Already Inside: How Iran's MuddyWater APT Quietly Embedded Itself in U.S. Critical Infrastructure
ID: e98ab013-218a-5a25-a319-a8624e7b54bf
STIX ID: report--e98ab013-218a-5a25-a319-a8624e7b54bf
Feed Name: NoHackie
This report summarizes March 2026 disclosures that MuddyWater, an Iranian state-linked APT, held long-standing access to multiple high-value targets, including a U.S. bank, a U.S. airport, an Israeli-linked defense software firm, and a Canadian nonprofit. The disclosed tradecraft combines novel tooling (Dindoor, Fakeset) with living-off-the-land techniques, including Deno and Python runtimes and signed binaries, with exfiltration to cloud storage at Wasabi and Backblaze and diverse C2 channels such as Telegram and Ethereum smart contracts. The report highlights the operation's broad scale, the supply-chain risk posed by the compromised defense software firm, the group's exposed infrastructure, and the potential for this kind of cyber access to enable kinetic effects.
