{"id":4736,"date":"2026-03-06T15:36:39","date_gmt":"2026-03-06T15:36:39","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/03\/06\/irans-muddywater-hackers-hit-us-firms-with-new-dindoor-backdoor\/"},"modified":"2026-03-06T15:36:39","modified_gmt":"2026-03-06T15:36:39","slug":"irans-muddywater-hackers-hit-us-firms-with-new-dindoor-backdoor","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/03\/06\/irans-muddywater-hackers-hit-us-firms-with-new-dindoor-backdoor\/","title":{"rendered":"Iran&#8217;s MuddyWater Hackers Hit US Firms with New &#8216;Dindoor&#8217; Backdoor"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Several US companies have been targeted by Iranian hacking group MuddyWater in a new campaign that started in early February and has continued after the US and Israeli military strikes on Iran.<\/p>\n<p>The campaign was detected by the Threat Hunter Team at Broadcom\u2019s Symantec and Carbon Black.<\/p>\n<p>The potential victims include a US bank, a US airport, non-governmental organizations in both the US and Canada and the Israeli operation of a US software company that supplies the defense and aerospace sectors. 
Each of these organizations has experienced suspicious activity on their networks in recent days and weeks, said the Threat Hunter Team in a March 5 report.<\/p>\n<p>The campaign involves a previously unknown backdoor, dubbed \u2018Dindoor\u2019 by the cyber threat researchers.<\/p>\n<h2><strong>Reused Certificates Tie New Backdoors to Iran-Linked MuddyWater<\/strong><\/h2>\n<p>The Dindoor backdoor was found by the threat researchers on the networks of the Israeli outpost of the software company, the US bank and the Canadian non-profit organization.<\/p>\n<p>Signed with a certificate issued to \u201cAmy Cherne,\u201d this backdoor leverages Deno, the secure runtime for JavaScript and TypeScript, to execute.<\/p>\n<p>The researchers also observed an attempt to exfiltrate data from the software company using Rclone, a command-line program to manage files on cloud storage, to a Wasabi cloud storage bucket. It is not clear if this attempt was successful.<\/p>\n<p>A different, Python backdoor called Fakeset was found on the networks of the US airport. 
It was signed by certificates issued to \u201cAmy Cherne\u201d and \u201cDonald Gay\u201d.<\/p>\n<p>The Donald Gay certificate has been used previously to sign malware linked to MuddyWater, a hacking group active since 2017 and associated with the Iranian Ministry of Intelligence and Security (MOIS), also known as Seedworm, Temp Zagros and Static Kitten.<\/p>\n<p>The backdoor was downloaded from two servers belonging to the Backblaze cloud storage company.<\/p>\n<p>The Donald Gay certificate was also used to sign a sample from the malware family the researchers track as \u2018Stagecomp,\u2019 which downloads the Darkcomp backdoor.<\/p>\n<p>The Stagecomp and the Darkcomp malware have been linked to MuddyWater by security vendors, including Google, Microsoft and Kaspersky.<\/p>\n<p>This malware wasn\u2019t seen on the targeted networks, but the use of the same certificates suggests MuddyWater was involved, said the Threat Hunter Team.<\/p>\n<p>\u201cWhile we have disrupted these breaches, other organizations could still be vulnerable to attack,\u201d the researchers added.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Several US companies have been targeted by Iranian hacking group MuddyWater in a new campaign that started in early February and has continued after the US and Israeli military strikes on Iran. The campaign was detected by the Threat Hunter Team at Broadcom\u2019s Symantec and Carbon Black. 
The potential victims include a US bank, a<\/p>\n","protected":false},"author":2,"featured_media":4737,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4736","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4736-a6ce0e2e-b44a-4359-90dd-bf98a684782e.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4736-a6ce0e2e-b44a-4359-90dd-bf98a684782e-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4736-a6ce0e2e-b44a-4359-90dd-bf98a684782e.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4736-a6ce0e2e-b44a-4359-90dd-bf98a684782e.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4736-a6ce0e2e-b44a-4359-90dd-bf98a684782e.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4736-a6ce0e2e-b44a-4359-90dd-bf98a684782e.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4736-a6ce0e2e-b44a-4359-90dd-bf98a684782e.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4736-a6ce0e2e-b44a-4359-90dd-bf98a684782e.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4736-a6ce0e2e-b44a-4359-90dd-bf98a684782e.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4736-a6ce0e2e-b44a-4359-90dd-bf98a684782e.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4736-a6ce0e2e-b44a-4359-90dd-bf98a684782e-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4736","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4736"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4736\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4737"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}