Iranian APT on Networks of U.S. Bank, Airport, Software Company

March 6, 2026, 11:54 a.m.

Description

Iranian APT group Seedworm has been active on networks of multiple U.S. companies since February 2026, targeting a bank, airport, software company, and NGOs. The group deployed new backdoors named Dindoor and Fakeset, signed with certificates previously linked to Seedworm. The activity occurs amid escalating tensions between the U.S., Israel, and Iran. Seedworm, known for espionage and information gathering, has broadened its scope to target various sectors globally. The article discusses recent Iranian cyber activities, potential future threats, and provides recommendations for defenders to prepare against DDoS, credential attacks, leaks, critical infrastructure attacks, and destructive operations.

External References

https://otx.alienvault.com/pulse/69a9e3eea1d0b6fa8bf0f06d
https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us
Tags
backdoor
apt
espionage
ddos
cyberattack
data exfiltration
critical infrastructure
iranian apt
pdq
geopolitical conflict
2026-03-05
bibiwiper
CVE-2017-7921
CVE-2023-6895
darkcomp
dindoor
fakeset
httpsnoop
phoenix
stagecomp
u.s. targets

Date

  • Created: March 5, 2026, 8:13 p.m.
  • Published: March 5, 2026, 8:13 p.m.
  • Modified: March 6, 2026, 11:54 a.m.

Indicators

  • 42a5db2a020155b2adb77c00cbe6c6ad27c2285d8c6114679d9d34137e870b3f
  • a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0
  • 2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6
  • a5d4d6be3bfe0cba23fe6b44984b5fc9c7c7e10030be96120bb30da0f2545d4c
  • 94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444
  • c7cf1575336e78946f4fe4b0e7416b6ebe6813a1a040c54fb6ad82e72673478e
  • ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888
  • 1d984d4b2b508b56a77c9a567fb7a50c858e672d56e8cf7677a1fca5c98c95d1
  • 15061036c702ad92b56b35e42cf5dc334597e7311e98d2fdd3815a69ac3b1d84
  • 1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6
  • 64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb
  • 4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be
  • 7467f326677a4a2c8576e71a832e297e794ea00e9b67c4fcbe78b5aec697cec4
  • 74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d
  • 3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90
  • b0af82de672d81f3c2f153977923b3884a8a9e7045b182c2379b19a1996931a0
  • 24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14
  • bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a
  • a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377
  • 64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1
  • 7c30c16e7a311dc0cdb1cdfd9ea6e502f44c027328dbe7d960b9bcd85ccf5eef
  • 2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5
  • 077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de
  • 0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542
  • 2a00705cfd3c15cf8913e9eb4e23968efd06f1feceaef9987d26c5518887d043
Download all indicators here!

Attack Patterns

  • Phoenix
  • Darkcomp
  • BibiWiper
  • HTTPSnoop
  • Stagecomp
  • Dindoor
  • Fakeset
  • PDQ
  • MuddyWater

Additional Informations

  • Energy
  • Finance
  • Transport
  • Government and administrations
  • Defense
  • Technologies
  • Air transport
  • moonzonet.com
  • elvenforest.s3.us-east-005.backblazeb2.com
  • uppdatefile.com
  • gitempire.s3.us-east-005.backblazeb2.com
  • serialmenot.com
  • Israel
  • Canada
  • United States of America

Linked vulnerabilities

CVE-2017-7921

None
Published:

CVE-2023-6895

None
Published: