MuddyWater intrusion into U.S. networks and an Israeli software arm

MuddyWater has established footholds in U.S. banks, airports, a non-profit, and the Israeli arm of a software company. The activity was assessed to have started in early February and was seen again after U.S. and Israeli military strikes on Iran. Broadcom's Symantec and Carbon Black Threat Hunter Team tied the operation to MuddyWater, also known as Seedworm, and described it as a broad access campaign rather than a single isolated compromise. The operators used a previously unknown backdoor called Dindoor, which executes through the Deno JavaScript runtime, and attempted to move data with Rclone to a Wasabi cloud bucket from the software company arm. Investigators also found a separate Python backdoor called Fakeset in other networks, with certificate reuse linking it to earlier MuddyWater tooling such as Stagecomp and Darkcomp. Available evidence does not quantify the full reach, initial access method, or downstream impact in each environment, but it does show persistence and attempted exfiltration across multiple victims.