Iranian Hackers Are Already Inside U.S. Banks, Airports, and Defense Networks. Are You Next?

They Didn’t Wait for the War. They Were Already In.

While bombs were falling on Tehran, Iranian hackers were already sitting inside American networks — watching, waiting, and preparing.

According to threat intelligence reports published this week by Symantec and Carbon Black, the Iranian state-sponsored hacking group known as Seedworm (also called MuddyWater, Static Kitten, and TEMP.Zagros) has been actively operating inside multiple U.S. organizations since early February 2026 — weeks before the first missiles hit Iran.

The targets aren’t random. They’re strategic:

  • A major U.S. bank
  • A U.S. airport
  • A software company that supplies the defense and aerospace industry (specifically its Israeli operations)
  • Non-governmental organizations in both the U.S. and Canada

The hackers deployed a previously unknown backdoor called Dindoor. Because no detection signatures existed for it, signature-based detection — the kind most antivirus relies on — won’t catch it.

‘The cyber war didn’t start when the bombs dropped,’ said Denis Calderone, principal and CTO at Suzu Labs. ‘It was well underway in February.’

Who Is Seedworm?

Seedworm isn’t a random criminal gang. It’s a professional intelligence operation.

According to CISA (the U.S. Cybersecurity and Infrastructure Security Agency), the FBI, and the UK’s National Cyber Security Centre, Seedworm is ‘a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).’ They’ve been conducting cyber campaigns on behalf of the Iranian government since at least 2017.

Originally, Seedworm focused on targets in the Middle East — Saudi Arabia, Iraq, Israel, the UAE. But over time, they expanded to telecommunications, defense, government, and energy organizations across Asia, Africa, Europe, and North America.

They’re not script kiddies. They develop custom malware, exploit zero-day vulnerabilities, and operate sophisticated command-and-control infrastructure. The fact that they had brand new tooling deployed and operational before the military conflict started tells you everything about their level of preparation.

What They Found Inside

The Symantec and Carbon Black threat hunting team discovered the intrusions after receiving indicators of compromise (IOCs) linked to MuddyWater from a third party. What they found was alarming:

The Dindoor Backdoor

Dindoor is a new piece of malware that uses Deno — a JavaScript and TypeScript runtime environment — to execute commands on infected machines. It was found on:

  • The Israeli branch of a U.S. software company (a defense/aerospace supplier)
  • A major U.S. bank
  • A Canadian non-governmental organization

The malware was digitally signed with a certificate issued to ‘Amy Cherne’ — a signature already associated with Seedworm operations.

The Fakeset Backdoor

A separate Python-based backdoor called Fakeset was found on:

  • A U.S. airport’s network
  • A U.S. nonprofit organization

Fakeset was signed with certificates issued to both ‘Amy Cherne’ and ‘Donald Gay.’ The Donald Gay certificate has been used to sign other Seedworm-linked malware including Stagecomp and Darkcomp — directly connecting this new activity to the established Iranian threat group.

Data Exfiltration Attempts

Researchers observed an attempt to steal data from the software company using Rclone — a legitimate file-transfer tool — to move files to a Wasabi cloud storage bucket. It’s unclear if the transfer succeeded, but the intent is clear: intelligence gathering and potential preparation for future attacks.

Why This Matters: Pre-Positioning for Attack

Here’s what makes this particularly dangerous: the hackers gained access before the military conflict began.

‘Already having a presence on U.S. and Israeli networks prior to the current hostilities beginning places the threat group in a potentially dangerous position to launch attacks,’ the Symantec researchers noted.

This is a classic nation-state tactic called pre-positioning. You infiltrate networks during peacetime, establish persistent access, and wait. When the conflict escalates, you already have the access you need to:

  • Steal intelligence — military plans, defense capabilities, business strategies
  • Disrupt operations — shut down systems, delete data, cause chaos
  • Hold infrastructure hostage — ransomware attacks on critical systems
  • Send a message — deface websites, leak data, embarrass targets

‘Even if the motive wasn’t disruption originally, it’s possible that groups such as Seedworm could pivot in response to the war and launch disruptive attacks on organizations they’ve already compromised,’ said Brigid O Gorman, senior intelligence analyst at Symantec.

It’s Not Just Seedworm

Seedworm isn’t the only Iranian cyber group that’s been activated. Security researchers are tracking increased activity from multiple Iranian-linked actors:

  • Charming Kitten (APT35) — Known for spear-phishing campaigns targeting journalists, activists, and government officials
  • OilRig (APT34) — Focuses on energy and telecommunications sectors
  • Handala Hack Team — Claims breaches of Israeli healthcare, hosting, and energy companies; using Starlink to maintain operations during Iran’s internet blackout
  • DieNet — Pro-Palestinian hacktivists claiming DDoS attacks on U.S. energy, financial, healthcare, and transit systems
  • Cyber Islamic Resistance — Alliance with Russian hacktivists targeting Israeli and U.S. systems

Between February 28 and March 2, 2026, the pro-Russian hacktivist group Z-Pentest claimed responsibility for compromising multiple U.S.-based entities, including industrial control systems (ICS), SCADA systems, and CCTV networks.

This is coordinated. This is escalating. And it’s targeting American infrastructure.

What This Means for Businesses

You might think: ‘I’m not a bank or an airport. Why would Iranian hackers target me?’

Here’s why:

1. Supply Chain Access

The software company that was compromised supplies the defense and aerospace industry. Attackers don’t always hit the target directly — they go through suppliers, vendors, and partners. If you do business with any organization that could be considered a target, you’re a potential entry point.

2. Opportunistic Targeting

Nation-state hackers often use automated scanning to find vulnerable systems. If your network has exposed services, default passwords, or unpatched vulnerabilities, you could be compromised simply because you were easy — not because you were specifically targeted.

3. Hacktivist Collateral Damage

Groups like DieNet and Z-Pentest don’t discriminate carefully. They target sectors — energy, financial, healthcare, transit. If you’re in those industries, you’re in their crosshairs regardless of your size.

4. Ransomware Pivot

Access gained for espionage can easily be monetized through ransomware. Even if an Iranian group doesn’t care about your data, they might sell access to criminal organizations who do.

How to Protect Yourself

The security researchers provided specific recommendations. Here’s what you should do:

Immediate Actions

  • Hunt for indicators of compromise. Search your logs for connections to known Seedworm infrastructure. The Symantec report includes specific IOCs including certificate signatures and malware hashes.
  • Enable multi-factor authentication everywhere. MFA on all remote access points, VPNs, email, and cloud services. This is non-negotiable.
  • Monitor for unusual outbound data transfers. A legitimate tool like Rclone moving data to a cloud storage bucket is a red flag.
  • Review remote access. Who has VPN access? Who can RDP into your systems? Audit and restrict.
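The first and third actions above can be turned into a simple hunt over endpoint process telemetry. The script below is an added illustration, not code from the Symantec or Carbon Black report: it flags Rclone runs whose destination looks like cloud storage (Wasabi is the service named in the report) and binaries signed by the two certificate subjects the article attributes to Seedworm. The event format, host names and command lines are constructed, and the cloud-storage hints beyond wasabisys.com are assumptions you would extend from the published IOC list.

```python
import re
import shlex

# Certificate subjects named in the article; extend from the published IOCs.
WATCHLIST_SIGNERS = {"amy cherne", "donald gay"}
# Substrings that suggest an Rclone operand points at cloud object storage.
# wasabisys.com is Wasabi's S3 endpoint; the rest are assumed illustrative hints.
CLOUD_STORAGE_HINTS = ("wasabisys.com", "wasabi", ":s3:", "backblaze", "b2:")

# Constructed sample events in the shape of a generic process-creation log.
SAMPLE_EVENTS = [
    {"host": "ws-014", "image": "C:\\Tools\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Projects wasabi:staging-bucket --transfers 8",
     "signer": "Rclone Ltd"},
    {"host": "ws-022", "image": "C:\\Users\\jdoe\\update.exe",
     "cmdline": "update.exe --silent", "signer": "Amy Cherne"},
    {"host": "srv-db1", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "signer": "Microsoft Windows"},
    {"host": "ws-031", "image": "/usr/bin/rclone",
     "cmdline": "rclone sync /srv/backup local:/mnt/nas", "signer": ""},
]

def is_rclone_to_cloud(event):
    """True when rclone runs with an operand that looks like cloud storage."""
    if not re.search(r"(^|[\\/])rclone(\.exe)?$", event["image"], re.I):
        return False
    # posix=False keeps Windows backslashes intact while splitting on whitespace.
    argv = shlex.split(event["cmdline"], posix=False)
    operands = [a for a in argv[1:] if not a.startswith("-")]
    return any(h in a.lower() for a in operands for h in CLOUD_STORAGE_HINTS)

def is_watchlisted_signer(event):
    """True when the binary's code-signing subject is on the watchlist."""
    return event.get("signer", "").strip().lower() in WATCHLIST_SIGNERS

def hunt(events):
    """Return (host, reason) pairs for every event matching either signal."""
    findings = []
    for e in events:
        if is_rclone_to_cloud(e):
            findings.append((e["host"], "rclone-to-cloud-storage"))
        if is_watchlisted_signer(e):
            findings.append((e["host"], "watchlisted-code-signer"))
    return findings

if __name__ == "__main__":
    for host, reason in hunt(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

The local-to-NAS Rclone sync is deliberately left unflagged so that routine backup jobs do not drown the alert in noise.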

Network Security

  • Segment your networks. Separate operational technology (OT) networks from IT networks. If attackers get into one, they shouldn’t automatically have access to everything.
  • Restrict access to external cloud storage. Block or monitor connections to services like Wasabi, Backblaze, and other cloud platforms commonly abused by attackers.
  • Deploy web application firewalls. Keep rule sets updated to catch exploitation attempts.

Resilience

  • Maintain offline, immutable backups. If attackers pivot to destructive attacks, your backups are your lifeline. Make sure they can’t be reached from compromised systems.
  • Test your incident response plan. If you discovered Iranian hackers in your network tomorrow, what would you do? Know the answer before you need it.
  • Monitor threat intelligence. Stay informed about new indicators of compromise, tactics, and targeting.

The War Is Already Here

Iranian missiles are hitting targets across the Middle East. U.S. and Israeli forces are bombing Tehran. But the frontline of this conflict isn’t just in the physical world — it’s in networks, servers, and systems across America.

Iranian hackers were inside U.S. banks and airports before the first bomb fell. They’re still there. And they’re not alone — a coalition of state-sponsored groups and hacktivists are probing American infrastructure looking for weaknesses.

The question isn’t whether your organization could be targeted. The question is whether you’d know if you already had been.

Now is the time to hunt. Now is the time to harden. Now is the time to prepare.

Need Help Securing Your Business?

At Pendergrass Consulting, we help businesses assess their security posture, hunt for threats, and implement protections against exactly these kinds of attacks. If you’re concerned about your exposure — or want someone to review your network for signs of compromise — we’re here to help.

Contact us today for a security assessment.

Pendergrass Consulting provides cybersecurity, IT support, and technology consulting services throughout the Triangle area, including Raleigh, Durham, Chapel Hill, Cary, Apex, and the surrounding communities.
