Critical APT Campaign

MuddyWater Surfaces in U.S. Critical Infrastructure With a Backdoor Built on JavaScript

MuddyWater deploys Dindoor backdoor using Deno JavaScript runtime against US banks, airports, and defense contractors. Campaign ties directly to Iran-US conflict escalation. Wiper threats and camera exploitation support kinetic military operations.

By Danny, Mar 8, 2026

Threat Actor: MuddyWater / Seedworm
Attribution: Iran
Attack Vector: Deno Runtime Backdoor / Cloud C2 / Credential Theft

If you've been watching the news lately, you know the Middle East is on fire — and I don't mean that metaphorically. U.S. and Israeli military strikes on Iran have turned an already volatile region into something resembling a powder keg with a lit fuse. What doesn't make the evening news quite as often is the digital front of that conflict, which is where things get really interesting for anyone who defends networks for a living.

Broadcom's Symantec and Carbon Black Threat Hunter Team just dropped a report that should make every security professional sit up a little straighter. MuddyWater, the Iranian state-sponsored hacking group affiliated with the Ministry of Intelligence and Security, has been quietly embedding itself in the networks of several U.S. organizations since early February. We're not talking about some obscure targets either — they've compromised networks belonging to banks, airports, a non-profit organization, and perhaps most concerning, a software company that supplies the defense and aerospace industries.

The group appears to have been particularly interested in that software company's Israeli operations, which tracks perfectly with Iran's geopolitical objectives. When your supreme leader just got assassinated and your country is eating cruise missiles, you tend to get creative about gathering intelligence on the people responsible.

What caught my attention in this campaign is the attackers' choice of tooling. MuddyWater is deploying a previously unknown backdoor called Dindoor, and here's the twist that will make every JavaScript developer in your organization feel a little queasy — it runs on the Deno JavaScript runtime. For those unfamiliar, Deno is essentially a modern reimagining of Node.js created by its original developer, designed to be more secure and efficient. Apparently, Iranian intelligence decided that "more secure" also means "great for malware." There's a certain dark irony in weaponizing a tool explicitly built with security improvements in mind.

The Dindoor backdoor gives attackers persistent access to compromised networks while blending in with legitimate development tooling that increasingly shows up in enterprise environments. This is classic APT tradecraft — why write custom malware in C when you can leverage trusted runtimes that defenders are less likely to flag as suspicious?

Alongside Dindoor, researchers also discovered the group deploying Fakeset, a Python-based backdoor downloaded from Backblaze's cloud storage infrastructure. Using legitimate cloud services for malware staging is old hat for MuddyWater at this point, but it remains effective because security teams can't exactly block access to major cloud providers without breaking half their organization's workflows.

What happens after MuddyWater establishes a foothold? They go shopping for data. Researchers identified attempts to exfiltrate information from the compromised defense software company using Rclone, a command-line program that syncs files to cloud storage. The attackers were pushing data to Wasabi, a cloud storage provider that bills itself as an affordable alternative to AWS S3. Whether the exfiltration succeeded remains unclear, but the intent is obvious — they wanted whatever that company knew about defense and aerospace operations, especially anything relating to Israel.
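Two of the behaviours described above, a backdoor hosted on the Deno runtime and Rclone pushing data to a cloud storage remote, both leave a recognisable trace in process-creation telemetry. The following is an added detection example written for this article; it is not code from the Symantec report, from MuddyWater's tooling or from any product. The host names, users, paths, remote name and the event records themselves are constructed. The Deno permission flags (-A, --allow-net, --allow-run) and the rclone subcommands (copy, sync, move) are real CLI syntax; the parent-process lists are assumptions a team would tune to its own environment.

```python
"""Flag Deno launched with broad permissions from a non-developer parent,
and rclone transfer commands whose destination is a cloud remote.
All events below are constructed for this example, not real telemetry."""
import re
import shlex
from dataclasses import dataclass

# Constructed EDR/Sysmon-style process-creation events.
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "jdoe", "parent": "code.exe",
     "cmdline": "deno run --allow-net --allow-read src/server.ts"},
    {"host": "ws-077", "user": "svc_backup", "parent": "wscript.exe",
     "cmdline": "deno run -A --quiet C:\\Users\\Public\\update.js"},
    {"host": "fs-01", "user": "admin", "parent": "explorer.exe",
     "cmdline": "rclone copy D:\\Projects remote:bucket/sync --transfers 8"},
    {"host": "fs-01", "user": "admin", "parent": "explorer.exe",
     "cmdline": "rclone config show"},
    {"host": "ws-042", "user": "jdoe", "parent": "powershell.exe",
     "cmdline": "python -m http.server 8000"},
]

# Assumed allow-list of parents from which a developer normally runs Deno.
DEV_PARENTS = {"code.exe", "cmd.exe", "pwsh.exe", "bash", "zsh", "wt.exe"}
# Real Deno flags that grant network/process access or everything at once.
DENO_BROAD_PERMS = {"-A", "--allow-all", "--allow-net", "--allow-run"}
# Real rclone subcommands that move data to a remote.
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def is_cloud_remote(token: str) -> bool:
    """True for an rclone 'remote:path' token; False for a drive path like D:\\x."""
    if re.match(r"^[A-Za-z]:[\\/]", token):
        return False
    return re.match(r"^[A-Za-z0-9_.-]+:", token) is not None


def inspect_event(ev: dict) -> list[Alert]:
    """Apply both rules to one process-creation event."""
    alerts: list[Alert] = []
    # posix=False keeps Windows backslashes intact instead of treating them as escapes.
    argv = shlex.split(ev["cmdline"], posix=False)
    exe = argv[0].lower().replace("/", "\\").rsplit("\\", 1)[-1]
    parent = ev["parent"].lower()

    if exe in ("deno", "deno.exe") and "run" in argv[1:]:
        perms = {a for a in argv if a in DENO_BROAD_PERMS}
        if perms and parent not in DEV_PARENTS:
            alerts.append(Alert(ev["host"], "deno-nondev-parent",
                                f"deno run with {sorted(perms)} spawned by {ev['parent']} "
                                f"as {ev['user']}"))

    if exe in ("rclone", "rclone.exe") and len(argv) > 1 and argv[1] in RCLONE_TRANSFER_VERBS:
        remotes = [a for a in argv[2:] if is_cloud_remote(a)]
        if remotes:
            alerts.append(Alert(ev["host"], "rclone-cloud-transfer",
                                f"rclone {argv[1]} to {remotes[0]} by {ev['user']}"))
    return alerts


def run_detections(events: list[dict]) -> list[Alert]:
    """Run inspect_event over a batch and return every alert raised."""
    return [a for ev in events for a in inspect_event(ev)]


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

The first rule deliberately lets the developer's own `deno run --allow-net` from VS Code pass: Deno in an enterprise is not suspicious on its own, which is the whole point of the tradecraft the article describes, so the signal comes from the combination of broad permissions and an unexpected parent. The rclone rule keys on the remote syntax rather than on a provider name, so a push to Wasabi, Backblaze or any other configured remote is caught without maintaining a provider list.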

The technical indicators connecting these intrusions are solid. Digital certificates used to sign Fakeset have also been used to sign Stagecomp and Darkcomp malware, both previously attributed to MuddyWater. When you see the same signing certificates across multiple tools and campaigns, you're looking at a unified operation, not a coincidence.

This campaign doesn't exist in a vacuum. It's part of what researchers are calling Iran's broader cyber response to the ongoing conflict. Check Point has documented the pro-Palestinian hacktivist group Handala Hack routing operations through Starlink IP ranges to probe for misconfigurations and weak credentials in externally facing applications. Multiple Iran-nexus adversaries including Agrius, Charming Kitten, OilRig, and Fox Kitten have all shown "clear signs of activation and rapid retooling" according to LevelBlue's threat intelligence team.

The targeting extends beyond traditional IT infrastructure. Iranian groups have significantly increased their scanning for vulnerable Hikvision cameras and video intercom solutions, weaponizing old vulnerabilities like CVE-2017-7921 and CVE-2021-36260 alongside newer flaws. Check Point's analysis suggests this camera compromise activity directly supports Iranian missile operations, potentially providing battle damage assessment before and after strikes. If that assessment is accurate, compromising a security camera isn't just a privacy violation anymore — it's battlefield intelligence gathering.

The Financial Times reported something that reads like a spy novel: Israeli intelligence had been inside Tehran's traffic camera network for years, monitoring the movements of Ayatollah Khamenei's bodyguards and other top officials. That surveillance reportedly played a role in the recent assassination of the supreme leader. Cyber capabilities feeding into kinetic military operations isn't new, but we're seeing it play out in real-time at a scale and visibility that's genuinely unprecedented.

Active wiper campaigns are also underway against Israeli energy, financial, government, and utilities sectors. Iran's wiper arsenal now includes more than fifteen distinct malware families including ZeroCleare, Meteor, Dustman, DEADWOOD, Apostle, and several others. These aren't tools for intelligence gathering — they're digital weapons designed purely to destroy data and disrupt operations.

Iranian cyber doctrine has evolved significantly over the past few years. UltraViolet Cyber's analysis notes that rather than prioritizing zero-day exploitation or novel malware, Iranian operators focus on repeatable access techniques. Password spraying, credential theft, and social engineering form the foundation of their initial access strategy, followed by persistence through widely deployed enterprise services. They're not necessarily the most sophisticated threat actor in the game, but they're effective, persistent, and increasingly well-resourced.
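Password spraying, named above as the foundation of this initial-access playbook, has a simple signature in authentication logs: one source failing against many distinct accounts with only one or two attempts each, often followed by a single success. The following detector is an added example for this article, not code from any of the cited vendors; the log format, the timestamps, the account names and the source addresses (taken from the documentation address ranges) are all constructed, and the ten-minute window and five-account threshold are starting assumptions to be tuned.

```python
"""Detect a password-spray pattern in constructed authentication log lines:
one source, many distinct accounts, few attempts each, inside a time window."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log; not real authentication data.
SAMPLE_AUTH_LOG = """\
2026-03-01T08:00:01Z src=203.0.113.5 user=alice result=FAIL
2026-03-01T08:00:04Z src=203.0.113.5 user=bob result=FAIL
2026-03-01T08:00:07Z src=203.0.113.5 user=carol result=FAIL
2026-03-01T08:00:10Z src=203.0.113.5 user=dave result=FAIL
2026-03-01T08:00:13Z src=203.0.113.5 user=erin result=FAIL
2026-03-01T08:00:16Z src=203.0.113.5 user=frank result=SUCCESS
2026-03-01T08:01:00Z src=198.51.100.9 user=alice result=FAIL
2026-03-01T08:01:05Z src=198.51.100.9 user=alice result=FAIL
2026-03-01T08:01:10Z src=198.51.100.9 user=alice result=SUCCESS
2026-03-01T09:30:00Z src=192.0.2.44 user=gina result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


@dataclass
class AuthEvent:
    ts: datetime
    src: str
    user: str
    success: bool


def parse_auth_log(text: str) -> list[AuthEvent]:
    """Parse the constructed key=value format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(AuthEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            src=m["src"],
            user=m["user"],
            success=(m["result"] == "SUCCESS"),
        ))
    return sorted(events, key=lambda e: e.ts)


def detect_password_spray(events: list[AuthEvent],
                          window: timedelta = timedelta(minutes=10),
                          min_users: int = 5) -> dict:
    """Return {src: {"users": [...], "success_after": bool}} for every source whose
    failures inside one sliding window touched at least min_users distinct accounts.
    A single account hammered many times (classic brute force) does not trigger this,
    because the distinct-user count stays at one."""
    by_src: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e.success]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits inside `window`.
            while fails[end].ts - fails[start].ts > window:
                start += 1
            users = {e.user for e in fails[start:end + 1]}
            if len(users) >= min_users:
                # A success from the same source after the spray is the high-priority case.
                last_fail = fails[end].ts
                success_after = any(e.success and e.ts >= last_fail for e in evs)
                findings[src] = {"users": sorted(users), "success_after": success_after}
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        flag = "SUCCESS FOLLOWED" if info["success_after"] else "no success seen"
        print(f"spray from {src}: {len(info['users'])} accounts, {flag}")
```

Run against the sample, the detector reports only 203.0.113.5: five accounts failed within twelve seconds and a sixth then logged in, which is the case that should page someone. The second source fails twice against one account and then succeeds, which is a user mistyping a password and not a spray, and the third is a lone failure.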

The Canadian Centre for Cyber Security issued an advisory cautioning that Iran will likely use its cyber apparatus to stage retaliatory attacks against critical infrastructure and information operations. Western organizations need to remain on high alert as the conflict continues and activity potentially escalates beyond hacktivism into genuinely destructive operations.

The recommendations are nothing revolutionary, but they bear repeating. Organizations should strengthen monitoring capabilities around identity systems and cloud control planes since that's where Iranian operators consistently focus their attention. Limit exposure to the internet wherever possible and disable remote access to operational technology systems unless absolutely necessary. Phishing-resistant multi-factor authentication should be mandatory, not optional. Network segmentation limits lateral movement when the inevitable breach occurs. Offline backups ensure that wipers can't destroy your ability to recover. And for the love of everything, patch your internet-facing applications, VPN gateways, and edge devices — because those are exactly what Iranian reconnaissance operations are scanning for right now.

The intersection of cyber operations and kinetic warfare in the current Middle East conflict represents something we've been warning about for years. State-sponsored hackers aren't just stealing data anymore. They're providing targeting intelligence, disrupting critical infrastructure, and supporting military operations in ways that blur the line between cyber conflict and actual war. MuddyWater embedding itself in U.S. banks and airports isn't just corporate espionage — it's positioning for potential escalation.

If your organization has any connection to defense, aerospace, financial services, or critical infrastructure, now would be an excellent time to assume you're already a target and act accordingly. The hackers certainly are.

Target Sectors

Financial Services, Aviation, Defense, Critical Infrastructure

Target Regions

United States, Israel

Tags

MuddyWater, Seedworm, Iran, Dindoor, Deno, JavaScript, MOIS, Wiper, Critical Infrastructure, Geopolitical