Full Report
Symantec researchers identified cyber activity linked to the Iranian advanced persistent threat group Seedworm across the networks of... The post Symantec reports Iranian Seedworm hackers infiltrate US infrastructure and defense supply chain networks appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Seedworm
## Attribution & Identity
* **Name/Alias:** Seedworm
* **Other Known Aliases:** MuddyWater, Static Kitten, TEMP.Zagros, Mercury.
* **Associated Groups:** Identified by CISA as a subordinate element within the **Iranian Ministry of Intelligence and Security (MOIS)**.
* **Background:** A long-standing Iranian advanced persistent threat (APT) group active since at least 2017.
## Activity Summary
Beginning in early February 2026, Seedworm launched a campaign targeting U.S. and North American infrastructure. This activity follows escalating regional tensions and military strikes involving the U.S., Israel, and Iran. The campaign is characterized by reconnaissance and the establishment of persistent footholds in strategically relevant Western networks, likely for espionage and information gathering.
## Tactics, Techniques & Procedures
* **Custom Malware Development:** Design and deployment of bespoke backdoors.
* **Living off the Land (LotL):** Use of dual-use and legitimate Windows/command-line tools to evade detection.
* **Certificate Abuse:** Signing of malicious payloads with stolen or fraudulently obtained code-signing certificates issued in the names "Amy Cherne" and "Donald Gay", so the binaries pass signature checks that block unsigned code.
* **Cloud Service Abuse:** Use of legitimate cloud storage services (abuse of the service, not exploitation of a flaw in it) to stage payloads and receive exfiltrated data.
* **Data Exfiltration:** Use of `Rclone`, a legitimate command-line sync tool, to copy stolen data to attacker-controlled cloud storage buckets.
* **Execution Environments:** Deployment of the Deno runtime (a standalone JavaScript/TypeScript runtime) so that the backdoor runs as a script under the interpreter rather than as a compiled binary.
## Targeting
* **Sectors:** Banking/Finance, Aviation (Airports), Non-Governmental Organizations (NGOs), Software, Defense Supply Chain, Aerospace, and Critical National Infrastructure (CNI).
* **Geography:** Primarily United States, Canada, and Israel. Historically active in the Middle East, Asia, Africa, and Europe.
* **Victims:**
* An unnamed U.S. bank.
* An unnamed U.S. airport.
* Canadian and U.S. non-profits (NGOs).
* The Israeli branch of a U.S. software company supplying defense and aerospace industries.
## Tools & Infrastructure
* **Malware Families:**
* **Dindoor:** A newly identified JavaScript-based backdoor using the Deno runtime.
* **Fakeset:** A Python-based backdoor.
* **Stagecomp / Darkcomp:** Dropper and backdoor previously associated with the actor.
* **Infrastructure:**
* **Cloud Storage:** Backblaze (malware hosting), Wasabi (suspected exfiltration target).
* **Command Line Tools:** `Rclone`.
* **Code-Signing Certificates:** Issued to "Amy Cherne" and "Donald Gay".
## Implications
The shift in targeting toward U.S. critical infrastructure and defense supply chains suggests a strategic pivot or expansion by Iranian intelligence. These operations are likely aimed at long-term access for "just-in-case" disruptive capabilities or high-value espionage. The use of legitimate cloud services and signed binaries reflects a maturing toolkit designed to bypass traditional perimeter defenses and automated sandboxes.
## Mitigations
* **Enhanced Monitoring:** Increase scrutiny of terminal operating systems, schedules, and interfaces (rail, trucking and aviation baggage-handling systems).
* **Binary Integrity:** Implement strict application allowlisting and alert when a binary appears that is signed by a certificate issued to "Amy Cherne" or "Donald Gay", or more generally by a signer with no known presence in your environment.
* **Cloud Traffic Analysis:** Monitor outbound traffic to cloud storage providers such as Wasabi and Backblaze and restrict it to authorised corporate accounts and hosts; any other source is a candidate exfiltration channel.
* **Runtime Security:** Audit endpoints for unauthorised copies of `deno.exe` or `rclone.exe`. Neither is malicious by itself, so baseline legitimate use first and alert on deviations from it.
* **Network Segmentation:** Isolate contractor networks and passenger processing systems from core operational technology (OT) and sensitive data environments.
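A detection pass that covers the three host- and network-side mitigations above (signer watchlist, cloud-storage egress, presence of the Deno and Rclone binaries), as an added example: this is the editor's code, not Symantec's or Industrial Cyber's. The events are constructed, Sysmon-style records; the `Signature` field on the process events (Sysmon itself only reports signers on image-load events, so treat it as EDR enrichment), the `.backblazeb2.com` and `.wasabisys.com` endpoint suffixes, and the `backup01` allowlist are assumptions.

```python
"""Hunt for the Seedworm tradecraft summarised above in process-creation and
network-connection telemetry. Editor-added example, not code from the report.
Assumptions: Signature on process events comes from EDR enrichment; the domain
suffixes are the public Backblaze B2 / Wasabi S3-compatible endpoints."""
from dataclasses import dataclass

# From the report: names on the abused code-signing certificates.
SUSPICIOUS_SIGNERS = {"amy cherne", "donald gay"}
# From the report: dual-use tooling the actor deploys.
WATCHED_BINARIES = {"deno.exe", "rclone.exe"}
# Assumption: public endpoint suffixes for the two providers named in the report.
CLOUD_STORAGE_SUFFIXES = (".backblazeb2.com", ".wasabisys.com")
# Assumption: the only hosts authorised to talk to those providers (corporate backup).
AUTHORISED_CLOUD_HOSTS = {"backup01"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def image_name(image: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Rules for a process-creation event (EventID 1)."""
    out = []
    host = ev.get("Computer", "unknown")
    image = ev.get("Image", "")
    name = image_name(image)
    if name in WATCHED_BINARIES:
        out.append(Finding("watched_binary", host, f"{name} executed: {ev.get('CommandLine', '')}"))
    signer = ev.get("Signature", "").strip().lower()
    if signer in SUSPICIOUS_SIGNERS:
        out.append(Finding("suspicious_signer", host, f"{image} signed by '{ev['Signature']}'"))
    return out


def check_network(ev: dict) -> list:
    """Rules for a network-connection event (EventID 3): flag cloud-storage
    egress from any host that is not on the allowlist."""
    host = ev.get("Computer", "unknown")
    dest = ev.get("DestinationHostname", "").lower()
    if not dest.endswith(CLOUD_STORAGE_SUFFIXES) or host.lower() in AUTHORISED_CLOUD_HOSTS:
        return []
    proc = image_name(ev.get("Image", ""))
    return [Finding("unauthorised_cloud_storage", host,
                    f"{proc} -> {dest}:{ev.get('DestinationPort')}")]


def hunt(events: list) -> list:
    """Run every rule over a batch of events and return all findings in order."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            findings.extend(check_process(ev))
        elif ev.get("EventID") == 3:
            findings.extend(check_network(ev))
    return findings


# Constructed sample telemetry (not real data): two dual-use binaries signed with
# the watchlisted names, Rclone talking to Wasabi from a workstation, a legitimate
# backup host talking to Backblaze, and a benign Microsoft-signed process.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws-1042", "Image": r"C:\Users\jdoe\AppData\Local\deno\deno.exe",
     "CommandLine": r"deno.exe run -A C:\Users\jdoe\AppData\Local\Temp\update.js",
     "Signature": "Amy Cherne"},
    {"EventID": 1, "Computer": "ws-1042", "Image": r"C:\ProgramData\rc\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Finance remote:bkt --transfers 8",
     "Signature": "Donald Gay"},
    {"EventID": 3, "Computer": "ws-1042", "Image": r"C:\ProgramData\rc\rclone.exe",
     "DestinationHostname": "s3.us-east-1.wasabisys.com", "DestinationPort": 443},
    {"EventID": 3, "Computer": "backup01", "Image": r"C:\Program Files\Backup\agent.exe",
     "DestinationHostname": "s3.us-west-002.backblazeb2.com", "DestinationPort": 443},
    {"EventID": 1, "Computer": "ws-2001", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Against the sample batch the pass raises five findings: both dual-use binaries, both watchlisted signers, and the Wasabi connection from the workstation, while the backup host's Backblaze traffic and the notepad launch stay quiet. In production the allowlist and the suffix list are the knobs to tune; the signer watchlist should be extended with any certificate that has no business in your estate rather than limited to the two names the report gives.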