Overview
- Broadcom’s Symantec and Carbon Black linked the campaign to MuddyWater through reused signing certificates and reported activity continuing since early February.
- Dindoor, which executes via the Deno runtime, was found at a U.S. bank, a Canadian NGO, and the Israeli arm of a software supplier to defense and aerospace, signed as “Amy Cherne.”
- A separate Python backdoor dubbed Fakeset appeared at a U.S. airport and a nonprofit, signed with “Amy Cherne” and “Donald Gay” certificates and downloaded from Backblaze servers.
- Researchers observed an attempt to use Rclone to exfiltrate data from the software company to a Wasabi cloud bucket; whether it succeeded is unknown.
- FBI, CISA, and the UK NCSC attribute MuddyWater to Iran’s Ministry of Intelligence and Security, and while initial access is unclear, analysts caution the footholds could enable future operations.
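The bullets above give a defender three things to hunt for: binaries signed under the "Amy Cherne" and "Donald Gay" certificate names, Rclone runs that point at Wasabi or Backblaze storage, and Deno-hosted payloads. The script below is an added triage example written for this page, not code from Symantec, Carbon Black, or any of the reporting vendors. It assumes a simple constructed `key="value"` process-event format, uses the signer names only because the page gives no certificate thumbprints or serials (real detections should key on those), and treats the `wasabisys.com` and `backblazeb2.com` hostname patterns and the "Deno is rare on this estate" baseline as assumptions to tune per environment.

```python
import re
from dataclasses import dataclass

# Assumed watchlist built only from the signer names the overview reports.
# A production rule should match certificate thumbprints/serials, which the page does not provide.
SUSPICIOUS_SIGNERS = {"amy cherne", "donald gay"}

# Assumed hostname patterns for the cloud storage providers named as staging/exfil destinations.
CLOUD_STORAGE_PATTERNS = [
    re.compile(r"wasabisys\.com", re.I),    # Wasabi S3-compatible endpoints
    re.compile(r"backblazeb2\.com", re.I),  # Backblaze B2
    re.compile(r"backblaze\.com", re.I),
]
RCLONE_RE = re.compile(r"(^|[\\/ ])rclone(\.exe)?\b", re.I)
DENO_RE = re.compile(r"(^|[\\/ ])deno(\.exe)?\b", re.I)


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_line(line: str) -> dict:
    """Parse one constructed process event of the form key="value" key2="value2"."""
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', line)}


def triage(events):
    """Run the three hunts over an iterable of event lines and return findings in order."""
    findings = []
    for n, line in enumerate(events, 1):
        ev = parse_line(line)
        image = ev.get("image", "")
        cmd = ev.get("commandline", "")
        signer = ev.get("signer", "").strip().lower()

        # Hunt 1: binaries signed under the certificate names reused across the campaign.
        if signer in SUSPICIOUS_SIGNERS:
            findings.append(Finding(n, "suspicious_signer", f"{image} signed by '{ev.get('signer')}'"))

        # Hunt 2: Rclone execution, escalated when the command line targets a cloud bucket.
        if RCLONE_RE.search(image) or RCLONE_RE.search(cmd):
            if any(p.search(cmd) for p in CLOUD_STORAGE_PATTERNS):
                findings.append(Finding(n, "rclone_cloud_storage", cmd))
            else:
                findings.append(Finding(n, "rclone_execution", cmd))

        # Hunt 3: Deno runtime launches; assumed rare on corporate endpoints, so baseline before alerting.
        if DENO_RE.search(image):
            findings.append(Finding(n, "deno_runtime", cmd))
    return findings


# Constructed sample events; paths, users and command lines are invented for illustration.
SAMPLE_EVENTS = [
    'Image="C:\\Users\\a\\AppData\\Local\\Temp\\update.exe" Signer="Amy Cherne" CommandLine="update.exe --silent" User="CORP\\a"',
    'Image="C:\\Program Files\\rclone\\rclone.exe" Signer="" CommandLine="rclone.exe copy D:\\share remote:bucket --s3-endpoint s3.wasabisys.com" User="CORP\\svc"',
    'Image="C:\\Windows\\System32\\notepad.exe" Signer="Microsoft Windows" CommandLine="notepad.exe" User="CORP\\b"',
    'Image="C:\\Users\\b\\deno.exe" Signer="Donald Gay" CommandLine="deno.exe run -A C:\\Users\\b\\main.ts" User="CORP\\b"',
]


def summarize(events):
    """Return (line_no, rule) pairs, convenient for ticketing or for asserting in tests."""
    return [(f.line_no, f.rule) for f in triage(events)]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

Signer-name matching is deliberately the weakest of the three rules: it catches only the certificates the page names, and an adversary can obtain a new certificate under a different name. The Rclone-plus-cloud-endpoint rule generalizes better, because the tool and destination pair is what the exfiltration step needs regardless of which certificate the loader carried.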