Cybersecurity researchers say an Iranian state-linked hacking group known as Seedworm has gained access to several organizations connected to critical infrastructure in the United States and Israel, raising concerns about possible cyber operations targeting key industries.

According to threat intelligence findings published by Symantec and Carbon Black, the group has maintained covert access to multiple networks since early February. Seedworm, which the US Cybersecurity and Infrastructure Security Agency describes as connected to Iran’s Ministry of Intelligence and Security, is known for cyber espionage campaigns targeting governments and strategic industries.

Researchers said the hackers used a previously undocumented backdoor malware called Dindoor to gain unauthorized access to victim systems. The tool allows attackers to maintain persistent control over compromised networks while remaining difficult to detect. Once installed, the backdoor enables remote command execution and continued monitoring of internal systems.

The investigation identified several organizations affected by the intrusion. These include a US bank, a technology company with operations in Israel, an airport, and multiple non-governmental organizations located in the United States and Canada. Security teams at those organizations reportedly detected suspicious network activity linked to the breach.

Researchers noted that the attacks appeared shortly after military strikes by the United States and Israel against targets in Iran that began on February 28. While the report does not directly link the intrusions to those events, analysts said the timing highlights how geopolitical tensions can coincide with increased cyber activity by state-aligned groups.

Seedworm has been active for several years and is also known by the names MuddyWater and Mango Sandstorm in various threat intelligence tracking systems. The group has historically targeted organizations in the Middle East, including government agencies, telecommunications providers, and regional infrastructure operators.

The latest findings suggest the group has expanded its focus beyond the Middle East. Researchers said recent activity shows a broader targeting pattern that includes organizations in North America, Europe, Africa, and Asia. Critical sectors such as banking, aviation, and technology appear to be of particular interest.

Security analysts say the presence of attackers inside networks does not necessarily indicate that destructive operations are imminent. However, long-term access can allow threat actors to gather intelligence, map network infrastructure, and prepare for potential follow-up operations.

The discovery comes as cybersecurity agencies and private researchers warn that cyber activity linked to geopolitical conflicts may increase. Analysts tracking Iranian-aligned threat actors say reconnaissance and infiltration efforts often occur ahead of disruptive operations targeting infrastructure or government systems.

Organizations operating in sensitive sectors are being advised to review network monitoring practices and investigate unusual authentication activity that could indicate persistent access. The investigation into the Seedworm intrusions remains ongoing as researchers continue to analyze the malware and the scope of the affected networks.
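As an added illustration of the "unusual authentication activity" check the advice above refers to, the following script is example code written for this article, not tooling from Symantec, Carbon Black or any of the affected organizations. It builds a per-account baseline of source addresses from a quiet period, then flags later successful logins that come from an address the account never used before, fall outside assumed business hours (07:00 to 19:59, an assumption), or belong to an account with no baseline at all. The log lines, timestamps, account names and addresses are all constructed for the example; the single-line "timestamp user source result" format is likewise assumed rather than taken from any real product.

```python
"""Flag successful logins that deviate from a per-account baseline of sources and hours."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the report). Format assumed: ISO timestamp, user, source IP, result.
SAMPLE_LOG = """\
2026-02-02T09:12:03 alice 10.0.1.15 success
2026-02-02T09:40:11 bob 10.0.1.22 success
2026-02-03T10:05:44 alice 10.0.1.15 success
2026-02-03T11:17:02 bob 10.0.1.22 success
2026-02-04T14:30:55 alice 10.0.1.16 success
2026-02-05T08:55:19 bob 10.0.1.22 success
2026-02-05T03:12:40 alice 203.0.113.77 success
2026-02-05T03:14:02 alice 203.0.113.77 success
2026-02-06T02:58:31 alice 203.0.113.77 success
2026-02-06T10:02:17 bob 10.0.1.22 success
2026-02-06T12:41:09 carol 10.0.1.30 success
2026-02-06T12:43:50 carol 10.0.1.30 failure
"""

# Assumptions: events before CUTOFF form the baseline; 07:00-19:59 local is "normal" working time.
CUTOFF = datetime(2026, 2, 5)
BUSINESS_HOURS = range(7, 20)


def parse_events(text):
    """Turn the constructed log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, src, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "ok": result == "success"})
    return events


def build_baseline(events, cutoff):
    """Map each account to the set of source addresses it used successfully before the cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            baseline[e["user"]].add(e["src"])
    return baseline


def find_anomalies(events, cutoff):
    """Return successful post-cutoff logins that differ from the baseline, with the reasons."""
    baseline = build_baseline(events, cutoff)
    findings = []
    for e in events:
        if not e["ok"] or e["ts"] < cutoff:
            continue  # failures are a separate signal; only successful access is judged here
        reasons = []
        if e["user"] not in baseline:
            reasons.append("no baseline for account")
        elif e["src"] not in baseline[e["user"]]:
            reasons.append("source not seen in baseline")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "src": e["src"], "reasons": reasons})
    return findings


def summarize(findings):
    """Collapse findings per account: how many flagged logins and which unfamiliar sources recur."""
    summary = defaultdict(lambda: {"events": 0, "new_sources": set()})
    for f in findings:
        summary[f["user"]]["events"] += 1
        if "source not seen in baseline" in f["reasons"]:
            summary[f["user"]]["new_sources"].add(f["src"])
    return dict(summary)


if __name__ == "__main__":
    for f in find_anomalies(parse_events(SAMPLE_LOG), CUTOFF):
        print(f["ts"].isoformat(), f["user"], f["src"], "; ".join(f["reasons"]))
    print(summarize(find_anomalies(parse_events(SAMPLE_LOG), CUTOFF)))
```

The useful signal is in the summary rather than any single line: one account repeatedly authenticating off-hours from the same previously unseen address across consecutive days is the kind of pattern that distinguishes a standing foothold from a one-off oddity. In a real deployment the baseline would come from weeks of identity-provider or VPN logs and the hour check would be per-user, but the shape of the comparison is the same.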
