Iran's MuddyWater Hackers Hit US Firms with New 'Dindoor' Backdoor
Iranian state-linked group MuddyWater is targeting US companies with a new backdoor called Dindoor, signed with a certificate issued to 'Amy Cherne' and leveraging the Deno runtime.

Iranian state-linked hacking group MuddyWater has launched a new campaign targeting multiple US companies, deploying a previously unknown backdoor dubbed 'Dindoor' that leverages the Deno runtime. The campaign, detected by Broadcom's Symantec and Carbon Black threat hunter teams, began in early February 2026 and has continued even after US and Israeli military strikes on Iran, according to a report published March 5.
The potential victims include a US bank, a US airport, non-governmental organizations in both the US and Canada, and the Israeli operation of a US software company that supplies the defense and aerospace sectors. Each of these organizations has experienced suspicious activity on their networks in recent days and weeks, the researchers said.
The Dindoor backdoor was found on the networks of the Israeli outpost of the software company, the US bank and the Canadian non-profit organization. Signed with a certificate issued to 'Amy Cherne,' this backdoor leverages Deno, the secure runtime for JavaScript and TypeScript, to execute malicious code. The researchers also observed an attempt to exfiltrate data from the software company using Rclone, a command-line program to manage files on cloud storage, to a Wasabi cloud storage bucket. It is not clear if this attempt was successful.
A different, Python-based backdoor called Fakeset was found on the networks of the US airport. It was signed by certificates issued to 'Amy Cherne' and 'Donald Gay.' The Donald Gay certificate has been used previously to sign malware linked to MuddyWater, a hacking group also known as Seedworm, Temp Zagros and Static Kitten that has been active since 2017 and is associated with the Iranian Ministry of Intelligence and Security (MOIS).
The backdoor was downloaded from two servers belonging to the Backblaze cloud storage company. The Donald Gay certificate was also used to sign a sample from the malware family the researchers track as 'Stagecomp,' which downloads the Darkcomp backdoor. The Stagecomp and the Darkcomp malware have been linked to MuddyWater by security vendors, including Google, Microsoft and Kaspersky.
While this malware wasn't seen on the targeted networks, the use of the same certificates suggests MuddyWater was involved, said the Threat Hunter Team. 'While we have disrupted these breaches, other organizations could still be vulnerable to attack,' the researchers added.
The campaign highlights the continued evolution of MuddyWater's tactics, including the use of legitimate cloud services for command-and-control and data exfiltration, as well as the adoption of modern runtimes like Deno to evade detection. Organizations are advised to monitor for suspicious activity involving signed executables and cloud storage usage.
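As an added illustration of the monitoring advice above, the following script is example code written for this page, not tooling from the Symantec/Carbon Black report or the article. It triages constructed, Sysmon-like process-creation events for the three behaviours the report describes: executables signed by the 'Amy Cherne' or 'Donald Gay' certificate subjects, scripts launched through the Deno runtime, and Rclone transfers to a cloud remote. The event field names (Host, Image, CommandLine, Signature), the host names, paths and the remote name are all assumptions made for the example.

```python
import shlex
from typing import Dict, List

# Certificate subjects the report names as signing Dindoor, Fakeset and Stagecomp samples.
SUSPICIOUS_SIGNERS = {"amy cherne", "donald gay"}
# Rclone subcommands that move data off the host to a remote.
RCLONE_TRANSFER_CMDS = {"copy", "copyto", "sync", "move", "moveto"}
# Deno subcommands that execute script code.
DENO_EXEC_CMDS = {"run", "eval"}


def _basename(path: str) -> str:
    # Accept both Windows and POSIX separators regardless of the host running this script.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(event: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one process-creation event (empty list if benign)."""
    findings: List[str] = []
    signer = event.get("Signature", "").strip().lower()
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    try:
        # posix=False keeps Windows backslashes intact instead of treating them as escapes.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        argv = cmdline.split()
    args = [a.lower() for a in argv[1:]]

    if signer in SUSPICIOUS_SIGNERS:
        findings.append(f"signed by certificate subject '{event['Signature']}'")

    if image in ("deno", "deno.exe") and any(a in DENO_EXEC_CMDS for a in args):
        findings.append("Deno runtime executing a script")

    if image in ("rclone", "rclone.exe") and args and args[0] in RCLONE_TRANSFER_CMDS:
        # rclone addresses cloud storage as 'remote:path'; a Windows drive letter such as
        # 'c:\dir' also contains a colon, so require the colon not to be the second character.
        remotes = [a for a in args[1:] if ":" in a and not (len(a) > 1 and a[1] == ":")]
        if remotes:
            findings.append(f"Rclone transfer to cloud remote {remotes[-1].split(':')[0]}")
    return findings


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the events that produced findings, with the findings attached."""
    flagged: List[Dict[str, object]] = []
    for ev in events:
        found = check_event(ev)
        if found:
            flagged.append({"host": ev.get("Host", "?"), "image": ev.get("Image", ""), "findings": found})
    return flagged


# Constructed sample events (not real telemetry); hosts, paths and the remote name are made up.
SAMPLE_EVENTS = [
    {"Host": "ws-0142", "Image": r"C:\Users\alice\AppData\Local\deno.exe",
     "CommandLine": r"deno.exe run -A C:\Users\alice\AppData\Local\update.ts",
     "Signature": "Amy Cherne"},
    {"Host": "srv-file01", "Image": r"C:\Tools\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Finance\exports wasabi-remote:example-bucket/exports",
     "Signature": ""},
    {"Host": "ws-0203", "Image": r"C:\Users\bob\AppData\Roaming\updater.exe",
     "CommandLine": "updater.exe", "Signature": "Donald Gay"},
    {"Host": "ws-0077", "Image": r"C:\Program Files\ExampleCorp\editor.exe",
     "CommandLine": r"editor.exe C:\Users\carol\notes.txt",
     "Signature": "Example Corp Code Signing"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['image']}")
        for line in hit["findings"]:
            print(f"    - {line}")
```

Run against the constructed events, the script flags the Deno launch (both for its signer and for the runtime), the Rclone copy to the cloud remote and the 'Donald Gay'-signed updater, and leaves the signed editor alone. In a real deployment the signer match would be one weak signal among several: the certificate subjects are easy to change, so the Deno and Rclone behavioural checks are the more durable part of the rule.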