In early 2026, Iranian cyber operations expanded significantly, with state-affiliated threat groups embedding themselves in US and Canadian networks. Simultaneously, they targeted internet-connected surveillance cameras across the Middle East to gather battlefield intelligence.
Infiltration of US Networks
The Iranian APT group, MuddyWater, linked to Iran’s Ministry of Intelligence and Security, has reportedly been maintaining unauthorized access to various American organizations since February 2026. The sectors affected include banking, aviation, defense supply chains, and non-profit organizations.
Reports from Symantec and Carbon Black exposed this illicit activity, highlighting MuddyWater’s use of undocumented malware to secure persistent access in victim networks. This approach aligns with state-sponsored espionage, focusing on sustained intelligence collection rather than immediate disruption.
Malware Tools and Tactics
PolySwarm analysts have identified several malware families associated with MuddyWater’s attacks on US entities, including Dindoor and Fakeset. The Dindoor backdoor, which uses the Deno runtime for JavaScript and TypeScript to maintain access, was discovered in the network of a US software company that serves defense and aerospace clients.
Fakeset, a Python-based backdoor, was detected in the networks of a US airport and a non-profit organization. These tools are engineered to remain undetected, ensuring long-term presence in compromised systems.
Surveillance Camera Exploitation
Beyond network penetration, Iranian infrastructure initiated extensive scanning of internet-connected surveillance cameras from February 28, 2026. Check Point Research documented a surge in exploit attempts targeting Hikvision and Dahua cameras, affecting commercial, government, and municipal setups across the region.
This activity spanned Israel, Qatar, Bahrain, Kuwait, the UAE, Lebanon, and Cyprus, coinciding with regional hostilities, and emphasizes Iran’s strategic use of these devices for real-time intelligence gathering.
The exploitation of surveillance cameras is a deliberate tactic to transform standard security equipment into intelligence platforms. Iranian actors leverage vulnerabilities like CVE-2017-7921 in Hikvision and CVE-2021-33044 in Dahua devices to monitor and assess locations.
Recommendations and Outlook
Organizations using Hikvision or Dahua cameras must apply all available firmware patches, especially those addressing known vulnerabilities. Segmentation of camera systems from core networks, disabling unnecessary remote access, and enforcing strong authentication are vital preventive measures.
For sectors targeted by MuddyWater, vigilance for unusual activities involving Deno runtime, unexpected Python processes, and Rclone traffic is crucial. Digital certificate-based detection and traffic inspection should be integrated into defense strategies to counter these sophisticated threats.
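The three indicators above (Deno runtime activity, unexpected Python processes, Rclone traffic) translate directly into hunting rules over endpoint telemetry. The script below is an added example written for this article, not code from the article or from any vendor it cites. Its event fields (type, host, image, original_file_name, cmdline, parent_image, dest_ip, dest_port) are assumptions loosely modelled on Sysmon process-creation and network-connection events, the sample events are constructed, and every allow-list is a placeholder baseline to be tuned per fleet. The point it makes that the paragraph does not: Deno and Python are legitimate tools, so the rules fire on deviation from a baseline (unapproved host, user-writable install path, script-host or Office parent), while Rclone is caught both by name and by the original file name of a renamed copy.

```python
"""Hunt endpoint telemetry for Deno runtime activity, unexpected Python
interpreters and Rclone traffic. Added example; field names and allow-lists
are assumptions, not from the article or any vendor it cites."""
import json
import re
from dataclasses import dataclass
from typing import Optional

DENO_NAMES = {"deno", "deno.exe"}
PYTHON_NAMES = {"python", "python3", "python.exe", "python3.exe", "pythonw.exe"}
RCLONE_NAMES = {"rclone", "rclone.exe"}
# Constructed baseline: hosts where Deno is an approved developer tool.
DENO_APPROVED_HOSTS = {"DEV-BUILD-01"}
# Script hosts and Office binaries that should not normally spawn an interpreter.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
                       "winword.exe", "excel.exe", "outlook.exe"}
# Directory fragments where ordinary users or services can typically drop files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\",
                 "/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample telemetry (newline-delimited JSON); 203.0.113.0/24 is a
# documentation address range, not a real destination.
SAMPLE_EVENTS = r"""
{"type":"process","host":"WS-FIN-07","image":"C:\\Users\\jsmith\\AppData\\Local\\Temp\\deno.exe","original_file_name":"deno.exe","cmdline":"deno.exe run -A svc.ts","parent_image":"C:\\Windows\\System32\\wscript.exe"}
{"type":"process","host":"WS-HR-12","image":"C:\\Users\\mlee\\AppData\\Roaming\\py\\python.exe","original_file_name":"python.exe","cmdline":"python.exe stage2.py","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"type":"process","host":"DEV-BUILD-01","image":"C:\\Program Files\\Python311\\python.exe","original_file_name":"python.exe","cmdline":"python.exe build.py","parent_image":"C:\\Windows\\System32\\cmd.exe"}
{"type":"process","host":"SRV-FILE-02","image":"C:\\ProgramData\\Update\\svchost.exe","original_file_name":"rclone.exe","cmdline":"svchost.exe sync D:\\Share remote:bkt --config C:\\ProgramData\\Update\\r.conf","parent_image":"C:\\Windows\\System32\\cmd.exe"}
{"type":"process","host":"DEV-BUILD-01","image":"/usr/local/bin/deno","original_file_name":"","cmdline":"deno run --allow-net server.ts","parent_image":"/bin/bash"}
{"type":"network","host":"WS-ENG-03","image":"C:\\Users\\akhan\\AppData\\Local\\rclone\\rclone.exe","dest_ip":"203.0.113.10","dest_port":443}
{"type":"network","host":"WS-ENG-03","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_ip":"203.0.113.20","dest_port":443}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    image: str
    reason: str


def basename(path: str) -> str:
    """Lower-cased last component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_deno(ev: dict) -> Optional[Finding]:
    """Deno is a legitimate runtime; flag it only when it deviates from baseline."""
    if basename(ev["image"]) not in DENO_NAMES:
        return None
    parent = basename(ev.get("parent_image", ""))
    reasons = []
    if ev["host"] not in DENO_APPROVED_HOSTS:
        reasons.append("host not approved for Deno")
    if in_user_writable(ev["image"]):
        reasons.append("runtime launched from a user-writable path")
    if parent in SCRIPT_HOST_PARENTS:
        reasons.append(f"spawned by {parent}")
    return Finding("deno_runtime", ev["host"], ev["image"], "; ".join(reasons)) if reasons else None


def check_python(ev: dict) -> Optional[Finding]:
    """An interpreter outside its install directory, or spawned by a script host
    or Office process, is the 'unexpected Python process' to look for."""
    if basename(ev["image"]) not in PYTHON_NAMES:
        return None
    parent = basename(ev.get("parent_image", ""))
    reasons = []
    if in_user_writable(ev["image"]):
        reasons.append("interpreter outside standard install directories")
    if parent in SCRIPT_HOST_PARENTS:
        reasons.append(f"spawned by {parent}")
    return Finding("unexpected_python", ev["host"], ev["image"], "; ".join(reasons)) if reasons else None


def check_rclone(ev: dict) -> Optional[Finding]:
    """Match rclone by image name or, for a renamed copy, by the PE's original
    file name; network events carry the destination into the reason."""
    name = basename(ev["image"])
    original = ev.get("original_file_name", "").lower()
    if name in RCLONE_NAMES:
        reason = "rclone binary"
    elif original in RCLONE_NAMES:
        reason = f"renamed rclone ({name}, original name {original})"
    else:
        return None
    if ev["type"] == "network":
        reason += f", connecting to {ev['dest_ip']}:{ev['dest_port']}"
    return Finding("rclone", ev["host"], ev["image"], reason)


def hunt(events: list) -> list:
    """Process rules on process events; only the rclone rule on network events."""
    findings = []
    for ev in events:
        checks = (check_deno, check_python, check_rclone) if ev["type"] == "process" else (check_rclone,)
        findings.extend(f for f in (c(ev) for c in checks) if f)
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.rule}] {f.host} {f.image}: {f.reason}")
```

Run against the constructed sample, the hunt returns four findings: the Deno binary dropped in a Temp folder and launched by wscript.exe, a Python interpreter under AppData spawned by Word, a renamed rclone.exe identified by its original file name, and an rclone network connection on port 443. The developer host running Deno from /usr/local/bin, the Python build under Program Files, and the browser connection are left alone, which is what keeps a rule like this usable in a fleet where these tools are legitimately present.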
Given the current geopolitical tensions, organizations must prioritize these risks in their incident response strategies to mitigate potential impacts.
