The post Omani Government Targeted in Blatant Iranian-Nexus Cyberespionage appeared first on Daily CyberSecurity.

Iranian threat group Boggy Serpens' cyberespionage evolves with AI-enhanced malware and refined social engineering. Unit 42 details their persistent targeting.

The post Boggy Serpens Threat Assessment appeared first on Unit 42.

Iran-linked APT MuddyWater targeted U.S. organizations, deploying the new Dindoor backdoor across sectors including banks, airports, and nonprofits.

Broadcom’s Symantec Threat Hunter Team uncovered a campaign by the Iran-linked MuddyWater  (aka SeedWorm, TEMP.Zagros, Mango Sandstorm, TA450, and Static Kitten) APT group targeting several U.S. organizations.

“Activity associated with Iranian APT group Seedworm has been spotted on the networks of multiple U.S. companies. The activity began in February 2026 and has continued in recent days.” reads the report published by Broadcom’s Symantec.

The group deployed a new backdoor called Dindoor and infiltrated networks across multiple sectors, including banks, airports, nonprofits, and the Israeli branch of a software company.

The first MuddyWater campaign was observed in late 2017, when the APT group targeted entities in the Middle East.

Experts named the campaign ‘MuddyWater’ due to the difficulty in attributing a wave of attacks between February and October 2017, targeting entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States. Over the years, the group has evolved by adding new attack techniques to its arsenal and has also targeted European and North American countries.

The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors.

In January 2022, US Cyber Command (USCYBERCOM) officially linked the MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).

The MuddyWater APT has targeted several organizations in the U.S. and Canada since early February 2026. Victims include a U.S. bank, an airport, nonprofits, and a software supplier to the defense and aerospace sectors with operations in Israel. The previously unknown backdoor Dindoor relies on the Deno runtime to execute JavaScript and TypeScript code and was signed with a certificate issued to “Amy Cherne.”

The researchers also observed an attempt to exfiltrate data from a targeted software company using Rclone to a Wasabi Technologies cloud storage bucket, though it’s unclear if the transfer succeeded. The experts also spotted a separate Python backdoor, dubbed Fakeset, on U.S. airport and nonprofit networks, signed with certificates tied to Seedworm. The malware was hosted on Backblaze servers, and shared certificates with other Seedworm-linked malware families, suggesting the Iranian group was behind the intrusions.

“One of the hallmarks of Iran’s operations in cyberspace is that it periodically mounts destructive attacks against organizations in countries it deems hostile, which at the moment would obviously include the U.S. and Israel.” continues the report. “That creates a risk for organizations in those countries because these attacks are about sending a message rather than stealing information, which means that any organization in the country targeted could be in the firing line”

Recent activity linked to Iranian cyber actors shows a mix of espionage, disruption, and influence operations. The pro-Palestinian hacktivist group Handala has targeted Israeli officials and energy firms through phishing, data theft, ransomware, and leak campaigns, claiming breaches of organizations in Israel and the Gulf. Meanwhile, the Iranian APT Seedworm conducted spear-phishing attacks against academics, NGOs, and government entities to gather intelligence. Another group, Marshtreader, scanned vulnerable cameras in Israel for reconnaissance during regional tensions.

Hacktivist collective DieNet has also claimed DDoS attacks on U.S. critical infrastructure. Researchers warn that Iranian-aligned actors may escalate with DDoS attacks, defacements, credential theft, leaks, and potentially destructive operations targeting critical infrastructure, energy, transport, telecoms, healthcare, and defense sectors.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

To Our Partners and Customers

The following intelligence brief was sent to all SentinelOne partners and customers today:

Executive Summary

Recent U.S. and Israeli strikes against Iranian targets, followed by Iranian attacks on multiple regional locations, present a highly dynamic geopolitical situation with credible cyber threat implications. Iran has historically incorporated cyber operations into periods of regional escalation.

Given the rapid escalation of geopolitical tensions, we assess that Iranian state-aligned cyber activity is likely to intensify in the near-term based on a long track record of leveraging cyber operations for asymmetric retaliation, coercive signaling, and strategic messaging. Prior campaigns, including destructive wiper malware, infrastructure disruption, and influence operations masquerading as ‘hacktivism’, demonstrate both capability and intent to operate in the cyber domain alongside kinetic action.

This report outlines Iran’s historical cyber posture, relevant tactics and tradecraft, and our forward-looking assessment of potential cyber responses in the days and weeks following the airstrikes.

We assess with high confidence that organizations in Israel, the United States, and allied nations are likely to face direct or indirect targeting – particularly within government, critical infrastructure, defense, financial services, academic, and media sectors.

We recommend that all clients, especially those operating in, or supporting, U.S. and Israeli infrastructure, review their security posture and preparedness accordingly.

This assessment is current as of February 28, 2026 and reflects a rapidly evolving threat environment.

Iran’s Cyber Operations to Date

Iran presents a mature, well-resourced cyberthreat based on more than fifteen years of experience across a wide range of malicious cyber events.

Iran uses a diverse set of cyber tools to further state objectives, particularly preservation of the Iranian regime, including:

• Espionage and credential theft via APT34, APT39, APT42, and MuddyWater, targeting a wide range of military, civilian, telecommunications, and academic institutions, particularly against regional targets (Israel, Middle East) and the United States
• Disruptive and destructive campaigns, including the use of wiper malware
• Targeted spearphishing and social engineering campaigns, supporting strategic intelligence collection across multiple industries
• Fake hacktivist personas for plausible deniability and psychological impact (e.g., DarkBit, Cyber Av3ngers)
• Coordinated disinformation and influence ops across Telegram, X, and compromised news outlets
• Internet blackouts within Iran to control public opinion and narrative, while similarly countering the effect of foreign influence operations
• Proxy ransomware and criminal fronts blurring lines between state and financially motivated actors

Iranian cyber actors previously aligned their operations with kinetic campaigns, often acting as a force multiplier for regional allies like Hamas or as a standalone tool of retaliation. The TTPs employed by Iranian hacktivists increasingly mirror those used by state-sponsored APTs, raising critical questions about capability sharing and formal command-and-control relationships within this environment.

Expected Iranian Cyber Response to Current Events

1 – Precision Espionage Operations

Expect escalated targeting of Israeli defense, government, and intelligence networks using spearphishing, credential harvesting, and deployment of custom malware. Historically, groups such as APT34 (OilRig) and APT42 (TA453) leveraged legitimate access to move laterally and exfiltrate strategic intelligence. Additionally, U.S. military and government organizations will likely be targeted in similar campaigns.

Anticipated Targets:

• U.S. military and government organizations
• Israeli defense entities and affiliated research organizations
• U.S. and Israeli diplomatic infrastructure
• Defense contractors and supply chain partners
• Strategic allies and locations in theater

2 – Disruptive & Destructive Tactics

Iran has a well-documented history of using destructive malware and DDoS attacks to disrupt the critical infrastructure of its adversaries. We assess a high likelihood of similar tactics being deployed against U.S. and Israeli sectors, particularly utilities and public-facing systems.

Key techniques include:

• Deployment of wipers via fake hacktivist personas or directly-attributed APT clusters
• Exploitation of unpatched or poorly secured public-facing web services for defacement and initial access
• Use of scheduled tasks and LOLBins to execute custom wiper malware with stealth and persistence

Anticipated Targets:

• Transportation, Communication, Energy and Water utilities in U.S. and Israel
• Telecom, alerting systems, and national broadcast infrastructure
• Financial platforms and digital banking services

3 – Coordinated Influence & Disinformation Campaigns

Iranian-aligned actors are likely to amplify disinformation campaigns to shape public perception, particularly around civilian impact, military failure, and geopolitical instability. These efforts often run concurrently with real-world escalations and aim to degrade public trust in institutions.

Anticipated Themes:

• Allegations of Israeli war crimes
• U.S. and Israeli military losses
• Fabricated claims of successful Iranian cyber retaliation
• Disinformation on U.S.–Israel political division
• Leaks of manipulated or stolen documents misattributed to Israeli insiders
• Lack of support from the U.S. populace for ongoing strikes against Iran

4 – Probing Attacks on U.S. & Israeli Infrastructure

Iran has demonstrated readiness to expand attacks to Western infrastructure during periods of high tension. Recent examples include the exploitation of Unitronics PLCs at U.S. water treatment plants (late 2023), highlighting a shift toward ICS/OT targets. Such actions serve retaliatory and signaling purposes and are often designed to be low-impact yet high-visibility to maximize psychological effect.

Anticipated Targets:

• U.S. defense industrial base, especially contractors supporting military action
• Israeli military and key government organizations
• Critical infrastructure (water, energy, transportation) in the U.S. and Israel
• Regional partners (e.g., Jordan, UAE, Egypt, Saudi Arabia) aligned with U.S. and Israeli interests
• Media and academic institutions reporting on the conflict

SentinelOne Detection & Monitoring Posture

SentinelOne research and detection teams have closely followed Iranian cyber actors for many years. We provide multiple layers of protection and are closely monitoring emerging threat intelligence to maximize coverage.

We extensively cover techniques known to be used by Iranian threat groups including:

• PowerShell and script abuse
• Proxy tools
• Credential theft
• Keylogger components
• Wipers
• Browser credential theft
• DLL sideloading
• Tunneling tools (ngrok/Cloudflared)
• Scheduled task persistence
• Remote access tool abuse
• Active Directory reconnaissance
• Destructive boot tampering

These protections are not Iran-specific but known to be effective in detecting their operations.

We are monitoring the situation closely and can ship new detections quickly through Platform Rules updates or Live Security Updates.

Recommendations

1. Increase Vigilance Against Phishing and Credential Abuse

• Prioritize MFA enforcement and internal phishing detection
• Monitor for abuse of VPN, email, and collaboration platforms
• Monitor for suspicious activity involving legitimate user accounts and applications

2. Harden Critical Infrastructure and OT Environments

• Patch and segment exposed ICS components, especially common HMI/PLC vendors
• Scan all Internet-facing infrastructure, and patch any vulnerable Internet-facing services
• Consider removing or restricting network access to any non-critical Internet-facing services, especially if they are not protected by MFA
• Review DDoS mitigation playbooks and response procedures

3. Monitor for Influence Operations and Fake Leaks

• Establish rapid communication response protocols for disinformation relevant to your organization
• Be prepared for threat actors using “hacktivist” branding and Telegram/Telegram-style platforms for communication
• Consider there are likely masquerade efforts and this requires a detailed assessment to determine true origin

4. Review and Test Incident Response Plans

• Ensure IR and SOC teams maintain heightened alert status
• Simulate data-wipe and ransomware scenarios
• Simulate corporate social media hijacking scenarios and prepare for account pausing/access resets

5. Establish Clear Points of Contact

• Ensure internal organization has direct POCs for support for security incidents
• Communicate posture expectations and escalation paths internally

6. Monitor for activity associated with Iranian state-aligned threat actors

SentinelOne is proactively hunting for IOCs and TTPs associated with these groups. These threat hunts are being performed for all Wayfinder Threat Hunting customers. Any related hunt findings will be visible in the Wayfinder Threat Hunting dashboard.

Closing Note

This report is intended to support informed decision-making and proactive defensive measures amid a dynamic and escalating geopolitical conflict.

The cyber threat landscape associated with Iranian state-aligned actors is adaptive, and we assess that both targeting priorities and tactics may shift rapidly in response to real world developments, political statements, or perceived provocations.

We advise clients to treat this as a time-sensitive assessment and to revisit posture, incident response, and monitoring processes regularly.

For immediate questions or escalations, please contact your Client Success Lead or reach our Support teams directly at: https://www.sentinelone.com/global-services/get-support-now/

Appendix

Customers should consider activating Platform Detection Library rules to improve coverage. The following rules are known to be effective against Iranian cyber operations:

MuddyWater

• Possible MuddyWater DLL Drop Consistent with Audio Driver Sideloading

Credential Dumping

• Suspicious Task Creation for Credential Harvesting
• Python-Based Network Exploitation Tool
• Potential LSASS Dumping Tools
• Credential Dumping via Shadow Copy
• Interactive NTDS Harvesting via VSS
• Cached Domain Credential Dumping

Tunneling & Remote Access

• Ngrok Domain Contacted
• Cloudflared Persistent Tunnel Establishment Detected
• Anomalous Process Initiating Cloudflare Tunnel Traffic

Collection & Exfiltration

• Keylogging Script via PowerShell
• Chromium Browser Info Stealer via Remote Debugging
• Browser Credential and Cookie Data Access Attempt

PowerShell/Script Abuse

• PowerShell Script Execution via Time Based Integer IPv4
• Suspicious Usage of .NET Reflection via PowerShell
• Encoded Powershell Launching Command Line Download

Defense Evasion, Impact, Discovery

• Potential DLL Sideloading in PerfLogs Directory
• Disk Data Wipe Attempt via Dd Utility
• Boot Configuration Tampering via BCDEdit
• BloodHound Active Directory Reconnaissance File Creation

On September 25, CISA issued a stark reminder that critical infrastructure remains a primary target for cyberattacks. Vulnerable systems in industrial sectors, including water utilities, continue to be exploited due to poor cyber hygiene practices. Using unsophisticated methods like brute-force attacks and leveraging default passwords, threat actors have repeatedly managed to compromise operational technology (OT) and industrial control systems (ICS).

Attacks on the industrial sector have been particularly costly. The 2024 IBM Cost of a Data Breach report found the average total cost of a data breach in the industrial sector was $5.56 million — an 18% increase for the industry compared to 2023. This represents the highest data breach cost increase of all industries surveyed in the report, rising by an average of $830,000 per breach over last year.

Ongoing vulnerabilities pose a serious threat to public safety and national security, especially as water systems and other critical infrastructure providers remain underprepared in the current threat landscape. Let’s take a closer look at the current state of critical infrastructure security, highlighting recent incidents, efforts to address vulnerabilities and the need for further collaboration between the government and private sectors.

Arkansas City Water Treatment Facility attacked

The cybersecurity incident at the Arkansas City Water Treatment Facility on September 22 exemplifies the growing risks. While city officials emphasized that the water supply remained safe and no disruption to service occurred, the breach still forced the facility to switch to manual operations. The incident is currently under investigation, with local authorities and cybersecurity experts collaborating to resolve the issue and prevent further attacks. But the Arkansas City breach is not an isolated incident; it mirrors a larger trend of attacks on water systems.

CISA has issued multiple warnings regarding the susceptibility of water and wastewater systems to cyber threats. Intruders often exploit outdated and unsecured OT and ICS environments, where systems are exposed to the internet or still using default credentials. This means cyber criminals can gain access using relatively simple techniques, which raises concerns about the overall preparedness of critical infrastructure operators.

CISA warnings and hacktivist activity

CISA’s September alert is not the first indication of the heightened threat to water and other critical infrastructure providers. Earlier in 2024, the agency warned that Russia-affiliated hacktivists were actively targeting ICS and OT environments in U.S. critical infrastructure facilities. Water systems, dams and sectors, such as energy and food, were particularly vulnerable to these attacks.

The situation worsened with the rise of the Cyber Army of Russia Reborn, a hacktivist group tied to Advanced Persistent Threat 44 (APT44), commonly known as Sandworm. The group has been quite busy exploiting weak cybersecurity postures of smaller water systems that lack adequate cyber defense resources.

According to Keith Lunden of Mandiant, “We expect these attacks to continue for the foreseeable future given the lack of dedicated cybersecurity personnel for many small- and mid-sized organizations operating OT.” Unfortunately, hacktivist groups have exploited these gaps with relative ease. And without rapid intervention, these attacks will likely continue.

The State and Local Cybersecurity Grant Program (SLCGP)

Amidst the growing cyber threats, the U.S. Department of Homeland Security (DHS) has recognized the need for more support for state and local government cybersecurity. In fiscal year 2024, DHS announced the allocation of $280 million in grant funding for the State and Local Cybersecurity Grant Program (SLCGP). This funding aims to assist state, local, tribal and territorial governments in enhancing their cyber resilience. A special emphasis has been placed on protecting critical infrastructure systems like water utilities, energy grids and emergency services.

These grants will help organizations improve monitoring systems, patch vulnerabilities and implement critical cybersecurity measures such as multi-factor authentication and regular system audits. In states like Michigan, for example, government agencies are already working with local water utilities to provide cybersecurity training and support. The DHS funding could greatly expand these efforts, offering a much-needed boost to the security posture of critical infrastructure providers.

The Cyberspace Solarium Commission

In 2019, the Cyberspace Solarium Commission (CSC) was established by the U.S. Congress to develop a national cyber defense strategy. Currently, approximately 80% of its recommendations have been implemented. However, a final push is needed to address critical gaps, particularly regarding private-sector collaboration and insurance reforms.

One major challenge is identifying the “minimum security burdens” for systemically important entities critical to national security. This would ensure that high-priority infrastructure providers, such as key transportation systems and water utilities, receive the necessary support to prevent catastrophic events.

The CSC also highlighted the need to develop an economic continuity plan for cyber events. This would be nothing less than an incident response and resilience plan to protect the U.S. economy in the face of a major cyberattack. The commission also emphasized the need for better information sharing between government agencies, private industries and international partners to protect critical infrastructure from evolving cyber threats.

During a recent panel discussion, Senator Angus King, co-chair of CSC 2.0, pointed to the difficulties of building trust between the government and private sectors. Private entities own and operate the majority of the nation’s critical infrastructure, but historical tensions make collaboration challenging. King noted that the situation mirrors early tensions that existed between state officials and CISA. Nonetheless, the collaboration between private industry and government is essential to address the growing threat to critical infrastructure.

The state of critical infrastructure cybersecurity

The cybersecurity posture of U.S. critical infrastructure remains a concern. As seen in attacks like the Arkansas City Water Treatment Facility and other incidents targeting internet service providers, threat actors are increasingly focusing on essential services. These attacks are not limited to small municipalities. Larger-scale infrastructure providers, including ISPs and managed service providers, have also been targets.

The FBI recently disclosed that China-linked hackers compromised more than 260,000 network devices, underscoring the scale of the problem. Meanwhile, attacks attributed to the Chinese government have targeted ISPs and managed service providers through vulnerabilities in Versa Networks’ SD-WAN software, demonstrating the growing sophistication of these threats.

While the U.S. government is actively working to improve critical infrastructure cybersecurity, the attacks on water treatment systems and other essential services clearly reveal that more needs to be done. The DHS grant program and the recommendations of the Cyberspace Solarium Commission represent critical steps in this effort, but collaboration between government, private industry and international partners will be key to building a resilient defense against evolving threats.

The safety of critical infrastructure remains a pressing concern. Recent events should serve as a wake-up call for operators, policymakers and the public to take action before a cyberattack occurs that impacts human life and health. Undoubtedly, the threats are real — and any meaningful response requires a concerted effort.

The post Is the water safe? The state of critical infrastructure cybersecurity appeared first on Security Intelligence.