Iran-Linked Seedworm Hackers Intensify Attacks on U.S. and Canadian Critical Infrastructure Amid Rising Geopolitical Tensions
Washington | As tensions escalate between Iran and Western nations, cybersecurity experts have reported a notable increase in activity from the Iranian hacking group known as Seedworm. This group has increasingly targeted digital networks linked to critical infrastructure in both the United States and Canada.
Seedworm has been detected infiltrating various systems since early February 2026. Threat intelligence researchers suggest that this campaign likely began weeks before the military conflict that erupted following coordinated strikes by the United States and Israel on February 28, significantly altering the strategic landscape in the region.
Analysts indicate that the timing of these intrusions points to a premeditated strategy rather than spontaneous reactions. The attackers appear to have established footholds within high-value networks over an extended preparation period.
Seedworm is identified as an advanced persistent threat group associated with Iran’s Ministry of Intelligence and Security. Over nearly a decade, the group has gained a reputation for conducting espionage operations across multiple sectors, including government, telecommunications, defense, and energy. Recent findings suggest that their activities may now extend to organizations involved in financial services, transportation infrastructure, and the aerospace industry.
Long-Running Cyber Campaign Expands Its Reach
Seedworm has been operational since at least 2017 and is known by several aliases, including MuddyWater, TEMP.Zagros, and Static Kitten. The group has progressively broadened its targeting beyond the Middle East.
Investigators have identified that Seedworm has compromised or attempted to breach the networks of a U.S. bank, a major airport, a software company linked to the defense and aerospace sectors, and several non-governmental organizations in North America. In one notable incident, the attackers showed particular interest in the Israeli operations of a multinational software firm. Analysts believe the group may have leveraged this company’s international infrastructure to navigate through interconnected networks.
The intrusions were already underway before the latest military conflict, indicating that the hackers had embedded themselves within targeted systems well in advance. Cybersecurity specialists assert that this strategy is typical of state-aligned espionage operations, which prioritize long-term access over immediate disruption.
A Digital Battlefield Beyond Iran’s Borders
Despite disruptions to internet connectivity within Iran during the ongoing conflict, Western cybersecurity agencies warn that Iranian-linked cyber operations remain active. The United Kingdom’s National Cyber Security Centre has recently cautioned that Iranian state-aligned actors still possess the capability to conduct cyber activities, even amid domestic infrastructure challenges.
Experts attribute this resilience to the decentralized nature of contemporary cyber operations. Many groups maintain infrastructure or personnel outside their home countries, allowing them to continue their campaigns even if domestic networks experience outages.
In addition to Seedworm, other actors aligned with Iran’s geopolitical interests have increased their online activities. One such group, known as DieNet, emerged in 2025 and has claimed responsibility for distributed denial-of-service attacks targeting sectors such as energy, healthcare, finance, and transportation. These attacks have employed common disruption techniques, including TCP SYN floods, DNS amplification, and NTP amplification, generating traffic surges designed to overwhelm digital systems.
The convergence of espionage campaigns by state-linked groups and disruptive attacks by ideologically aligned hackers has created a complex threat landscape.
New Backdoors and Stealth Techniques
Investigators have noted that the most recent Seedworm campaign introduced several new tools aimed at maintaining persistent access within compromised networks. Among these are two previously identified backdoors, Dindoor and Fakeset.
Dindoor operates through Deno, a runtime environment for JavaScript and TypeScript. This unconventional platform may enable the malware to evade traditional security monitoring systems designed to detect more conventional tools. The second backdoor, Fakeset, is written in Python and has been deployed on networks associated with an airport and a non-profit organization.
Both tools were digitally signed with certificates linked to identities previously associated with Seedworm malware, providing further evidence connecting the activity to the group’s established infrastructure. Other components of the intrusion included a downloader named Stagecomp, which was utilized to deploy a separate malware tool previously attributed to the same hacking operation by major cybersecurity firms.
In at least one instance, attackers attempted to exfiltrate data from a compromised network using Rclone, a legitimate file-transfer program commonly employed for cloud storage synchronization. Researchers suspect the files were intended for a cloud storage service, although it remains uncertain whether the transfer was successful.
Critical Infrastructure Under Pressure
Cybersecurity experts emphasize that the latest wave of activity highlights the vulnerability of interconnected infrastructure systems. Banks, airports, healthcare providers, and energy companies increasingly rely on complex digital environments linked through global supply chains and shared software platforms. A compromise in one organization can potentially create access points into several others.
To mitigate such threats, security specialists recommend implementing a range of protective measures, including multi-factor authentication for remote access, monitoring unusual outbound data transfers, and restricting external cloud storage connections. They also stress the importance of maintaining secure offline backups to facilitate rapid recovery in the event of destructive cyberattacks.
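As an added example, not drawn from the article or from any of the researchers it cites, the following Python script applies two of the recommendations above to constructed telemetry: it flags rclone-style executions (including a renamed binary, as the Rclone exfiltration attempt described earlier would warrant) and large outbound transfers to cloud-storage endpoints, raising severity when both occur on the same host. Hostnames, paths, the byte threshold and the cloud-storage domain list are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article): process-creation events and
# per-host outbound flow totals for a one-hour window.
PROCESS_EVENTS = [
    {"host": "fs01", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "fs01", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance remote:share --config C:\Users\Public\r.conf -q"},
    {"host": "ws07", "image": r"C:\ProgramData\svc.exe",  # renamed rclone binary
     "cmdline": r"svc.exe sync C:\Users\a\Documents mega:docs --transfers 8 --no-check-certificate"},
]
FLOWS = [
    {"host": "fs01", "dst": "api.dropbox.com", "bytes_out": 3_400_000_000},
    {"host": "ws07", "dst": "g.api.mega.co.nz", "bytes_out": 900_000_000},
    {"host": "db02", "dst": "update.example-vendor.com", "bytes_out": 50_000_000},
]

# Assumed watch context: cloud-storage domains of interest and a per-host/hour byte threshold.
CLOUD_STORAGE = ("dropbox.com", "mega.co.nz", "drive.google.com", "onedrive.live.com", "box.com")
BYTES_THRESHOLD = 500_000_000
# rclone invocations look like "<subcommand> <source> <remote>:<path>" whatever the binary is named.
RCLONE_CMD = re.compile(r"\b(copy|sync|move|copyto|moveto)\s+\S+\s+\w+:\S*", re.I)
RCLONE_FLAGS = ("--config", "--no-check-certificate", "--transfers", "--bwlimit", "-q")

def process_indicators(ev):
    """Return the rclone-related indicators found in one process-creation event."""
    reasons = []
    if ev["image"].rsplit("\\", 1)[-1].lower() == "rclone.exe":
        reasons.append("rclone binary")
    if RCLONE_CMD.search(ev["cmdline"]):
        reasons.append("rclone-style remote copy syntax")
    tokens = ev["cmdline"].split()
    reasons += [f"flag {f}" for f in RCLONE_FLAGS if f in tokens]
    return reasons

def detect(process_events=PROCESS_EVENTS, flows=FLOWS):
    """Correlate rclone-like executions with large outbound transfers to cloud storage, per host."""
    alerts = defaultdict(lambda: {"process": [], "flows": []})
    for ev in process_events:
        reasons = process_indicators(ev)
        if reasons:
            alerts[ev["host"]]["process"] += reasons
    for fl in flows:
        if fl["bytes_out"] >= BYTES_THRESHOLD and fl["dst"].endswith(CLOUD_STORAGE):
            alerts[fl["host"]]["flows"].append(f"{fl['bytes_out'] // 1_000_000} MB to {fl['dst']}")
    for a in alerts.values():  # both signals on one host is the strongest exfiltration indicator
        a["severity"] = "high" if a["process"] and a["flows"] else "medium"
    return dict(alerts)
```

A flow-only hit (no rclone indicator on the host) stays at medium severity so that legitimate backup jobs to sanctioned cloud storage can be triaged rather than blocked outright.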
As geopolitical tensions spill into cyberspace, analysts observe that the line between traditional conflict and digital warfare is becoming increasingly blurred, with critical infrastructure systems often caught in the crossfire.
As reported by cyberwarriorsmiddleeast.com.
Published on 2026-03-10 18:48:00 • By Editorial Desk