Iran-linked Hackers Launch Coordinated Cyber Campaign Targeting U.S. Critical Infrastructure, Say Experts
Iran-linked hackers have launched a coordinated cyber campaign targeting U.S. companies, raising urgent concerns about the potential compromise of critical infrastructure. Cybersecurity experts revealed Thursday that the Advanced Persistent Threat (APT) group Seedworm has infiltrated multiple organizations, including a major bank, an airport, and a software supplier to the defense and aerospace industries. These attacks, occurring amid heightened geopolitical tensions, signal a shift toward more aggressive cyber operations as part of a broader strategy to destabilize adversaries.
Researchers at Symantec and Carbon Black uncovered the presence of a hidden malicious program—a backdoor—installed by hackers, allowing them to regain access to compromised systems. While the identities of the affected companies remain undisclosed, the malware's design suggests long-term surveillance and data exfiltration. The hackers are suspected of stealing sensitive information and setting the stage for future disruptive actions, according to the researchers. 'These attacks are about sending a message rather than stealing information,' they warned, 'which means any organization in the targeted country could be in the firing line.'

The cyber campaign coincides with a major U.S.-Israeli military offensive against Iran, which killed the country's supreme leader and several senior officials. Cybersecurity experts caution that such escalations may prompt Iran and its allies to retaliate with cyber operations targeting energy, utilities, transportation, and other critical sectors. 'Because of the heated tension in the region and ongoing attacks, it is likely Iran and its allies may also initiate cyber operations to further target their adversaries,' they said. This timeline underscores the growing integration of cyber warfare into traditional conflict dynamics.

The hacking group, also known as MuddyWater, Temp Zagros, and Static Kitten, is believed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS). Activity tied to the group dates back to early February and has continued through recent weeks, even after U.S. and Israeli military strikes on Iran. Affected organizations include a U.S. bank, an airport, a software firm supplying defense technology, and non-profits in the U.S. and Canada. Notably, the software company's Israeli branch appears to have been the primary target, where investigators discovered a previously unknown malware named 'Dindoor.'
The malware uses Deno, a JavaScript and TypeScript runtime, to execute commands on infected systems. Its digital signature is linked to 'Amy Cherne,' a name potentially tied to Iran's cyber operations. Researchers also observed an attempt to transfer data from the software firm's systems to external cloud storage using Rclone, a command-line file-synchronization tool, though it remains unclear whether any data was successfully exfiltrated. The same backdoor was later found on the networks of a U.S. bank and a Canadian non-profit, suggesting a broader, more systematic campaign.
Cybersecurity advisories emphasize the risks posed by unpatched industrial control systems. A report by CloudSek revealed that over 60 hacker groups mobilized within hours of the February 28, 2026, U.S.-Iran military escalation. Meanwhile, tens of thousands of U.S. industrial control systems remain directly accessible via the internet, many protected only by default passwords. This vulnerability could enable future attacks that disrupt critical infrastructure, such as power grids or water supply networks.

Experts warn that Iranian cyber groups may escalate their operations, combining high-visibility disruptions with covert access efforts. 'The likely next steps for the nation's cyber actors may be multiple campaigns combining high-visibility disruption for political signaling and lower-visibility access operations for strategic leverage,' the researchers said. As the Middle East war spirals, the stakes for global cybersecurity—and the safety of everyday citizens—have never been higher.