Dindoor backdoor activity in MuddyWater operations
Malware Activity
Summary
Researchers identified Dindoor, a previously unknown backdoor, on targeted networks tied to MuddyWater, showing the group is fielding a new intrusion toolset. The malware appeared on the networks of a US bank, a Canadian non-profit organization, and the Israeli operation of a US software company. Dindoor runs on the Deno JavaScript/TypeScript runtime and was signed with a code-signing certificate issued to “Amy Cherne”, consistent with the certificate reuse seen elsewhere in the campaign and indicating deliberate operational tradecraft rather than opportunistic signing. Its appearance alongside those related certificates and other backdoors points to an active malware deployment effort against multiple organizations.
Related Happenings
ABCDoor backdoor activity in Silver Fox attacks
Malware Activity
First: 04.05.2026 14:35
Last: 04.05.2026 14:35
Sources 1
About this happening:
The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...
DigiCert hit by network compromise
Incident
First: 03.05.2026 21:11
Last: 03.05.2026 21:11
Sources 1
About this happening:
DigiCert disclosed an **early April** **support environment compromise** that exposed **initialization codes** for approved **EV code-signing certificate orders**, creating a path...
Latest development: 04.05.2026 15:46
By April 17, DigiCert revoked 60 certificates tied to the support-portal compromise, including 27 explicitly linked to the threat actor and 11 used to sign Zhong Stealer, and canceled pending orders to close attacker access. DigiCert also enforced multi-factor authentication for administrative workflows, blocked access to initialization codes from proxied support users, restricted file types for support chat and Salesforce case attachments, and improved logging.
Trellix hit by network compromise
Incident
First: 02.05.2026 09:41
Last: 02.05.2026 09:41
Sources 1
About this happening:
**Trellix** confirmed a **breach** that gave attackers **unauthorized access** to a **portion of its source code**, creating potential security and intellectual-property risk. The...
Latest development: 08.05.2026 16:23
RansomHouse claimed responsibility for the Trellix source code repository breach, posted screenshots from Trellix's appliance management system as proof, and said the intrusion occurred on April 17 and resulted in data encryption.
GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX
Malware Activity
First: 17.03.2026 23:42
Last: 17.03.2026 23:42
Sources 1
About this happening:
**GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...
Latest development: 28.04.2026 00:41
GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.
Warlock ransomware post-exploitation tooling upgrades
Malware Activity
First: 17.03.2026 17:36
Last: 17.03.2026 17:36
Sources 1
About this happening:
The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...
Timeline
- 05.03.2026 02:00 · 2 articles · 2mo ago
MuddyWater campaign detected with Dindoor
Initial Disclosure: Broadcom’s Symantec and Carbon Black detected a MuddyWater campaign targeting several organizations, including a US bank, a US airport, non-governmental organizations in the US and Canada, and the Israeli operation of a US software company. Researchers found the previously unknown Dindoor backdoor on the bank, Canadian non-profit, and Israeli software-company networks; a separate Python backdoor called Fakeset on the airport network; reuse of code-signing certificates issued to “Amy Cherne” and “Donald Gay”; and an attempted Rclone exfiltration to a Wasabi cloud storage bucket.
- Iran's MuddyWater Hackers Hit US Firms with New 'Dindoor' Backdoor — www.infosecurity-magazine.com — 06.03.2026 17:15
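The tradecraft described in the timeline entry and in the page summary (a Deno-hosted backdoor, code-signing certificates in the names “Amy Cherne” and “Donald Gay”, and an Rclone exfiltration attempt toward Wasabi) maps onto a few process-creation hunt rules. The script below is an added example written for this page; it is not Broadcom, Symantec or Carbon Black tooling and is not taken from the disclosure. The event schema (host, image, cmdline, signer), the sample events, and the command-line patterns it keys on (Deno’s `run` subcommand with the `-A`/`--allow-all` permission flag, rclone transfer verbs, and a `provider=Wasabi` or `wasabisys.com` destination string) are assumptions for illustration; only the two signer names come from the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Certificate subject names reported in the disclosure; everything else in this
# file (field names, sample events, command-line patterns) is assumed.
SIGNERS_NAMED_IN_DISCLOSURE = {"amy cherne", "donald gay"}

# Assumed pattern: Deno's run subcommand launched with all permissions (-A / --allow-all).
DENO_RUN_RE = re.compile(r"\brun\b")
DENO_ALLOW_ALL_RE = re.compile(r"(^|\s)(-A|--allow-all)(\s|$)")
# Assumed pattern: an rclone transfer verb, and strings that identify a Wasabi
# destination (the S3 provider flag or the wasabisys.com endpoint).
RCLONE_XFER_RE = re.compile(r"\brclone(\.exe)?\b.*\b(copy|copyto|sync|move)\b", re.IGNORECASE)
WASABI_RE = re.compile(r"wasabisys\.com|provider=wasabi", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    evidence: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev: dict) -> list[Finding]:
    """Apply the hunt rules to one process-creation event (assumed schema)."""
    host = ev.get("host", "?")
    signer = (ev.get("signer") or "").strip().lower()
    image = _basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "")
    findings: list[Finding] = []

    # Rule 1: binary signed under a subject name tied to the campaign.
    if signer in SIGNERS_NAMED_IN_DISCLOSURE:
        findings.append(Finding(host, "signer_named_in_disclosure", "high", ev["signer"]))

    # Rule 2: Deno executing a script with every permission granted.
    if image == "deno.exe" and DENO_RUN_RE.search(cmd) and DENO_ALLOW_ALL_RE.search(cmd):
        findings.append(Finding(host, "deno_run_allow_all", "medium", cmd))

    # Rule 3: rclone moving data out; escalate when the target is Wasabi.
    if RCLONE_XFER_RE.search(cmd):
        if WASABI_RE.search(cmd):
            findings.append(Finding(host, "rclone_transfer_to_wasabi", "high", cmd))
        else:
            findings.append(Finding(host, "rclone_transfer", "medium", cmd))

    return findings


def hunt(events: list[dict]) -> list[Finding]:
    """Run every rule over a batch of events and collect the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample events: hosts, paths, commands and signers are invented.
SAMPLE_EVENTS = [
    {"host": "wks-01", "image": r"C:\Users\jdoe\AppData\Local\deno\deno.exe",
     "cmdline": r"deno.exe run -A C:\Users\jdoe\AppData\Roaming\svc\main.ts",
     "signer": "Amy Cherne"},
    {"host": "srv-02", "image": r"C:\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance :s3,provider=Wasabi,endpoint=s3.wasabisys.com:bkt-01 -q",
     "signer": ""},
    {"host": "dev-03", "image": r"C:\Users\asmith\.deno\bin\deno.exe",
     "cmdline": "deno.exe run --allow-net server.ts",
     "signer": "Example Signer Inc."},
    {"host": "dev-03", "image": r"C:\Program Files\Python311\python.exe",
     "cmdline": "python.exe -m http.server 8080",
     "signer": "Python Software Foundation"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.rule}: {f.evidence}")
```

The third sample event (Deno with a scoped `--allow-net` permission) produces no finding, which is the point of keying on the all-permissions flag rather than on the Deno binary alone: Deno is a legitimate runtime, and the signer rule is what carries the campaign-specific signal. Treat the rclone rule the same way in production, tuning the Wasabi match to whatever destination your own telemetry exposes.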