Iran-linked hackers have launched a cyber campaign targeting US companies, raising fears that critical infrastructure could soon come under attack.
Cybersecurity experts revealed Thursday that the Advanced Persistent Threat (APT) group Seedworm had infiltrated multiple organizations, including a bank, an airport and a software supplier to the defense and aerospace industries.
Researchers at Symantec and Carbon Black discovered attackers installed a hidden malicious program, known as a backdoor, allowing them to secretly regain access to compromised systems.
They did not disclose the names of the affected companies.
Investigators said the hackers appeared to be spying, stealing sensitive data and positioning themselves for potential future attacks.
‘These attacks are about sending a message rather than stealing information, which means any organization in the targeted country could be in the firing line,’ the researchers warned.
The cyber activity comes as the US and Israel launched a major military offensive against Iran that killed the country’s supreme leader and several senior officials.
‘Because of the heated tension in the region and ongoing attacks, it is likely Iran and its allies may also initiate cyber operations to further target their adversaries,’ the researchers said.
The cyber activity comes as the US and Israel launched a major military offensive against Iran, killing the country’s supreme leader and several senior officials.
Cybersecurity experts revealed Thursday that the Iranian hackers had infiltrated multiple US organizations, including a bank, an airport and a software supplier to the defense and aerospace industries (STOCK)
Iran has previously demonstrated significant cyber capabilities, particularly during periods of heightened geopolitical tension.
The cybersecurity experts warned that any future attacks could target critical sectors such as energy and utilities, transportation and logistics, finance, telecommunications, healthcare, and companies linked to defense and military supply chains.
The hacking group, also known as MuddyWater, Temp Zagros and Static Kitten, is believed to be part of the Iranian Ministry of Intelligence and Security (MOIS).
The activity appears to have begun in early February and has continued in recent days, even after US and Israeli military strikes on Iran, the cybersecurity researchers shared in a blog.
Several organizations have reported suspicious activity on their systems in recent weeks, including a US bank, an airport and a software company that supplies technology to the defense and aerospace industries.
Non-profit organizations in both the US and Canada were also affected.
Researchers said the software company operates in Israel, and its Israeli branch appears to have been the primary target of the activity.
They also discovered a previously unknown piece of malware, a hidden access tool they named ‘Dindoor,’ on the systems of the company’s Israeli branch.
Investigators said the hackers appeared to be spying, stealing sensitive data and positioning themselves for potential future attacks
The same backdoor was later found on the networks of a US bank and a Canadian non-profit organization, suggesting the attacks were part of a broader campaign.
The malware uses a programming tool known as Deno to run commands on infected systems and was digitally signed with a certificate issued to the name ‘Amy Cherne.’
Investigators also detected an attempt to copy data from the software company’s systems to external cloud storage using a file-transfer tool called Rclone.
However, it remains unclear whether any information was successfully stolen.
The experts warned that Iranian cyber groups may escalate their operations, potentially combining disruptive attacks with quieter efforts to gain access to sensitive systems.
‘The likely next steps for the nation’s cyber actors and supporters may be multiple campaigns combining high-visibility disruption for political signaling and lower-visibility access operations for strategic leverage,’ the researchers said.
The attacks come as cybersecurity firm CloudSek released a threat landscape assessment warning that more than 60 hacker groups mobilised within hours of the February 28, 2026, US-Iran military escalation.
They added that tens of thousands of US industrial control systems remain directly reachable from the internet, many with no authentication beyond a factory-default password.
