
March 9, 2026

Latest Iranian cyber activity amid Middle East escalation


At a glance: Researchers linked new malware activity to the Iranian APT group Seedworm while separate reporting tied Iranian-aligned actors to campaigns compromising internet-connected cameras across the Middle East. The activity highlights how cyber operations and exposed IoT devices can support real-world military operations and intelligence gathering.

Threat summary

In a March 5, 2026 report, researchers detailed activity linked to the Iranian advanced persistent threat (APT) group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten), which is associated with the Iranian Ministry of Intelligence and Security (MOIS).

The group deployed two malware tools, a newly discovered backdoor called Dindoor and a Python-based tool called Fakeset, across multiple victim environments. The activity, traced back to February 2026 and continuing in recent days, affected a U.S. bank, a Canadian nonprofit organization, a U.S. airport, and the Israeli operations of a U.S. software company.

Dindoor uses the Deno runtime to execute cross-platform payloads with minimal dependencies, while Fakeset was downloaded from two Backblaze cloud storage servers. Overlaps in signing infrastructure and tooling with previously documented Seedworm malware indicate the same actor was responsible for these intrusions.

Separately, on March 4, Israel announced a strike on a cluster of military sites on the eastern edge of Tehran that it says housed the headquarters of the Islamic Revolutionary Guard Corps (IRGC). According to Israel, the locations included the IRGC’s cyber and electronic warfare headquarters as well as its Intelligence Directorate, both tied to major cyber operations against U.S. and regional targets.

It remains unclear how much the attack disrupted Iran’s cyber capabilities amid an ongoing internet blackout in the country.

Separately, Check Point researchers published findings linking Iranian-aligned threat actors to coordinated compromises of internet-connected cameras across the Middle East. The activity bridged cyber intrusions and physical operations, with attackers using compromised cameras to collect intelligence, track troop movements, and support real-world strikes.

The report identifies multiple Iranian groups associated with the IRGC conducting long-running campaigns against camera networks in Israel, Iraq, and Gulf states, with targeting intensifying through late 2025 and early 2026. The operations exploit exposed camera interfaces vulnerable to old flaws, weak credentials, and unpatched firmware, enabling attackers to extract live video feeds and pivot deeper into networks.

Analysis

The activity demonstrates how cyber operations can directly support physical conflict and highlights how surveillance systems and other IoT devices have become strategic intelligence assets. Their compromise can support physical operations, enable lateral movement, and create spillover risk for those far from the conflict zone.

This underscores the need to treat IoT devices as part of the core security perimeter, as even organizations outside the region may be affected if their devices are exposed or misconfigured.

Organizations should harden exposed devices and services by enforcing strong authentication, disabling unused interfaces, and ensuring timely patching of firmware and software vulnerabilities. Network segmentation, continuous monitoring of outbound connections, and restricting access to cloud storage platforms commonly abused by threat actors can reduce lateral movement opportunities.

For managed service providers, adopting zero trust principles, auditing all internet-connected cameras and IoT devices, and implementing strict configuration baselines are critical steps to limit the operational impact of similar campaigns and prevent spillover from regional conflicts.
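The two recommendations above, a configuration baseline for camera and IoT devices and monitoring of outbound connections to cloud storage, can be turned into a small defender-side check. The following is an added example written for this post, not tooling from the researchers or vendors cited; the baseline values, camera subnet, cloud storage domain list, device inventory, and firewall log lines are all constructed sample data rather than indicators from the reports.

```python
"""
Added example (not from the original post): audit a camera/IoT inventory
against a configuration baseline and scan firewall logs for outbound
connections from the camera segment to cloud storage services.
All devices, IPs, firmware versions, domains and log lines are constructed.
"""
from dataclasses import dataclass, field
import ipaddress
import re

# Hypothetical configuration baseline for camera devices (assumption).
BASELINE = {
    "min_firmware": (2, 4, 0),               # constructed minimum version
    "allowed_services": {"https", "rtsps"},  # encrypted video + management only
    "mgmt_from_internet": False,             # management UI never internet-facing
}

# Example cloud storage domains an organization might choose to restrict for
# device segments; extend to match local policy (constructed list).
CLOUD_STORAGE_DOMAINS = ("backblazeb2.com", "s3.amazonaws.com", "blob.core.windows.net")

CAMERA_SEGMENT = ipaddress.ip_network("10.50.0.0/24")  # constructed camera VLAN


@dataclass
class Device:
    name: str
    ip: str
    firmware: str
    default_creds: bool            # True if factory/weak credentials still in use
    services: set = field(default_factory=set)
    mgmt_exposed: bool = False     # True if management UI is reachable from the internet


def parse_version(v: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def audit_device(dev: Device, baseline=BASELINE) -> list:
    """Return a list of baseline violations for one device (empty if compliant)."""
    findings = []
    if dev.default_creds:
        findings.append("default or weak credentials")
    if parse_version(dev.firmware) < baseline["min_firmware"]:
        findings.append(f"firmware {dev.firmware} below minimum")
    extra = dev.services - baseline["allowed_services"]
    if extra:
        findings.append("unneeded services enabled: " + ", ".join(sorted(extra)))
    if dev.mgmt_exposed and not baseline["mgmt_from_internet"]:
        findings.append("management interface reachable from the internet")
    return findings


# Constructed firewall log format:
#   <timestamp> src=<ip> dst=<hostname> dport=<port> action=<allow|deny>
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<port>\d+)\s+action=(?P<action>\w+)"
)


def is_cloud_storage(host: str, domains=CLOUD_STORAGE_DOMAINS) -> bool:
    """Match the domain or any subdomain of it, on a label boundary."""
    return any(host == d or host.endswith("." + d) for d in domains)


def flag_outbound(log_lines, segment=CAMERA_SEGMENT, domains=CLOUD_STORAGE_DOMAINS) -> list:
    """Flag permitted connections from the camera segment to cloud storage hosts."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue
        if src in segment and m["action"] == "allow" and is_cloud_storage(m["dst"], domains):
            hits.append((str(src), m["dst"], int(m["port"])))
    return hits


# Constructed sample inventory: one compliant camera, one that violates every check.
SAMPLE_DEVICES = [
    Device("cam-lobby-01", "10.50.0.11", "2.4.1", False, {"https", "rtsps"}, False),
    Device("cam-dock-07", "10.50.0.17", "1.9.2", True, {"http", "telnet", "rtsp"}, True),
]

# Constructed sample firewall log lines.
SAMPLE_LOGS = [
    "2026-03-06T02:11:04Z src=10.50.0.17 dst=f002.backblazeb2.com dport=443 action=allow",
    "2026-03-06T02:11:09Z src=10.50.0.11 dst=ntp.example.internal dport=123 action=allow",
    "2026-03-06T02:12:33Z src=10.20.1.5 dst=s3.amazonaws.com dport=443 action=allow",
    "2026-03-06T02:13:00Z src=10.50.0.17 dst=cdn.example.net dport=80 action=deny",
    "malformed line with no fields",
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.name, audit_device(dev) or ["compliant"])
    print("outbound cloud storage from camera segment:", flag_outbound(SAMPLE_LOGS))
```

Run against a real inventory export and firewall logs, the device audit gives a list of cameras to remediate (credential change, firmware update, service and exposure cleanup), and the outbound check gives a short list of segment-to-cloud-storage connections that should either be blocked by policy or explicitly justified. Connections from the camera segment to other unexpected destinations can be added to the same loop by extending the domain list or by inverting it into an allow list.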
