Rewterz

Iranian Cyber Ops Exploit US Networks, Target Cameras – Active IOCs

Severity

High

Analysis Summary

In early 2026, Iranian cyber operations intensified, with state-linked threat actors, including the APT group MuddyWater, embedding themselves in US and Canadian networks. Targeted sectors included banking, aviation, defense supply chains, and non-profit organizations. Researchers found that MuddyWater had maintained unauthorized access since February 2026, deploying previously undocumented malware to establish persistent footholds. The campaign focused on long-term intelligence collection rather than immediate disruption, consistent with state-sponsored espionage objectives. Malware families associated with these operations included Dindoor, Fakeset, Stagecomp, and Darkcomp, each built for stealth and long-term network access.

MuddyWater’s Dindoor backdoor was found at a US software company in the defense and aerospace sector and uses the Deno runtime for command execution. Fakeset, a Python-based backdoor, was discovered on the networks of a US airport and a non-profit organization; both implants are engineered to stay undetected while preserving persistent access. The presence of these tools underscores the sophistication and strategic focus of Iran’s cyber espionage efforts, which rely on custom malware and long-term infiltration rather than overt attacks. Some of the malware was signed with digital certificates previously linked to MuddyWater, which ties the samples to a coordinated campaign and gives defenders a pivot for certificate-based detection.

Beyond network intrusions, Iranian operators exploited internet-connected surveillance cameras across the Middle East, targeting devices from Hikvision and Dahua. Researchers observed scanning and exploitation activity beginning February 28, 2026, coinciding with the onset of regional hostilities. Known vulnerabilities such as CVE-2017-7921 and CVE-2021-33044 were leveraged to monitor emergency response movements and assess post-strike damage, turning everyday security cameras into low-cost battlefield intelligence platforms. The tactic, first seen during the June 2025 Iran-Israel conflict, shows Iran’s repeated use of IP camera exploitation for operational awareness, taking advantage of outdated firmware and the absence of monitoring on camera networks.

Iran-aligned hacktivist group Handala further expanded this threat landscape, claiming a destructive attack against Stryker, a Fortune 500 medical technology firm, including exfiltration of roughly 50 terabytes of data and deployment of wiper malware.

Organizations operating vulnerable cameras are advised to apply all firmware patches, segment camera networks from core systems, disable unnecessary remote access, enforce strong authentication, and monitor for unusual outbound traffic from the devices. In the sectors MuddyWater targets, detecting Dindoor and Fakeset means watching for Deno or Python interpreters running from unusual locations or spawned by unexpected parent processes, and for outbound Rclone transfers. Certificate-based detection, using the signing certificates already tied to the group, and proactive incident response are critical to mitigating these high-priority risks amid the ongoing geopolitical tensions.
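The detection guidance above (anomalous Deno or Python interpreters, outbound Rclone transfers, and malware signed with known certificates) can be turned into a small hunting routine. The following Python is an added example, not Rewterz tooling and not derived from any indicator in this advisory: it runs over constructed, Sysmon-style process-creation events, and the trusted install paths, suspicious-parent list and certificate thumbprint watch-list are hypothetical placeholders to be replaced with your own baseline and threat-intelligence feed.

```python
"""Hunt Sysmon-style process-creation events for the behaviours this advisory
calls out: Deno/Python interpreters in unusual places or with unusual
arguments, Rclone transfers to a remote, and binaries signed with a
watch-listed certificate. Added example; every list below is hypothetical."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Hypothetical certificate thumbprint watch-list. Placeholder values, not real
# MuddyWater certificates; populate from your threat-intelligence feed.
CERT_WATCHLIST = {"0000000000000000000000000000000000000001"}

# Where interpreters are legitimately installed in this (hypothetical) estate.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
RUNTIME_NAMES = {"deno.exe", "python.exe", "pythonw.exe", "python3.exe"}
# Parents that rarely have a legitimate reason to launch an interpreter.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe",
                      "wscript.exe", "cscript.exe"}
# Broad Deno permissions, inline Python, or encoded payloads on the command line.
SUSPICIOUS_ARGS = re.compile(r"--allow-all|--allow-net|--allow-run|-c\s+[\"']?import|base64", re.I)
# rclone <copy|sync|move> <local> <remote>:<path>; the remote name must be at
# least two characters so a local drive letter such as D: does not match.
RCLONE_REMOTE = re.compile(r"\b(copy|sync|move|copyto|moveto)\b\s+\S+\s+[\w-]{2,}:", re.I)

# Constructed sample events (not real telemetry); fields mirror Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"host": "ws-042", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\deno.exe",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "deno.exe run --allow-all C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.ts",
     "cert_thumbprint": ""},
    {"host": "build-01", "image": "C:\\Program Files\\Python311\\python.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "python.exe build.py",
     "cert_thumbprint": ""},
    {"host": "ws-017", "image": "C:\\Users\\Public\\libs\\pythonw.exe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "pythonw.exe -c \"import base64,socket;exec(base64.b64decode('...'))\"",
     "cert_thumbprint": ""},
    {"host": "fs-03", "image": "C:\\ProgramData\\rc\\rclone.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "rclone.exe copy C:\\Finance\\exports ob:stage --config C:\\ProgramData\\rc\\rc.conf",
     "cert_thumbprint": ""},
    {"host": "ws-017", "image": "C:\\ProgramData\\svc\\svc.exe",
     "parent": "C:\\Windows\\System32\\services.exe", "cmdline": "svc.exe",
     "cert_thumbprint": "0000000000000000000000000000000000000001"},
    {"host": "ws-042", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "chrome.exe", "cert_thumbprint": ""},
]


def _name(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def _in_trusted_dir(path):
    lowered = path.lower()
    return any(lowered.startswith(d) for d in TRUSTED_DIRS)


def hunt(events):
    """Return one finding per matched rule: {host, rule, image, detail}."""
    findings = []
    for ev in events:
        image, cmd = ev["image"], ev.get("cmdline", "")
        name, parent = _name(image), _name(ev.get("parent", ""))
        # Rule 1: a Deno/Python interpreter where, or how, it should not run.
        if name in RUNTIME_NAMES:
            reasons = []
            if not _in_trusted_dir(image):
                reasons.append("interpreter outside trusted install paths")
            if parent in SUSPICIOUS_PARENTS:
                reasons.append(f"spawned by {parent}")
            if SUSPICIOUS_ARGS.search(cmd):
                reasons.append("suspicious interpreter arguments")
            if reasons:
                findings.append({"host": ev["host"], "rule": "interpreter",
                                 "image": image, "detail": "; ".join(reasons)})
        # Rule 2: Rclone pushing data to a configured remote. A renamed binary
        # will not match by name; pair this with a hash or signer rule.
        if name == "rclone.exe" and RCLONE_REMOTE.search(cmd):
            findings.append({"host": ev["host"], "rule": "rclone", "image": image,
                             "detail": "rclone transfer to a remote: " + cmd})
        # Rule 3: signed with a certificate on the watch-list.
        if ev.get("cert_thumbprint", "").lower() in CERT_WATCHLIST:
            findings.append({"host": ev["host"], "rule": "certificate", "image": image,
                             "detail": "signed with watch-listed certificate"})
    return findings


def summarize(findings):
    """Count findings per rule, for a quick triage view."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:10} {f['rule']:12} {f['image']}  [{f['detail']}]")
    print(dict(summarize(hunt(SAMPLE_EVENTS))))
```

The path and parent baselines are the part that needs local tuning: developer workstations legitimately run Python from user profiles, so feed the script your real install locations before trusting the interpreter rule, and treat the certificate rule as the highest-confidence of the three.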

Impact

  • Sensitive Data Theft
  • Gain Access
  • Financial Loss

Indicators of Compromise

CVE

  • CVE-2017-7921
  • CVE-2021-36260
  • CVE-2023-6895
  • CVE-2025-34067
  • CVE-2021-33044

MD5

  • 8d8aa0be8f82d22deab96f96d9af34b8
  • 41c19fc6c8a8687988f28fc487048bf3
  • ca37e31d651bbd5bbddef3ea716b8b4f
  • 6d1d4e938ed1e46210375308ef3bcb08
  • 29953b2e46aeaf0157d487c13c4a0643
  • 838c8fd4ae7e3c4972adc8800db44929
  • 591aae15106147bdb5bc7b26049b943f
  • 7f3c8a7fe78d3d05b6022df3ea0c15fb
  • 2115e69f71d9f51a6c6c2effdaee2df2

SHA-256

  • 0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542
  • 1d984d4b2b508b56a77c9a567fb7a50c858e672d56e8cf7677a1fca5c98c95d1
  • bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a
  • 42a5db2a020155b2adb77c00cbe6c6ad27c2285d8c6114679d9d34137e870b3f
  • 077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de
  • 64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb
  • ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888
  • a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0
  • 3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90

SHA-1

  • 42111d2ebcd42fa1fa7069560401db736c483776
  • 3de597e3237d5c7e7cc66ecb58b9ea2af149afa1
  • de9707a8505683930fccf5536e311242425d420
  • 4ebfa2d967ce7983790b77a3987cb1c5d1b868f2
  • 429efcf0370b53cc3c455b634dc066b1d08b568d
  • 2b781b3a352db44db67ad56e8477e6a1016b2597
  • cecf87d582b4df4323eaef04c9a648d43325043a
  • 0ba2306ec15f7124fafc7615e81f34c7986ba9a5
  • 559052799a52d1b29ac7e87935e9a0c80df5fb16

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Monitor for Deno runtime or Python interpreters running from unusual paths or spawned by unexpected parent processes on endpoints.
  • Inspect outbound Rclone traffic and Rclone command lines that target remote storage, which could indicate data exfiltration.
  • Implement certificate-based detection to identify malware signed with known MuddyWater certificates.
  • Isolate critical networks and apply strict segmentation to limit lateral movement.
  • Regularly update and patch all software to prevent exploitation of known vulnerabilities.
  • Conduct continuous threat hunting for persistent malware families like Dindoor, Fakeset, Stagecomp, and Darkcomp.
  • Ensure robust logging and monitoring to detect anomalous activity promptly.
  • Apply all available firmware patches, especially addressing CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067, and CVE-2021-33044.
  • Segment camera networks from core enterprise networks to prevent lateral movement.
  • Disable unnecessary remote access features on cameras.
  • Enforce strong authentication for all connected devices.
  • Monitor outbound traffic from camera systems for signs of active exploitation.
  • Replace or decommission outdated or unsupported devices that cannot be patched.
  • Treat persistent footholds as high-priority risks given current geopolitical tensions.
  • Conduct tabletop exercises to simulate malware intrusion and camera exploitation scenarios.
  • Implement regular backups and validate recovery processes to minimize data loss.
  • Use threat intelligence feeds to stay updated on emerging Iran-linked campaigns.
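The camera hardening steps above include monitoring traffic from camera systems and segmenting them from the enterprise network. The following Python is an added example of what that monitoring can look like at the camera VLAN boundary; it is not Rewterz tooling and not an exploit or check for any of the CVEs listed above. It runs over constructed flow records and flags a camera reaching the internet or non-allow-listed internal hosts, and internet sources reaching camera service ports (remote access that should have been disabled). The camera VLAN, the NVR/VMS allow-list, the internal ranges and the port set are hypothetical placeholders.

```python
"""Hunt firewall/NetFlow records exported at the camera VLAN boundary for
segmentation and exposure problems. Added example; addresses, ranges and
ports are hypothetical and must be replaced with the real environment."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CAMERA_NET = ip_network("10.50.0.0/24")                 # hypothetical camera VLAN
# Explicit internal ranges; do not rely on ip_address.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The only non-camera hosts a camera should ever talk to: NVR and VMS (hypothetical).
ALLOWED_DSTS = {ip_address("10.50.0.10"), ip_address("10.10.5.20")}
# Services typically listening on IP cameras: web UI, RTSP, vendor device ports.
EXPOSED_PORTS = {80, 443, 554, 8000, 37777}

# Constructed sample flows (not real telemetry): 5-tuple plus byte count.
SAMPLE_FLOWS = [
    {"src": "10.50.0.21", "sport": 51021, "dst": "10.50.0.10",   "dport": 554,  "bytes": 4_200_000},  # camera -> NVR
    {"src": "10.50.0.21", "sport": 51022, "dst": "10.10.5.20",   "dport": 443,  "bytes": 12_000},     # camera -> VMS
    {"src": "10.50.0.34", "sport": 40112, "dst": "203.0.113.7",  "dport": 443,  "bytes": 1_800_000},  # camera -> internet
    {"src": "10.50.0.34", "sport": 40113, "dst": "10.20.1.5",    "dport": 445,  "bytes": 3_100},      # camera -> file server
    {"src": "198.51.100.9", "sport": 55555, "dst": "10.50.0.34", "dport": 8000, "bytes": 900},        # internet -> camera
    {"src": "10.50.0.40", "sport": 40200, "dst": "8.8.8.8",      "dport": 123,  "bytes": 152},        # camera -> public NTP
]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def hunt_camera_flows(flows):
    """Return one finding per offending flow: the flow plus a 'rule' label."""
    findings = []
    for flow in flows:
        src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
        if src in CAMERA_NET:
            # Camera-initiated traffic: only camera-to-camera, NVR and VMS are expected.
            if dst in CAMERA_NET or dst in ALLOWED_DSTS:
                continue
            rule = "camera-egress-internet" if not is_internal(dst) else "camera-lateral"
            findings.append({**flow, "rule": rule})
        elif dst in CAMERA_NET and not is_internal(src) and flow["dport"] in EXPOSED_PORTS:
            # An internet source reached a camera service port: remote access is on.
            findings.append({**flow, "rule": "camera-exposed-inbound"})
    return findings


def egress_bytes_per_camera(findings):
    """Bytes each camera pushed to the internet, for prioritising investigation."""
    totals = defaultdict(int)
    for f in findings:
        if f["rule"] == "camera-egress-internet":
            totals[f["src"]] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    hits = hunt_camera_flows(SAMPLE_FLOWS)
    for h in hits:
        print(f"{h['rule']:24} {h['src']}:{h['sport']} -> {h['dst']}:{h['dport']} ({h['bytes']} bytes)")
    print(egress_bytes_per_camera(hits))
```

A camera that legitimately needs NTP or firmware updates should get an internal NTP server or update proxy added to the allow-list rather than an internet exception; an allow-list of a handful of internal hosts is what makes the egress rule meaningful.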