MuddyWater Pre-Planted Backdoors in US Banks, Airports, and Defence Firms Before Iran Conflict

Abhishek Gautam · 9 min read

Quick summary

Iranian APT MuddyWater (Seedworm) planted Python backdoors inside US financial institutions, airports, and defence contractors before Operation Epic Fury. CISA and Unit 42 confirmed. Here is what security teams need to do now.

Before US and Israeli forces launched Operation Epic Fury on February 28, 2026 — the strikes that closed the Strait of Hormuz and triggered the current oil crisis — Iranian-linked hackers were already inside.

Security researchers at Unit 42 (Palo Alto Networks), Symantec Threat Intelligence, and CISA confirmed in early March that MuddyWater (also tracked as Seedworm, TEMP.Zagros, and Static Kitten — an IRGC/MOIS-linked APT group) had pre-positioned access inside US financial institutions, airports, Israeli defence contractors, and software companies weeks before the military strikes began.

This is what cyber pre-positioning looks like. And if your organisation falls into any of the targeted sectors, you need to act now.

The Fakeset and Dindoor Backdoors

MuddyWater's primary tools in the current campaign are two new Python-based backdoors: Fakeset and Dindoor.

Fakeset masquerades as a legitimate software component — typically a fake PDF viewer or document renderer embedded in a spearphishing attachment. Once installed, it establishes a persistent foothold via a scheduled task, communicates with C2 infrastructure over HTTPS (making it blend with normal outbound traffic), and waits for commands. Fakeset was first seen in November 2025 and went dormant — indicating preparation, not immediate exploitation.

Dindoor is a second-stage implant delivered after Fakeset has established persistence. It provides full remote shell access, exfiltrates credentials, and can pivot to internal network resources. It is written in Python 3.10 and speaks a custom application-layer protocol on port 443, so at the network edge it looks like more HTTPS.

Both tools are modular — MuddyWater operators can push additional capability modules after initial infection. Unit 42 found evidence of credential dumping modules, lateral movement scripts targeting Windows Active Directory, and a module specifically designed to enumerate OT/SCADA network topology.

Who Was Targeted

The confirmed target sectors in the US, Israel, Egypt, Jordan, and UAE:

US targets: Software development companies (supply chain entry point), financial institutions (banks and payment processors), commercial airports (operations software), and defence contractors with civilian IT systems.

Israeli targets: Defence contractors, technology companies, and healthcare systems.

Regional targets: Egypt, Jordan, UAE — government agencies, telecoms, and energy companies.

CISA's advisory issued March 6 specifically called out that MuddyWater activity significantly increased in the week of February 21-28 — the week before Operation Epic Fury. This is the "pre-positioning before conflict" pattern that intelligence agencies warned about after Russia's pre-invasion activity in Ukraine in early 2022.

The Broader Iranian Cyber Operation

MuddyWater is one component of a coordinated Iranian cyber campaign. Post-Operation Epic Fury, at least five distinct Iranian threat groups escalated operations simultaneously:

CyberAv3ngers — an IRGC-affiliated group targeting operational technology (OT) systems, specifically water treatment, industrial control systems, and building management systems.

APT34 / OilRig — focuses on energy companies, telecoms, and government networks across the Gulf states, Jordan, and Egypt. Exfiltrates long-term intelligence rather than causing immediate disruption.

Altoufan / HANDALA — hacktivist-facing group that claims DDoS attacks and data leaks. Public-facing operations to demonstrate capability and cause reputational damage.

A coordinating channel described as an "Electronic Operations Room" reportedly synchronises at least 60 hacktivist groups alongside the state APTs. This creates plausible deniability — Iran can attribute individual incidents to "independent" hacktivists while the APTs do the actual persistent access work.

What Developers and Security Teams Need to Do

Immediate (this week)

Rotate all credentials that touch production systems. This is non-negotiable if your organisation is in any of the affected sectors: the campaign's tooling (Dindoor and the credential-dumping modules pushed through it) harvests cached credentials. Rotate Active Directory service accounts, cloud provider API keys, GitHub deploy tokens, and CI/CD pipeline secrets. Sequence this with containment: rotating while an implant is still beaconing just hands the operator a fresh set of secrets, so remove or isolate the foothold in the same change window.

Check for Python processes and unexpected scheduled tasks. Fakeset and Dindoor both use scheduled tasks for persistence. On Windows, export the task list (schtasks /query /fo LIST /v, or the XML files under C:\Windows\System32\Tasks) and look for tasks registered between November 2025 and February 2026 whose action runs python.exe or pythonw.exe, or a .py script, from outside your standard interpreter locations; AppData, ProgramData, Temp and Users\Public are the usual hiding places. On Linux, review crontab -l for every user, /etc/cron.d/, and systemd timers (systemctl list-timers --all), and list what is already running (ps -eo pid,user,etime,cmd | grep -i python). One caveat: a Python implant packaged with a tool such as PyInstaller runs under an arbitrary executable name, so also look for the interpreter's artefacts (a _MEI* directory under %TEMP%, a bundled python3x.dll next to an unfamiliar .exe) rather than relying on the process name alone.
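The hunt above, as an added example written for this article rather than tooling from MuddyWater, CISA or Unit 42: it parses exported Windows task XML and crontab lines and flags Python invocations from unexpected paths inside the date window. The path lists, the date window and every sample task or cron line are constructed assumptions; tune them to your own estate.

```python
"""Hunt for scheduled-task and cron persistence that runs Python from an unusual path.

Added example for this article, not MuddyWater, CISA or Unit 42 tooling. Input is
exported Windows task XML (schtasks /query /tn <name> /xml, or the XML files under
C:\\Windows\\System32\\Tasks, read as bytes so the UTF-16 declaration is honoured)
and crontab lines (crontab -l for each user, plus /etc/cron.d/*). Every sample
below is constructed; the path lists are assumptions to tune to your estate.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# python, python3, python3.11, pythonw, with or without .exe, as a whole word.
PY_RE = re.compile(r"\bpython(w|[23](\.\d+)?)?(\.exe)?\b", re.I)
# Where a legitimate interpreter is expected to live (assumption).
EXPECTED_WIN = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# User-writable or scratch locations a persistence script should not run from.
SUSPECT_WIN = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SUSPECT_NIX = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")  # /home/ is noisy on dev boxes
WINDOW_START, WINDOW_END = datetime(2025, 11, 1), datetime(2026, 2, 28, 23, 59, 59)


def _norm(text):
    return (text or "").strip().strip('"').lower()


def windows_task_findings(task_xml, start=WINDOW_START, end=WINDOW_END):
    """Return [(registered, command, arguments)] for every Exec action of a task
    registered in [start, end] that invokes Python from outside EXPECTED_WIN or
    points it at a script under a SUSPECT_WIN path."""
    root = ET.fromstring(task_xml)
    registered = "unknown"
    date_text = root.findtext("t:RegistrationInfo/t:Date", default="", namespaces=NS)
    if date_text:
        when = datetime.fromisoformat(date_text.strip()[:19])  # drop the 7-digit fraction
        if not start <= when <= end:
            return []
        registered = when.isoformat()
    # No RegistrationInfo/Date means the task cannot be dated; keep checking it.
    findings = []
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = _norm(action.findtext("t:Command", default="", namespaces=NS))
        args = _norm(action.findtext("t:Arguments", default="", namespaces=NS))
        if not PY_RE.search(cmd + " " + args):
            continue
        interpreter_ok = cmd.startswith(EXPECTED_WIN)
        script_ok = not any(p in args for p in SUSPECT_WIN)
        if not (interpreter_ok and script_ok):
            findings.append((registered, cmd, args))
    return findings


def cron_findings(lines):
    """Return crontab lines that run Python from a SUSPECT_NIX path."""
    hits = []
    for line in lines:
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        if PY_RE.search(s) and any(p in s for p in SUSPECT_NIX):
            hits.append(s)
    return hits


# Constructed samples (not real task files).
SAMPLE_SUSPECT_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2025-11-14T09:12:33.1234567</Date><Author>CORP\bob</Author></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>"C:\Users\bob\AppData\Roaming\PDFViewer\pythonw.exe"</Command>
    <Arguments>render.py --quiet</Arguments>
  </Exec></Actions>
</Task>"""

SAMPLE_LEGIT_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2025-12-01T03:00:00</Date></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Python311\python.exe</Command>
    <Arguments>-m backup.nightly</Arguments>
  </Exec></Actions>
</Task>"""

SAMPLE_CRON = [
    "PATH=/usr/local/bin:/usr/bin:/bin",
    "# nightly backup",
    "0 2 * * * /usr/bin/python3 /opt/backup/run.py",
    "*/10 * * * * /tmp/.cache/python3 /tmp/.cache/sync.py >/dev/null 2>&1",
    "@reboot /usr/bin/python3 /home/svc/.local/beacon.py",
]

if __name__ == "__main__":
    for task_xml in (SAMPLE_SUSPECT_TASK, SAMPLE_LEGIT_TASK):
        for hit in windows_task_findings(task_xml):
            print("TASK", *hit)
    for hit in cron_findings(SAMPLE_CRON):
        print("CRON", hit)
```

The legitimate task (an interpreter under Program Files running a module by name) passes; the task that runs pythonw.exe out of AppData is reported, and so is a cron entry that runs a script from /tmp or a home directory. Run it over every task file and every user's crontab, not a sample of them, and treat "registered date missing" as a reason to look harder, not to skip.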

Audit outbound HTTPS on port 443 to unexpected destinations. Both backdoors communicate over HTTPS, so payload inspection is off the table; what you can see is metadata. Look for low-volume, regular beaconing (every 5-15 minutes) from one internal host to one external address, and treat cadence and size as the signal rather than destination geography: C2 is routinely rented from commodity hosting providers anywhere, and the addresses already known are in the CISA IOC list. A SIEM rule that aggregates connections per source/destination pair and measures the spacing between them will surface this; a plain threshold on bytes or connection count will not.
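What that per-pair cadence check looks like over proxy or firewall records, as an added example for this article (not a published MuddyWater detection): it groups outbound port-443 connections by source and destination, measures the spacing between them, and reports pairs that are frequent, evenly spaced, inside the 5-15 minute window the article gives, and small. The log format and every record are constructed; the thresholds are assumptions to tune.

```python
"""Flag low-volume, periodic outbound HTTPS (beaconing) in proxy/firewall records.

Added example for this article, not a published detection. It keys on cadence
and size per (source, destination) pair, not on destination geography. The log
format and all records are constructed; the 5-15 minute window comes from the
article and is a starting point, not a ground truth about Fakeset or Dindoor.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Constructed format: '<iso-utc> <src> <dst> <dport> <direction> <bytes>'."""
    ts, src, dst, dport, direction, nbytes = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst,
            int(dport), direction, int(nbytes))


def find_beacons(lines, min_hits=6, min_period=300, max_period=900,
                 max_jitter=0.15, max_bytes=4096):
    """Return one dict per (src, dst) pair whose outbound 443 connections are
    numerous (>= min_hits), evenly spaced (stdev/median <= max_jitter), have a
    median spacing inside [min_period, max_period] seconds, and are small."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, direction, nbytes = parse_line(line)
        if dport == 443 and direction == "OUT":
            flows[(src, dst)].append((ts, nbytes))
    hits = []
    for (src, dst), events in flows.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(later - earlier).total_seconds()
                for (earlier, _), (later, _) in zip(events, events[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = statistics.pstdev(gaps) / period  # relative spread of the spacing
        avg_bytes = statistics.fmean(n for _, n in events)
        if (min_period <= period <= max_period and jitter <= max_jitter
                and avg_bytes <= max_bytes):
            hits.append({"src": src, "dst": dst, "hits": len(events),
                         "period_s": period, "jitter": round(jitter, 3),
                         "avg_bytes": round(avg_bytes)})
    return hits


def sample_log():
    """Constructed records: one 10-minute beacon with slight jitter, plus
    irregular, larger transfers from the same host to a placeholder CDN address.
    Both external addresses are RFC 5737 test ranges, not real infrastructure."""
    t0 = datetime(2026, 3, 2, 10, 0, 5)
    stamp = lambda off: (t0 + timedelta(seconds=off)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"{stamp(off)} 10.0.4.17 198.51.100.23 443 OUT 612"
             for off in (0, 600, 1190, 1800, 2400, 3005, 3600, 4200)]
    lines += [f"{stamp(off)} 10.0.4.17 192.0.2.44 443 OUT {size}"
              for off, size in ((37, 48213), (401, 120044), (2930, 9931),
                                (3311, 65020), (3312, 1200), (5000, 77000))]
    return lines


if __name__ == "__main__":
    for hit in find_beacons(sample_log()):
        print(hit)
```

The noise flow in the sample is a useful control: it has enough connections and its median spacing even lands inside the window, but the spread of the spacing (jitter of roughly 2.5) and the transfer sizes rule it out. Real implants add deliberate jitter, often well above the 15% used here, so widen max_jitter and lengthen the observation window before trusting a negative result, and pair this with the IOC list and TLS metadata (SNI, JA3/JA4) rather than using it alone.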

Check your software supply chain. MuddyWater's targeting of US software development companies is specifically because software companies are a supply chain entry point to downstream customers. If you are a software vendor, audit what you ship. If you are a software customer, ask vendors about their security posture.

Medium-term (this month)

SBOM audit. Generate a Software Bill of Materials for every production application. Cross-reference Python dependencies against known-malicious packages and against lookalike names of the packages you actually use. MuddyWater has previously compromised Python packages on PyPI. While you are there, pin dependency hashes (pip install --require-hashes against a lock file) so a substituted package fails to install instead of running silently.
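The cross-reference step, as an added example for this article (not a CISA, Unit 42 or OSV tool): it walks the pypi components of a CycloneDX JSON SBOM, matches name and version against a denylist, and flags names within a small edit distance of packages you genuinely depend on. The SBOM, the denylist and the known-good list are constructed placeholders; feed the denylist from the advisory IOCs and your vulnerability feed, and the known-good list from your pinned requirements.

```python
"""Audit the Python components of a CycloneDX SBOM against a denylist and
against lookalike (typosquat) names of packages you actually depend on.

Added example for this article, not a CISA, Unit 42 or OSV tool. The SBOM,
DENYLIST and KNOWN_GOOD values are constructed placeholders.
"""
import json
import re

DENYLIST = {                      # name -> malicious versions ("*" means every version)
    "requestz": {"*"},
    "pdf-render-utils": {"0.3.1", "0.3.2"},
}
KNOWN_GOOD = ("requests", "urllib3", "cryptography", "pyyaml", "numpy", "pillow")


def normalize(name):
    """PEP 503 name normalisation: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_purl(purl):
    """'pkg:pypi/PyYAML@6.0.1?qualifier=x' -> ('pypi', 'PyYAML', '6.0.1')."""
    if not purl.startswith("pkg:"):
        return None, None, None
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    ecosystem, _, rest = body.partition("/")
    name, version = (rest.rsplit("@", 1) + [""])[:2]
    return ecosystem, name.split("/")[-1], version


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_sbom(sbom_json):
    """Return findings for pypi components: 'denylisted' (name and version on the
    list) or 'lookalike' (within a small edit distance of a KNOWN_GOOD name)."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        ecosystem, raw_name, version = parse_purl(comp.get("purl", ""))
        if ecosystem != "pypi" or not raw_name:
            continue  # components without a pypi purl are out of scope here
        name = normalize(raw_name)
        bad = DENYLIST.get(name)
        if bad and ("*" in bad or version in bad):
            findings.append({"reason": "denylisted", "name": name, "version": version})
            continue
        for known in KNOWN_GOOD:
            limit = 1 if len(known) < 8 else 2  # allow a transposition on longer names
            if name != known and levenshtein(name, known) <= limit:
                findings.append({"reason": "lookalike", "name": name,
                                 "version": version, "of": known})
    return findings


# Constructed SBOM fragment in CycloneDX 1.5 JSON shape (not a real inventory).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib4", "version": "1.26.0",
         "purl": "pkg:pypi/urllib4@1.26.0"},
        {"type": "library", "name": "pdf_render_utils", "version": "0.3.1",
         "purl": "pkg:pypi/pdf_render_utils@0.3.1"},
        {"type": "library", "name": "pdf_render_utils", "version": "0.4.0",
         "purl": "pkg:pypi/pdf_render_utils@0.4.0"},
        {"type": "library", "name": "requestz", "version": "0.1",
         "purl": "pkg:pypi/requestz@0.1"},
        {"type": "library", "name": "numpy", "version": "1.26.4",
         "purl": "pkg:pypi/numpy@1.26.4?arch=x86_64"},
    ]})

if __name__ == "__main__":
    for finding in audit_sbom(SAMPLE_SBOM):
        print(finding)
```

cyclonedx-py (from the cyclonedx-bom package) produces this JSON from a requirements file or an installed environment and always emits purls, which is why the audit keys on the purl rather than on free-text name fields. The version-aware denylist matters: the same package name appears twice in the sample and only the listed version is reported.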

OT/ICS network segmentation review. The OT/SCADA enumeration module suggests Iranian operators are mapping industrial networks for future targeting. If you have any OT/ICS systems, verify that network segmentation between IT and OT is enforced at the firewall level, not just in policy: from a host on the IT segment, attempt connections to OT addresses on the protocols that matter (for example Modbus/TCP 502, S7comm 102, EtherNet/IP 44818, DNP3 20000) and confirm they are both dropped and logged.

Enable MFA on every remote access pathway. VPN, RDP, SSH via jump host, cloud console access — no exceptions. This is the single highest-leverage action for stopping lateral movement once initial access is gained. Prefer phishing-resistant factors (FIDO2/WebAuthn or certificate-based) over push approvals and SMS, which can be fatigued or intercepted.

The "Pre-Positioned" Pattern

The most important word in how analysts are describing this campaign is "pre-positioned."

MuddyWater did not start attacking when Operation Epic Fury launched. It started gaining access weeks before. The backdoors sat dormant, waiting. This is standard practice for state-backed APTs preparing for conflict — establish access while tensions are elevated but before kinetic action begins, when defenders are not yet on maximum alert.

Russia used the same playbook in Ukraine: Sandworm pre-positioned in Ukrainian critical infrastructure months before the February 2022 invasion. Some of that access was used; some was preserved for future use.

The implication for defenders: if MuddyWater got in during January-February 2026, those backdoors may still be active. The conflict has not ended. The tactical question is not "did they get in?" but "are they still in, and what are they waiting for?"

Unit 42 estimates that only a fraction of initial access cases result in detected intrusions. The undetected cases are the concern.

CISA and Unit 42 Resources

CISA published advisory AA26-065A on March 6, 2026, covering MuddyWater TTPs with IOCs (indicators of compromise) including C2 IP addresses, Fakeset and Dindoor hashes, and YARA detection rules. Unit 42's threat intelligence blog has the full technical breakdown. If you have not read both, stop and do that today.

The IOCs include 47 IP addresses associated with C2 infrastructure and 12 domain patterns used for beaconing. Cross-reference these against your firewall, proxy and DNS logs for the past 90 days; the domain patterns will only show up where you record hostnames (proxy, DNS, TLS SNI), not in a flow log keyed by IP. Note that 90 days from early March reaches back only to early December, while Fakeset was first seen in November 2025, so go further back if your retention allows.
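The sweep itself, as an added example for this article: it loads IP/CIDR indicators and domain-pattern indicators, filters records to the lookback window, and reports the first sighting per source host and indicator. The indicator values are placeholders (RFC 5737 test ranges and an invented hostname pattern), not the AA26-065A list; the records and their format are constructed, with a hostname column so that domain patterns have something to match.

```python
"""Sweep outbound records against IOC IP ranges and domain patterns.

Added example for this article. The indicators are PLACEHOLDERS (RFC 5737
test ranges and an invented hostname pattern), not the AA26-065A list; load
the real values from the advisory. The log records are constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta

IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.23/32", "203.0.113.0/24")]
IOC_DOMAIN_PATTERNS = [re.compile(p) for p in (r"^[a-z0-9]{8,12}\.sync-status\.(com|net)$",)]


def parse_record(line):
    """Constructed format: '<iso-utc> <src_ip> <dst_ip> <hostname or ->'.
    The hostname column comes from proxy logs, DNS answers or TLS SNI."""
    ts, src, dst, host = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, host


def match_ioc(dst_ip, host):
    """Return the matching indicator as 'ip:<net>' or 'domain:<pattern>', else None."""
    try:
        ip = ipaddress.ip_address(dst_ip)
    except ValueError:
        ip = None
    if ip is not None:
        for net in IOC_NETWORKS:
            if ip in net:  # version mismatch (v4 vs v6) simply does not match
                return f"ip:{net}"
    name = host.lower().rstrip(".")
    if name != "-":
        for pat in IOC_DOMAIN_PATTERNS:
            if pat.match(name):
                return f"domain:{pat.pattern}"
    return None


def sweep(lines, now, days=90):
    """Return the first sighting of each (source, indicator) pair within `days` of `now`."""
    cutoff = now - timedelta(days=days)
    seen, matches = set(), []
    for line in lines:
        ts, src, dst, host = parse_record(line)
        if ts < cutoff:
            continue
        indicator = match_ioc(dst, host)
        if indicator and (src, indicator) not in seen:
            seen.add((src, indicator))
            matches.append({"first_seen": ts.isoformat(), "src": src, "dst": dst,
                            "host": host, "indicator": indicator})
    return matches


# Constructed records; every external address is in an RFC 5737 test range.
SAMPLE_RECORDS = [
    "2025-11-20T08:11:02Z 10.0.4.17 198.51.100.23 -",          # before the 90-day cutoff
    "2026-02-24T22:15:40Z 10.0.4.17 198.51.100.23 -",          # IOC address
    "2026-02-24T22:25:41Z 10.0.4.17 198.51.100.23 -",          # same pair, reported once
    "2026-02-26T03:02:10Z 10.0.9.4 192.0.2.8 www.example.com",
    "2026-03-01T11:44:09Z 10.0.9.4 203.0.113.77 -",            # inside an IOC CIDR
    "2026-03-03T09:05:55Z 10.0.2.30 192.0.2.201 kq8dz3m2pw.sync-status.net",  # domain pattern
    "2026-03-03T09:06:00Z 10.0.2.30 192.0.2.202 docs.python.org",
]
SWEEP_AS_OF = datetime(2026, 3, 10)

if __name__ == "__main__":
    for match in sweep(SAMPLE_RECORDS, SWEEP_AS_OF):
        print(match)
```

The first record is deliberately a November sighting of an indicator: with a 90-day window from 10 March it is silently dropped, which is exactly the gap the lookback caveat above is about. Widen `days` to cover the period the backdoor was first seen, and run the domain patterns only over sources that actually carry hostnames.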

Bottom Line

The Hormuz crisis is an oil and shipping story. But it has a cyber dimension that is directly relevant to every developer and security team touching financial, infrastructure, or defence-adjacent systems.

Iranian APTs pre-positioned before the conflict started. They are still active. CISA says so. Unit 42 says so.

Rotate credentials. Check for dormant Python processes. Review your supply chain. This is not a theoretical risk.

Written by

Abhishek Gautam

Full Stack Developer & Software Engineer based in Delhi, India. Building web applications and SaaS products with React, Next.js, Node.js, and TypeScript. 8+ projects deployed across 7+ countries.