Security News

Cybersecurity news aggregator

Severity: HIGH | Category: Attacks | Source: SecurityWeek

Iranian APT Hacked US Airport, Bank, Software Company

Broadcom's Symantec and Carbon Black threat hunting team reports that the Iranian state-sponsored actor MuddyWater (aka Seedworm) has been present since February in the networks of several US, Canadian and Israeli-linked organizations, among them an airport, a bank, an NGO and an aerospace and defense software contractor. The group deployed two new backdoors, Dindoor and the Python-based Fakeset, code-signed with certificates issued for 'Amy Cherne' and 'Donald Gay' (the latter already seen in earlier MuddyWater activity), and attempted to exfiltrate data. The observed intrusions have been disrupted, but the group's pre-existing access, which it kept using after US and Israeli strikes on Iran, means other organizations may still be compromised by the same actor.

Nation-State

The attacks, observed since February, show that Iranian hackers already have a presence in the networks of US organizations.

By Ionut Arghire | March 6, 2026 (6:31 AM ET)

The Iranian APT MuddyWater has hacked into the networks of several organizations in the US, including an aerospace and defense contractor, Broadcom's Symantec and Carbon Black threat hunting team reports.

The threat actor has been present in the environments of an airport, a bank, a non-governmental organization operating in the US and Canada, and a software company with a presence in Israel.

According to the Broadcom experts, the APT's activity has continued "in recent days following US and Israeli military strikes on Iran that have sparked conflict in the region".

The compromised software firm, an aerospace and defense contractor, also has a presence in Israel, making it a target of interest for MuddyWater hackers.

As part of the campaign, the APT deployed a new backdoor dubbed Dindoor on the networks of the software supplier's Israeli branch, the US bank, and the Canadian NGO. The backdoor is signed with a certificate issued for 'Amy Cherne'. The APT also attempted to exfiltrate data from the software company's Israeli branch.

Broadcom's cybersecurity team also discovered a Python backdoor dubbed Fakeset on the networks of a US airport and a non-profit organization. Fakeset was likewise signed with an Amy Cherne certificate, and also with a certificate issued for 'Donald Gay', which had been used in previous MuddyWater attacks.

The observed activity has been disrupted, but other organizations might still be vulnerable to compromise, the Symantec and Carbon Black team says.

"While it's not known if the operations of Seedworm are disrupted by the current conflict, already having a presence on U.S. and Israeli networks prior to the current hostilities beginning means the threat group is in a potentially dangerous position to launch attacks," the experts note.

Active since at least 2017 and also known as Mango Sandstorm, Mercury, Seedworm, and Static Kitten, MuddyWater has been officially linked by the US to the Iranian Ministry of Intelligence and Security (MOIS). The threat actor is known for targeting entities in the Middle East as part of espionage operations, and was seen last year deploying updated Android spyware during the Israel-Iran conflict.

Last year, Amazon detailed the APT's involvement in cyber-enabled kinetic targeting, hacking into live CCTV streams from Jerusalem in support of a missile attack.

Related:
- Iranian Strikes on Amazon Data Centers Highlight Industry's Vulnerability to Physical Disasters
- Iran Cyber Front: Hacktivist Activity Rises, but State-Sponsored Attacks Stay Low
- US-Israel and Iran Trade Cyberattacks: Pro-West Hacks Cause Disruption as Tehran Retaliates
- US Posts $10 Million Bounty for Iranian Hackers

Written by Ionut Arghire, international correspondent for SecurityWeek.
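The only concrete indicator the article gives is the name on the code-signing certificates ('Amy Cherne', 'Donald Gay'); it publishes no thumbprints, file hashes or paths. The following hunt is an added example, not code from SecurityWeek or Broadcom, and it assumes the signer name appears in the certificate Subject of the signed PE or script. It walks a set of hypothetical search roots, reads each file's Authenticode signature, and reports files whose signer matches, together with the thumbprint and the chain status, so that an analyst can pivot from a name match to a stronger indicator.

```powershell
# Added hunt example (not from the SecurityWeek article or Broadcom's report).
# Assumptions: the signer names from the article appear in the certificate
# Subject; the search roots below are hypothetical and should be replaced with
# the paths relevant to your environment. A name match is a triage lead, not a
# verdict: the same name could appear on an unrelated, legitimately issued cert.

$SuspectSigners = @('Amy Cherne', 'Donald Gay')                   # from the article
$SearchRoots    = @('C:\Users', 'C:\ProgramData', 'C:\Windows\Temp')  # hypothetical

function Find-SuspectSignedFiles {
    param(
        [Parameter(Mandatory)] [string[]] $Paths,
        [Parameter(Mandatory)] [string[]] $Signers
    )
    # Build one regex from the signer names so a single -match covers all of them.
    $pattern = ($Signers | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-ChildItem -Path $Paths -Recurse -File -Include *.exe, *.dll, *.sys, *.ps1 `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Unsigned files have no SignerCertificate; skip them here (they are
            # a separate, noisier hunt).
            if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -match $pattern) {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Subject    = $sig.SignerCertificate.Subject
                    Issuer     = $sig.SignerCertificate.Issuer
                    Thumbprint = $sig.SignerCertificate.Thumbprint   # pivot to this, not the name
                    NotBefore  = $sig.SignerCertificate.NotBefore
                    # Valid = chains to a trusted root; NotTrusted / HashMismatch
                    # / UnknownError are worth a closer look regardless of the name.
                    Status     = $sig.Status
                    SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

Find-SuspectSignedFiles -Paths $SearchRoots -Signers $SuspectSigners |
    Sort-Object Status, Path |
    Format-Table -AutoSize
```

Once a hit is confirmed, replace the name match with the certificate thumbprint and the file's SHA256 in your EDR or allow/deny lists; a code-signing certificate genuinely issued to a front identity will show `Status = Valid`, so a trusted chain alone does not clear the file.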
