The PolySwarm Blog

Footholds, Live Feeds, and Lifelines: Iranian Cyber Operations Surviving, Not Thriving

Mar 16, 2026 2:42:32 PM / by The Hivemind

Verticals Targeted: Banking, Aviation, Defense, Healthcare
Regions Targeted: US, Canada
Related Families: Dindoor, Fakeset, Stagecomp, Darkcomp

Executive Summary

Recent reporting indicates Iranian cyber actors are expanding operations targeting US organizations while also exploiting internet-connected cameras across the Middle East for intelligence collection and battlefield awareness. These developments represent another layer in Iran’s evolving hybrid warfare strategy. Iranian APT group MuddyWater has maintained access to multiple US organizations since early February, while Iran-linked infrastructure has targeted internet-connected surveillance cameras across the Middle East. Hacktivist group Handala has recently claimed responsibility for a destructive cyberattack against medical technology firm Stryker. Taken together, these incidents suggest Iran’s cyber ecosystem is currently surviving but not thriving, maintaining operational capability despite disruption to infrastructure and command structures.

Key Takeaways

  • Iranian APT group MuddyWater has maintained access to multiple US organizations since early February 2026, including entities tied to banking, aviation, and defense-adjacent industries.
  • Iran-linked infrastructure has targeted Hikvision and Dahua surveillance cameras across the Middle East using vulnerabilities including CVE-2017-7921, CVE-2021-33044, and others.
  • Iranian-aligned hacktivist group Handala claimed responsibility for a destructive cyberattack against global medical technology firm Stryker, reportedly wiping large numbers of systems.
  • Taken together, these incidents suggest Iran’s cyber ecosystem is currently surviving but not thriving, maintaining operational capability despite disruption to infrastructure and command structures.

Background

Iranian cyber activity observed during early 2026 reflects a strategy that blends intelligence collection, operational surveillance, and disruptive cyber operations. Activity attributed to both Iranian state-linked threat groups and affiliated proxy actors indicates Tehran continues to leverage cyberspace as a complementary domain alongside ongoing military escalation in the Middle East.

Existing Footholds in Western Networks

Beginning in early February 2026, activity associated with the Iranian advanced persistent threat (APT) group MuddyWater was identified on the networks of several organizations in the United States and Canada. Symantec and Carbon Black reported on this activity. Observed targets included a US bank, an airport, a non-profit organization, and the Israeli operations of a US software company supplying customers in the defense and aerospace sectors.

Researchers identified previously undocumented malware referred to as Dindoor, which was deployed within the software company’s network and later identified on additional victim systems. The backdoor leverages the Deno runtime for JavaScript and TypeScript, allowing operators to execute commands and maintain persistent access within compromised environments. A separate Python-based backdoor known as Fakeset was also observed on the networks of other victims, including the airport and non-profit organization.

Investigators additionally identified evidence of attempted data exfiltration using the cloud synchronization tool Rclone, suggesting that intelligence collection was likely a primary objective of the operation. Several malware samples were signed using digital certificates previously associated with MuddyWater activity, strengthening attribution to the Iranian group.
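The two host-level signals described above (a Deno runtime hosting a backdoor script, and Rclone staging data to a cloud remote) can be hunted for in process-creation telemetry. The script below is an added example, not PolySwarm's or Symantec's tooling; the event field names, the constructed sample events and the permission-flag and remote-syntax heuristics are assumptions, not indicators taken from the reporting.

```python
"""Hunt process-creation events for the MuddyWater tradecraft described
above: Deno launched with broad permissions (Dindoor-style backdoor host)
and Rclone copying data to a configured cloud remote (exfiltration).
Field names follow Sysmon-style telemetry; this is an assumed schema."""
import re
from dataclasses import dataclass

# Constructed sample events (assumption: host/image/cmdline fields).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Users\j\AppData\Local\deno\deno.exe",
     "cmdline": "deno.exe run --allow-net --allow-run C:\\Users\\j\\AppData\\Roaming\\svc.ts"},
    {"host": "ws-01", "image": r"C:\Tools\rclone.exe",
     "cmdline": "rclone.exe copy C:\\Finance\\Q1 backup:export --transfers 16"},
    {"host": "ws-02", "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "node.exe build.js"},
    {"host": "ws-03", "image": r"C:\Tools\rclone.exe",
     "cmdline": "rclone.exe version"},
]

@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    cmdline: str

# Deno permission flags that let a script reach the network or spawn
# processes; a backdoor needs at least one of them (heuristic, assumed).
DENO_PERMS = re.compile(r"(?:^|\s)(?:-A|--allow-all|--allow-net|--allow-run)\b")
# Rclone transfer verb with a destination in "remote:path" syntax.
RCLONE_XFER = re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\s+\S+\s+[\w-]+:\S*")

def hunt(events):
    """Return one Finding per event matching either heuristic."""
    findings = []
    for ev in events:
        image = ev["image"].lower().replace("\\", "/").rsplit("/", 1)[-1]
        cmd = ev["cmdline"]
        if image in ("deno", "deno.exe") and " run " in f" {cmd} " and DENO_PERMS.search(cmd):
            findings.append(Finding(ev["host"], "deno_runtime_backdoor_host", cmd))
        elif image in ("rclone", "rclone.exe") and RCLONE_XFER.search(cmd):
            findings.append(Finding(ev["host"], "rclone_cloud_exfil", cmd))
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}\t{f.rule}\t{f.cmdline}")
```

Both findings land on the same host, which is the kind of co-occurrence (scripted runtime plus cloud sync tool) worth escalating; a bare `rclone version` or a normal Node build is not flagged.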

MuddyWater has long been linked to Iran’s Ministry of Intelligence and Security (MOIS) and historically focuses on espionage operations. However, the presence of Iranian operators inside networks tied to financial services, aviation infrastructure, and defense-sector supply chains during a period of geopolitical escalation raises the possibility that these footholds could later be leveraged for retaliatory or disruptive cyber activity. Pre-positioned access of this nature allows operators to maintain persistence inside critical environments, potentially enabling future sabotage, intelligence collection, or coercive operations.

IP Cameras as Digital ISR

In parallel with these network intrusions, researchers at Check Point Research observed a surge in attempts to exploit internet-connected surveillance cameras across the Middle East beginning February 28, 2026, coinciding with the start of major hostilities in the region. Compromised surveillance cameras can provide valuable intelligence, surveillance, and reconnaissance (ISR) capabilities, allowing operators to monitor targets in real time and conduct battle damage assessment following missile strikes.

Scanning activity originating from infrastructure attributed to Iranian actors targeted devices manufactured by Hikvision and Dahua, which are widely deployed across commercial, municipal, and government environments. The activity focused on several known vulnerabilities, including:

  • CVE-2017-7921 – an improper authentication vulnerability in Hikvision firmware
  • CVE-2021-36260 – a command injection vulnerability affecting Hikvision devices
  • CVE-2023-6895 – a command injection vulnerability in Hikvision intercom systems
  • CVE-2025-34067 – a remote code execution vulnerability in Hikvision management platforms
  • CVE-2021-33044 – an authentication bypass vulnerability affecting Dahua products

Targets of the scanning activity included Israel, Qatar, Bahrain, Kuwait, the United Arab Emirates, Lebanon, and Cyprus, several of which have experienced missile or drone activity linked to Iran. Compromised surveillance cameras can provide significant intelligence value during military operations. Access to these devices allows operators to observe locations in real time, monitor emergency response activity, and perform battle damage assessment (BDA) following missile strikes. In some cases, camera access may also support target verification or strike correction by providing immediate visual confirmation of impact locations.

Similar activity was previously reported during the June 2025 Iran-Israel conflict, when compromised cameras were believed to have been used to observe the aftermath of missile strikes against Israeli targets. The continued use of this tactic suggests Iranian actors view internet-connected surveillance infrastructure as a low-cost intelligence platform capable of augmenting traditional reconnaissance capabilities during periods of active conflict.

Proxy Disruption: Handala Targets Stryker

Iran-aligned proxy groups have also demonstrated a willingness to conduct disruptive cyber operations during the current escalation. According to Bleeping Computer, the hacktivist collective Handala claimed responsibility for a destructive cyberattack against medical technology manufacturer Stryker, a Fortune 500 company producing surgical and neurotechnology equipment.

According to statements attributed to the group, attackers exfiltrated approximately 50 terabytes of data before deploying destructive malware that wiped systems across the company’s global network. Reports from employees indicated that corporate laptops and mobile devices enrolled in enterprise device management systems were remotely wiped, disrupting operations and forcing some locations to revert to manual workflows.

Handala has previously been linked by researchers to Iran’s intelligence ecosystem and has conducted cyber operations targeting organizations associated with Israel. These operations frequently combine data theft, destructive activity, and information operations designed to amplify psychological and political pressure.

Analyst Commentary

The activity described above aligns with trends identified in several of our recent threat bulletins examining Iranian cyber operations during the current conflict. Cyber Strategy Under Fire: Iranian APT and Proxy Retaliation Risks highlighted the growing reliance on both state-backed threat groups and proxy actors to conduct retaliatory cyber operations against Western and Israeli targets. Our analysts noted Handala as one of the likely proxies to retaliate on Iran’s behalf. Subsequent reporting in Hybrid Warfare Evolves: Iranian Drone Strikes Impact AWS Infrastructure and Electronic Warfare Disruptions Near the Strait of Hormuz illustrated how Tehran increasingly combines cyber operations with kinetic and electronic warfare capabilities to apply pressure across multiple operational domains.

Taken together, these developments suggest that Iran’s cyber ecosystem remains operational but currently faces constraints. Military strikes targeting Iranian infrastructure and leadership appear to have disrupted elements of the country’s cyber command structure, reducing centralized coordination. As a result, recent operations show greater reliance on pre-positioned network access, commercially available infrastructure, and proxy actors conducting disruptive or intelligence-driven campaigns. These trends indicate that Iran’s cyber capabilities are presently surviving but not thriving, maintaining the ability to conduct espionage, surveillance, and disruptive attacks despite reduced operational cohesion. PolySwarm analysts continue to monitor the ongoing conflict for developments relevant to the cyber threat landscape.

IOCs

PolySwarm has multiple samples of malware associated with MuddyWater’s targeting of US entities. Below is a selection of related hashes:


Stagecomp

24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14

A92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0

Darkcomp

3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90

1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6
