Threats Feed | Seedworm | Last Updated 11/03/2026 | Author: Certfa Radar | Publish Date: 05/03/2026

Iranian APT Seedworm Targets U.S., Israel, and Canada with Novel Backdoors

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Downloader, Malware
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

The Iranian APT group Seedworm has targeted multiple organizations across the U.S., Canada, and Israel since February 2026. Leveraging custom malware, the threat actors compromised networks within the financial, aviation, software, defense, and non-profit sectors. Attackers deployed a novel JavaScript/TypeScript backdoor named Dindoor, alongside a Python-based backdoor called Fakeset. To evade detection, the group signed their payloads with digital certificates issued to "Amy Cherne" and "Donald Gay." Additionally, the attackers utilized legitimate cloud services, including Backblaze for staging and Rclone for attempted data exfiltration to Wasabi buckets. Given Seedworm’s affiliation with the Iranian Ministry of Intelligence and Security, these intrusions pose a significant espionage threat amidst current geopolitical conflicts.

Detected Targets

Type     Description              Confidence
Sector   Banking                  Verified
Sector   Information Technology   Verified
Sector   Aerospace                Verified
Sector   Civic                    Verified
Region   Canada                   Verified
Region   United States            Verified

Extracted IOCs

  • moonzonet[.]com
  • serialmenot[.]com
  • uppdatefile[.]com
  • 077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de
  • 0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542
  • 1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6
  • 15061036c702ad92b56b35e42cf5dc334597e7311e98d2fdd3815a69ac3b1d84
  • 1d984d4b2b508b56a77c9a567fb7a50c858e672d56e8cf7677a1fca5c98c95d1
  • 24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14
  • 2a00705cfd3c15cf8913e9eb4e23968efd06f1feceaef9987d26c5518887d043
  • 2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5
  • 2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6
  • 3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90
  • 42a5db2a020155b2adb77c00cbe6c6ad27c2285d8c6114679d9d34137e870b3f
  • 4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be
  • 64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb
  • 64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1
  • 7467f326677a4a2c8576e71a832e297e794ea00e9b67c4fcbe78b5aec697cec4
  • 74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d
  • 7c30c16e7a311dc0cdb1cdfd9ea6e502f44c027328dbe7d960b9bcd85ccf5eef
  • 94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444
  • a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377
  • a5d4d6be3bfe0cba23fe6b44984b5fc9c7c7e10030be96120bb30da0f2545d4c
  • a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0
  • b0af82de672d81f3c2f153977923b3884a8a9e7045b182c2379b19a1996931a0
  • bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a
  • c7cf1575336e78946f4fe4b0e7416b6ebe6813a1a040c54fb6ad82e72673478e
  • ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888

Tip: 28 IOCs related to this threat have been found (0 IP, 3 domain, 0 URL, 0 email, 25 file hash).

FAQs

Seedworm Cyber Campaign Targeting U.S. and Israeli Networks

Security researchers disrupted a cyber espionage campaign targeting several organizations across North America and Israel. Attackers breached these networks, deployed custom hidden backdoors, and attempted to steal organizational data using cloud storage services.

The attacks were carried out by an Advanced Persistent Threat (APT) group known as Seedworm (also referred to as MuddyWater). Operating since 2017, this group is a subordinate element of the Iranian Ministry of Intelligence and Security (MOIS) and is well known for conducting classic espionage and intelligence gathering.

The primary goal of this campaign was espionage and information theft. By establishing a hidden presence on these networks prior to recent geopolitical hostilities, the threat actors positioned themselves to quietly gather sensitive intelligence or potentially launch further disruptive attacks.

Yes. The attackers focused on high-value targets, including a U.S. bank, a U.S. airport, non-profit organizations in both the U.S. and Canada, and the Israeli branch of a U.S. software company that supplies the defense and aerospace industries.

The attackers used specialized, custom-built malware (named Dindoor and Fakeset) to create backdoors into the targeted systems. To bypass security software, they disguised their malware using stolen or fraudulent digital certificates and used legitimate cloud services, such as Backblaze for downloading tools and Wasabi for attempting to smuggle data out.

Entities like defense suppliers, banks, and critical infrastructure (such as airports) possess highly sensitive intellectual property, strategic operational data, and financial records. This makes them prime targets for state-sponsored groups looking to gain an economic or military advantage.

While Seedworm has broadened its focus globally in recent years to include various sectors across multiple continents, this specific campaign was highly targeted at a select few organizations in specific regions.

Organizations should check their systems for the specific fraudulent digital certificates used in this attack, tightly monitor the use of programming runtimes like Python and Deno, and restrict unauthorized data transfer tools from connecting to external cloud storage buckets.
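The three checks recommended above (certificate signer names, Python/Deno runtime use, and data-transfer tools reaching external object storage) can be expressed as simple triage rules over endpoint telemetry. The script below is an added illustration, not Certfa Radar's tooling or anything from the Seedworm report; it runs over a handful of constructed process and network events. The event field names, the Backblaze/Wasabi endpoint suffixes, and the "runtime launched from a user-writable path" heuristic are assumptions made for the example; the signer names and the three domains come from this page.

```python
"""Triage constructed endpoint telemetry against the Seedworm indicators on this
page: payload signer names, Python/Deno runtimes, Rclone transfers to external
object storage, and the three listed domains. (Added example; field names and
endpoint suffixes are assumptions, not taken from the report.)"""

import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the page text (domains kept defanged as published).
SUSPECT_SIGNERS = {"amy cherne", "donald gay"}
SUSPECT_DOMAINS_DEFANGED = ["moonzonet[.]com", "serialmenot[.]com", "uppdatefile[.]com"]

# Assumed endpoint suffixes for the two storage services named on the page.
CLOUD_STORAGE_HOSTS = (".backblazeb2.com", ".wasabisys.com")
RUNTIMES = {"deno", "deno.exe", "python", "python.exe", "python3", "python3.exe"}
TRANSFER_TOOLS = {"rclone", "rclone.exe"}
# Heuristic (assumption): a runtime sitting under a user-writable path merits review.
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "/tmp/")


def refang(indicator: str) -> str:
    """Turn a published 'example[.]com' indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


SUSPECT_DOMAINS = {refang(d) for d in SUSPECT_DOMAINS_DEFANGED}


@dataclass
class Event:
    host: str
    image: str           # full path of the process image
    cmdline: str
    signer: str = ""     # Authenticode subject name, empty if unsigned
    dest_host: str = ""  # remote host for a network connection, if any


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def triage(events):
    """Apply the four rules to each event and return every match."""
    findings = []
    for ev in events:
        image = basename(ev.image)
        lowered = (ev.image + " " + ev.cmdline).lower()
        dest = ev.dest_host.lower()
        if ev.signer.strip().lower() in SUSPECT_SIGNERS:
            findings.append(Finding(ev.host, "suspect-signer",
                                    f"{ev.image} signed by {ev.signer!r}"))
        if dest in SUSPECT_DOMAINS:
            findings.append(Finding(ev.host, "ioc-domain", f"{image} -> {dest}"))
        if image in TRANSFER_TOOLS and (dest.endswith(CLOUD_STORAGE_HOSTS)
                                        or any(h in lowered for h in CLOUD_STORAGE_HOSTS)):
            findings.append(Finding(ev.host, "cloud-transfer-tool", f"{image}: {ev.cmdline}"))
        if image in RUNTIMES and any(h in lowered for h in USER_WRITABLE_HINTS):
            findings.append(Finding(ev.host, "runtime-from-user-path",
                                    f"{ev.image} {ev.cmdline}"))
    return findings


def rule_counts(findings):
    return dict(Counter(f.rule for f in findings))


# Constructed sample telemetry; none of these paths or hosts come from the report.
SAMPLE_EVENTS = [
    Event("WS01", r"C:\Users\alice\AppData\Local\Temp\update.exe", "update.exe",
          signer="Amy Cherne"),
    Event("WS01", r"C:\Users\alice\AppData\Local\Temp\deno.exe", "deno.exe run -A agent.ts"),
    Event("WS01", r"C:\Users\alice\AppData\Local\Temp\deno.exe", "deno.exe run -A agent.ts",
          dest_host="moonzonet.com"),
    Event("SRV02", r"C:\Tools\rclone.exe", "rclone.exe copy D:\\share remote:bucket",
          dest_host="s3.wasabisys.com"),
    # Benign: vendor-signed interpreter in Program Files, no suspicious destination.
    Event("WS03", r"C:\Program Files\Python312\python.exe", "python.exe build.py",
          signer="Python Software Foundation"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:24} {f.detail}")
    print(rule_counts(triage(SAMPLE_EVENTS)))
```

On the constructed sample the benign Program Files interpreter produces no finding, while the Temp-resident Deno runtime, the suspect signer, the listed domain and the Rclone-to-Wasabi transfer each fire; in a real deployment the signer check would be fed from Authenticode metadata and the path heuristic tuned to the organisation's own developer workstations.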