Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company

    Date: 03/06/2026

    Severity: Critical

    Summary

    Seedworm (also known as MuddyWater) has been observed conducting cyber-espionage activity against multiple organizations in the United States and Canada since early 2026. Targeted entities include a U.S. bank, an airport, a defense-related software company, and non-profit organizations. The attackers deployed previously unseen malware, including the Dindoor backdoor, which runs on the Deno JavaScript/TypeScript runtime, and the Python-based Fakeset backdoor, and attempted to exfiltrate data to cloud storage using Rclone. Reused code-signing certificates and shared infrastructure link the activity to Seedworm, indicating ongoing espionage operations and the potential for further attacks amid escalating geopolitical tensions.

    Indicators of Compromise (IOC) List

    URLs/Domain

    gitempire.s3.us-east-005.backblazeb2.com

    elvenforest.s3.us-east-005.backblazeb2.com

    uppdatefile.com

    serialmenot.com

    moonzonet.com

    Hash

    0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542

    1d984d4b2b508b56a77c9a567fb7a50c858e672d56e8cf7677a1fca5c98c95d1

    2a00705cfd3c15cf8913e9eb4e23968efd06f1feceaef9987d26c5518887d043

    2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5

    42a5db2a020155b2adb77c00cbe6c6ad27c2285d8c6114679d9d34137e870b3f

    7467f326677a4a2c8576e71a832e297e794ea00e9b67c4fcbe78b5aec697cec4

    7c30c16e7a311dc0cdb1cdfd9ea6e502f44c027328dbe7d960b9bcd85ccf5eef

    b0af82de672d81f3c2f153977923b3884a8a9e7045b182c2379b19a1996931a0

    bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a

    c7cf1575336e78946f4fe4b0e7416b6ebe6813a1a040c54fb6ad82e72673478e

    077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de

    15061036c702ad92b56b35e42cf5dc334597e7311e98d2fdd3815a69ac3b1d84

    2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6

    4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be

    64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb

    64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1

    74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d

    94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444

    a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377

    a5d4d6be3bfe0cba23fe6b44984b5fc9c7c7e10030be96120bb30da0f2545d4c

    ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888

    24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14

    a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0

    3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90

    1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "serialmenot.com" or siteurl like "serialmenot.com" or url like "serialmenot.com"
    or domainname like "uppdatefile.com" or siteurl like "uppdatefile.com" or url like "uppdatefile.com"
    or domainname like "moonzonet.com" or siteurl like "moonzonet.com" or url like "moonzonet.com"
    or domainname like "gitempire.s3.us-east-005.backblazeb2.com" or siteurl like "gitempire.s3.us-east-005.backblazeb2.com" or url like "gitempire.s3.us-east-005.backblazeb2.com"
    or domainname like "elvenforest.s3.us-east-005.backblazeb2.com" or siteurl like "elvenforest.s3.us-east-005.backblazeb2.com" or url like "elvenforest.s3.us-east-005.backblazeb2.com"

    Detection Query 2:

    sha256hash IN (
    "64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb",
    "94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444",
    "3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90",
    "a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377",
    "ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888",
    "c7cf1575336e78946f4fe4b0e7416b6ebe6813a1a040c54fb6ad82e72673478e",
    "24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14",
    "077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de",
    "4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be",
    "42a5db2a020155b2adb77c00cbe6c6ad27c2285d8c6114679d9d34137e870b3f",
    "7467f326677a4a2c8576e71a832e297e794ea00e9b67c4fcbe78b5aec697cec4",
    "74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d",
    "bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a",
    "a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0",
    "7c30c16e7a311dc0cdb1cdfd9ea6e502f44c027328dbe7d960b9bcd85ccf5eef",
    "b0af82de672d81f3c2f153977923b3884a8a9e7045b182c2379b19a1996931a0",
    "2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6",
    "2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5",
    "64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1",
    "2a00705cfd3c15cf8913e9eb4e23968efd06f1feceaef9987d26c5518887d043",
    "1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6",
    "0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542",
    "1d984d4b2b508b56a77c9a567fb7a50c858e672d56e8cf7677a1fca5c98c95d1",
    "15061036c702ad92b56b35e42cf5dc334597e7311e98d2fdd3815a69ac3b1d84",
    "a5d4d6be3bfe0cba23fe6b44984b5fc9c7c7e10030be96120bb30da0f2545d4c"
    )
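    The two queries above match the IOC list literally. Two things a practitioner should check before relying on them: hash fields in many pipelines are not normalized for case (the page itself lists one hash in mixed case), and a bare-domain match misses hosts such as a subdomain of serialmenot.com, while the two Backblaze B2 bucket hosts must be matched exactly because backblazeb2.com is a shared, legitimate service. The following Python is an added example (not Gurucul's or Symantec's code) that applies the page's IOCs to a handful of constructed events with those cases handled; the event field names mirror the queries above, and the sample events, including the benign hash in event 6, are made up for illustration.

```python
from typing import Iterable, Optional
from urllib.parse import urlparse

# Domains from the advisory's IOC list.
IOC_DOMAINS = {
    "uppdatefile.com",
    "serialmenot.com",
    "moonzonet.com",
    "gitempire.s3.us-east-005.backblazeb2.com",
    "elvenforest.s3.us-east-005.backblazeb2.com",
}
# Bucket hosts on a shared cloud service are matched exactly; the bare apex
# domains above also match their subdomains.
EXACT_ONLY = {d for d in IOC_DOMAINS if d.endswith(".backblazeb2.com")}

# SHA-256 hashes from the advisory, normalized to lowercase on load so that a
# mixed-case entry (the page lists one as "A92d28f1...") still matches.
IOC_SHA256 = {h.lower() for h in (
    "0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542",
    "1d984d4b2b508b56a77c9a567fb7a50c858e672d56e8cf7677a1fca5c98c95d1",
    "2a00705cfd3c15cf8913e9eb4e23968efd06f1feceaef9987d26c5518887d043",
    "2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5",
    "42a5db2a020155b2adb77c00cbe6c6ad27c2285d8c6114679d9d34137e870b3f",
    "7467f326677a4a2c8576e71a832e297e794ea00e9b67c4fcbe78b5aec697cec4",
    "7c30c16e7a311dc0cdb1cdfd9ea6e502f44c027328dbe7d960b9bcd85ccf5eef",
    "b0af82de672d81f3c2f153977923b3884a8a9e7045b182c2379b19a1996931a0",
    "bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a",
    "c7cf1575336e78946f4fe4b0e7416b6ebe6813a1a040c54fb6ad82e72673478e",
    "077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de",
    "15061036c702ad92b56b35e42cf5dc334597e7311e98d2fdd3815a69ac3b1d84",
    "2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6",
    "4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be",
    "64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb",
    "64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1",
    "74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d",
    "94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444",
    "a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377",
    "a5d4d6be3bfe0cba23fe6b44984b5fc9c7c7e10030be96120bb30da0f2545d4c",
    "ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888",
    "24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14",
    "A92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0",
    "3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90",
    "1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6",
)}


def host_matches(host: str) -> Optional[str]:
    """Return the IOC domain a hostname hits, or None.

    Apex IOCs match the host itself and any subdomain (suffix anchored on a
    dot, so "moonzonet.com.evil.example" does not match); bucket hosts in
    EXACT_ONLY match only as a whole.
    """
    host = host.strip().lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc:
            return ioc
        if ioc not in EXACT_ONLY and host.endswith("." + ioc):
            return ioc
    return None


def host_from_url(value: str) -> Optional[str]:
    """Extract the hostname from a URL, tolerating a missing scheme."""
    return urlparse(value if "://" in value else "//" + value).hostname


def scan_events(events: Iterable[dict]) -> list:
    """Apply the domain and hash IOCs to log events shaped like the queries
    above (fields domainname / siteurl / url / sha256hash)."""
    hits = []
    for ev in events:
        for field in ("domainname", "siteurl", "url"):
            value = ev.get(field)
            if not value:
                continue
            host = value if field == "domainname" else host_from_url(value)
            ioc = host_matches(host) if host else None
            if ioc:
                hits.append({"id": ev["id"], "field": field, "ioc": ioc})
                break
        digest = ev.get("sha256hash")
        if digest and digest.lower() in IOC_SHA256:
            hits.append({"id": ev["id"], "field": "sha256hash", "ioc": digest.lower()})
    return hits


# Constructed sample events (hypothetical; not from the advisory).
SAMPLE_EVENTS = [
    {"id": 1, "url": "https://cdn.serialmenot.com/update.bin"},            # subdomain of an apex IOC
    {"id": 2, "siteurl": "gitempire.s3.us-east-005.backblazeb2.com/backup/2026-03-02.zip"},
    {"id": 3, "url": "https://other.s3.us-east-005.backblazeb2.com/file"},  # unrelated B2 bucket
    {"id": 4, "sha256hash": "A92D28F1D32E3A9AB7C3691F8BFCA8F7586BB0666ADBBA47EAB3E1A8FAF7ECC0"},
    {"id": 5, "domainname": "moonzonet.com.evil.example"},                   # IOC as an inner label only
    {"id": 6, "url": "https://www.example.com/",
     "sha256hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

    Events 1, 2 and 4 produce hits; 3, 5 and 6 do not. Event 1 is the case an exact `like` on the bare domain would miss, and event 4 is the case a case-sensitive hash comparison would miss. If your platform's `like` is a pure equality test without wildcards, Query 1 behaves like the exact-match branch only; if it is a substring match, confirm it does not also fire on the unrelated bucket in event 3 or the look-alike label in event 5.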

    Reference:

    https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us


    Tags

    APT, Iran, United States, Israel, MuddyWater, Cyber Espionage, Canada, Transportation Systems, Financial Services, Defense Industrial Base, Information Technology, Backdoor, Python, Exfiltration, Malware, Threat Actor
