Iranian APT Seedworm Targets U.S. and Israeli Interests Amid Regional Conflict


Starting in early February 2026, the Iranian state-aligned group Seedworm has been observed active on the networks of multiple U.S.-based organizations. This activity coincides with heightened regional tensions following military strikes on Iran. The campaign utilizes both known and previously undiscovered backdoors to target critical sectors.

Severity: High

Targeted Entities

  • U.S. Bank: Compromised with the newly identified “Dindoor” backdoor.
  • U.S. Airport: Infected with the “Fakeset” Python backdoor.
  • U.S. Software Company (Defense/Aerospace Supplier): Targeted primarily at its Israeli operations; observed data exfiltration attempts.
  • Non-Governmental Organizations (NGOs): Targets identified in both the U.S. and Canada.

Malware & Tooling

  • Dindoor (Backdoor): New discovery; leverages the Deno runtime for JS/TS execution.
  • Fakeset (Backdoor): Python-based; signed with certificates for “Amy Cherne” and “Donald Gay”.
  • Rclone (Dual-use Tool): Used in an attempt to exfiltrate data to a Wasabi cloud storage bucket.
  • Stagecomp (Malware): Used to download the Darkcomp backdoor; linked via shared certificates.

Infrastructure

  • Certificates: Malware signed by certificates issued to “Amy Cherne” and “Donald Gay”. The “Donald Gay” certificate has historical links to Seedworm.
  • Delivery/Storage: Fakeset was downloaded from Backblaze S3 buckets (gitempire and elvenforest).

Threat Actor Profile: Seedworm

  • Affiliation: Subordinate element of the Iranian Ministry of Intelligence and Security (MOIS).
  • Objective: Primarily classic espionage and information gathering.
  • Tactics: Known for custom malware, “living off the land” (LotL) techniques, and sophisticated social engineering/spear-phishing.
  • Recent Campaigns:
    • October 2025: Used the Phoenix backdoor to target 100+ government entities in the MENA region.
    • June–August 2025: Impersonated think tank experts (e.g., Suzanne Maloney) to target Middle East policy experts.

Broader Regional Threats

The conflict has activated other Iranian-aligned groups:

  • Handala: A hacktivist group conducting destructive wiper attacks and “hack-and-leak” operations against Israeli healthcare and energy sectors.
  • Marshtreader (Pink Sandstorm): Observed scanning for vulnerable cameras in Israel, likely to assist in bombing damage assessments.
  • Druidfly: Linked to BibiWiper, a destructive tool that overwrites the Master Boot Record (MBR).

Recommendations

  1. Implement MFA for all remote access points to prevent unauthorized entry via stolen credentials.
  2. Educate users on “MFA fatigue” attacks, in which actors flood users with push notifications to gain access.
  3. Ensure all web applications, plugins, and VPN appliances are regularly updated with the latest security patches.
  4. Block or restrict access to external cloud storage platforms (e.g., Wasabi, Backblaze) if they are not required for business operations. Look for unauthorized use of Rclone or large data transfers to Wasabi or Backblaze.
  5. Isolate backup infrastructure and enable immutable backups to mitigate the threat of wipers like BibiWiper.
  6. Block the IOCs listed in the VirusTotal collection below at their respective controls:
    https://www.virustotal.com/gui/collection/0072981391527603aa7aa40314204f3a8c1aa8f59e228ec6ee180e2e4d8b660a/iocs
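As an added illustration of the Rclone and cloud-storage monitoring in recommendation 4 (not code from the advisory or from Symantec), the following Python script correlates constructed proxy and process-creation records to flag hosts that both launched Rclone and pushed bulk data to Wasabi or Backblaze; the log format, the provider domain suffixes and the 500 MB threshold are assumptions.

```python
# Added example for the "look for Rclone / bulk transfers to Wasabi or
# Backblaze" recommendation; not Symantec's or Ampcus Cyber's code.
from collections import defaultdict
CLOUD_STORAGE_SUFFIXES = ("wasabisys.com", "backblazeb2.com")  # assumed suffixes
BULK_THRESHOLD_BYTES = 500 * 1024 * 1024  # assumed per-host threshold
# Constructed sample proxy and process-creation records (not real telemetry).
PROXY_LOG = [
    "2026-02-10T09:01:12Z host=ws-017 dst=s3.us-east-1.wasabisys.com bytes_out=734003200",
    "2026-02-10T09:02:40Z host=ws-022 dst=update.microsoft.com bytes_out=10240",
    "2026-02-10T09:05:03Z host=ws-017 dst=f000.backblazeb2.com bytes_out=52428800",
    "2026-02-10T09:07:19Z host=ws-041 dst=f002.backblazeb2.com bytes_out=4096",
]
PROCESS_LOG = [
    "2026-02-10T08:58:30Z host=ws-017 image=C:\\Users\\Public\\rclone.exe cmd=rclone copy D:\\share remote:bucket",
    "2026-02-10T09:00:01Z host=ws-022 image=C:\\Windows\\System32\\svchost.exe cmd=svchost.exe -k netsvcs",
]
def parse_kv(line):
    """Parse 'ts key=value ...'; a 'cmd=' field takes the rest of the line."""
    ts, _, rest = line.partition(" ")
    head, sep, cmd = rest.partition(" cmd=")
    fields = {"ts": ts, "cmd": cmd} if sep else {"ts": ts}
    for tok in head.split():
        k, _, v = tok.partition("=")
        fields[k] = v
    return fields

def is_cloud_storage(dst):
    # Exact match or subdomain only, so look-alike domains do not match.
    return any(dst == s or dst.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)

def detect_rclone(process_lines):
    """Return (host, image) for any process whose image file name is rclone*."""
    hits = []
    for f in map(parse_kv, process_lines):
        name = f.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.startswith("rclone"):
            hits.append((f["host"], f["image"]))
    return hits

def detect_bulk_cloud_transfers(proxy_lines, threshold=BULK_THRESHOLD_BYTES):
    """Sum bytes_out per host to the named providers; keep hosts over threshold."""
    totals = defaultdict(int)
    for f in map(parse_kv, proxy_lines):
        if is_cloud_storage(f.get("dst", "")):
            totals[f["host"]] += int(f.get("bytes_out", 0))
    return {h: b for h, b in totals.items() if b >= threshold}

def correlate(proxy_lines, process_lines):
    """Hosts that both launched rclone and pushed bulk data to those providers."""
    rclone_hosts = {h for h, _ in detect_rclone(process_lines)}
    return sorted(h for h in detect_bulk_cloud_transfers(proxy_lines) if h in rclone_hosts)
```

Either signal alone is noisy (Rclone has legitimate uses, and small transfers to these providers are common); the correlation is what narrows the list to hosts worth triaging.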

Source:

  • https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us
