Iran-Linked Hackers Target U.S. Critical Infrastructure Amid Rising Cyber Threat Activity

The Iranian advanced persistent threat group known as Seedworm — also tracked as MuddyWater, Temp Zagros, and Static Kitten — has been found actively operating inside the networks of multiple U.S. organizations since early February 2026, raising serious alarms across the cybersecurity community.

The group’s intensified activity follows the coordinated U.S. and Israeli military strikes on Iran on February 28, 2026, which led to the death of Iran’s Supreme Leader and dramatically escalated regional tensions.

Iran’s response has not been limited to conventional military retaliation; its cyber operatives appear to have used the rising conflict as a direct trigger to accelerate intrusions against American and allied targets.

Seedworm has been active since at least 2017 and is formally classified by CISA as a subordinate element of Iran’s Ministry of Intelligence and Security (MOIS).

Over the years, the group has expanded its targeting beyond the Middle East to include telecommunications companies, defense contractors, local governments, and oil and natural gas organizations across Asia, Africa, Europe, and North America.

The group develops its own custom malware but also relies on legitimate dual-use tools, which lets its activity blend in with routine administrative traffic on victim networks.

Symantec researchers identified intrusion activity on the networks of a U.S. bank, a U.S. airport, a software company with defense and aerospace industry ties, and non-governmental organizations in both the U.S. and Canada.

The software company's Israeli operations appeared to be the primary target of that intrusion, with Seedworm apparently using the company's global network as a bridge to reach them.

Notably, these breaches were already underway before the military conflict formally began, suggesting the group had pre-positioned itself inside high-value networks well before the escalation.

The UK’s National Cyber Security Centre issued a formal alert warning that Iranian state-aligned actors “almost certainly currently maintain at least some capability to conduct cyber activity,” even with the ongoing disruption to internet infrastructure inside Iran itself.


Source: Cybersecurity News