Ethical Hacking News
An Iranian cyber crew believed to be part of the Iranian Ministry of Intelligence and Security (MOIS) has been embedded in multiple US companies' networks - including a bank, software firm, and airport - since the beginning of February, according to security researchers. The attackers used custom-made backdoors and Rclone to gain unauthorized access to the compromised networks.
Iranian cyberattacks attributed to Iranian intelligence groups have compromised networks and left backdoors and malicious code. An Iranian cyber crew is believed to be embedded in multiple US companies' networks, including a bank, software firm, and airport, since February. A previously unknown backdoor called Fakeset was found on the airport's networks as well as those of a US nonprofit. The attackers used custom-made backdoors and Rclone, a secure runtime for JavaScript and TypeScript, to gain unauthorized access to compromised networks. The Iranian intelligence group appears to be highly organized and well-resourced, with serious implications for national security and cybersecurity.
The recent surge in cyberattacks attributed to Iranian intelligence groups has left a trail of compromised networks, backdoors, and malicious code in its wake. According to security researchers, an Iranian cyber crew believed to be part of the Iranian Ministry of Intelligence and Security (MOIS) has been embedded in multiple US companies' networks - including a bank, software firm, and airport, among others - since the beginning of February.
Symantec and Carbon Black's Threat Hunter Team uncovered the network activity, plus a previously unknown backdoor, after a third party shared indicators of compromise linked to MuddyWater (aka Seedworm, Static Kitten). The researchers found that the Iranian intelligence group had been using custom-made backdoors in its attacks, which allowed it to gain unauthorized access to the compromised networks.
The affected organizations include non-governmental organizations in both the US and Canada, as well as a security researcher who has previously worked on similar projects. However, it is unclear what specific information or resources were being sought by the Iranian intelligence group. Brigid O Gorman, senior intelligence analyst with the Symantec and Carbon Black Threat Hunter Team, told The Register that "already having a presence on US and Israeli networks prior to the current hostilities beginning places the threat group in a potentially dangerous position to launch attacks."
The recent surge in cyberattacks attributed to Iranian intelligence groups has raised concerns about their capabilities and intentions. MuddyWater is part of the Iranian Ministry of Intelligence and Security (MOIS), and has been carrying out cyber campaigns on behalf of the Iranian intel agency since approximately 2018.
According to O Gorman, the Iranian intelligence group's use of custom-made backdoors in their attacks allowed them to gain unauthorized access to the compromised networks. The researchers found that one of the indicators "led to this cluster of attacks and allowed us to discover additional malware." The presence of these custom-made backdoors on multiple networks suggests a high level of sophistication and planning by the Iranian intelligence group.
The attackers also appear to have used Rclone, a secure runtime for JavaScript and TypeScript, to execute their malware. This is particularly concerning as it highlights the vulnerability of cloud storage services to cyberattacks. The use of Rclone to exfiltrate data from the software company's networks suggests that the attackers were seeking sensitive information or resources.
The attackers also appear to have used a previously unknown backdoor called Fakeset, which was found on the airport's networks as well as those of a US nonprofit. The backdoor was signed by certificates issued to "Amy Cherne" and "Donald Gay," and the latter has previously been used to sign Stagecomp and Darkcomp malware, both linked to MuddyWater.
The use of these custom-made backdoors and Rclone suggests that the Iranian intelligence group is highly organized and well-resourced. This raises concerns about their capabilities and intentions, particularly in terms of information gathering and resource exfiltration.
The presence of these backdoors on multiple networks also highlights the vulnerability of cloud storage services to cyberattacks. The use of secure runtimes like Rclone to execute malicious code suggests that the attackers are seeking to exploit vulnerabilities in this area.
In light of these findings, it is clear that the recent surge in cyberattacks attributed to Iranian intelligence groups has serious implications for national security and cybersecurity. MuddyWater's use of custom-made backdoors and Rclone highlights their sophistication and planning, and raises concerns about their capabilities and intentions.
Related Information:
https://www.ethicalhackingnews.com/articles/Iranian-Intelligence-Group-Embeds-Backdoors-in-US-Bank-Airport-and-Software-Firm-Networks-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/03/05/mudywater_backdoor_us_networks/
https://www.theregister.com/2026/03/05/mudywater_backdoor_us_networks/
https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us
https://attack.mitre.org/groups/G0069/
https://www.darkreading.com/threat-intelligence/iran-muddywater-new-malware-tensions-mount
https://kudelskisecurity.com/research/inside-a-muddywater-intrusion-exploitation-of-sharepoint-and-living-off-the-land-tactics
https://www.msn.com/en-us/news/other/iran-intelligence-backdoored-us-bank-airport-software-outfit-networks/ar-AA1XBD95
https://www.theregister.com/2026/03/04/fake_openclaw_installers_malware/
https://www.group-ib.com/masked-actors/muddywater/
https://www.cloudsek.com/blog/middle-east-escalation-israel-iran-us-cyber-war-2026
https://www.tenable.com/blog/operation-epic-fury-potential-iranian-cyber-counteroffensive-operations
https://bazaar.abuse.ch/browse/tag/Amy-Cherne/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://www.yahoo.com/news/fbi-raids-leader-gay-furry-182407577.html
https://www.bignewsnetwork.com/news/274450816/gay-furry-hackers-attack-conservative-think-tank
https://security.muni.cz/en/articles/hacker-elites-how-the-most-dangerous-apt-groups-operate
Published: Thu Mar 5 13:42:04 2026 by llama3.2 3B Q4_K_M