MuddyWater Cyberattacks Target US, Canada, and Israel Networks, Critical Infrastructure

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Persistent Presence: Iranian cyber group MuddyWater infiltrated multiple U.S. and Israeli networks, maintaining persistent access since at least early February 2026.
  • New Backdoor: Attackers deployed the new Dindoor backdoor against major targets, including a US bank and a software company’s Israeli arm.
  • Cyber Operations: This campaign highlights escalating Iranian cyber operations, enabling sustained intelligence gathering or potential disruptive actions against critical infrastructure.

MuddyWater compromised the network infrastructure of several critical organizations across the United States, Canada, and Israel. The intrusions deployed two distinct, custom-developed backdoors targeting a strategically diverse portfolio of entities, including a software development company that provides technology solutions to the defense and aerospace sectors. 

US and Israeli Network Compromises

Broadcom’s Symantec and Carbon Black security researchers have attributed this activity, which has maintained persistence since at least early February, to the Iranian Ministry of Intelligence and Security (MOIS)-affiliated group. The reuse of digital certificates previously associated with MuddyWater operations has established a high-confidence attribution assessment.

MuddyWater, also known as Seedworm, Temp Zagros, and Static Kitten, disseminated a previously unknown implant designated Dindoor within the network environments of:

A separate Python-based backdoor, Fakeset, was discovered within the network infrastructures of:

An attempted data exfiltration operation from the compromised software company was documented during the investigation. While the initial access vector remains unconfirmed, the group has historically employed phishing.

Escalating State-Sponsored Cybersecurity Threats

These U.S. and Israeli network compromises gave the threat actors the operational positioning either to conduct sustained intelligence exfiltration or to execute disruptive attacks in response to geopolitical developments; researchers have warned of retaliatory cyberattacks following such developments.

In October 2025, a MuddyWater espionage campaign targeted more than 100 government entities across the Middle East and North Africa (MENA) with spear-phishing attacks that used a compromised email account to distribute a custom backdoor known as Phoenix.

Reports in 2024 revealed that MuddyWater’s phishing campaign targeting Israeli organizations deployed a previously undocumented, tailor-made backdoor.

In other recent news, suspected Iranian threat actors compromised IP camera feeds in Iran, Israel, the UAE, Qatar, and Bahrain. 


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: