Iran-Linked MuddyWater Deploys Dindoor Backdoor Against US Banks, Airports, and Defense Software Supplier
Broadcom's Symantec and Carbon Black Threat Hunter Team have identified a new campaign by Iranian state-sponsored group MuddyWater (Seedworm), which has embedded itself in several US organisations including banks, airports, a non-profit, and the Israeli arm of a defense and aerospace software supplier using a previously undocumented backdoor called Dindoor. The campaign is assessed to have begun in early February 2026, with recent activity detected following US and Israeli military strikes on Iran, and is attributed to MuddyWater's affiliation with Iran's Ministry of Intelligence and Security (MOIS). The targeting of a defense-sector software supplier's Israeli office signals an attempt to move laterally into broader defense and aerospace supply chains through a trusted vendor's infrastructure.
Key Takeaways
- MuddyWater (aka Seedworm, MOIS-affiliated) deployed a new backdoor named Dindoor across US banks, US airports, a Canadian non-profit, and the Israeli arm of a defense/aerospace software supplier — campaign began early February 2026
- Broadcom Symantec and Carbon Black Threat Hunter Team published joint findings; the software supplier "is a supplier to the defense and aerospace industries" — its Israel operation appears to be the primary target
- Activity escalated following US and Israeli military strikes on Iran; MOIS-linked campaigns targeting Western financial, transport, and defense-adjacent infrastructure represent a significant supply-chain and critical-infrastructure threat vector
Original source: The Hacker News / Broadcom Symantec