploitation through known vulnerabilities.
- Implement network segmentation and least-privilege access controls to contain any potential intrusion within isolated segments.
- Train employees to recognize malicious emails or links that could be used to deploy malware like Seedworm’s backdoors.
- Collaborate with cybersecurity authorities, industry partners, and CERTs to stay informed on new attack tools and techniques.
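As an added example that is not part of the advisory, the following Python triage script turns the summary's tooling details and the remediation items on outbound cloud-storage monitoring and unusual certificate usage into checks run over constructed endpoint log lines: it flags the two signer names, connections to the listed domains, Deno or Python runtimes launched from user-writable paths, and Rclone activity against Wasabi or Backblaze endpoints. The key=value log format, the `wasabisys.com` endpoint suffix and the user-writable path segments are assumptions.

```python
import re
# Signer names and domains are taken from the advisory text above.
SUSPICIOUS_SIGNERS = {"amy cherne", "donald gay"}
IOC_DOMAINS = {"gitempire.s3.us-east-005.backblazeb2.com", "uppdatefile.com",
               "elvenforest.s3.us-east-005.backblazeb2.com", "serialmenot.com", "moonzonet.com"}
# Assumptions: Wasabi endpoints sit under wasabisys.com; these path segments are
# user-writable drop locations; the log is space-separated key=value pairs.
CLOUD_SUFFIXES = (".wasabisys.com", ".backblazeb2.com")
USER_WRITABLE = ("/appdata/", "/temp/", "/programdata/")
EXFIL_TOOLS = {"rclone", "rclone.exe"}
BACKDOOR_RUNTIMES = {"deno", "deno.exe", "python", "python.exe", "pythonw.exe"}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_line(line):
    """Return the key=value fields of one log line as a dict (quoted values allowed)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def classify(fields):
    """Return the names of the advisory-derived rules this event matches."""
    path = fields.get("image", "").replace("\\", "/").lower()
    name = path.rsplit("/", 1)[-1]
    dest = fields.get("dest", "").lower()
    hits = []
    if fields.get("signer", "").lower() in SUSPICIOUS_SIGNERS:
        hits.append("signer-match")        # certificate names tied to Dindoor/Fakeset
    if name in BACKDOOR_RUNTIMES and any(seg in path for seg in USER_WRITABLE):
        hits.append("runtime-user-path")   # Deno/Python launched from a drop location
    if dest in IOC_DOMAINS:
        hits.append("ioc-domain")          # connection to a listed domain
    if name in EXFIL_TOOLS and (dest.endswith(CLOUD_SUFFIXES)
                                or "wasabi" in fields.get("cmdline", "").lower()):
        hits.append("cloud-exfil")         # Rclone pushing data to cloud storage
    return hits

def triage(log_text):
    """Return (host, event, hits) for every line matching at least one rule."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        fields = parse_line(line)
        if hits := classify(fields):
            findings.append((fields.get("host"), fields.get("event"), tuple(hits)))
    return findings

# Constructed sample telemetry, not real log data.
SAMPLE_LOG = r"""
ts=2026-03-03T10:05:44Z host=WS01 event=process image="C:\Users\jdoe\AppData\Local\deno\deno.exe" signer="Amy Cherne" cmdline="deno.exe run --allow-all main.ts"
ts=2026-03-03T10:06:10Z host=WS01 event=netconn image="C:\Users\jdoe\AppData\Local\deno\deno.exe" dest=uppdatefile.com port=443
ts=2026-03-03T11:20:33Z host=FS02 event=process image="C:\ProgramData\rclone.exe" signer="" cmdline="rclone.exe copy D:\share wasabi:exfil-bucket"
ts=2026-03-03T11:21:05Z host=FS02 event=netconn image="C:\ProgramData\rclone.exe" dest=s3.wasabisys.com port=443
ts=2026-03-03T12:00:00Z host=WS03 event=process image="C:\Program Files\Python312\python.exe" signer="Python Software Foundation" cmdline="python.exe build.py"
"""
```

Running `triage(SAMPLE_LOG)` reports the four suspicious events and leaves the legitimately signed Python install from Program Files unflagged.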