Cybersecurity | March 6, 2026

MuddyWater APT 2026: Iran-Linked Attacks on US and Israeli Targets

Secured Intel Team, Editor


The geopolitical aftershocks of U.S. and Israeli military strikes on Iran are now reverberating through corporate networks. Since early February 2026, Symantec and Carbon Black researchers have tracked a surge of MuddyWater intrusions — a threat actor formally attributed to Iran's Ministry of Intelligence and Security (MOIS) — striking U.S. banks, airports, non-profits, and an Israeli software firm. These are not opportunistic attacks. They are a calculated response to kinetic conflict, in line with Iran's cyber doctrine.

What makes this campaign operationally significant is its tooling evolution. MuddyWater has introduced Dindoor, a backdoor built on the Deno JavaScript runtime — a novel technique not previously observed in nation-state APT toolkits — alongside Fakeset, a Python-based implant signed with a legitimately issued code-signing certificate, sourced from Backblaze, that had previously been tied to MuddyWater infrastructure. Combined with spear-phishing and honeytrap social engineering, the group is moving fast and targeting organizations with direct or peripheral ties to U.S.-Israel defense operations.

This post breaks down the campaign mechanics, maps TTPs to MITRE ATT&CK, connects the broader Iranian cyber threat landscape, and gives your security team actionable detection and mitigation steps.


MuddyWater's 2026 Toolset: Dindoor and Fakeset Dissected

MuddyWater has historically relied on PowerShell-based tooling and living-off-the-land techniques. The introduction of a Deno-based backdoor marks a deliberate evolution — one designed to exploit defender blind spots in JavaScript runtime monitoring.

Dindoor: Deno Runtime as a Weaponized Backdoor

Dindoor leverages Deno, a modern JavaScript and TypeScript runtime built on V8 and Rust, as its execution environment. This choice is tactically shrewd. Most endpoint detection and response (EDR) solutions and security information and event management (SIEM) platforms maintain extensive behavioral baselines for Node.js and Python — but Deno remains largely unmonitored in enterprise environments.

Dindoor's post-compromise behavior centers on data exfiltration:

  • Establishes persistence through scheduled tasks or Run key registry modifications
  • Exfiltrates collected data via Rclone — a legitimate cloud sync utility — routed to Wasabi cloud storage
  • Specifically targeted a defense supplier's Israeli operations, suggesting precision intelligence tasking
  • Abuses Deno's built-in network and filesystem APIs to avoid calling Windows APIs that trigger EDR alerts

Important: Rclone is a legitimate, signed tool that many organizations permit on endpoints for cloud backup workflows. MuddyWater's use of Rclone to Wasabi buckets means exfiltration traffic may appear completely benign in network logs without outbound destination analysis.

Fakeset: Python Implant with Signed Certificate Persistence

Fakeset is a Python-based implant with direct code overlaps to prior MuddyWater tooling — specifically Stagecomp and Darkcomp — confirming shared development infrastructure. Its most significant attribute is its code-signing certificate, legitimately issued through Backblaze and previously associated with MuddyWater infrastructure. This signing status allows Fakeset to bypass many signature-based security controls.

Researchers note that while Fakeset has been staged across compromised environments, execution has not been confirmed in all intrusions. This "pre-positioned but dormant" pattern is consistent with MuddyWater's historical approach of establishing persistence before activating destructive or espionage payloads.

Table: MuddyWater 2026 Malware Comparison

Attribute           | Dindoor               | Fakeset
--------------------|-----------------------|-------------------------
Language / Runtime  | JavaScript (Deno)     | Python
Primary Function    | Exfiltration backdoor | Staged implant
Signing Status      | Unsigned              | Signed (Backblaze cert)
Execution Confirmed | Yes                   | Staged only
Exfil Destination   | Wasabi via Rclone     | TBD
ATT&CK Technique    | T1048, T1059.007      | T1059.006, T1553.002
Prior Overlaps      | Novel                 | Stagecomp, Darkcomp

Initial Access and Social Engineering Tactics

How is MuddyWater gaining entry into well-defended financial institutions and airport networks? Attribution analysis points to two primary initial access techniques operating in parallel.

Spear-Phishing and Honeytrap Operations

MuddyWater has long relied on spear-phishing (T1566.001), and this campaign follows established patterns. Lure themes align with geopolitical events: communications impersonating government advisories, conflict-related policy updates, and vendor security notifications have all been observed. The group also deploys honeytrap social engineering — building rapport with targeted individuals over professional networking platforms before delivering malicious documents or credential harvesting links.

Organizations should treat the following as elevated-risk inbound vectors right now:

  • Emails referencing U.S.-Iran tensions, sanctions, or conflict-related compliance requirements
  • LinkedIn or professional network contact from unknown individuals expressing interest in defense, aerospace, or financial technology roles
  • Vendor communications arriving outside of established channels, particularly those requesting credential verification

Vendor Certificate Abuse and Supply Chain Persistence

Fakeset's use of a legitimately issued Backblaze certificate reveals a persistent MuddyWater technique: acquiring or compromising code-signing certificates from cloud storage and software vendors to legitimize malware. This approach directly undermines certificate-based trust models and highlights a critical gap — certificate provenance matters as much as certificate validity.

Pro Tip: Audit your organization's trusted certificate store and enforce certificate pinning for critical internal applications. Alert on any signed executable communicating with cloud storage endpoints (Wasabi, Backblaze, Rclone destinations) outside of approved backup workflows.

Table: MuddyWater Initial Access Techniques — ATT&CK Mapping

Technique ID | Name                      | Observable Indicator        | Detection Priority
-------------|---------------------------|-----------------------------|-------------------
T1566.001    | Spear-Phishing Attachment | Macro-enabled Office docs   | High
T1566.002    | Spear-Phishing Link       | Credential harvest pages    | High
T1553.002    | Code Signing Abuse        | Signed Python executables   | Critical
T1078.004    | Cloud Account Compromise  | Abnormal cloud storage auth | High
T1591        | Gather Victim Org Info    | OSINT on LinkedIn/social    | Medium

The Broader Iranian Cyber Threat Landscape in 2026

MuddyWater's campaign does not exist in isolation. It sits within an accelerating Iranian cyber offensive that spans multiple threat clusters, targeting methodologies, and geographies. Understanding the full threat landscape helps security teams contextualize their risk exposure.

Handala, APT-Iran, and Critical Infrastructure Scanning

Concurrent with MuddyWater's intrusions, Handala and related Iran-affiliated actors have been actively scanning for and exploiting CVE-2017-7921 on Hikvision IP cameras — a critical authentication bypass vulnerability with a CVSS score of 9.8 that remains unpatched across thousands of enterprise and government deployments. These camera networks provide physical surveillance access and serve as pivot points into enterprise networks.

Additionally, wiper malware campaigns targeting Israeli organizations have intensified, consistent with MOIS and Islamic Revolutionary Guard Corps (IRGC) operational doctrine of combining espionage with disruptive attacks during active conflict periods.

IRGC Cloud Targeting and Operation UltraViolet

Intelligence reporting on Operation UltraViolet indicates Iran is actively prioritizing identity infrastructure and cloud environments as retaliation vectors. IRGC-affiliated actors have reportedly claimed access to Amazon Web Services infrastructure in Bahrain — a strategically significant regional hub. Meanwhile, pro-Russia hacktivist groups operating in coordination with Iranian objectives have targeted U.S. industrial control systems (ICS) and operational technology (OT) environments.

This convergence of state-sponsored espionage, cloud identity attacks, and ICS targeting represents a threat matrix that stretches across multiple security domains simultaneously.

Table: Iranian Threat Actor Landscape — 2026 Campaign Overview

Actor                  | Affiliation | Primary Target                   | Primary Method                | Key Concern
-----------------------|-------------|----------------------------------|-------------------------------|-------------------------
MuddyWater             | MOIS        | US banks, airports, Israeli tech | Spear-phish, Dindoor/Fakeset  | Deno runtime evasion
Handala                | Iran-linked | Israeli/Western infra            | CVE exploitation, wipers      | OT/camera pivot access
IRGC Clusters          | IRGC        | Cloud identity, AWS              | Credential theft, cloud abuse | Identity infrastructure
Pro-Russia Hacktivists | Coordinated | US ICS/OT systems                | DDoS, unauthorized access     | ICS availability impact

Detection and Mitigation: Priorities for Exposed Organizations

If your organization operates in U.S. financial services, aviation, defense supply chains, or has material ties to Israeli business operations, you should treat this advisory as active and directional to your environment. The following mitigations directly address MuddyWater's confirmed TTPs.

Identity and Access Hardening

The single highest-impact control against MuddyWater's social engineering and cloud targeting campaigns is phishing-resistant multi-factor authentication (MFA). Standard TOTP or SMS-based MFA does not meet this bar — adversarial-in-the-middle (AiTM) phishing kits trivially bypass these controls. Implement FIDO2/WebAuthn hardware keys or passkey-based authentication for all privileged and remote-access accounts.

Additional identity hardening steps:

  • Enforce conditional access policies restricting authentication from non-managed devices
  • Review and revoke dormant service accounts with cloud storage permissions
  • Audit OAuth application consents for Wasabi, Backblaze, and Rclone integrations

Network Segmentation and OT Offline Backups

For organizations with OT or ICS environments, the convergence of pro-Russia hacktivist ICS targeting with Iranian cloud campaigns demands urgent architecture review:

  • Maintain offline, air-gapped backups of OT configurations and historian data
  • Segment operational technology networks from corporate IT with hardware-enforced boundaries
  • Disable internet-facing Hikvision cameras immediately or apply available firmware patches for CVE-2017-7921

Threat Hunting Priorities

Security operations teams should initiate immediate hunts across the following signals:

  • Deno runtime (deno.exe) process execution on any endpoint outside approved developer workflows
  • Rclone execution with command-line arguments referencing Wasabi endpoints (s3.wasabisys.com)
  • Python processes signed with Backblaze-associated certificates
  • Outbound traffic to cloud storage endpoints from non-standard processes or outside business hours
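As an added, defender-side example that is not from the original post or from Symantec's reporting, the following Python applies the four hunt signals above, plus the outbound-destination analysis the Rclone note earlier calls for, to constructed Sysmon-style process-creation and network-connection records. Every hostname, user, path and allowlist value is an invented placeholder, and the Backblaze-signer and Wasabi-endpoint matches are plain substring checks an operator would tune to their own telemetry.

```python
from datetime import datetime
# Allowlists are placeholders an operator would maintain; every host, user and path in this file is constructed.
APPROVED_DENO_HOSTS = {"dev-ws-07"}                        # hosts where Deno is an approved developer tool
APPROVED_RCLONE_RUNS = {("backup-srv-01", "svc_backup")}   # (host, user) pairs allowed to sync to Wasabi
STANDARD_CLOUD_PROCESSES = {"rclone.exe"}                  # processes expected to reach cloud storage at all
CLOUD_STORAGE_DOMAINS = ("wasabisys.com", "backblazeb2.com")
BUSINESS_HOURS = range(8, 19)                              # 08:00-18:59 local time

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt_process(ev):
    """Apply the three process-level hunt signals to one process-creation record."""
    hits, image, cmd = [], basename(ev["image"]), ev.get("cmdline", "").lower()
    if image == "deno.exe" and ev["host"] not in APPROVED_DENO_HOSTS:
        hits.append("deno.exe outside approved developer workflow")
    if image == "rclone.exe" and "wasabisys.com" in cmd and (ev["host"], ev["user"]) not in APPROVED_RCLONE_RUNS:
        hits.append("rclone to Wasabi outside approved backup workflow")
    if image.startswith("python") and "backblaze" in ev.get("signer", "").lower():
        hits.append("python binary signed with Backblaze-associated certificate")
    return hits

def hunt_network(ev):
    """Apply the egress signal: a cloud storage destination reached by an unexpected process or hour."""
    hits = []
    if not ev["dest_host"].lower().endswith(CLOUD_STORAGE_DOMAINS):
        return hits                                         # only cloud storage destinations are in scope
    if basename(ev["image"]) not in STANDARD_CLOUD_PROCESSES:
        hits.append("cloud storage egress from non-standard process")
    if datetime.fromisoformat(ev["time"]).hour not in BUSINESS_HOURS:
        hits.append("cloud storage egress outside business hours")
    return hits

def run_hunt(events):
    """Return {(host, image): [findings]} for every record that trips at least one rule."""
    report = {}
    for ev in events:
        hits = hunt_process(ev) if ev["type"] == "process" else hunt_network(ev)
        if hits:
            report.setdefault((ev["host"], basename(ev["image"])), []).extend(hits)
    return report
# Constructed sample telemetry (not real logs): an approved developer, an approved backup job, one suspect workstation.
SAMPLE_EVENTS = [
    {"type": "process", "host": "dev-ws-07", "user": "alice", "image": r"C:\tools\deno.exe", "cmdline": "deno run app.ts"},
    {"type": "process", "host": "backup-srv-01", "user": "svc_backup", "image": r"C:\rclone\rclone.exe", "cmdline": "rclone sync D:\\data wasabi:backup --s3-endpoint s3.wasabisys.com"},
    {"type": "process", "host": "fin-ws-22", "user": "bob", "image": r"C:\Users\bob\AppData\Local\Temp\deno.exe", "cmdline": "deno run -A main.js"},
    {"type": "process", "host": "fin-ws-22", "user": "bob", "image": r"C:\ProgramData\rclone.exe", "cmdline": "rclone copy C:\\Users\\bob\\Documents remote: --s3-endpoint s3.wasabisys.com"},
    {"type": "process", "host": "fin-ws-22", "user": "bob", "image": r"C:\ProgramData\python.exe", "signer": "Backblaze, Inc."},
    {"type": "network", "host": "fin-ws-22", "image": r"C:\ProgramData\python.exe", "dest_host": "s3.wasabisys.com", "time": "2026-03-02T02:14:00"},
]
```

Running run_hunt(SAMPLE_EVENTS) leaves the approved developer and backup job silent and surfaces only fin-ws-22, where the signed Python binary is flagged once for its signer and twice for its off-hours Wasabi egress.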

Key Takeaways

  • Hunt for Deno runtime execution immediately: deno.exe on non-developer endpoints is a critical anomaly that strongly indicates Dindoor activity.
  • Block or alert on Rclone-to-Wasabi traffic — legitimate backup workflows should be explicitly approved; all other Rclone destinations warrant investigation.
  • Enforce FIDO2/WebAuthn MFA across all remote access and privileged accounts to neutralize AiTM phishing campaigns.
  • Patch CVE-2017-7921 on all Hikvision devices or take them offline — this 2017 vulnerability remains an active initial access vector in 2026.
  • Treat staged-but-dormant Fakeset implants as active compromises — pre-positioned malware awaiting operator activation demands full incident response, not just remediation.
  • Brief your IR team on Operation UltraViolet — cloud identity and AWS infrastructure targeting by IRGC-linked actors expands the attack surface well beyond endpoint security.

Conclusion

MuddyWater's 2026 campaign against U.S. and Israeli-connected organizations represents more than an incremental threat update — it signals Iran's intent to use cyber operations as a direct, scalable response to kinetic military action. The introduction of Deno-based tooling, signed Python implants, and Rclone-based exfiltration to commercial cloud storage demonstrates a sophisticated effort to exploit defender monitoring gaps.

The broader Iranian threat landscape compounds this risk. From Hikvision camera exploitation to IRGC cloud targeting and ICS harassment, your organization faces a multi-vector threat that no single control can address. Defense requires layered responses: phishing-resistant MFA, network segmentation, proactive threat hunting, and offline OT backups.

Start today by validating Deno and Rclone monitoring in your EDR, reviewing cloud storage egress policies, and confirming MFA posture for all internet-facing systems. The threat is active, directional, and geopolitically motivated — your response timeline should match that urgency.


Frequently Asked Questions

Q: What types of organizations are most at risk from the current MuddyWater campaign?
A: Organizations with direct or indirect ties to U.S.-Israel defense operations face the highest risk, including U.S. financial institutions, aviation infrastructure, defense suppliers with Israeli operations, and technology firms supporting government contracts. Non-profits with Middle East policy exposure have also been targeted, suggesting MuddyWater is pursuing intelligence collection across a broader target set than purely military-adjacent organizations.

Q: Why is Deno's use in Dindoor significant from a detection standpoint?
A: Deno is a modern JavaScript runtime that most enterprise security tools do not monitor with the same depth as Node.js or Python. Security baselines, behavioral rules, and application control policies rarely account for Deno execution, creating a monitoring blind spot that MuddyWater deliberately exploits. Defenders should immediately add Deno process execution to their EDR alert rules and application allowlists.

Q: How does Fakeset bypass code-signing security controls?
A: Fakeset carries a legitimate code-signing certificate previously associated with Backblaze infrastructure, causing many signature-verification security controls to classify it as trusted. This technique — known as certificate abuse (MITRE T1553.002) — highlights that certificate validity alone is insufficient; security teams must also verify certificate provenance, issuing authority legitimacy, and expected signing patterns for Python executables in their environments.

Q: What compliance frameworks require action in response to this advisory?
A: Organizations operating under NIST SP 800-171 or CMMC (defense contractors), PCI DSS (financial institutions), and ISO 27001 have existing control requirements directly applicable to this threat — specifically around access control, incident response, and continuous monitoring. CISA's Known Exploited Vulnerabilities (KEV) catalog already includes CVE-2017-7921, meaning any organization subject to CISA BOD 22-01 has a binding remediation obligation for the Hikvision vulnerability.

Q: How should incident responders treat a Fakeset staging detection where no execution has occurred?
A: A staged-but-dormant implant should be treated as an active, confirmed compromise requiring full incident response — not simply endpoint remediation. MuddyWater's pattern of pre-positioning payloads before activation means the threat actor likely has persistent access through an alternate mechanism. Responders should assume lateral movement has occurred, conduct full network forensics, rotate all credentials accessible from affected systems, and notify relevant stakeholders per your incident response plan.