This activity began in early February and has continued in recent days. This summary outlines what organizations should expect next from Iran-aligned groups and the steps they should take to guard against cyberattacks.
# Analysis Summary
# Threat Actor: Seedworm
## Attribution & Identity
* **Primary Name:** Seedworm
* **Known Aliases:** MuddyWater, TEMP.Zagros, Static Kitten
* **Known Associations:** Identified by CISA as a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).
## Activity Summary
Activity associated with Seedworm was detected starting in early February 2026 and has continued through March 2026. This campaign coincided with heightened regional tensions following military strikes involving the U.S., Israel, and Iran. The group has been observed maintaining a presence on U.S. and Israeli networks, positioning itself for potential intelligence gathering or further disruptive operations.
## Tactics, Techniques & Procedures
* **Execution Runtimes:** Use of **Deno** (secure JavaScript/TypeScript runtime) to execute backdoors.
* **Software Signing:** Use of stolen or fraudulent code-signing certificates issued to "Amy Cherne" and "Donald Gay" to sign malware.
* **Data Exfiltration:** Utilization of **Rclone** for automated data transfer to cloud storage.
* **Cloud Misuse:** Leveraging legitimate cloud providers (Wasabi and Backblaze) for command-and-control (C2) and data staging.
* **Custom Malware:** Development and deployment of specialized Python-based and JavaScript-based backdoors.
* **Living off the Land:** Extensive use of dual-use tools alongside custom-developed kits.
## Targeting
* **Sectors:** Banking/Finance, Aviation (Airports), Software/IT, Non-Governmental Organizations (NGOs), Defense, Aerospace, Telecommunications, and Energy.
* **Geography:** Primarily United States, Israel, and Canada (previously observed in Asia, Africa, and Europe).
* **Victims:**
  * An unnamed U.S. bank.
  * An unnamed U.S. airport.
  * A U.S. software company with operations in Israel (supplier to defense and aerospace).
  * Non-profit organizations in the U.S. and Canada.
## Tools & Infrastructure
* **Malware Families:**
  * **Dindoor:** A previously unknown JavaScript/TypeScript backdoor leveraging Deno.
  * **Fakeset:** A Python-based backdoor.
  * **Stagecomp:** A downloader.
  * **Darkcomp:** A backdoor typically downloaded via Stagecomp.
* **Infrastructure:**
  * **Cloud Buckets:** `wasabi[.]com`, `gitempire[.]s3[.]us-east-005[.]backblazeb2[.]com`, `elvenforest[.]s3[.]us-east-005[.]backblazeb2[.]com`
  * **C2 / Management Domains:**
    * `uppdatefile[.]com`
    * `serialmenot[.]com`
    * `moonzonet[.]com`
## Implications
Seedworm’s persistent access to critical infrastructure and defense-related software providers suggests a strategic objective of long-term espionage. Because the group established access before and during active military conflict, it remains in a high-leverage position to shift from espionage to disruptive activity if directed by the Iranian state.
## Mitigations
* **Certificate Auditing:** Monitor and audit certificate-signed binaries; specifically flag or block certificates issued to "Amy Cherne" or "Donald Gay."
* **Runtime Control:** Restrict the use of unauthorized developer runtimes such as Deno on non-developer endpoints.
* **Cloud Monitoring:** Implement strict monitoring and egress filtering for Rclone activity to unconventional cloud storage providers like Wasabi or Backblaze S3 buckets.
* **Endpoint Defense:** Ensure EDR solutions are configured to detect unexpected Python interpreter execution and suspicious JavaScript execution patterns.
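One way to turn the indicators listed under Tools & Infrastructure and the four mitigations above into concrete detection logic, as an added example that is not part of the report or of any vendor's product: the script refangs the defanged domains and bucket hosts from the report, then runs four rules over endpoint telemetry (DNS lookups of C2 or bucket hosts, binaries signed by the flagged certificate subjects, developer runtimes on non-developer hosts, and Rclone network connections to the named storage providers). The `key=value` log format, the hostnames, the `DEVELOPER_HOSTS` allowlist, the runtime process names and every sample line are constructed for this example; only the domains, bucket hosts, provider names and certificate subjects come from the report.

```python
"""Added detection example (not from the report): apply the Seedworm
indicators and mitigations to constructed endpoint telemetry."""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators exactly as the report lists them, kept defanged so they are not
# resolved by accident; refang() converts them into matchable hostnames.
C2_DOMAINS_DEFANGED = ["uppdatefile[.]com", "serialmenot[.]com", "moonzonet[.]com"]
BUCKET_HOSTS_DEFANGED = [
    "gitempire[.]s3[.]us-east-005[.]backblazeb2[.]com",
    "elvenforest[.]s3[.]us-east-005[.]backblazeb2[.]com",
]
# Certificate subjects the report says to flag or block (compared case-insensitively).
FLAGGED_SIGNERS = {"amy cherne", "donald gay"}
# Storage providers named in the report; Rclone traffic to them from a host
# with no business need is the egress signal the mitigations describe.
CLOUD_STORAGE_SUFFIXES = ("wasabi.com", "backblazeb2.com")
# Constructed assumption: process names for the runtimes the mitigations restrict.
RESTRICTED_RUNTIMES = {"deno", "deno.exe", "python", "python.exe", "python3"}
RCLONE_IMAGES = {"rclone", "rclone.exe"}
# Constructed allowlist of hosts where developer runtimes are expected.
DEVELOPER_HOSTS = {"dev-build01"}


def refang(ioc: str) -> str:
    """Turn 'example[.]com' back into 'example.com'."""
    return ioc.replace("[.]", ".").lower()


KNOWN_BAD_HOSTS = {refang(h) for h in C2_DOMAINS_DEFANGED + BUCKET_HOSTS_DEFANGED}


def host_matches(name: str, candidates: Iterable[str]) -> bool:
    """True if name equals a candidate or is a subdomain of one."""
    n = name.lower().rstrip(".")
    return any(n == c or n.endswith("." + c) for c in candidates)


# Constructed telemetry format: space-separated key=value pairs, values may be quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one telemetry line into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Apply the report's mitigations to one event; return (rule, host, detail) alerts."""
    alerts: List[Tuple[str, str, str]] = []
    host = event.get("host", "?")
    kind = event.get("type")
    image = basename(event.get("image", ""))
    if kind == "dns" and host_matches(event.get("query", ""), KNOWN_BAD_HOSTS):
        alerts.append(("c2_or_bucket_lookup", host, event["query"]))
    if kind == "process":
        signer = event.get("signer", "")
        if signer.lower() in FLAGGED_SIGNERS:
            alerts.append(("flagged_signer", host, f"{image} signed by {signer}"))
        if image in RESTRICTED_RUNTIMES and host not in DEVELOPER_HOSTS:
            alerts.append(("runtime_on_nondev_host", host, image))
    if kind == "net" and image in RCLONE_IMAGES:
        if host_matches(event.get("dest", ""), CLOUD_STORAGE_SUFFIXES):
            alerts.append(("rclone_cloud_egress", host, event["dest"]))
    return alerts


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Run every rule over every line and collect the alerts in order."""
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        alerts.extend(evaluate(parse_event(line)))
    return alerts


# Constructed sample telemetry (hosts, paths and the benign entries are made up).
SAMPLE_TELEMETRY = [
    'type=dns host=ws-fin-17 query=uppdatefile.com',
    'type=dns host=ws-fin-17 query=www.example.org',
    'type=process host=ws-fin-17 image="C:\\Users\\j.doe\\AppData\\Local\\Temp\\svc.exe" signer="Amy Cherne"',
    'type=process host=ws-fin-17 image="C:\\Users\\j.doe\\AppData\\Local\\deno\\deno.exe" signer=""',
    'type=process host=dev-build01 image=/usr/local/bin/deno signer=""',
    'type=net host=ws-fin-17 image="C:\\Tools\\rclone.exe" dest=elvenforest.s3.us-east-005.backblazeb2.com port=443',
    'type=net host=ws-fin-17 image="C:\\Program Files\\Browser\\browser.exe" dest=cdn.example.net port=443',
]

if __name__ == "__main__":
    for rule, host, detail in scan(SAMPLE_TELEMETRY):
        print(f"[{rule}] {host}: {detail}")
```

The allowlist approach matters for the runtime rule: Deno and Python are legitimate on build hosts, so the rule keys on where they run rather than on their presence, which is what the report's "non-developer endpoints" wording implies. The Rclone rule deliberately matches on the observed destination rather than the command line, since Rclone command lines normally reference a configured remote name and not the provider hostname.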