
Iran-linked MuddyWater targets U.S. networks with new Dindoor backdoor

Peter Chofield

Broadcom’s Symantec and Carbon Black Threat Hunter Team says the Iran-linked hacking group MuddyWater embedded itself inside several U.S. organizations and used a newly identified backdoor called Dindoor to maintain access. The victims included banks, airports, a non-profit organization, and the Israeli arm of a software company.

The researchers attributed the activity to MuddyWater, also known as Seedworm, a state-sponsored group affiliated with Iran’s Ministry of Intelligence and Security. According to the report, the intrusions show the group continuing to target organizations of strategic interest while relying on custom tooling to preserve long-term access inside compromised networks.

Symantec said the attackers deployed Dindoor only after they had already gained access to victim environments, using it to retain control of compromised systems. The report characterised the campaign as espionage rather than financially motivated crime, with the emphasis on persistence inside networks in sensitive sectors.

The latest activity adds to Cyberwarzone’s prior coverage of Iran-linked cyber operations, including Iran-linked cyber groups operating across the Middle East and earlier cases where attackers used embedded backdoors for long-term access, such as the Pulse Secure backdoor intrusion.

Symantec said the group had established itself inside victim environments before Dindoor was identified, indicating the malware was one component of a broader intrusion set rather than a standalone initial-access tool. The mix of targeted sectors and the reliance on a custom backdoor are consistent with MuddyWater's history of state-linked intelligence gathering.