Full Report
An Iranian cyber crew believed to be part of the Iranian Ministry of Intelligence and Security (MOIS) has been embedded in multiple US companies’ networks – including a bank, software firm, and airport, among others – since the beginning of February, with more activity in the days following the US and Israeli military strikes, according…
Analysis Summary
# Threat Actor: MuddyWater
## Attribution & Identity
* **Identification:** MuddyWater
* **Aliases:** Seedworm, Static Kitten
* **Associations:** Believed to be a subordinate element of the **Iranian Ministry of Intelligence and Security (MOIS)**.
* **Regulatory/Government Recognition:** Formally attributed to the MOIS by the FBI, CISA, and the UK’s National Cyber Security Centre (NCSC).
## Activity Summary
* **Timeline:** The actor has been active since approximately 2018. The current campaign described in the article began in **early February 2026**, showing a surge in activity following US and Israeli military strikes against Iranian interests.
* **Status:** The group has successfully embedded itself in multiple US corporate networks, maintaining persistent access through backdoors.
## Tactics, Techniques & Procedures
* **Network Persistence:** Maintains long-term access ("embedded") within victim networks.
* **Deployment of Backdoors:** Use of a previously unknown, custom backdoor discovered by security researchers at Symantec and Carbon Black.
* **Operational Security:** Known for evolving TTPs to evade detection by standard security monitoring tools.
## Targeting
* **Sectors:**
  * Financial Services (Banking)
  * Information Technology (Software firms)
  * Transportation (Airports)
  * Critical Infrastructure
* **Geography:** Primarily the **United States** (in the current campaign), with historical targeting across the Middle East, Europe, and North America.
* **Victims:** While specific names were not disclosed, victims include a US bank, a US software firm, and a US airport.
## Tools & Infrastructure
* **Malware Families:**
  * Unknown custom backdoor (uncovered in the most recent February 2026 activity).
  * Historical use of diverse remote access trojans (RATs) and script-based malware.
* **Infrastructure:**
  * The article references the use of Indicators of Compromise (IoCs) shared by third parties and analyzed by Symantec and Carbon Black.
  * *Note: Specific defanged IPs or C2 domains were not provided in the source text.*
## Implications
* **Strategic Escalation:** The timing of the campaign suggests that MuddyWater is being used as a tool for retaliatory signaling or intelligence gathering in response to kinetic military actions (US/Israeli strikes).
* **Persistent Threat:** The ability to remain embedded in high-value targets like banks and airports since early February indicates a high level of operational maturity and a significant risk of data exfiltration or potential future disruptive actions.
## Mitigations
* **Indicator Matching:** Organizations should review historical network logs for IoCs associated with MuddyWater/Seedworm provided by CISA and the FBI.
* **Anomaly Detection:** Focus on identifying unauthorized backdoors and unusual outbound traffic to suspicious infrastructure.
* **Threat Hunting:** Conduct proactive hunts within critical infrastructure networks, specifically looking for signs of persistence that may have bypassed automated alerts during the February timeframe.
* **Patch Management:** Ensure all public-facing assets are patched to prevent the initial access vectors commonly exploited by MOIS-linked groups.