As geopolitical tensions escalate in the Middle East, the digital battlefield is seeing a parallel surge in activity. Symantec's Threat Hunter Team has released a report documenting a spike in cyberespionage by the Iranian-linked APT group Seedworm (also tracked as MuddyWater, Static Kitten, and TEMP.Zagros).
The activity, which began in early February 2026, has seen the group infiltrate the networks of multiple U.S.-based companies and organizations, frequently targeting entities with strategic ties to Israel.
The campaign’s victimology suggests a broad intelligence-gathering mission. According to the report, “A U.S. bank, software company and airport, and non-governmental organizations in both the U.S. and Canada, have experienced suspicious activity on their networks in recent days and weeks”.
The software company identified in the report is a supplier to the defense and aerospace industries. Notably, the group's efforts appeared to focus specifically on the firm's Israeli outpost, consistent with a pattern in which Seedworm's intrusions (whether retaliatory or for reconnaissance) closely follow military strikes in the region.
The most significant technical discovery in this campaign is a previously undocumented tool in Seedworm’s arsenal. Researchers identified a new backdoor, which they have named Dindoor, on the networks of several targets.
Dindoor represents a continued evolution of the group's capability to maintain persistent access within high-value networks. While the group has historically relied on a rotating set of custom tools, the emergence of Dindoor highlights its ongoing investment in fresh malware intended to evade detection tuned to its older, already-catalogued tooling.
Seedworm's operations are often complemented by hacktivist allies who use data leaks as a form of "intimidation ops" or "psyops". Groups such as Handala have been observed publishing partial data leaks to amplify fear and pressure on targets, even where the underlying access was limited.
“Hacktivists such as Handala repeatedly use leaks and claims to amplify fear and pressure even when access is only partial – this is key escalation behavior,” the report warns.
Given the current state of regional conflict, the Threat Hunter Team assesses that the risk of further attacks is exceptionally high, particularly for Critical National Infrastructure (CNI).
As Seedworm continues its methodical intrusion into U.S. and Israeli networks, defenders are urged to hunt for the Dindoor indicators published in the report, and to harden any public-facing logistics or supply-chain interfaces that could serve as an initial foothold.