Broadcom's Symantec and Carbon Black confirmed that a state intelligence-linked threat group compromised a bank, an airport, nonprofits, and a defense aerospace software supplier starting in early February 2026 — weeks before the kinetic strikes began on February 28. The group deployed the previously unknown Dindoor backdoor using the Deno JavaScript runtime and attempted data exfiltration via Rclone to cloud storage. Intel 471, Nozomi Networks, CrowdStrike, Flashpoint, and CSIS all documented the broader surge in state-aligned cyber operations targeting financial services, aviation, defense, industrial control systems, and government infrastructure across the conflict zone. The pre-positioning phase is over. The question is whether defenders find the implants before the operators activate them.

Links & Resources

• https://thehackernews.com/2026/03/iran-linked-muddywater-hackers-target.html
• https://www.theregister.com/2026/03/05/mudywater_backdoor_us_networks/
• https://www.helpnetsecurity.com/2026/03/06/seedworm-muddywater-backdoors-victims/
• https://www.securityweek.com/iranian-apt-hacks-us-airport-bank-software-company/
• https://www.infosecurity-magazine.com/news/iran-muddywater-hackers-us-firms/
• https://industrialcyber.co/reports/cyber-retaliation-surges-after-us-israel-strikes-on-iran-as-hacktivists-hit-governments-defense-critical-sectors/
• https://www.csis.org/analysis/how-will-cyber-warfare-shape-us-israel-conflict-iran
• https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/