
Netcrook


Inside Iran’s Digital Playbook: Seedworm’s Stealthy Siege on US Critical Infrastructure

Published: 06 March 2026 15:31 | Category: Cyber Warfare & Nation-State Operations | Geo: Middle East | Author: AGONY

A new wave of Iranian cyber intrusions targets US defense and infrastructure networks, exposing fresh tactics and escalating digital risks.

In the shadow of rising military tensions between the US and Iran, a silent cyberwar is intensifying. Recent findings by Symantec have pulled the curtain back on a sweeping espionage campaign by the Iranian threat group Seedworm, which has burrowed into the digital veins of American banks, airports, NGOs, and defense contractors. As global attention fixates on kinetic conflict, a quieter, yet potentially devastating, battle is raging in cyberspace.

Symantec’s report details how Seedworm, operating under Iran’s Ministry of Intelligence and Security, leveraged a combination of custom malware and legitimate software tools to breach organizations across North America. Their campaign, which began in early 2026, coincides with escalating regional hostilities, raising alarms that cyber operations are being used as covert extensions of geopolitical conflict.

The attackers deployed a previously unknown backdoor, Dindoor, on the Israeli branch of a US defense software supplier, a US bank, and a Canadian nonprofit. Dindoor, notable for using the Deno runtime, was digitally signed with a certificate issued to a fictitious ‘Amy Cherne’, a classic trick to evade detection. In parallel, a Python-based backdoor called Fakeset, signed with both ‘Amy Cherne’ and ‘Donald Gay’ certificates, was found on a US airport’s network and a nonprofit. These certificates have longstanding links to Seedworm, tying the incidents to the Iranian group.

Beyond espionage, the attackers attempted to siphon data to cloud storage services like Wasabi and Backblaze using the Rclone tool, though it remains unclear if the exfiltration succeeded. The sophistication and variety of these tools highlight Seedworm’s evolving arsenal and their ability to blend custom code with legitimate utilities, a tactic known as “living off the land.”

The campaign isn’t occurring in isolation. Other Iran-aligned groups, such as hacktivist collective Handala and Marshtreader, have simultaneously launched phishing, ransomware, and disruptive denial-of-service attacks against Israeli, US, and Western targets. These efforts, sometimes amplified by data leak sites and social media theatrics, serve dual purposes: information gathering and psychological warfare.

Security experts warn that critical infrastructure (especially operational technology platforms, logistics systems, and contractor networks) faces heightened risk. The advice is clear: organizations must enforce strong network segmentation, restrict remote access, and monitor for abnormal activity, especially in systems controlling physical operations. The reuse of digital certificates and persistent presence in victim environments suggest that Seedworm’s endgame is not just data theft, but the ability to disrupt or manipulate key services at moments of strategic tension.
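Two of the traits the report describes are directly huntable in endpoint telemetry: binaries whose code-signing certificate carries one of the reused ‘Amy Cherne’ / ‘Donald Gay’ subject names, and Rclone being run to copy data out to a cloud remote. The script below is an added example written for this article, not code from Netcrook or Symantec. It assumes a hypothetical process-creation log with one JSON object per line carrying `host`, `image`, `cmdline` and `signer` fields (the sample records are constructed), and it treats the signer names and provider names as a watchlist taken from the article above.

```python
"""Hunt process-creation events for two Seedworm-style indicators:
(1) a watchlisted code-signing subject, (2) an rclone data-moving
command whose destination is a cloud remote. Log format and sample
events are constructed for this example."""
import json
import re

# Signer common names the article reports as linked to Seedworm.
SUSPICIOUS_SIGNERS = {"amy cherne", "donald gay"}

# rclone verbs that move data toward a remote (listing verbs are ignored).
EXFIL_VERBS = {"copy", "sync", "move", "copyto", "moveto"}

# Providers named in the article; matching one only raises the detail text.
CLOUD_HINTS = re.compile(r"wasabi|backblaze|\bb2\b", re.IGNORECASE)

# rclone "remote:path" form; the lookahead drops Windows drive letters (C:\).
REMOTE_SPEC = re.compile(r"^(?![A-Za-z]:[\\/])[A-Za-z0-9_-]+:")

# Constructed telemetry: one JSON object per line (raw string, so the
# doubled backslashes are JSON escapes for single backslashes).
SAMPLE_EVENTS = r"""
{"host":"ws-101","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe","signer":"Microsoft Windows"}
{"host":"ws-102","image":"C:\\Users\\Public\\svc.exe","cmdline":"svc.exe --daemon","signer":"Amy Cherne"}
{"host":"srv-03","image":"C:\\Tools\\rclone.exe","cmdline":"rclone.exe copy D:\\share\\finance remote:bucket --s3-provider Wasabi","signer":"Rclone"}
{"host":"srv-04","image":"C:\\Tools\\rclone.exe","cmdline":"rclone.exe lsd remote:","signer":"Rclone"}
{"host":"ws-105","image":"C:\\Users\\Public\\upd.exe","cmdline":"upd.exe","signer":"Donald Gay"}
"""


def parse_events(text):
    """Parse newline-delimited JSON; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_signer(event):
    """Return a detail string if the binary's signer is on the watchlist."""
    signer = event.get("signer", "").strip()
    if signer.lower() in SUSPICIOUS_SIGNERS:
        return f"binary signed by watchlisted certificate '{signer}'"
    return None


def check_rclone(event):
    """Return a detail string if the event is rclone moving data to a remote."""
    argv = event.get("cmdline", "").split()  # simple split is enough for this sample
    if not argv:
        return None
    exe = argv[0].rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
    if exe not in ("rclone", "rclone.exe"):
        return None
    # First non-flag token after the executable is the rclone verb.
    verb = next((a.lower() for a in argv[1:] if not a.startswith("-")), None)
    if verb not in EXFIL_VERBS:
        return None
    remotes = [a for a in argv[2:] if REMOTE_SPEC.match(a)]
    if not remotes:
        return None
    detail = f"rclone {verb} to remote {remotes[-1]}"
    if CLOUD_HINTS.search(event.get("cmdline", "")):
        detail += " (cloud storage provider named on command line)"
    return detail


RULES = (("watchlisted-signer", check_signer), ("rclone-exfil", check_rclone))


def hunt(text):
    """Run every rule over every event; return a list of findings."""
    findings = []
    for event in parse_events(text):
        for rule, check in RULES:
            detail = check(event)
            if detail:
                findings.append({"host": event.get("host", "?"), "rule": rule, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

Command-line matching alone misses the common case where the remote and its provider live in an rclone configuration file rather than on the command line, so in practice this rule is paired with network telemetry for the storage providers' endpoints and with a baseline of hosts that are expected to run rclone at all; the signer check is only as good as the watchlist, which should be refreshed from vendor reporting.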

As the digital and physical fronts of modern conflict blur, the Seedworm campaign serves as a chilling reminder: the next major escalation may begin not with missiles, but with a mouse click. For defenders, vigilance and preparation are now as critical as ever.

WIKICROOK

  • Advanced Persistent Threat (APT): An Advanced Persistent Threat (APT) is a prolonged, targeted cyberattack by skilled groups, often state-backed, aiming to steal data or disrupt operations.
  • Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
  • Living off the land: Living off the land means attackers use trusted, built-in system tools for malicious purposes, making their activities harder to detect.
  • Rclone: Rclone is a command-line tool for managing files across cloud services, but is also exploited by cybercriminals for data theft and exfiltration.
  • Digital certificate: A digital certificate is an electronic document that verifies the identity of websites or programs, helping ensure secure and trusted online communication.